Hey team, I've got some odd behavior on a podman in Openshift use case I am trying to figure out. I am trying to run podman in openshift without privilege, extra capabilities and ideally a custom SELinux label that isn't `spc_t`. I have managed to adapt the `container_engine_t` type to get past any denials, but now I'm hitting an issue where the sysfs of the container is read only: I am running with this yaml: ``` apiVersion: v1 kind: Pod metadata:   name: no-priv   annotations:     io.kubernetes.cri-o.Devices: "/dev/fuse" spec:   containers:   - name: no-priv-rootful     image: quay.io/podman/stable <http://quay.io/podman/stable>     args:     - sleep     - "1000000"     securityContext:       runAsUser: 1000       seLinuxOptions:         type: "container_engine_t" ``` and using a container-selinux based on https://github.com/haircommander/container-selinux/tree/engine_t-improvem... when I run this container, and then run podman inside, I get this error: ```  $ oc exec -ti pod/no-priv-rootful -- bash [podman@no-priv-rootful /]$ podman run ubi8 ls WARN[0005] Path "/run/secrets/etc-pki-entitlement" from "/etc/containers/mounts.conf" doesn't exist, skipping Error: crun: set propagation for `sys`: Permission denied: OCI permission denied ``` What I find odd, and what is the subject of this email, is that when I adapt the selinux label to be "spc_t": ```         type: "spc_t" ``` the container runs fine. There are no denials in AVC when I run `container_engine_t`, but clearly something is different. Can anyone help me identify what is happening? Thanks Peter -- Peter Hunt, RHCE They/Them or He/Him Senior Software Engineer, Openshift Red Hat <https://www.redhat.com> <https://www.redhat.com> _______________________________________________ Podman mailing list --podman(a)lists.podman.io To unsubscribe send an email topodman-leave(a)lists.podman.io

On 12/19/23 16:25, Peter Hunt wrote: Hey team, I've got some odd behavior on a podman in Openshift use case I am trying to figure out. I am trying to run podman in openshift without privilege, extra capabilities and ideally a custom SELinux label that isn't `spc_t`. I have managed to adapt the `container_engine_t` type to get past any denials, but now I'm hitting an issue where the sysfs of the container is read only: I am running with this yaml: ``` apiVersion: v1 kind: Pod metadata: name: no-priv annotations: io.kubernetes.cri-o.Devices: "/dev/fuse" spec: containers: - name: no-priv-rootful image: quay.io/podman/stable args: - sleep - "1000000" securityContext: runAsUser: 1000 seLinuxOptions: type: "container_engine_t" ``` and using a container-selinux based on https://github.com/haircommander/container-selinux/tree/engine_t-improvem... when I run this container, and then run podman inside, I get this error: ``` $ oc exec -ti pod/no-priv-rootful -- bash [podman@no-priv-rootful /]$ podman run ubi8 ls WARN[0005] Path "/run/secrets/etc-pki-entitlement" from "/etc/containers/mounts.conf" doesn't exist, skipping Error: crun: set propagation for `sys`: Permission denied: OCI permission denied ``` What I find odd, and what is the subject of this email, is that when I adapt the selinux label to be "spc_t": ``` type: "spc_t" ``` the container runs fine. There are no denials in AVC when I run `container_engine_t`, but clearly something is different. Can anyone help me identify what is happening? Thanks Peter -- Peter Hunt, RHCE They/Them or He/Him Senior Software Engineer, Openshift Red Hat <https://www.redhat.com> <https://www.redhat.com> _______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io Have you tried it in permissive mode? _______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io