Running containers like traefik fail on MicroOS due to SELinux.

I am running:

# head -2 /etc/os-release
NAME="openSUSE MicroOS"
# VERSION="20210520"

as of this morning, and I am seeing the following SELinux denials in /var/log/audit/audit.log (every AVC record below carries permissive=1, so these accesses were logged rather than blocked when the log was captured):

type=AVC msg=audit(1621669323.589:1091): avc: denied { read write } for pid=4872 comm="entrypoint.sh" path="/dev/null" dev="tmpfs" ino=5 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:object_r:container_file_t:s0:c587,c659 tclass=chr_file permissive=1
type=AVC msg=audit(1621669323.593:1092): avc: denied { open } for pid=4872 comm="entrypoint.sh" path="/dev/null" dev="tmpfs" ino=5 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:object_r:container_file_t:s0:c587,c659 tclass=chr_file permissive=1
type=AVC msg=audit(1621669323.613:1093): avc: denied { read } for pid=4885 comm="traefik" name="hpage_pmd_size" dev="sysfs" ino=3207 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1621669323.613:1094): avc: denied { open } for pid=4885 comm="traefik" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=3207 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1621669323.701:1095): avc: denied { create } for pid=4885 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1621669323.701:1096): avc: denied { bind } for pid=4885 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1621669323.701:1097): avc: denied { nlmsg_read } for pid=4885 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1621669323.701:1098): avc: denied { getattr } for pid=4885 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1621669323.777:1099): avc: denied { create } for pid=4872 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1100): avc: denied { setopt } for pid=4872 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1101): avc: denied { bind } for pid=4872 comm="traefik" scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1102): avc: denied { node_bind } for pid=4872 comm="traefik" saddr=::1 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1103): avc: denied { name_bind } for pid=4872 comm="traefik" src=80 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1104): avc: denied { net_bind_service } for pid=4872 comm="traefik" capability=10 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=capability permissive=1
type=AVC msg=audit(1621669323.777:1105): avc: denied { listen } for pid=4872 comm="traefik" lport=80 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1106): avc: denied { getattr } for pid=4872 comm="traefik" lport=80 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.777:1107): avc: denied { accept } for pid=4872 comm="traefik" lport=443 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:container_t:s0:c587,c659 tclass=tcp_socket permissive=1
type=AVC msg=audit(1621669323.781:1108): avc: denied { watch } for pid=4872 comm="traefik" path="/etc/traefik" dev="overlay" ino=93 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1621669323.781:1109): avc: denied { write } for pid=4872 comm="traefik" name="podman.sock" dev="tmpfs" ino=1239 scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1621669323.781:1110): avc: denied { connectto } for pid=4872 comm="traefik" path="/run/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c587,c659 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1621669323.805:1111): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=podman comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'