podman: Containers fail to start if the SELinux policy does not define the correct types

Hello,

On Debian unstable (podman 3.0.1), with SELinux enabled and running the refpolicy (I disabled the virt module for some reason) in permissive mode, podman is not able to start a container. If I reboot and disable SELinux, everything works fine.

podman just fails (as root or non-root user) with:

Error: failed to mount shm tmpfs "/home/bigon/.local/share/containers/storage/overlay-containers/99d002d974978230de6e6214d41c4f9b24f4d054f7d58b7b7cc6729adddcc7ec/userdata/shm": invalid argument

If SELinux is in permissive mode, podman should probably just ignore that and continue. In any case, it should log it instead of displaying a cryptic error.

log.txt

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 21 (10 by maintainers)

Most upvoted comments

container_t should not be hard-coded anywhere in podman, and I do not find it anywhere. The type comes from either /usr/share/containers/selinux/contexts, which is defined in the container-selinux package, which should define container_t:

$ cat /usr/share/containers/selinux/contexts 
process = "system_u:system_r:container_t:s0"
file = "system_u:object_r:container_file_t:s0"
ro_file="system_u:object_r:container_ro_file_t:s0"
kvm_process = "system_u:system_r:container_kvm_t:s0"
init_process = "system_u:system_r:container_init_t:s0"
engine_process = "system_u:system_r:container_engine_t:s0"
$ rpm -qf /usr/share/containers/selinux/contexts 
container-selinux-2.160.0-1.fc34.noarch

Or it comes from /etc/selinux/targeted/contexts/lxc_contexts:

$ cat /etc/selinux/targeted/contexts/lxc_contexts
process = "system_u:system_r:container_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:container_file_t:s0"
ro_file="system_u:object_r:container_ro_file_t:s0"
container_kvm_process = "system_u:system_r:container_kvm_t:s0"
sandbox_lxc_process = "system_u:system_r:container_t:s0"

This file is part of the selinux-policy-targeted package.

Where are you getting it from?
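The maintainer's point is that the labels podman applies come from a contexts file of `key = "user:role:type:level"` lines, and a policy that does not define those types (such as a refpolicy build with the virt module disabled) makes the mount fail. The following script is an added example, not code from this thread or from podman: it parses that file format and reports which entries name a type the policy does not define. The contexts file text is a constructed copy of the one quoted above; `SAMPLE_POLICY_TYPES` is a constructed stand-in for a policy missing some container types; and `kernel_validates()` assumes selinuxfs is mounted at /sys/fs/selinux, where writing a label to the `context` node is the same validity check libselinux's `security_check_context()` performs.

```python
"""Report contexts-file entries whose SELinux type the loaded policy does not define.
Hypothetical diagnostic helper; not part of podman or container-selinux."""
import re
from typing import Callable, Dict, Iterable, List

# Constructed copy of /usr/share/containers/selinux/contexts as quoted in the thread.
CONTEXTS_FILE = '''
process = "system_u:system_r:container_t:s0"
file = "system_u:object_r:container_file_t:s0"
ro_file="system_u:object_r:container_ro_file_t:s0"
kvm_process = "system_u:system_r:container_kvm_t:s0"
init_process = "system_u:system_r:container_init_t:s0"
engine_process = "system_u:system_r:container_engine_t:s0"
'''

# key = "label"; whitespace around '=' is optional (the real file mixes both styles).
LINE_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"$')


def parse_contexts(text: str) -> Dict[str, str]:
    """Parse the contexts file into {key: label}; blank lines and '#' comments are skipped."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a key = "label" entry: {raw!r}')
        entries[m.group(1)] = m.group(2)
    return entries


def label_type(label: str) -> str:
    """Return the type field of a user:role:type[:level] label."""
    parts = label.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux label: {label!r}")
    return parts[2]


def kernel_validates(label: str) -> bool:
    """Ask the running kernel whether the full label is valid under the loaded policy.
    Assumption: selinuxfs is mounted at /sys/fs/selinux. Writing to its 'context'
    node fails with an OSError for a label the policy does not know, and the open
    itself fails when SELinux is not available, which this also reports as False."""
    try:
        with open("/sys/fs/selinux/context", "w") as node:
            node.write(label)
        return True
    except OSError:
        return False


def invalid_entries(contexts: Dict[str, str], label_ok: Callable[[str], bool]) -> List[str]:
    """Keys whose label is rejected by label_ok(), sorted for stable output."""
    return sorted(key for key, label in contexts.items() if not label_ok(label))


def check_against_types(text: str, policy_types: Iterable[str]) -> List[str]:
    """Offline check of a contexts file against a known set of policy type names
    (for example the list printed by `seinfo -t` on the affected host)."""
    known = set(policy_types)
    return invalid_entries(parse_contexts(text), lambda label: label_type(label) in known)


# Constructed stand-in for a policy that, like refpolicy without the virt module,
# defines only part of the container_* type set.
SAMPLE_POLICY_TYPES = {"container_t", "container_file_t", "container_ro_file_t", "container_init_t"}

if __name__ == "__main__":
    entries = parse_contexts(CONTEXTS_FILE)
    for key in check_against_types(CONTEXTS_FILE, SAMPLE_POLICY_TYPES):
        print(f"{key}: type {label_type(entries[key])} is not defined in the sample policy")
    # Live check against the loaded policy; reports everything when SELinux is absent.
    rejected = invalid_entries(entries, kernel_validates)
    print("labels rejected by the running kernel:", ", ".join(rejected) or "none")
```

Run it on the affected host with the real contexts file and the offline check replaced by `kernel_validates` to see which of the labels podman would apply the loaded policy actually rejects; in the situation described in the issue, the process label's type is the one to look at first.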