RL9: SELinux errors when starting Podman socket

I have a clean install of RL9 and installed Podman.
As a non-root user (although sudo powers) I tried to start the Podman socket via the cockpit console. SELinux was flooded with errors:

    SELinux is preventing /usr/bin/podman from create access on the file labeled etc_t.
    SELinux is preventing /usr/bin/rpm from setattr access on the file rpmdb.sqlite-wal.
    SELinux is preventing /usr/bin/podman from getattr access on the sock_file /run/podman/podman.sock.
    SELinux is preventing /usr/bin/podman from read access on the file system.journal.
    SELinux is preventing /usr/bin/podman from map access on the file /run/log/journal/45e3664c7d634182a97fbf7c7a666028/system.journal.
    SELinux is preventing /usr/bin/podman from watch access on the directory /run/log/journal.

Is this intentional? Obviously, Podman doesn’t start.
Any hints on how to deal with this?

Please show the exact podman command that you used instead of just the results. It helps to see all information for anyone to be able to assist as we are unable to guess.

  • Clean install of RL9
  • sudo dnf install podman cockpit-podman
  • opened the cockpit dashboard and went to the Podman Containers page
  • Clicked “Start podman”

I didn’t use cli but clicked “start Podman” on the cockpit-podman page.


If I’m not mistaken, it starts the podman.socket.

It’s running with SELinux disabled, which is obviously not what I want.

Did you disable selinux via /etc/selinux/config or did you just use setenforce temporarily to put in permissive mode? Or put it in permissive by editing /etc/selinux/config?

Ideally, via ssh, get to root access and then do:

systemctl stop podman.socket
setenforce 1
systemctl start podman.socket

if it fails, take a look at /var/log/audit/audit.log and see if anything then shows up. You can also do:

audit2why -a /var/log/audit/audit.log

and this should print out what has happened and what remedy needs to be taken to get selinux to allow it to work.

type=AVC msg=audit(1658414107.681:233): avc:  denied  { read } for  pid=7964 comm="podman" name="journal" dev="tmpfs" ino=65 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1658414107.801:234): avc:  denied  { quotamod } for  pid=7964 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1658414107.816:235): avc:  denied  { create } for  pid=7964 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1658414107.819:236): avc:  denied  { create } for  pid=7964 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

The list goes on and on because the service tries to restart.

It’s always missing type information, for net.d and journal and…

OK, so we can now allow it. First you can do:

audit2allow -a /var/log/audit/audit.log

this will generate a smaller amount of text with the type enforcement rules that would allow it to run/work. Then we generate a module:

audit2allow -a /var/log/audit/audit.log -M podman

this will generate you a file called podman.pp, and we can then apply this with:

semodule -i podman.pp

then it should work with selinux enabled.
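The audit2why / audit2allow / semodule workflow above, and the note further down that every subsequent blockage has to be allowed the same way, both hinge on one thing: the rules audit2allow generates are only as narrow as the denials that were logged, so the .te output is worth reading before running semodule -i. The script below is an added example, not part of this thread or of the audit2allow tooling. It parses the AVC records quoted above (embedded here as constructed sample input, plus one made-up SYSCALL record to show non-AVC lines being skipped), aggregates them into the allow rules audit2allow would emit, and flags any rule that would grant write-like access to a generic label such as etc_t, which usually means the path is mislabeled and should be relabeled rather than allowed. The GENERIC_TYPES and WRITE_PERMS sets are the author's own review heuristics, not something audit2allow does.

```python
"""Summarise SELinux AVC denials into audit2allow-style TE allow rules so a
generated module can be reviewed before `semodule -i`.

Added example; not from the forum thread and not part of audit2allow.
Sample records below are copied from the denials posted in the thread
(the SYSCALL line is constructed to show that non-AVC records are skipped).
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1658414107.681:233): avc:  denied  { read } for  pid=7964 comm="podman" name="journal" dev="tmpfs" ino=65 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1658414107.801:234): avc:  denied  { quotamod } for  pid=7964 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1658414107.816:235): avc:  denied  { create } for  pid=7964 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1658414107.819:236): avc:  denied  { create } for  pid=7964 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1658414107.819:236): arch=c000003e syscall=83 success=no exit=-13 comm="podman"
"""

# One AVC record: "{ perm perm }" ... comm="x" ... scontext= tcontext= tclass=
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Review heuristics (author's assumption, not audit2allow behaviour): generic
# labels that normally indicate a mislabeled path, and permissions that modify.
GENERIC_TYPES = {"etc_t", "var_t", "usr_t", "var_run_t", "tmp_t", "var_lib_t"}
WRITE_PERMS = {"write", "create", "append", "unlink", "rename", "setattr",
               "rmdir", "add_name", "remove_name"}


def type_of(context):
    """Extract the type field from user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "comm": m["comm"],
            "source": type_of(m["scontext"]),
            "target": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": frozenset(m["perms"].split()),
        })
    return denials


def summarize(denials):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return dict(rules)


def render_te(rules, module="podman"):
    """Render rules in the style of an audit2allow-generated .te file."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};"
              for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def flag_for_review(rules):
    """Rules granting write-like access to a generic label: relabel first."""
    flagged = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        risky = perms & WRITE_PERMS
        if tgt in GENERIC_TYPES and risky:
            flagged.append((src, tgt, cls, tuple(sorted(risky))))
    return flagged


if __name__ == "__main__":
    rules = summarize(parse_avc(SAMPLE_AUDIT_LOG))
    print(render_te(rules))
    for src, tgt, cls, perms in flag_for_review(rules):
        print(f"REVIEW: allow {src} {tgt}:{cls} {perms} targets a generic label;"
              " check the path's context (ls -Z) before loading the module")

```

Run it against a real log with `parse_avc(open("/var/log/audit/audit.log").read())` as root. The flagged rule in the sample (container_runtime_t creating a directory in etc_t) is the kind of entry where a practitioner would check the label of the directory being created before accepting an allow rule that applies to every etc_t directory on the system.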


Of course your solution worked. Thank you!

But allow me to make a remark that in RL8, this wasn’t needed. I understand many things changed for the better and this is (for me) something unexpected.

I’m happy it works now though.


The solution allows the service to start correctly, but on the cockpit podman page you can’t do anything with each container because SELinux is blocking all the commands.

For example, when I want to start a container or if I want to see the logs I get errors and these logs appear on the SELinux page:

That means you need to run the same commands as in the solution to allow the remaining problems that selinux is blocking.

The combination of audit2why, audit2allow, semodule allow you to fix selinux problems. That’s what the tools are there for. So any subsequent blockages also need to be allowed.

Thank you, I will try.

For fun I also tried with the latest CentOS version and everything works out of the box. Also in the previous version of Rocky Linux everything worked out of the box.
Is blocking that service a specific choice or a “bug”?

Sorry for the question but I was curious about this different behaviour.
Thank you again.

Bear in mind CentOS Stream is not the same thing. The only real thing to compare with would be to install RHEL9 and see if the same problems exist. Chances are it may do, in which case a bug report most likely exists for it and would be fixed in due course.


Sorry, it’s me again. I had the opportunity to try RHEL9 with a developer subscription and a fresh install (like I did with Rocky). Everything seems to work out of the box.
The podman service starts correctly and you can use the cockpit page to manage the system containers without errors or SELinux logs.
I’m a newbie with Linux, so if you need some other information let me know. I also see there is already a bug report here in the Rocky Linux section (0000147: Rocky Linux 9 Podman无法成功启动 - Rocky BugTracker).

Thank you and best.