SELinux prevents rootless container from using passed device #15930
Comments
have you tried running
This works! Wow, thank you! Am I blind or is this option really hidden? I have been searching the web for podman + devices and even that exact SELinux option name for quite a while now and nothing close to this comes up. TIL new stuff about SELinux 🥳
We should add this information to the podman run and podman create man page, to make this more discoverable.
Fixes: containers#15930 Signed-off-by: Daniel J Walsh <[email protected]>
I have a block device on the host. I can see it and read/write to it in the container, but a process in the container wants to chown the device node. How do I assign the user and group ownership to the device inside the container, so that the process would not need to issue a chown? It currently shows as
Using podman on Oracle Linux 9.2, set up like https://www.redhat.com/sysadmin/files-devices-podman. Not sure I understand this paragraph from the article; is that the cause for user nobody? Should I instead use the "If you use the --group-add keep-groups call, you cannot set other groups within the container. Instead, the container can only inherit the parent's groups. The reason for this is that Podman requires the setgroups call to set additional groups within the container, and this would lose access to the parent's groups. Giuseppe Scrivano has proposed two patches to allow setgroups in this situation. This approach is still under discussion. Giuseppe has also opened an issue with the runtime-spec to make this a formal part of the specification and get it into other oci-runtimes like runc, but it also has not merged yet."
My goal is to run the unsupported el9 feature of a qemu macOS guest, and instead of recompiling I am thinking of running a Fedora qemu+libvirt (which can emulate Apple) inside a container, also an unsupported el9 libvirt/qemu feature (but it seems to work in Red Hat OpenShift Virtualization; how do they do it there? Is it a privileged container?)
You can't unless the actual UID/GID is mapped in the user namespace via the /etc/subuid and /etc/subgid files.
/kind bug
Description
Unable to use a device I pass to my rootless container due to SELinux denying it.
Steps to reproduce the issue:
Make sure my device is accessible by my non-root user with udev rules. Here I make sure I own the device, to rule out issues related to the mapping of groups discussed in most other threads about passing devices to containers.
Pass the device to a container and try to access it there (I get the exact same error with --group-add keep-groups added):
Check the SELinux audit log:
Try the same thing with SELinux disabled:
Describe the results you received:
SELinux blocking access to devices I own inside containers.
Describe the results you expected:
To be able to have SELinux enabled and access the hardware device inside a rootless container that my non-root user owns and can use without a problem outside of the container.
Additional information you deem important:
I found a similar but closed issue. I added some earlier findings there first, but since it seems old and dead, I created this new issue instead: #9706 (comment).
I found this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1770553. It talks about:
Which I traced down to containers/container-selinux@v2.174.0...v2.175.0. Does podman make use of the new container_use_devices in any way? Is that the issue, or is this a red herring completely?
Output of podman version:
Output of podman info:
Package info (e.g. output of rpm -q podman or apt list podman):
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
Yes. I have tried with podman 4.2.0, and the latest as of writing this is 4.2.1. But the changelog for 4.2.1 does not mention devices or SELinux.
The troubleshooting guide talks about devices in questions 20 and 35. Neither seems to be SELinux related or helps here.
Additional environment details (AWS, VirtualBox, physical, etc.):
Physical PC
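Added triage helper for the situation in this thread (example code, not from the issue or the podman project): it scans audit records for AVC denials that the container_t domain hit on a device node and, if it finds any, prints the persistent change to the container_use_devices boolean the reporter mentions. The audit lines are constructed, since the issue's own output is not on the page, and using setsebool -P to set that boolean is an assumption about the remedy, as the exact command in the reply above is not on the page either.

```shell
#!/bin/sh
# Added triage helper (not from the issue): find SELinux AVC denials that a
# container domain hit on a device node and print the boolean-based remedy.
# Assumption: the remedy is the container_use_devices boolean from
# container-selinux, set persistently with setsebool -P.

# Constructed sample records; the issue's real audit output is not on the page.
# Record 1: a rootless container (container_t) denied read/write on a USB serial
# device. Record 2: a denial on a directory, which this boolean does not cover.
SAMPLE_AUDIT='type=AVC msg=audit(1663000000.000:123): avc:  denied  { read write } for  pid=4242 comm="cat" name="ttyUSB0" dev="devtmpfs" ino=777 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1663000001.000:124): avc:  denied  { write } for  pid=4243 comm="touch" name="etc" dev="vda1" ino=2 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1663000000.000:123): arch=c000003e syscall=257 success=no exit=-13'

# Read audit records on stdin; for each AVC denial whose source is container_t
# and whose target is a device node, print "<comm> <tclass> <target type> <perms>".
device_denials() {
  awk '
    /^type=AVC / && /avc: +denied/ && /scontext=[^ ]*:container_t:/ {
      cls = ""; tctx = ""; comm = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^tclass=/)   { cls  = substr($i, 8) }
        if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
      }
      # only character/block device nodes; other classes need other policy
      if (cls != "chr_file" && cls != "blk_file") next
      perms = ""
      if (match($0, /[{][^}]*[}]/)) {      # requested permissions: "{ read write }"
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        sub(/^ +/, "", perms); sub(/ +$/, "", perms)
      }
      split(tctx, ctx, ":")                # user:role:type:level, type is ctx[3]
      printf "%s %s %s %s\n", comm, cls, ctx[3], perms
    }'
}

# If any such denial is present, print the persistent boolean change.
suggest_fix() {
  if [ -n "$(device_denials)" ]; then
    echo 'setsebool -P container_use_devices=true'
  fi
}

printf '%s\n' "$SAMPLE_AUDIT" | device_denials   # cat chr_file usb_device_t read write
printf '%s\n' "$SAMPLE_AUDIT" | suggest_fix
```

On a real host, feed it the output of ausearch -m avc -ts recent, or /var/log/audit/audit.log, instead of the constructed sample.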