Podman doesn't work with SELinux disabled #234

Open
sjpb opened this issue Nov 1, 2022 · 0 comments
Comments

@sjpb (Collaborator)
sjpb commented Nov 1, 2022

Fails on this, which is the first podman command. Output from the same shell command:

```
# sudo -u podman podman system reset --force
ERRO[0000] running `/bin/newuidmap 86262 0 1002 1 1 231072 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot setup namespace using "/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1
```

On a system with SELinux disabled:

```
# getcap /usr/bin/newuidmap /usr/bin/newgidmap
#
```

On a system with SELinux in permissive mode (appliance default):

```
[root@demo-control rocky]# getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/newgidmap cap_setgid=ep
```

The fix on the SELinux-disabled system is to run:

```
# chmod 4755 /usr/bin/newgidmap
# chmod 4755 /usr/bin/newuidmap
```

Probably this role should check whether those files have either setuid or filecaps, and set the former if selinux=disabled. The logic needs some care though.

Relevant thread: containers/podman#2788
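
The check sketched in the comment above, written out as an added example (this is not the role's code and not sjpb's script). It treats a helper as usable when it carries either the setuid bit or the matching file capability, which is the same pair of conditions podman names in its error, and only falls back to the `chmod 4755` workaround in `fix` mode when SELinux is disabled. Assumptions: the helpers live at `/usr/bin/newuidmap` and `/usr/bin/newgidmap`, and `getcap` (libcap) and `getenforce` are installed; without `getcap` file capabilities are treated as absent.

```sh
#!/bin/sh
# Added example (not the role's own code, not sjpb's): decide whether
# newuidmap/newgidmap can write uid_map/gid_map for rootless podman.
# Podman accepts either the setuid bit or a cap_setuid/cap_setgid file
# capability on the helper. Assumptions: the helpers live at the paths in
# main(), `getcap` (libcap) is installed, and `getenforce` is installed.

has_setuid() {
    # True if the setuid bit is set on $1 (what `chmod 4755` adds).
    [ -u "$1" ]
}

has_filecap() {
    # True if getcap reports capability $2 as permitted+effective on $1.
    # Old libcap prints "path = cap_setuid+ep", new libcap prints
    # "path cap_setuid=ep"; the regex accepts both spellings.
    # Without getcap installed, file capabilities are treated as absent.
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -qE "$2[+=]ep"
}

can_map_ids() {
    # $1 = helper path, $2 = capability it needs (cap_setuid or cap_setgid).
    # Mirrors podman's check: "should have setuid or have filecaps setuid".
    [ -x "$1" ] || return 1
    has_setuid "$1" || has_filecap "$1" "$2"
}

selinux_disabled() {
    # getenforce prints Enforcing, Permissive or Disabled. Without it,
    # an absent /sys/fs/selinux means the LSM is not active.
    if command -v getenforce >/dev/null 2>&1; then
        [ "$(getenforce)" = "Disabled" ]
    else
        [ ! -d /sys/fs/selinux ]
    fi
}

main() {
    # "check" only reports; "fix" applies the issue's workaround (chmod 4755)
    # when a helper lacks both mechanisms and SELinux is disabled.
    mode=${1:-check}
    rc=0
    for pair in /usr/bin/newuidmap:cap_setuid /usr/bin/newgidmap:cap_setgid; do
        path=${pair%%:*}
        cap=${pair##*:}
        if can_map_ids "$path" "$cap"; then
            echo "$path: ok (setuid bit or $cap file capability present)"
        elif [ "$mode" = fix ] && selinux_disabled; then
            echo "$path: no setuid bit and no $cap capability; applying chmod 4755"
            chmod 4755 "$path" || rc=1
        else
            echo "$path: no setuid bit and no $cap capability; rootless podman will fail"
            rc=1
        fi
    done
    return "$rc"
}

# Only run when invoked with an explicit mode, e.g. `sh check_idmap.sh check`.
case "${1:-}" in
    check|fix) main "$1" ;;
esac
```

Run it as root with `check` first; `fix` is the step that changes the filesystem. Two caveats worth keeping in mind before automating the `chmod`: a setuid-root bit hands the helper full root on every exec, whereas the `cap_setuid=ep` / `cap_setgid=ep` file capabilities shown on the permissive-mode system grant only the one capability each helper needs, so restoring the capabilities with `setcap` is the narrower repair when the filesystem allows it; and a filesystem mounted `nosuid` ignores both the setuid bit and file capabilities, so on such a mount the check passes while podman still fails.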
