[Bug 1186158] New: SElinux is blocking socket access for podman
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158

Bug ID: 1186158
Summary: SElinux is blocking socket access for podman
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: openSUSE MicroOS
Status: NEW
Severity: Normal
Priority: P5 - None
Component: MicroOS
Assignee: kubic-bugs@opensuse.org
Reporter: gm.venekamp@quicknet.nl
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

test-vm:~ # head -2 /etc/os-release
NAME="openSUSE MicroOS"
# VERSION="20210515"

When starting a container (as root) like traefik, I get the following error:

test-vm:~ # podman run -p 8080:8080 -p 80:80 -v /etc/traefik/traefik.yml:/etc/traefik/traefik.yml -v /var/run/podman/podman.sock:/var/run/docker.sock traefik:v2.0
time="2021-05-18T06:46:37Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yml"
time="2021-05-18T06:46:38Z" level=error msg="Failed to retrieve information of the docker client and server host: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version: dial unix /var/run/docker.sock: connect: permission denied" providerName=docker

This is what /var/log/audit/audit.log tells me:

type=AVC msg=audit(1621319586.484:965): avc: denied { connectto } for pid=1785 comm="traefik" path="/run/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c741,c830 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1

test-vm:~ # ll -Z /var/run/podman/podman.sock
srw-rw----. 1 root root system_u:object_r:var_run_t:s0 0 May 18 08:46 /var/run/podman/podman.sock

Am I doing anything wrong?

-- You are receiving this mail because: You are the assignee for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c1
--- Comment #1 from G.M. Venekamp
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c2
--- Comment #2 from G.M. Venekamp
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c3
--- Comment #3 from Thorsten Kukuk
Using podman 3.2.0 and starting the docker API as a regular user, i.e. systemctl --user start podman, yields the same issue: SELinux forbids reading /run/user/1000/podman/podman.sock. The socket is readable from outside a container, but from the inside SELinux is preventing access to it.

That's exactly what SELinux should do and is designed for, so everything is working. Accessing the podman.sock from inside a container is really dangerous security wise. If you really need that, you need to learn SELinux and adjust the policy for your use case (or look if somebody has already a solution documented somewhere). But we will not allow this by default.
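Added example, not code from the bug thread or from podman: a small Python scanner that pulls exactly this class of AVC record out of an audit log, so an operator can alert on a confined container domain (container_t) reaching the runtime's control socket (container_runtime_t) instead of only noticing it when an application fails. The sample log is constructed; its first record reproduces the denial from the report, the other two are made-up filler.

```python
import re

# Constructed sample audit log. The first record reproduces the denial quoted
# in the bug report; the other two are made up here for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1621319586.484:965): avc: denied { connectto } for pid=1785 comm="traefik" path="/run/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c741,c830 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1621319600.100:970): avc: denied { read } for pid=1800 comm="nginx" name="index.html" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1621319586.484:965): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+"
                    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value quoted or bare

def sel_type(context):
    """Type component of an SELinux context, e.g. container_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc(line):
    """Parse one audit line into a dict; None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: q or b for k, q, b in FIELD_RE.findall(m.group("rest"))}
    rec.update(serial=int(m.group("serial")), result=m.group("result"),
               perms=frozenset(m.group("perms").split()))
    return rec

def is_container_to_runtime_socket(rec):
    """A confined container domain connecting to the container runtime's socket."""
    return ("connectto" in rec["perms"]
            and sel_type(rec.get("scontext", "")) == "container_t"
            and sel_type(rec.get("tcontext", "")) == "container_runtime_t"
            and rec.get("tclass") == "unix_stream_socket")

def scan(log_text):
    """One finding per matching denial; 'enforced' is False when the AVC carries
    permissive=1, i.e. the access was logged but not blocked."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and is_container_to_runtime_socket(rec):
            findings.append({"serial": rec["serial"], "pid": rec.get("pid"),
                             "comm": rec.get("comm"), "path": rec.get("path"),
                             "enforced": rec.get("permissive") == "0"})
    return findings
```

The `enforced` flag is derived from the record's `permissive=` field, so a finding also tells you whether the policy actually blocked the connect or merely logged it.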
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c4
--- Comment #4 from G.M. Venekamp
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c5
--- Comment #5 from G.M. Venekamp
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c8
--- Comment #8 from G.M. Venekamp
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c10
--- Comment #10 from G.M. Venekamp
http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c11
--- Comment #11 from G.M. Venekamp