On Thu, Dec 21, 2023 at 12:42 PM Daniel Walsh <dwalsh@redhat.com> wrote:
_______________________________________________On 12/19/23 16:25, Peter Hunt wrote:
Hey team,
I've got some odd behavior on a podman in Openshift use case I am trying to figure out. I am trying to run podman in openshift without privilege, extra capabilities and ideally a custom SELinux label that isn't `spc_t`. I have managed to adapt the `container_engine_t` type to get past any denials, but now I'm hitting an issue where the sysfs of the container is read only:
I am running with this yaml:```apiVersion: v1
kind: Pod
metadata:
name: no-priv
annotations:
io.kubernetes.cri-o.Devices: "/dev/fuse"
spec:
containers:
- name: no-priv-rootful
image: quay.io/podman/stable
args:
- sleep
- "1000000"
securityContext:
runAsUser: 1000
seLinuxOptions:
type: "container_engine_t"```and using a container-selinux based on https://github.com/haircommander/container-selinux/tree/engine_t-improvements
when I run this container, and then run podman inside, I get this error:
```$ oc exec -ti pod/no-priv-rootful -- bash
[podman@no-priv-rootful /]$ podman run ubi8 ls
WARN[0005] Path "/run/secrets/etc-pki-entitlement" from "/etc/containers/mounts.conf" doesn't exist, skipping
Error: crun: set propagation for `sys`: Permission denied: OCI permission denied```
What I find odd, and what is the subject of this email, is that when I adapt the selinux label to be "spc_t":```
type: "spc_t"```
the container runs fine. There are no denials in AVC when I run `container_engine_t`, but clearly something is different. Can anyone help me identify what is happening?
ThanksPeter
_______________________________________________ Podman mailing list -- podman@lists.podman.io To unsubscribe send an email to podman-leave@lists.podman.ioHave you tried it in permissive mode?
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io
