On 6/14/23 09:16, lejeczek via Podman wrote:
Hi guys.
I map /root very often - I'd imagine many do - and I do that with Z
What I get is quite puzzling to me, say host has it:
system_u:object_r:container_file_t:s0 bin
system_u:object_r:container_file_t:s0:c526,c622 cacert.p12
system_u:object_r:container_file_t:s0:c526,c622 kracert.p12
system_u:object_r:container_file_t:s0:c74,c78 pki
in container:
You should not relabel /root from the host into a container, this can
cause other issues. You should just not use SELinux separation if you
want to share /root into a container.
podman run --security-opt label=disable
-> $ ls -Z1 bin pki
bin:
system_u:object_r:container_file_t:s0 conf
system_u:object_r:container_file_t:s0 container-config
ls: cannot open directory 'pki': Permission denied
'root' existed prior to container creation and 'pki' was added later,
& outside of container.
fcontext is not enough? SELinux says:
allow container_init_t container_file_t:dir read;
label=disable seems to be the way of it but is that the right way?
many thanks, L.
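
Added example, not part of the thread: a Python check that parses the host-side `ls -Z` listing quoted above and flags entries whose MCS categories a given process level does not dominate, the condition under which SELinux refuses access even when the type rule allows it. The function names and the process level `s0:c526,c622` (the pair that appears on the relabeled files) are assumptions, and the listing is embedded as sample input.

```python
import re

# Sample input: the host-side `ls -Z` listing quoted in the thread.
LISTING = """\
system_u:object_r:container_file_t:s0 bin
system_u:object_r:container_file_t:s0:c526,c622 cacert.p12
system_u:object_r:container_file_t:s0:c526,c622 kracert.p12
system_u:object_r:container_file_t:s0:c74,c78 pki
"""

def parse_categories(spec):
    """Expand an MCS category spec such as 'c1,c5.c7' into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        cats.update(range(lo, hi + 1))
    return cats

def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories] into (type, categories)."""
    fields = ctx.split(":", 4)
    if len(fields) < 4:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return fields[2], parse_categories(fields[4] if len(fields) == 5 else "")

def mcs_blocked(listing, process_level):
    """Return (name, missing categories) for entries the level does not dominate."""
    _, proc_cats = parse_context("u:r:t:" + process_level)
    blocked = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        ctx, name = line.split(None, 1)
        _, file_cats = parse_context(ctx)
        if not file_cats <= proc_cats:  # file has a category the process lacks
            blocked.append((name, sorted(file_cats - proc_cats)))
    return blocked

if __name__ == "__main__":
    # Assumption: the container process runs at s0:c526,c622.
    for name, missing in mcs_blocked(LISTING, "s0:c526,c622"):
        print(f"{name}: process lacks categories {missing}")
```
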