podman: SELinux blocks bind mount with Docker Compose

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I have a service called db defined as follows in docker-compose.yml:

  db:
    image: mariadb:10.5
    environment:
      MYSQL_ROOT_PASSWORD: pass
      MYSQL_DATABASE: user
      MYSQL_USER: user
      MYSQL_PASSWORD: pass
    networks:
      - myapp_net
    ports:
      - 6603:3306
    volumes:
      - ./data/:/docker-entrypoint-initdb.d:Z
      - myapp_dbvol:/var/lib/mysql:Z
      - ./data/conf.d:/etc/mysql/conf.d:Z

Steps to reproduce the issue:

  1. Start podman.socket (systemctl --user start podman.socket)

  2. Start docker-compose in the directory where docker-compose.yml exists

Describe the results you received:

When starting docker-compose, backed by Podman, I get the following error:

db_1     |      mysqld: Can't read dir of '/etc/mysql/conf.d/' (Errcode: 13 "Permission denied")

Describe the results you expected:

/etc/mysql/conf.d is inside the container, and probably not on the host. So I don’t understand why SELinux does not like the container’s access to it. Currently, I have to setenforce 0 to work around this, but I wonder if there is a better solution.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

3.2.0

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers: []
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.29-1.el8.3.4.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 4
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: journald
  hostname: codezombie
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1002
      size: 1
    - container_id: 1
      host_id: 231072
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1002
      size: 1
    - container_id: 1
      host_id: 231072
      size: 65536
  kernel: 5.12.10-300.fc34.x86_64
  linkmode: dynamic
  memFree: 4007854080
  memTotal: 16671232000
  ociRuntime:
    name: crun
    package: crun-0.20.1-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.20.1
      commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1002/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc34.x86_64
    version: |-
      slirp4netns version 1.1.8+dev
      commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 16965951488
  swapTotal: 16965951488
  uptime: 31m 30.69s
registries:
  127.0.0.1:
    Blocked: false
    Insecure: true
    Location: 127.0.0.1
    MirrorByDigestOnly: false
    Mirrors: []
    Prefix: 127.0.0.1
  172.30.0.0/16:
    Blocked: false
    Insecure: true
    Location: 172.30.0.0/16
    MirrorByDigestOnly: false
    Mirrors: []
    Prefix: 172.30.0.0/16
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - quay.io
store:
  configFile: /home/mehdi/.config/containers/storage.conf
  containerStore:
    number: 11
    paused: 0
    running: 1
    stopped: 10
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.5.0-1.fc34.x86_64
      Version: |-
        fusermount3 version: 3.10.3
        fuse-overlayfs: version 1.5
        FUSE library version 3.10.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/mehdi/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 49
  runRoot: /run/user/1002/containers
  volumePath: /home/mehdi/.local/share/containers/storage/volumes
version:
  APIVersion: 3.2.0
  Built: 1623248656
  BuiltTime: Wed Jun  9 10:24:16 2021
  GitCommit: ""
  GoVersion: go1.16.3
  OsArch: linux/amd64
  Version: 3.2.0

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.2.0-5.fc34.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

No

Additional environment details (AWS, VirtualBox, physical, etc.):
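
As an added example (not part of this issue, nor code from the podman or compose projects), the following Python check parses compose short-syntax volume entries like the ones in the report, tells bind mounts apart from named volumes, and flags two things SELinux cares about: a bind mount with no z/Z relabel option, and a host directory that several services mount under a private Z label (Z gives each container its own MCS label, so a directory shared between containers needs lowercase z). The db service is the one from the report; the backup service and its paths are constructed for illustration.

```python
"""Check compose short-syntax volume entries for SELinux relabel options.

Added example, not part of the podman issue or of the compose project.
SAMPLE_SERVICES holds the db service from the report plus a constructed
"backup" service that shares one of its bind-mount sources.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Short-syntax option letters that make podman relabel the source directory.
RELABEL_OPTS = frozenset({"z", "Z"})


@dataclass
class VolumeSpec:
    source: Optional[str]        # None for an anonymous volume
    target: str
    options: Tuple[str, ...]

    def is_bind(self) -> bool:
        """Compose treats a source that looks like a path as a bind mount;
        anything else is a named volume that podman creates and labels itself."""
        return self.source is not None and self.source.startswith(("/", ".", "~"))

    def relabel(self) -> Optional[str]:
        """Return 'z' (shared label), 'Z' (private label) or None."""
        for opt in self.options:
            if opt in RELABEL_OPTS:
                return opt
        return None


def parse_volume_spec(spec: str) -> VolumeSpec:
    """Parse the compose short syntax [SOURCE:]TARGET[:OPTIONS] (Linux paths only)."""
    parts = spec.split(":")
    if len(parts) == 1:
        return VolumeSpec(None, parts[0], ())
    if len(parts) == 2:
        return VolumeSpec(parts[0], parts[1], ())
    if len(parts) == 3:
        opts = tuple(o for o in parts[2].split(",") if o)
        return VolumeSpec(parts[0], parts[1], opts)
    raise ValueError(f"unrecognised volume spec: {spec!r}")


def check_service_volumes(services: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (finding, service, raw_spec) tuples for every bind mount that
    lacks a relabel option or shares a source with another service under Z."""
    findings: List[Tuple[str, str, str]] = []
    binds: Dict[str, List[Tuple[str, VolumeSpec, str]]] = {}   # source -> users
    for service, specs in services.items():
        for raw in specs:
            spec = parse_volume_spec(raw)
            if not spec.is_bind():
                continue        # named volumes are labelled by podman already
            if spec.relabel() is None:
                findings.append(("missing-relabel", service, raw))
            binds.setdefault(spec.source.rstrip("/"), []).append((service, spec, raw))
    for users in binds.values():
        if len(users) < 2:
            continue
        for service, spec, raw in users:
            if spec.relabel() == "Z":
                findings.append(("private-label-shared", service, raw))
    return findings


SAMPLE_SERVICES = {
    # the db service from the report
    "db": [
        "./data/:/docker-entrypoint-initdb.d:Z",
        "myapp_dbvol:/var/lib/mysql:Z",
        "./data/conf.d:/etc/mysql/conf.d:Z",
    ],
    # constructed second service: shares ./data/conf.d and has an unlabelled mount
    "backup": [
        "./data/conf.d:/etc/mysql/conf.d:ro,Z",
        "./backups:/backups",
    ],
}

if __name__ == "__main__":
    for finding, service, raw in check_service_volumes(SAMPLE_SERVICES):
        print(f"{finding:22} {service:8} {raw}")
```

Run against the report's single db service the check is silent, which is consistent with the reporter having put :Z on every mount; the constructed backup service shows what the two findings look like.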

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 17 (8 by maintainers)

Most upvoted comments

That error has nothing to do with Podman, I would think. Could you show me the line in the docker-compose.yml? We might have a bug in our code.

Anyways, if you go to the directory on the host and do chcon -R -t container_file_t PATHTOHOSTDIR, it should solve your issue.

In my case, I solved a similar problem with host_volume/container_volume:z, with a lowercase z.

This AVC message is not related to the volume. It can probably be ignored. This looks like the iptables command was executed while sitting in a cgroup directory.
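
The comments above make three separate points: a host directory can be relabelled with chcon -R -t container_file_t, a directory shared between containers wants lowercase z rather than Z, and not every AVC denial that shows up while compose starts is about the volume at all. The following Python triage script is an added example (not part of this issue or of podman) that sorts audit.log AVC records into exactly those buckets: it parses the key=value fields, splits the source and target SELinux contexts, and decides whether the denied object is under a known bind-mount source and, if so, whether the problem is a non-container type on the host directory or an MCS category mismatch from another container's private Z label. The audit lines and the host paths in SAMPLE_AUDIT and SAMPLE_BIND_SOURCES are constructed to mirror the report, not taken from the reporter's machine.

```python
"""Triage SELinux AVC denials seen while running a compose stack under podman.

Added example, not part of the podman issue or project. The audit records and
host paths below are constructed: a mysqld denial on conf.d with a host label,
the same denial against another container's private label, and an iptables
denial in a cgroup directory that has nothing to do with the volume.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# File types a container_t process is allowed to use.
CONTAINER_FILE_TYPES = frozenset({"container_file_t", "container_ro_file_t"})

# Verdict -> remediation, following the suggestions made in the thread.
REMEDIATION = {
    "host-label": "host dir is not labelled for containers: add :z/:Z to the mount "
                  "or run chcon -R -t container_file_t on it",
    "mcs-mismatch": "dir carries another container's private (:Z) label; "
                    "use :z when more than one container mounts it",
    "volume-other": "labelled for containers but still denied; check ro/rw and tclass",
    "not-volume": "target is not a mounted host dir; unrelated to the volume",
}

# Constructed audit.log records (not captured from the reporter's host).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1623250000.123:456): avc:  denied  { read } for  pid=12345 '
    'comm="mysqld" name="conf.d" dev="dm-0" ino=1048577 '
    'scontext=system_u:system_r:container_t:s0:c57,c102 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1623250001.456:457): avc:  denied  { read } for  pid=12346 '
    'comm="mysqld" name="conf.d" dev="dm-0" ino=1048577 '
    'scontext=system_u:system_r:container_t:s0:c57,c102 '
    'tcontext=system_u:object_r:container_file_t:s0:c233,c560 tclass=dir permissive=0',
    'type=AVC msg=audit(1623250002.789:458): avc:  denied  { search } for  pid=12347 '
    'comm="iptables" name="cgroup" dev="cgroup2" ino=1 '
    'scontext=system_u:system_r:container_t:s0:c57,c102 '
    'tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0',
]
# Constructed absolute host paths of the compose bind mounts.
SAMPLE_BIND_SOURCES = ["/home/user/app/data", "/home/user/app/data/conf.d"]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Extract permissions and key=value fields from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def split_context(ctx: str) -> Tuple[str, str, str, str]:
    """Split user:role:type:level; the level itself may contain ':' (s0:c1,c2)."""
    parts = ctx.split(":", 3)
    while len(parts) < 4:
        parts.append("")
    return parts[0], parts[1], parts[2], parts[3]


def classify_denial(avc: Dict[str, object], bind_sources: Sequence[str]) -> str:
    """Decide whether a denial concerns a bind-mounted host dir and, if so, why."""
    sources = [s.rstrip("/") for s in bind_sources]
    basenames = {s.rsplit("/", 1)[-1] for s in sources}
    path = str(avc.get("path", ""))
    name = str(avc.get("name", ""))
    on_volume = any(path.startswith(s) for s in sources) or name in basenames
    if not on_volume:
        return "not-volume"
    _, _, _, slevel = split_context(str(avc["scontext"]))
    _, _, ttype, tlevel = split_context(str(avc["tcontext"]))
    if ttype not in CONTAINER_FILE_TYPES:
        return "host-label"
    # :z labels end in plain s0; :Z adds categories that only one container holds.
    if tlevel != slevel and tlevel != "s0":
        return "mcs-mismatch"
    return "volume-other"


def triage(lines: Sequence[str], bind_sources: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, comm, name) for every AVC record in the input."""
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        out.append((classify_denial(avc, bind_sources), str(avc.get("comm", "")), str(avc.get("name", ""))))
    return out


if __name__ == "__main__":
    for verdict, comm, name in triage(SAMPLE_AUDIT, SAMPLE_BIND_SOURCES):
        print(f"{comm:10} {name:10} {verdict:14} {REMEDIATION[verdict]}")
```

In practice the bind_sources list comes from the compose file's volume entries resolved against the project directory, and the input is the output of ausearch -m AVC or the raw /var/log/audit/audit.log; the script only decides which denials are worth acting on and which, like the iptables one in the last comment, can be set aside.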