I have a clean install of RL9 and installed Podman.
As a non-root user (although sudo powers) I tried to start the Podman socket via the cockpit console. SELinux was flooded with errors:
SELinux is preventing /usr/bin/podman from create access on the file labeled etc_t.
SELinux is preventing /usr/bin/rpm from setattr access on the file rpmdb.sqlite-wal.
SELinux is preventing /usr/bin/podman from getattr access on the sock_file /run/podman/podman.sock.
SELinux is preventing /usr/bin/podman from read access on the file system.journal.
SELinux is preventing /usr/bin/podman from map access on the file /run/log/journal/45e3664c7d634182a97fbf7c7a666028/system.journal.
SELinux is preventing /usr/bin/podman from watch access on the directory /run/log/journal.
Is this intentional? Obviously, Podman doesnāt start.
Any hints on how to deal with this?
Please show the exact podman command that you used instead of just the results. It helps to see all information for anyone to be able to assist as we are unable to guess.
- Clean install of RL9
sudo dnf install podman cockpit-podman- opened the cockpit dashboard and went to the Pdoman Containers page
- Clicked āStart podmanā
I didnāt use cli but clicked āstart Podmanā on the cockpit-podman page.
If Iām not mistaken, it starts the podman.socket.
Itās running with SELinux disbled, which is obviously not what I want.
Did you disable selinux via /etc/selinux/config or did you just use setenforce temporarily to put in permissive mode? Or put it in permissive by editing /etc/selinux/config?
Ideally via ssh and get to root access and then do:
systemctl stop podman.socket
setenforce 1
systemctl start podman.socket
if it fails, take a look at /var/log/audit/audit.log and see if anything then shows up. You can also do:
audit2why -a /var/log/audit/audit.log
and this should print out what has happened and what remedy needs to be taken to get selinux to allow it to work.
type=AVC msg=audit(1658414107.681:233): avc: denied { read } for pid=7964 comm="podman" name="journal" dev="tmpfs" ino=65 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1658414107.801:234): avc: denied { quotamod } for pid=7964 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1658414107.816:235): avc: denied { create } for pid=7964 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1658414107.819:236): avc: denied { create } for pid=7964 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
The list goes on and on because the service tries to restart.
Itās always missing type information, for net.d and journal andā¦
OK, so we can now allow it. First you can do:
audit2allow -a /var/log/audit/audit.log
this will generate a smaller amount of text with the type enforcement rules that would allow it to run/work. Then we generate a module:
audit2allow -a /var/log/audit/audit.log -M podman
this will generate you a file called podman.pp, and we can then apply this with:
semodule -i podman.pp
then it should work with selinux enabled.
1 Like
Of course your solution worked. Thank you!
But allow me to make a remark that in RL8, this wasnāt needed. I understand many things changed for the better and this is (for me) something unexpected.
Iām happy it works now though.
1 Like
The solutions allows to correctly start the service, but on the cockpit podman page you canāt do anything with each container cause SELinux is blocking all the commands.
For exemple when I want to start a container or if I want to see the logs I get errors and these logs appears on SELinux page:
That means you need to run the same commands as in the solution to allow the remaining problems that selinux is blocking.
The combination of audit2why, audit2allow, semodule allow you to fix selinux problems. Thatās what the tools are there for. So any subsequent blockages also need to be allowed.
Thank you, I will try.
For fun I also tried with the latest CentOs version and everything work out of the box. Also in the previous version of RockyLinux everything worked out of the box.
Block that service is a specific choice or a ābugā?
Sorry for the question but I was courious of this different behaviour.
Thank you again.
Bear in mind CentOS Stream is not the same thing. The only real thing to compare with would be to install RHEL9 and see if the same problems exist. Chances are it may do, in which case a bug report most likely exists for it and would be fixed in due course.
2 Likes
Sorry, itās me again. I had the opportunity to try RHEL9 with a developer subscription and a fresh install (like I did with Rocky). Everything seems to work out of the box.
The podman service correctly start and you can use the cockpit page to manage the system container without errors and SELinux logs.
Iām a newbie with Linux so if you need some other informations let me know. I also see there is already a bug report here on the RockyLinux section (0000147: Rocky Linux 9 Podmanę ę³ęååÆåØ - Rocky BugTracker).
Thank you and best.
