Podman is unable to start container with SELinux (sd-bus call permission error)

Here is the command I am using to start the container:

podman run -d --name busybox-top -v ./src:/dest:Z busybox top

Error:

Error: sd-bus call: Permission denied: OCI permission denied

I do not have a .config/ directory in my user home directory (the user is not root).

I do have .local/share/containers with:

drwx------. 10 jn jn 4096 Oct  8 22:16 .
drwx------.  3 jn jn 4096 Oct  8 19:42 ..
drwx------.  2 jn jn 4096 Oct  8 22:16 cache
drwx------.  2 jn jn 4096 Oct  8 19:42 libpod
drwx------.  2 jn jn 4096 Oct  8 19:42 mounts
drwx------.  9 jn jn 4096 Oct  9 17:39 overlay
drwx------.  6 jn jn 4096 Oct  9 17:39 overlay-containers
drwx------.  4 jn jn 4096 Oct  9 07:23 overlay-images
drwx------.  2 jn jn 4096 Oct  9 17:39 overlay-layers
-rw-r--r--.  1 jn jn   64 Oct  9 17:40 storage.lock
drwx------.  2 jn jn 4096 Oct  8 19:42 tmp
-rw-r--r--.  1 jn jn    0 Oct  8 19:42 userns.lock

The output of ls -la /run/user/1000/ is:

total 0
drwx------. 10 jn   jn   220 Oct  9 17:39 .
drwxr-xr-x.  4 root root  80 Oct  9 15:42 ..
srw-rw-rw-.  1 jn   jn     0 Oct  9 15:40 bus
drwx------.  2 jn   jn    40 Oct  9 15:46 containers
drwx------.  2 jn   jn    40 Oct  9 17:39 crun
drwx------.  3 jn   jn    60 Oct  9 15:46 dbus-1
drwx------.  2 jn   jn   140 Oct  9 15:40 gnupg
drwx-----T.  2 jn   jn    40 Oct  9 15:46 libpod
drwxr-xr-x.  2 jn   jn    40 Oct  9 17:39 netns
drwxr-xr-x.  2 jn   jn    60 Oct  9 15:40 podman
drwxr-xr-x.  4 jn   jn   120 Oct  9 15:40 systemd

lsb info:

No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

systemd:

systemd 247 (247.3-7+deb11u1)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

podman version 3.0.1

SELinux status:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Uname:

uname -v
#1 SMP Debian 5.10.140-1 (2022-09-02)

$XDG_RUNTIME_DIR is empty. But my user seems to be using /run/user/1000/.

I log in to my user account with this command: su --login jn

I also used this in the past: loginctl enable-linger 1000 to resolve some other issue.

UPDATE

Output of cat /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

I am wondering if this has something to do with:

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
sddm                 xdm                  s0-s0                *

In the Red Hat documentation I don't see sddm but I do see system_u.

Maybe I need to map systemd's users to the SELinux user system_u or even user_u.

Podman info:

host:
  arch: amd64
  buildahVersion: 1.19.6
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 1
  distribution:
    distribution: debian
    version: "11"
  eventLogger: journald
  hostname: localhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.0-18-amd64
  linkmode: dynamic
  memFree: 1513025536
  memTotal: 2079420416
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.4.0
  swapFree: 536866816
  swapTotal: 536866816
  uptime: 14h 57m 56.81s (Approximately 0.58 days)
registries:
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
store:
  configFile: /home/jn/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 0
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: 'fuse-overlayfs: /usr/bin/fuse-overlayfs'
      Version: |-
        fusermount3 version: 3.10.3
        fuse-overlayfs: version 1.4
        FUSE library version 3.10.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/jn/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 2
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /home/jn/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.15.15
  OsArch: linux/amd64
  Version: 3.0.1

From journalctl:

Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="podman run --rm -d --name busybox-top -v ./src:/dest:Z busybox top" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost podman[4755]: 2022-10-10 07:10:54.68733996 +0000 UTC m=+0.044280381 container create 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99 (image=docker.io/library/busybox:latest, name=busybox-top)
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="podman run --rm -d --name busybox-top -v ./src:/dest:Z busybox top" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="/usr/bin/crun --systemd-cgroup --log-format=json --log /tmp/podman-run-1000/containers/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata/oci-log create --bundle /home/jn/.local/share/containers/storage/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata --pid-file /tmp/podman-run-1000/containers/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata/pidfile 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="/usr/bin/podman --root /home/jn/.local/share/containers/storage --runroot /tmp/podman-run-1000/containers --log-level warning --cgroup-manager systemd --tmpdir /tmp/run-1000/libpod/tmp --runtime crun --storage-driver overlay --storage-opt overlay.mount_program=/usr/bin/fuse-overlayfs --events-backend journald container cleanup --rm 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost podman[4778]: 2022-10-10 07:10:54.76797772 +0000 UTC m=+0.047471111 container remove 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99 (image=docker.io/library/busybox:latest, name=busybox-top)

UPDATE 2

$XDG_RUNTIME_DIR:

jn@localhost:~$ echo $XDG_RUNTIME_DIR
/run/user/1000

$DBUS_SESSION_BUS_ADDRESS:

jn@localhost:~$ echo $DBUS_SESSION_BUS_ADDRESS
unix:path=/run/user/1000/bus

jn@localhost:/run/user/1000$ ls -Zl
total 0
srw-rw-rw-. 1 jn jn unconfined_u:object_r:session_dbusd_runtime_t:s0   0 Oct 10 18:21 bus
drwx------. 2 jn jn unconfined_u:object_r:user_tmp_t:s0               40 Oct 10 18:25 containers
drwx------. 3 jn jn unconfined_u:object_r:user_tmp_t:s0               60 Oct 10 21:49 crun
drwx------. 3 jn jn unconfined_u:object_r:user_tmp_t:s0               60 Oct 10 18:25 dbus-1
drwx------. 2 jn jn unconfined_u:object_r:gpg_runtime_t:s0           140 Oct 10 18:21 gnupg
drwx-----T. 2 jn jn unconfined_u:object_r:user_tmp_t:s0               40 Oct 10 18:25 libpod
drwxr-xr-x. 2 jn jn unconfined_u:object_r:user_tmp_t:s0               60 Oct 10 21:49 netns
drwxr-xr-x. 2 jn jn unconfined_u:object_r:user_tmp_t:s0               60 Oct 10 18:21 podman
drwxr-xr-x. 5 jn jn unconfined_u:object_r:systemd_user_runtime_t:s0  140 Oct 10 20:53 systemd

Maybe I need to give Podman access to the label: session_dbusd_runtime_t or even systemd_user_runtime_t?
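An added triage helper, not part of the question and not Podman's own code, that parses the userspace AVC lines the systemd user manager writes to the journal (the format shown above) and pulls out what matters for this denial: which process reported it, the class and permission, the calling binary, and whether the source and target MLS ranges differ. The sample journal text is constructed from the question's lines with the cmdlines shortened.

```python
import re
from collections import Counter

# Constructed sample, modelled on the journald lines in the question (cmdlines shortened).
SAMPLE_JOURNAL = """\
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="podman run --rm -d --name busybox-top -v ./src:/dest:Z busybox top" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost podman[4755]: 2022-10-10 07:10:54.68733996 +0000 UTC m=+0.044280381 container create 78193de9 (image=docker.io/library/busybox:latest, name=busybox-top)
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="/usr/bin/crun --systemd-cgroup create --bundle /home/jn/.local/share/containers/storage/overlay-containers/78193de9/userdata 78193de9" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
"""

# systemd's own (userspace) AVC format: "<unit>[pid]: selinux: avc:  denied  { perms } for ... scontext= tcontext= tclass= permissive="
AVC_RE = re.compile(
    r'(?P<unit>\S+)\[(?P<pid>\d+)\]: selinux: avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?cmdline="(?P<cmdline>[^"]*)"\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

def split_context(ctx):
    """user:role:type:range -> dict; the range part is absent on non-MLS policies."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) > 3 else ""}

def parse_avc(journal_text):
    """Return one record per AVC line; other journal lines (e.g. podman events) are skipped."""
    records = []
    for line in journal_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = split_context(m["scontext"]), split_context(m["tcontext"])
        records.append({
            "reporter": f'{m["unit"]}[{m["pid"]}]',   # the user manager did the check, not the kernel
            "perms": m["perms"].split(),
            "tclass": m["tclass"],
            "blocked": m["result"] == "denied" and m["permissive"] == "0",
            "caller": m["cmdline"].split(" ", 1)[0],  # binary that asked systemd to start the unit
            "source_type": src["type"],
            "target_type": tgt["type"],
            "range_mismatch": src["range"] != tgt["range"],  # s0 vs s0-s0:c0.c1023 in the crun line
        })
    return records

def summarize(records):
    """Count enforced denials per (class, permission, source type, target type)."""
    return Counter((r["tclass"], p, r["source_type"], r["target_type"])
                   for r in records if r["blocked"] for p in r["perms"])
```

Running it over the real journal (journalctl --user -o cat, for instance) shows at a glance that every denial is the same (system, start) check on unconfined_t by the user manager, which is what separates this from an ordinary file-label problem.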

Comments:

ErikSjölund: Instead of `su --login jn` use `machinectl shell jn@`

ErikSjölund: Quote: _The answer is that sudo and su do not create a login session._ from https://www.redhat.com/sysadmin/sudo-rootless-podman

jnbdz: @ErikSjölund I just tried but I still get the same error: `Error: sd-bus call: Permission denied: OCI permission denied`

ErikSjölund: I'm running out of ideas.

jnbdz: @ErikSjölund me too. I have been trying a bunch of things. I know it's SELinux blocking it because when SELinux is set to permissive it works. But I want to run my containers with SELinux. Maybe it's my Linux distribution that is the issue. It's hard to say. Is there any other information that you would like to have to be able to help me?

jnbdz: I was wondering if my issue could be similar to this one: https://serverfault.com/questions/1006417/selinux-blocking-execution-in-systemd-unit Maybe I need to run it somewhere special?

jnbdz: @ErikSjölund it seems to be a Debian-specific issue. I tried it on Rocky OS and everything works. Debian is not set correctly or something.