Bug 1811876 - SELinux is preventing my container from mounting tmpfs
Summary: SELinux is preventing my container from mounting tmpfs
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-03-10 02:40 UTC by louisgtwo
Modified: 2020-03-10 12:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-10 12:39:55 UTC
Type: Bug
Embargoed:



Description louisgtwo 2020-03-10 02:40:26 UTC
I'm trying to set up a docker container pducharme/unifi-video-controller on Fedora 31. SELinux is preventing this container from mounting. With SELinux set to permissive the container runs fine.


time->Mon Mar  9 22:31:34 2020
type=AVC msg=audit(1583807494.146:39157): avc:  denied  { mount } for  pid=1744176 comm="mount" name="/" dev="tmpfs" ino=6140956 scontext=system_u:system_r:container_t:s0:c392,c980 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
----
time->Mon Mar  9 22:31:34 2020
type=AVC msg=audit(1583807494.146:39158): avc:  denied  { mount } for  pid=1744176 comm="mount" name="/" dev="tmpfs" ino=6140957 scontext=system_u:system_r:container_t:s0:c392,c980 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

Comment 1 Daniel Walsh 2020-03-10 12:39:55 UTC
The container must be attempting to execute a mount command?  This would be blocked by SELinux as well as by the CAP_SYS_ADMIN capability.
Most likely you would need to run this container without these protections.

podman run --security-opt label=disable --cap-add CAP_SYS_ADMIN ...
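
Before loosening a container's confinement as suggested above (label=disable removes SELinux labeling for that container, and CAP_SYS_ADMIN is a broad capability), it is worth confirming precisely what was denied. The following is an added example, not code from this bug report or from the selinux-policy project: a small parser for AVC records like the two in the description that extracts the source and target SELinux types, the object class and the requested permissions, summarizes repeated denials, and flags the pattern seen here (a container_t process denied mount on a filesystem). The audit text it parses is the report's own two AVC lines plus a constructed non-AVC record to show that other audit types are skipped; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two AVC records quoted in the bug description,
# followed by one made-up SYSCALL record to exercise the "skip non-AVC" path.
SAMPLE_AUDIT_LOG = """\
time->Mon Mar  9 22:31:34 2020
type=AVC msg=audit(1583807494.146:39157): avc:  denied  { mount } for  pid=1744176 comm="mount" name="/" dev="tmpfs" ino=6140956 scontext=system_u:system_r:container_t:s0:c392,c980 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
----
time->Mon Mar  9 22:31:34 2020
type=AVC msg=audit(1583807494.146:39158): avc:  denied  { mount } for  pid=1744176 comm="mount" name="/" dev="tmpfs" ino=6140957 scontext=system_u:system_r:container_t:s0:c392,c980 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1583807494.146:39158): arch=c000003e syscall=165 success=no exit=-13
"""

# "type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type:level SELinux context.

    The MCS level can itself contain colons (s0:c392,c980), so split at
    most three times from the left rather than on every colon.
    """
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record; return None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every AVC record in an audit log excerpt, ignoring the rest."""
    records = [parse_avc(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def summarize(records: List[Dict[str, object]]) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials per (source type, target type, class, permission)."""
    counts: Dict[Tuple[str, str, str, str], int] = {}
    for r in records:
        for perm in r["perms"]:
            key = (r["source_type"], r["target_type"], r["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


def is_container_mount_denial(rec: Dict[str, object]) -> bool:
    """True when a container_t process was denied a filesystem mount.

    As the maintainer's comment notes, such a mount is stopped by the SELinux
    policy (this AVC) and independently by the capability check, so relaxing
    only one of the two will not make it succeed.
    """
    return (
        rec["result"] == "denied"
        and rec["source_type"] == "container_t"
        and rec["tclass"] == "filesystem"
        and "mount" in rec["perms"]
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls, perm), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {src} -> {tgt}  class={cls} perm={perm}")
    for r in recs:
        if is_container_mount_denial(r):
            print(f"serial {r['serial']}: container mount denial "
                  f"(comm={r['fields'].get('comm')}, dev={r['fields'].get('dev')})")
```

Running the script on the sample prints a single summary row (two denials of mount from container_t on tmpfs_t, class filesystem) and flags both records. The summary output is the information needed to decide whether the container genuinely has to mount a filesystem at all, before choosing between the broad workaround above and a narrower change.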

