Hi guys.
I map /root very often - I'd imagine many do - and I do that with Z.
What I get is quite puzzling to me, say host has it:
system_u:object_r:container_file_t:s0 bin
system_u:object_r:container_file_t:s0:c526,c622 cacert.p12
system_u:object_r:container_file_t:s0:c526,c622 kracert.p12
system_u:object_r:container_file_t:s0:c74,c78 pki
in container:
You should not relabel /root from the host into a container; this can cause other issues. You should just not use SELinux separation if you want to share /root into a container:

    podman run --security-opt label=disable
-> $ ls -Z1 bin pki
bin:
system_u:object_r:container_file_t:s0 conf
system_u:object_r:container_file_t:s0 container-config
ls: cannot open directory 'pki': Permission denied
'root' existed prior to container creation and 'pki' was added later, & outside of container.
fcontext is not enough? SELinux says:
allow container_init_t container_file_t:dir read;
label=disable seems to be the way of it but is that the right way?
many thanks, L.
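Added example, not part of the original thread: every entry in the listing has the same type (container_file_t), so what differs for 'pki' is its MCS category pair. This sketch parses the `ls -Z` lines from the post and reports entries whose categories are not covered by the container process. The process label is an assumption (the post does not show it), as are the function names, and only single levels such as `s0:c1,c2` are handled.

```python
# Added example: MCS category check over `ls -Z` output (not code from the thread).

# Host listing as quoted in the post.
HOST_LISTING = [
    "system_u:object_r:container_file_t:s0 bin",
    "system_u:object_r:container_file_t:s0:c526,c622 cacert.p12",
    "system_u:object_r:container_file_t:s0:c526,c622 kracert.p12",
    "system_u:object_r:container_file_t:s0:c74,c78 pki",
]
# Constructed value: assumes the container runs with the pair that :Z
# put on the relabeled files. The real label is not shown in the post.
PROCESS_CTX = "system_u:system_r:container_init_t:s0:c526,c622"


def parse_context(ctx):
    """Split 'user:role:type:sens[:cats]' into (type, sensitivity, category set)."""
    parts = ctx.split(":", 4)
    if len(parts) < 4:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    cats = set()
    if len(parts) == 5:
        for item in parts[4].split(","):
            # 'c0.c3' is an inclusive range, 'c5' a single category.
            lo, _, hi = item.partition(".")
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
    return parts[2], parts[3], cats


def mcs_blocked(process_ctx, ls_z_lines):
    """Return (name, missing categories) for entries the process does not dominate."""
    _, _, proc_cats = parse_context(process_ctx)
    blocked = []
    for line in ls_z_lines:
        ctx, name = line.split(None, 1)
        _, _, file_cats = parse_context(ctx)
        # MCS separation: the file's categories must be a subset of the process's.
        if not file_cats <= proc_cats:
            blocked.append((name.strip(), sorted(file_cats - proc_cats)))
    return blocked


if __name__ == "__main__":
    for name, missing in mcs_blocked(PROCESS_CTX, HOST_LISTING):
        print(f"{name}: process lacks categories {missing}")
```

On a real host, replace PROCESS_CTX with the label shown for the container's process by `ps -eZ`.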