[DSE-Dev] Bug#984879: podman does not work on Debian with selinux loaded
Sam Morris
sam at robots.org.uk
Mon Jul 3 09:55:11 BST 2023
On Wed, Jun 21, 2023 at 06:04:14PM +0100, Sam Morris wrote:
> On Wed, Jun 21, 2023 at 05:28:48PM +0100, Sam Morris wrote:
> > refpolicy has a 'container' module that appears to work, it's just not
> > built by default.
>
> BTW, the existence of /etc/selinux/default/contexts/lxc_contexts is what
> causes Podman to try to label containers. Which prevents it from being
> able to start any container, since the container module is not
> included in selinux-policy-default.
>
> https://sources.debian.org/src/golang-github-opencontainers-selinux/1.10.0+ds1-1/go-selinux/selinux_linux.go/?hl=943#L943
>
> > Any chance that module could be built by default?
>
> So if the module is not suitable to be built by default, please remove
> the `lxc_contexts` file; I have the feeling it might also cause problems
> with libvirt and k8s...
Actually this file should remain until Debian packages container-selinux
(which ships /usr/share/containers/selinux/contexts which replaces
/etc/selinux/default/contexts/lxc_contexts; without either file, Podman
etc. won't try to label their containers).
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
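As an added example (not code from this thread, Debian, Podman or go-selinux), the following POSIX shell script mirrors the lookup described above: it reports which contexts file Podman would consult, extracts the process label from it, and asks the running kernel whether the loaded policy accepts that label. The `key = "value"` format, the policy root `/etc/selinux/default` and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Podman/go-selinux: it mirrors
# the lookup described in the message. Podman (via go-selinux) labels containers
# only when one of these files is readable, tried in this order:
#   1. /usr/share/containers/selinux/contexts  (shipped by container-selinux)
#   2. <policy root>/contexts/lxc_contexts      (Debian refpolicy, /etc/selinux/default)
# Assumed format: key = "value" lines, e.g. process = "system_u:system_r:container_t:s0".

# Print the contexts file Podman would consult; return 1 if neither exists.
# $1: policy root (default /etc/selinux/default); $2: container-selinux path override.
find_contexts_file() {
    root="${1:-/etc/selinux/default}"
    shared="${2:-/usr/share/containers/selinux/contexts}"
    if [ -r "$shared" ]; then printf '%s\n' "$shared"
    elif [ -r "$root/contexts/lxc_contexts" ]; then printf '%s\n' "$root/contexts/lxc_contexts"
    else return 1
    fi
}

# Print the value of key $2 in contexts file $1, quotes and whitespace stripped.
context_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Ask the kernel whether the loaded policy knows label $1 (libselinux does the
# same by writing to /sys/fs/selinux/context). 0 = valid, 1 = rejected, 2 = no SELinux.
context_is_valid() {
    [ -w /sys/fs/selinux/context ] || return 2
    printf '%s' "$1" > /sys/fs/selinux/context 2>/dev/null || return 1
}

# Write a constructed lxc_contexts sample (for offline runs and tests) under root $1.
write_sample_contexts() {
    mkdir -p "$1/contexts"
    printf 'process = "system_u:system_r:container_t:s0"\nfile = "system_u:object_r:container_file_t:s0"\n' \
        > "$1/contexts/lxc_contexts"
}

main() {
    f=$(find_contexts_file "$1") || { echo "no contexts file: Podman will not label containers"; return 0; }
    proc=$(context_value "$f" process)
    echo "contexts file: $f"; echo "process label: $proc"
    context_is_valid "$proc"
    case $? in
        0) echo "policy accepts the label" ;;
        1) echo "policy rejects the label: is the container module loaded?" ;;
        2) echo "SELinux not active here; validity check skipped" ;;
    esac
}
main "$@"
```

Run it with no arguments on the host to inspect the real files, or pass a policy root created with `write_sample_contexts` to exercise the parser offline.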