Comment # 1 on bug 1186158 from
Running containers like traefik fail on MicroOS due to SELinux. I am running:

# head -2 /etc/os-release 
NAME="openSUSE MicroOS"
# VERSION="20210520"

as of this morning, and I am seeing the following SELinux denials (AVC records) in
/var/log/audit/audit.log:

type=AVC msg=audit(1621669323.589:1091): avc:  denied  { read write } for 
pid=4872 comm="entrypoint.sh" path="/dev/null" dev="tmpfs" ino=5
scontext=system_u:
system_r:container_t:s0:c587,c659
tcontext=system_u:object_r:container_file_t:s0:c587,c659 tclass=chr_file
permissive=1
type=AVC msg=audit(1621669323.593:1092): avc:  denied  { open } for  pid=4872
comm="entrypoint.sh" path="/dev/null" dev="tmpfs" ino=5
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:object_r:container_file_t:s0:c587,c659 tclass=chr_file
permissive=1
type=AVC msg=audit(1621669323.613:1093): avc:  denied  { read } for  pid=4885
comm="traefik" name="hpage_pmd_size" dev="sysfs" ino=3207
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1621669323.613:1094): avc:  denied  { open } for  pid=4885
comm="traefik" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"
dev="sysfs" ino=3207 scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1621669323.701:1095): avc:  denied  { create } for  pid=4885
comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=netlink_route_socket
permissive=1
type=AVC msg=audit(1621669323.701:1096): avc:  denied  { bind } for  pid=4885
comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=netlink_route_socket
permissive=1
type=AVC msg=audit(1621669323.701:1097): avc:  denied  { nlmsg_read } for 
pid=4885 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=netlink_route_socket
permissive=1
type=AVC msg=audit(1621669323.701:1098): avc:  denied  { getattr } for 
pid=4885 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=netlink_route_socket
permissive=1
type=AVC msg=audit(1621669323.777:1099): avc:  denied  { create } for  pid=4872
comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket
permissive=1
type=AVC msg=audit(1621669323.777:1100): avc:  denied  { setopt } for  pid=4872
comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket
permissive=1
type=AVC msg=audit(1621669323.777:1101): avc:  denied  { bind } for  pid=4872
comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket
permissive=1
type=AVC msg=audit(1621669323.777:1102): avc:  denied  { node_bind } for 
pid=4872 comm="traefik" saddr=::1
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1103): avc:  denied  { name_bind } for 
pid=4872 comm="traefik" src=80
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1104): avc:  denied  { net_bind_service } for
 pid=4872 comm="traefik" capability=10 
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=capability
permissive=1
type=AVC msg=audit(1621669323.777:1105): avc:  denied  { listen } for  pid=4872
comm="traefik" lport=80 scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket
permissive=1
type=AVC msg=audit(1621669323.777:1106): avc:  denied  { getattr } for 
pid=4872 comm="traefik" lport=80
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket
permissive=1
type=AVC msg=audit(1621669323.777:1107): avc:  denied  { accept } for  pid=4872
comm="traefik" lport=443 scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket
permissive=1
type=AVC msg=audit(1621669323.781:1108): avc:  denied  { watch } for  pid=4872
comm="traefik" path="/etc/traefik" dev="overlay" ino=93
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1621669323.781:1109): avc:  denied  { write } for  pid=4872
comm="traefik" name="podman.sock" dev="tmpfs" ino=1239
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1621669323.781:1110): avc:  denied  { connectto } for 
pid=4872 comm="traefik" path="/run/podman/podman.sock"
scontext=system_u:system_r:container_t:s0:c587,c659
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket
permissive=1
type=SERVICE_START msg=audit(1621669323.805:1111): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=podman comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

