SELinux & Podman Permissions Error

I’m having some permission issues between RL9 and my custom container OS (RL9-based); any help would be appreciated.

Backstory

This container is one of several in a sequence of specialized container builds. For the container design, I took inspiration from RHEL ubi9 containers, but for reasons that RL patrons may appreciate, I built my container from RL9 with buildah from scratch, aptly calling my containers “rbi9.” Life has been good, until I hit this image file permissions snag.

Host Stack: x86_64, RL v9.1, Podman v4.2, Buildah v1.27.3, Podman Compose v1.0.3

Container Stack: RL v9, Systemd -v250, Nginx v1.20.1, MariaDB v10.5.16, PHP v4.0.27

Note: anything in the description below that is contained within <> brackets has been intentionally omitted.

Issue at Hand

The web server acts as expected, except when I try to load images (perhaps other media) into the page; then the container reports in …/nginx/error.log:

..<system deets and url of image>... failed (13:Permission denied) ...<client & host details>

When viewing the file permissions as root from within the container, via podman exec, I get the following output:

ls: cannot access '/var/www/html/images/<image_file_name>.jpg': permission denied 
total 0 
-????????? ? ? ? ?                      ?  <image_file_name>.jpg

Answering the Obvious First

  1. This is a very new build with minor changes from the default settings.
  2. In the container-compose.yml all pertinent volumes are mounted with the appended :z option. Not sure that it matters, but the host OS is on XFS and all the persistent containers files are on ZFS pool/volumes.
  3. I’ve reviewed the nginx mime.type, nginx.conf, etc. and those are solid.
  4. nginx is configured for user ‘nginx’.
  5. No, I don’t want to use any of the “off the shelf” solutions. This is an exercise in being a control freak.

I can post the pertinent info from any files or logs as needed, please just advise. Any troubleshooting thoughts on this issue would be helpful.

Thanks,
shimmy

Lesson learned: RTFLs

Shortly after the original post, I discovered an SELinux error relating to the aforementioned non-permissive file. After a bit of research on ‘big brother’s’ website, I was able to follow a workaround posted there. To fix the problem I had to update my config for SELinux to permissive, then set SELinux to relabel the entire filesystem with touch /.autorelabel, and then reboot. This caused my system to restart twice, and in between everything was relabeled.

After that, I followed the suggested resolution from the SELinux error in journalctl and all was good to go. It’s also worth noting that all this information was in the cockpit interface, but I hardly use that… but perhaps that will change.

I lost a full day of productivity due to troubleshooting this issue; about an hour of work is all it took from the time that I read the f.*g logs and all was good again.

Leaving this posted just in case anyone else has a similar issue; however, the mods are welcome to take it down.
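As an added example, not part of shimmy's posts, here is a small POSIX shell helper for reading the AVC record that journalctl or ausearch shows for a denial like the one in this thread: it pulls out the process, the denied permission, and the source and target SELinux types, and tells you whether the target file carries the label a Podman :z volume should have. The AVC record, the path and the contexts in it are constructed for the example, not taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the original thread): parse an SELinux AVC denial
# record and check whether the denied file is labelled for container access.

# Constructed sample record (not from the poster's system); the path, device,
# inode and contexts are made up to look like the nginx denial in the post.
SAMPLE_AVC='type=AVC msg=audit(1675000000.123:456): avc:  denied  { getattr } for  pid=1234 comm="nginx" path="/var/www/html/images/photo.jpg" dev="zd0" ino=789 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY=value in the record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms RECORD -> the permission(s) listed between the braces, e.g. getattr
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# selinux_type CONTEXT -> the type field (third colon-separated part)
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# volume_label_ok RECORD -> 0 if the target file is labelled for container use,
# 1 if it carries another type and the volume needs relabelling (mount with
# :z/:Z, or a filesystem relabel such as the /.autorelabel the poster used)
volume_label_ok() {
    ttype=$(selinux_type "$(avc_field "$1" tcontext)")
    case "$ttype" in
        container_file_t|container_ro_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# explain RECORD -> one-line summary: who was denied what, on which labels
explain() {
    printf '%s denied %s on %s (source type %s, target type %s)\n' \
        "$(avc_field "$1" comm)" "$(avc_perms "$1")" "$(avc_field "$1" path)" \
        "$(selinux_type "$(avc_field "$1" scontext)")" \
        "$(selinux_type "$(avc_field "$1" tcontext)")"
}

explain "$SAMPLE_AVC"
if volume_label_ok "$SAMPLE_AVC"; then
    echo "target label is fine; look at DAC mode/owner or the nginx config instead"
else
    echo "target is not container_file_t: mount the volume with :z/:Z or relabel it"
fi
```

Feed it a real record with something like `ausearch -m AVC -ts recent` on the host; a target type of default_t or unlabeled_t on a bind-mounted directory is the labelling problem this thread ran into.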