http://bugzilla.opensuse.org/show_bug.cgi?id=1186158

http://bugzilla.opensuse.org/show_bug.cgi?id=1186158#c11

--- Comment #11 from G.M. Venekamp <gm.venekamp@quicknet.nl> ---
I have created a new VM and installed MicroOS (20220401) in it. Chose the container platform version of MicroOS and left SELinux on 'enforce'.

Started podman as non-root like so:

    systemctl --user enable --now podman.socket

I think you should use socket here and not service, but in reality it amounts to the same I think.

Next I started traefik like this:

    podman run \
      --restart=always \
      --memory=1024m \
      --memory-reservation=512m \
      --network=container-net \
      --volume /run/user/1000/podman/podman.sock:/var/run/podman.sock:ro,z \
      --volume /home/gerben/containers/traefik/rootfs/etc/traefik:/etc/traefik:Z \
      --publish 8080:80 \
      --publish 8443:443 \
      --name traefik \
      traefik:v2.5.6

Once started I can see a number of the following messages:

    time="2022-04-04T12:02:19Z" level=debug msg="FIXME: Got an status-code for which error does not match any expected type!!!: -1" module=api status_code=-1
    time="2022-04-04T12:02:19Z" level=error msg="Failed to retrieve information of the docker client and server host: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/podman.sock: Get \"http://%2Fvar%2Frun%2Fpodman.sock/v1.24/version\": dial unix /var/run/podman.sock: connect: permission denied" providerName=docker

Checking the audit log with 'ausearch -m AVC' yields a number of the following messages:

    type=AVC msg=audit(1649064605.263:115): avc: denied { connectto } for pid=1582 comm="traefik" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c140,c679 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Telling me SELinux is blocking access to the file.

After having set SELinux to permissive (setenforce 0) and starting the traefik container as above, I do not see any of those permission denied messages. Of course I see the following message in the audit log now:

    type=AVC msg=audit(1649098620.131:640): avc: denied { connectto } for pid=7640 comm="traefik" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c535,c853 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

The traefik dashboard will show up regardless of having access to the socket or not. Traefik uses the docker API to check if there are containers it should proxy for. When starting a container you can use labels to pass info to traefik. Traefik needs the docker API to be able to read those labels. There is no need for Traefik to use the Docker API for displaying its own dashboard.
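
Added example (not part of the original comment, and not code from podman, Traefik or openSUSE): a small Python parser for the two AVC records quoted in the comment, showing which domain was denied which permission on which target type, and whether the denial was enforced (permissive=0) or only logged (permissive=1). The function names are hypothetical; the sample lines are copied from the comment.

```python
import re

# The two AVC records quoted in the comment, copied verbatim.
SAMPLE = [
    'type=AVC msg=audit(1649064605.263:115): avc: denied { connectto } for pid=1582 comm="traefik" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c140,c679 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1649098620.131:640): avc: denied { connectto } for pid=7640 comm="traefik" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c535,c853 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type:level; the MLS/MCS level can itself
        # contain ':' (e.g. s0:c140,c679), so split at most three times.
        _user, _role, typ, level = rec[side].split(':', 3)
        rec[side + '_type'] = typ
        rec[side + '_level'] = level
    # permissive=1 means the record was logged but the access went through.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec


def summarize(lines):
    """One tuple per denial: (comm, source type, perms, target type, class, effect)."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        effect = 'blocked' if rec['enforced'] else 'logged only'
        out.append((rec['comm'], rec['scontext_type'], ','.join(rec['perms']),
                    rec['tcontext_type'], rec['tclass'], effect))
    return out


if __name__ == '__main__':
    for row in summarize(SAMPLE):
        print('%s: %s -> { %s } -> %s (%s): %s' % row)
```

Both records show the same rule being hit: a process in `container_t` asking for `connectto` on a `unix_stream_socket` owned by `container_runtime_t`. Only the first was actually blocked.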