[DSE-Dev] Bug#984879: podman does not work on Debian with selinux loaded
Sam Morris
sam at robots.org.uk
Wed Jun 21 17:28:48 BST 2023
On Thu, May 13, 2021 at 10:14:38AM +0200, Laurent Bigonville wrote:
> From a SELinux policy perspective, the main problem is that the "container"
> policy is 100% Red Hat specific and has not been upstreamed, and the
> difficulty is that the RH SELinux policy is heavily patched compared to the
> Debian and upstream one.
Hi folks,
refpolicy has a 'container' module that appears to work; it's just not
built by default.
Steps taken to test it:
1. Edit debian/modules.conf.default, adding 'container = module'
2. Run 'debian/rules build-default-policy'
3. Run 'semodule -i debian/build-default/container.pp'
4. Start a container with 'podman run --rm -it docker.io/library/debian:11 sleep inf'
5. Check the context of the sleep process with 'ps -Z <pid>'
Any chance that module could be built by default?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
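The last step above checks the label of the container's process by hand. As an added example (not part of the mail or of refpolicy), the following shell helper automates that check: it parses an SELinux label as printed by `ps -Z` / `ps -o label=` and reports whether the process runs in a confined container domain with MCS categories rather than, say, unconfined_t. The expected type name `container_t` is an assumption taken from the refpolicy container module; the sample labels are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail or from refpolicy.
# Verifies that a container process got a confined, MCS-separated domain.

# check_context LABEL
#   returns 0 when LABEL is user:role:TYPE:level:CATEGORIES with
#   TYPE = container_t (assumed name) and at least two MCS categories,
#   which is what a container runtime assigns per container.
check_context() {
    label=$1
    type=$(printf '%s' "$label" | cut -d: -f3)
    cats=$(printf '%s' "$label" | cut -d: -f5)
    [ "$type" = "container_t" ] || return 1
    case "$cats" in
        c[0-9]*,c[0-9]*) return 0 ;;   # e.g. c123,c456
        *) return 1 ;;                # no categories: containers not separated
    esac
}

# check_pid PID
#   reads the live label of PID (equivalent to the 'ps -Z <pid>' step)
#   and runs check_context on it; only usable on a SELinux system.
check_pid() {
    label=$(ps -o label= -p "$1") || return 1
    check_context "$label"
}

# Constructed sample label for a stand-alone run:
sample="system_u:system_r:container_t:s0:c123,c456"
if check_context "$sample"; then
    echo "OK: $sample is a confined container domain"
else
    echo "FAIL: $sample is not a confined container domain"
fi
```

On a host where the module is installed, `check_pid "$(pidof sleep)"` performs the same check against the running container process.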