In my previous post on volumes with podman, I touched on SELinux but I think it’s worthy of its own post to work through some details.
If your host has SELinux enabled, then container processes are confined to the system_u:system_r:container_t:s0 domain. Volumes you pass to podman will need to have appropriate labels, otherwise the container won't be able to access the volume, no matter what the filesystem permissions are.
When running rootless containers (as your non-root user), files in your home directory will probably have the context of unconfined_u:object_r:data_home_t:s0, however the context that is required for container volumes is
Fortunately, container volumes which podman creates at runtime will have the appropriate context set automatically. However, for host-dir volumes podman will not change the context by default; you will need to tell it to.
Let’s spin up a busybox container without setting the SELinux context and note that the container is not able to access the host-dir volume.
I’m sure there are lots of howtos on the Internet for this, but…
Say you are running a web server like nginx and your log files are in a non-standard location. You may have problems starting the service because SELinux is blocking nginx from reading or writing to the files.
You can set the context of these files so that nginx will be happy:
[user@server ~]$ sudo chcon -Rv --type=httpd_log_t /srv/mydomain.com/logs/
That's only temporary, however: the original context will be restored if you run restorecon or relabel your filesystem.
So you can do this permanently using the semanage command, like so:
[user@server ~]$ sudo semanage fcontext -a -t httpd_log_t "/srv/mydomain.com/logs(/.*)?"
Now you can use the standard SELinux restorecon command to restore the correct label, and it will use the new one you set above.
[user@server ~]$ sudo restorecon -rv /srv/
Unfortunately an update to the SELinux policy package in Fedora 20 (and therefore Korora 20) caused RPM scriptlets to fail when updating packages.
This bug only affects systems that have SELinux mode set to enforcing (which is the default) and were updated to version 3.12.1-116 of the selinux-policy package. If you have seen the following sort of error when updating packages, then this bug may affect you:
warning: %post(libkcompactdisc-4.12.1-1.fc20.x86_64) scriptlet failed, exit status 127
Non-fatal POSTIN scriptlet failure in rpm package libkcompactdisc-4.12.1-1.fc20.x86_64
Below are the commands to resolve this issue (which has been fixed in an updated 3.12.1-117 version of selinux-policy).
sudo setenforce 0
sudo yum clean expire-cache
sudo yum update selinux-policy\*
sudo setenforce 1
The first command disables SELinux enforcement for the current session and the subsequent commands expire the yum cache and install the SELinux policy update which fixes this issue. The last command re-enables SELinux enforcement.
If you previously installed any packages which failed with scriptlet errors like the one above, you can reinstall them using the following command:
sudo yum reinstall
You can find out what packages were installed after the broken update using a command like this:
sudo sed '1,/selinux-policy-3.12.1-116/d' /var/log/yum.log
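As an added example (not from the original post), the same log filtering as a small script: it reads a constructed yum.log, lists every package Installed or Updated after the selinux-policy-3.12.1-116 entry, and builds the yum reinstall line from that list. The log contents are made up for illustration; the selinux-policy packages themselves are skipped since they are the fix rather than the packages that need reinstalling.

```shell
#!/bin/sh
# Added example: find which packages yum recorded after the broken
# selinux-policy-3.12.1-116 update, so they can be handed to
# "yum reinstall" once the fixed policy is installed.

# Each yum.log line looks like "Mon DD HH:MM:SS Action: name-ver-rel.arch".
# Print the name-version-release.arch of every package Installed or Updated
# after the broken policy update, skipping the selinux-policy packages.
pkgs_after_broken_update() {
    sed '1,/selinux-policy-3.12.1-116/d' "$1" \
        | awk '($4 == "Installed:" || $4 == "Updated:") && $5 !~ /^selinux-policy-/ { print $5 }'
}

# Build the reinstall command line from that list (printed, not executed).
reinstall_cmd() {
    pkgs=$(pkgs_after_broken_update "$1" | tr '\n' ' ')
    printf 'sudo yum reinstall %s\n' "${pkgs% }"
}

# Constructed sample log in the yum.log format, not a real system's log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 20 09:00:01 Updated: bash-4.2.45-4.fc20.x86_64
Jan 20 09:30:12 Updated: selinux-policy-3.12.1-116.fc20.noarch
Jan 20 09:30:13 Updated: selinux-policy-targeted-3.12.1-116.fc20.noarch
Jan 20 09:31:02 Installed: libkcompactdisc-4.12.1-1.fc20.x86_64
Jan 20 09:31:03 Erased: old-plugin-1.0-1.fc20.x86_64
Jan 20 09:31:04 Updated: kdemultimedia-4.12.1-1.fc20.x86_64
Jan 21 08:00:00 Updated: selinux-policy-3.12.1-117.fc20.noarch
EOF

pkgs_after_broken_update "$SAMPLE_LOG"
reinstall_cmd "$SAMPLE_LOG"
```

Point the functions at /var/log/yum.log instead of the sample file to use it on a real Fedora 20 or Korora 20 system.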
If you require any assistance please don't hesitate to ask for help using Engage or jump onto the #korora channel on the freenode.net IRC servers.