Hey team,

I've got some odd behavior on a podman in Openshift use case I am trying to figure out. I am trying to run podman in openshift without privilege, extra capabilities and ideally a custom SELinux label that isn't `spc_t`. I have managed to adapt the `container_engine_t` type to get past any denials, but now I'm hitting an issue where the sysfs of the container is read only:

I am running with this yaml:

```

apiVersion: v1
kind: Pod
metadata:
  name: no-priv
  annotations:
    io.kubernetes.cri-o.Devices: "/dev/fuse"

spec:
  containers:
  - name: no-priv-rootful
    image: quay.io/podman/stable
    args:
    - sleep
    - "1000000"
    securityContext:
      runAsUser: 1000
      seLinuxOptions:
        type: "container_engine_t"

```

and using a container-selinux based on https://github.com/haircommander/container-selinux/tree/engine_t-improvements

when I run this container, and then run podman inside, I get this error:

```

 $ oc exec -ti pod/no-priv-rootful -- bash
[podman@no-priv-rootful /]$ podman run ubi8 ls
WARN[0005] Path "/run/secrets/etc-pki-entitlement" from "/etc/containers/mounts.conf" doesn't exist, skipping
Error: crun: set propagation for `sys`: Permission denied: OCI permission denied

```

What I find odd, and what is the subject of this email, is that when I adapt the selinux label to be "spc_t":

```

        type: "spc_t"

```

the container runs fine. There are no denials in AVC when I run `container_engine_t`, but clearly something is different. Can anyone help me identify what is happening?

Thanks

Peter

--

Peter Hunt, RHCE

They/Them or He/Him

Senior Software Engineer, Openshift

Red Hat

_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io

Looks like you have a dontaudit rule.

Run

sudo semodule -DB

Run your test

See if there are AVC messages for container_engine_t.

Run

sudo semodule -B

To turn dontaudit rules back on.