[DSE-Dev] Bug#984879: podman does not work on Debian with selinux loaded

Sam Morris sam at robots.org.uk
Wed Jun 21 18:04:14 BST 2023


On Wed, Jun 21, 2023 at 05:28:48PM +0100, Sam Morris wrote:
> refpolicy has a 'container' module that appears to work, it's just not
> built by default.

BTW, the existence of /etc/selinux/default/contexts/lxc_contexts is what
causes Podman to try to label containers. Which prevents it from being
able to start any container, since the container module is not
included in selinux-policy-default.

https://sources.debian.org/src/golang-github-opencontainers-selinux/1.10.0+ds1-1/go-selinux/selinux_linux.go/?hl=943#L943

> Any chance that module could be built by default?

So if the module is not suitable to be built by default, please remove
the `lxc_contexts` file; I have the feeling it might also cause problems
with libvirt and k8s...

https://sources.debian.org/src/libvirt/9.0.0-4/src/security/security_selinux.c/?hl=650#L650

https://sources.debian.org/src/kubernetes/1.20.5+really1.20.2-1.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go/?hl=887#L887

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
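Added diagnostic, not part of the bug report or of any of the linked projects: a small POSIX sh check that reproduces the decision described above. It treats the presence of `<policy_root>/contexts/lxc_contexts` as "runtimes will label containers", then verifies that the `process` and `file` types the file names are actually present in the loaded policy (the runtime validates the context against selinuxfs; comparing the type against a list from `seinfo -t` is this script's stand-in for that check, and the `seinfo` invocation assumes setools is installed).

```shell
#!/bin/sh
# lxc_contexts_check POLICY_ROOT TYPES_FILE
#   POLICY_ROOT  e.g. /etc/selinux/default
#   TYPES_FILE   loaded SELinux types, one per line
#                (on a live system: seinfo -t > types.txt   -- assumes setools)
# Exit status: 0 = consistent (no labeling, or labeling and the types exist)
#              1 = lxc_contexts present but a referenced type is not loaded,
#                  i.e. the state the bug report describes (container module
#                  not in the installed policy)
lxc_contexts_check() {
    root=$1
    types=$2
    ctx="$root/contexts/lxc_contexts"
    if [ ! -f "$ctx" ]; then
        echo "no $ctx: container runtimes will not label containers"
        return 0
    fi
    missing=0
    # lines in lxc_contexts look like:
    #   process = "system_u:system_r:container_t:s0"
    for key in process file; do
        label=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$ctx" | head -n 1)
        [ -n "$label" ] || continue
        # the third colon-separated field of a security context is the type
        type=$(printf '%s\n' "$label" | cut -d: -f3)
        if grep -qx "$type" "$types"; then
            echo "$key label $label: type $type is loaded"
        else
            echo "$key label $label: type $type is NOT in the loaded policy"
            missing=1
        fi
    done
    return $missing
}
```

Run it as `lxc_contexts_check /etc/selinux/default types.txt` after generating `types.txt` with `seinfo -t`; a non-zero exit means the lxc_contexts file is present but the policy it points at is not.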
