Comment # 11 on bug 1186158 from
I have created a new VM and installed MicroOS (20220401) in it. I chose the
container platform version of MicroOS and left SELinux on 'enforce'. I started
podman as non-root like so:

systemctl --user enable --now podman.socket

I think you should use socket here and not service, but in reality it amounts to
the same I think.

Next I started traefik like this:

podman run \
  --restart=always \
  --memory=1024m \
  --memory-reservation=512m \
  --network=container-net \
  --volume /run/user/1000/podman/podman.sock:/var/run/podman.sock:ro,z \
  --volume /home/gerben/containers/traefik/rootfs/etc/traefik:/etc/traefik:Z \
  --publish 8080:80 \
  --publish 8443:443 \
  --name traefik \
  traefik:v2.5.6

Once started I can see a number of the following messages:

time="2022-04-04T12:02:19Z" level=debug msg="FIXME: Got an status-code for
which error does not match any expected type!!!: -1" module=api status_code=-1
time="2022-04-04T12:02:19Z" level=error msg="Failed to retrieve information of
the docker client and server host: Got permission denied while trying to
connect to the Docker daemon socket at unix:///var/run/podman.sock: Get
\"http://%2Fvar%2Frun%2Fpodman.sock/v1.24/version\": dial unix
/var/run/podman.sock: connect: permission denied" providerName=docker

Checking the audit log with 'ausearch -m AVC' yields a number of the following
messages:

type=AVC msg=audit(1649064605.263:115): avc:  denied  { connectto } for 
pid=1582 comm="traefik" path="/run/user/1000/podman/podman.sock"
scontext=system_u:system_r:container_t:s0:c140,c679
tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
tclass=unix_stream_socket permissive=0

Telling me SELinux is blocking access to the file.

After having set SELinux to permissive (setenforce 0) and starting the
traefik container as above, I do not see any of those permission denied
messages. Of course I see the following message in the audit log now:

type=AVC msg=audit(1649098620.131:640): avc:  denied  { connectto } for 
pid=7640 comm="traefik" path="/run/user/1000/podman/podman.sock"
scontext=system_u:system_r:container_t:s0:c535,c853
tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
tclass=unix_stream_socket permissive=1


The traefik dashboard will show up regardless of having access to the socket or
not. Traefik uses the docker API to check if there are containers it should
proxy for. When starting a container you can use labels to pass info to
traefik. Traefik needs the docker API to be able to read those labels. There is
no need for Traefik to use the Docker API for displaying its own dashboard.

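An added example, not part of the bug report and not code from podman or traefik: it parses AVC records like the two quoted above and flags the container_t to container_runtime_t connectto denial on podman.sock, distinguishing a denial that was enforced (permissive=0) from one that was only logged after setenforce 0 (permissive=1). The sample records are constructed from the lines in this comment.

```python
import re

# Constructed sample: the two AVC records quoted in the comment above, one from
# enforcing mode (permissive=0) and one taken after `setenforce 0` (permissive=1).
SAMPLE_AVC = """\
type=AVC msg=audit(1649064605.263:115): avc:  denied  { connectto } for  pid=1582 comm="traefik" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c140,c679 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1649098620.131:640): avc:  denied  { connectto } for  pid=7640 comm="traefik" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c535,c853 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
"""

PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def selinux_type(context):
    """Type component of a user:role:type:level SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one AVC record into a dict; non-AVC records return None."""
    m = PERM_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "pid": int(kv["pid"]),
        "comm": kv.get("comm", ""),
        "path": kv.get("path"),
        "stype": selinux_type(kv["scontext"]),
        "ttype": selinux_type(kv["tcontext"]),
        "tclass": kv["tclass"],
        # permissive=1 means the denial was only logged and the access went through
        "permissive": kv.get("permissive") == "1",
    }

def container_socket_denials(log):
    """Flag records where a container_t process was denied connectto on a
    unix_stream_socket labelled container_runtime_t (the podman.sock case above)."""
    findings = []
    for rec in map(parse_avc, log.splitlines()):
        if rec is None or rec["result"] != "denied":
            continue
        if (rec["stype"] == "container_t" and rec["ttype"] == "container_runtime_t"
                and rec["tclass"] == "unix_stream_socket" and "connectto" in rec["perms"]):
            findings.append({"pid": rec["pid"], "comm": rec["comm"],
                             "path": rec["path"], "enforced": not rec["permissive"]})
    return findings
```

Feed it the output of `ausearch -m AVC` to see whether a mount of the runtime socket is actually being blocked or only logged.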