
Trying to run any pods on Podman fails, after an SELinux relabeling

    $ podman run -ti alpine
    Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: No error information
    Error relocating /bin/sh: RELRO protection failed: No error information

And you have moved your ~/.local/share/containers elsewhere, linking there:

    $ ls -l ~/.local/share/containers
    lrwxrwxrwx. 1 asdf asdf 32 Oct 13  2022 /home/asdf/.local/share/containers -> /x/y/z/containers/

In the audit logs, an AVC alert will be logged.


Root cause

SELinux's semanage fcontext database deals with realpaths [1]. If you moved your ~/.local/share/containers elsewhere (in my case, to manage disk space) and created a link to it, then when restorecon runs it will reset its labels to whatever the real location corresponds to (most probably default_t).

You can check that with [2]:

    ls -Z ~/.local/share/containers/storage/overlay{,-images,-layers} | less

The files should have an SELinux context of container_ro_file_t. You'll be able to see the original semanage fcontext rules with the following command:

    # semanage fcontext -l | grep container | grep storage
    /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?          all files  unconfined_u:object_r:container_ro_file_t:s0
    /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?   all files  unconfined_u:object_r:container_ro_file_t:s0
    /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?   all files  unconfined_u:object_r:container_ro_file_t:s0
    /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?         all files  unconfined_u:object_r:container_ro_file_t:s0
    /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?  all files  unconfined_u:object_r:container_ro_file_t:s0
    /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?  all files  unconfined_u:object_r:container_ro_file_t:s0
    /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*       all files  unconfined_u:object_r:container_file_t:s0

Fix

You'll have to copy and adapt each of the rules to your environment. For example, for the first line above:

    semanage fcontext -a -t container_ro_file_t '/x/y/z/containers/storage/overlay(/.*)?'

Of course, replace /x/y/z with your environment's location and execute the command for each of the original rules. Make sure to use your system's original rules as the source of truth, as they may differ from mine.

Pay attention that the volumes line is slightly different from the rest.

Once all rules are in place, run restorecon:

    restorecon -Rv /x/y/z/containers/

I'm not sure whether this is the best or most correct way to go about this, and it may not be supported. But creating that link in the first place is already a deviation, in any case. And it did work for me :)

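The procedure in the answer above, automated as an added example (this is not part of the original answer and not a tool shipped with SELinux or Podman): instead of retyping each rule by hand, the script reads lines in `semanage fcontext -l` format, keeps only the rules whose regex starts with the stock `/home/[^/]+/\.local/share/containers/storage` prefix, and prints the matching `semanage fcontext -a -t TYPE 'REGEX'` command with the prefix swapped for the new real path. The regex suffix and the type are carried over unchanged, so the differently shaped volumes rule (`container_file_t`, `/[^/]*/.*`) needs no special handling. It assumes the hypothetical `/x/y/z/containers` location from the question (override with `NEW_ROOT`), and the embedded sample rules are constructed from the output quoted in the answer so the dry run works offline.

```shell
#!/bin/sh
# Added example (not from the original answer): generate the semanage
# fcontext rules for a relocated rootless container storage directory by
# rewriting the stock /home/[^/]+/\.local/share/containers rules.
#
# Assumption (hypothetical path from the question): the real directory now
# lives at /x/y/z/containers. Override with NEW_ROOT=... in the environment.
NEW_ROOT="${NEW_ROOT:-/x/y/z/containers}"

# Constructed sample of `semanage fcontext -l | grep container | grep storage`,
# copied from the rules quoted in the answer, so the dry run works offline.
# A real run (--apply) reads the live policy instead.
SAMPLE_RULES='/home/[^/]+/\.local/share/containers/storage/overlay(/.*)?          all files  unconfined_u:object_r:container_ro_file_t:s0
/home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?   all files  unconfined_u:object_r:container_ro_file_t:s0
/home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?   all files  unconfined_u:object_r:container_ro_file_t:s0
/home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?         all files  unconfined_u:object_r:container_ro_file_t:s0
/home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?  all files  unconfined_u:object_r:container_ro_file_t:s0
/home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?  all files  unconfined_u:object_r:container_ro_file_t:s0
/home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*       all files  unconfined_u:object_r:container_file_t:s0'

# rewrite_rules NEW_ROOT
#   stdin:  lines in `semanage fcontext -l` format (regex, file type, context)
#   stdout: one `semanage fcontext -a -t TYPE 'REGEX'` command per rule whose
#           regex starts with the stock container storage prefix. The suffix
#           of the regex and the SELinux type are carried over unchanged.
rewrite_rules() {
    awk -v new_root="$1" '
        NF >= 3 {
            regex = $1
            prefix = "/home/[^/]+/\\.local/share/containers"
            # literal prefix match (index() is a substring search, not a regex)
            if (index(regex, prefix "/storage") != 1) next
            split($NF, ctx, ":")           # user:role:type:level
            type = ctx[3]
            path = new_root substr(regex, length(prefix) + 1)
            printf "semanage fcontext -a -t %s \047%s\047\n", type, path
        }'
}

# rule_count NEW_ROOT: number of commands generated from the sample rules.
rule_count() {
    printf '%s\n' "$SAMPLE_RULES" | rewrite_rules "$1" | grep -c .
}

if [ "${1:-}" = "--apply" ]; then
    # Real run (as root): read the live policy, add the rules, then relabel
    # the new location exactly as the answer does.
    semanage fcontext -l | rewrite_rules "$NEW_ROOT" | sh -e
    restorecon -Rv "$NEW_ROOT"
else
    # Dry run: print the commands that would be added for the sample rules.
    printf '%s\n' "$SAMPLE_RULES" | rewrite_rules "$NEW_ROOT"
fi
```

Run it without arguments to see the seven commands it would issue for the sample; review them against your own `semanage fcontext -l` output before running `--apply` as root, since the stock rules on your system are the source of truth. Afterwards `ls -Z` on the new location should show `container_ro_file_t` on the overlay directories and `container_file_t` under volumes.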


The posted response (by caxcaxcoatl) is on point.

I found perhaps a more straightforward solution for this:

    for item in $(ls -Z ~/.local/share/containers/storage/overlay{,-images,-layers} | grep home | sed 's/://g')
    do
        sudo restorecon -Rv "${item}"
    done
