podman: rootless `podman run` with :Z results into "relabel failed"

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I am mounting my cwd into rootless container using :Z and podman errors out with a message:

relabel failed "/home/tt/g/user-cont/packit": operation not permitted

The reason I am opening this issues is that it works fine for my colleague with the exactly same setup. Hence I am confused whether this is actually supposed to work or not. CC @jpopelka

$ ls -Z -d .
system_u:object_r:container_file_t:s0:c240,c746 .

$ podman run --rm -ti -v $PWD:/src:Z fedora:29 bash
relabel failed "/home/tt/g/user-cont/packit": operation not permitted

$ podman run --rm -ti -v $PWD:/src fedora:29 bash
[root@ea90caf155f2 /]# exit

Output of podman version:

Version:       1.0.0
Go Version:    go1.11.4
Git Commit:    "49780a1cf10d572edc4e1ea3b8a8429ce391d47d"
Built:         Mon Jan 14 21:38:17 2019
OS/Arch:       linux/amd64

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 19 (19 by maintainers)

Most upvoted comments

Thanks, Dan! That command finally helped me to resolve it: the problem was that there were files/dirs owned by root down the road which I didn’t notice originally, hence the operation denied message.

Sorry for the fuss.

+5
TomasTomecek on Feb 27, 2019

Have you tried different directories? Could you try chcon -t container_file_t -R SOURCE outside of the container and see if it fails?

+1
rhatdan on Feb 24, 2019
Read more comments on GitHub
← podman: Rootless 'podman rm --force' fails with 'given PIDs did not die within timeout'
podman: Rootless podman using --device and --group-add keep-groups not working as expected →