podman with pasta (passt) fails with apparmor

https://bugzilla.opensuse.org/show_bug.cgi?id=1221840

On Sun, Apr 7, 2024 at 1:46 AM Berthold Höllmann <berthold-tumbleweed@höllmanns.de> wrote:

I had some podman containers run with the 4.* version, but after
upgrading to podman 5.0.1 they fail to start.

,----
| > podman run hello
| Error: pasta failed with exit code 1:
| Couldn't open network namespace /run/user/1000/netns/netns-254f2095-273b-04d1-9b6f-af01071a4f4e: Permission denied
`----

The problem seems to be related to the usage of pasta with the new
podman:

,----
| > pasta
| Could not open /proc/self/uid_map: Permission denied
| Couldn't configure user mappings
| Couldn't mount /proc: Permission denied
| Failed to join network namespace: Permission denied
| Could not open /proc/sys/net/ipv4/ping_group_range: Permission denied
| Cannot set ping_group_range, ICMP requests might fail
`----

I suspect apparmor of causing these permission problems, but am
helpless on how to solve this.