Description of problem:
running a podman command to run homeassistant on Fedora 34 IoT networking does not work.

Version-Release number of selected component (if applicable):
libselinux-3.2-1.fc34.aarch64
libselinux-utils-3.2-1.fc34.aarch64
rpm-plugin-selinux-4.16.1.3-1.fc34.aarch64
selinux-policy-34-1.fc34.noarch
selinux-policy-targeted-34-1.fc34.noarch
container-selinux-2.158.0-1.gite78ac4f.fc34.noarch
python3-libselinux-3.2-1.fc34.aarch64
podman-plugins-3.1.0-1.fc34.aarch64
podman-3.1.0-1.fc34.aarch64

How reproducible:

Steps to Reproduce:
on a fedora 34 IoT system run
1. podman run --init -d --name homeassistant --restart=unless-stopped -v /etc/localtime:/etc/localtime:ro -v /home/homeassistant:/config --network=host homeassistant/home-assistant:stable

Actual results:
the container does not work, after switching from enforcing to permissive mode I see

type=AVC msg=audit(1619112380.373:899666): avc: denied { write } for pid=552924 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.163:899668): avc: denied { write } for pid=552939 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.163:899669): avc: denied { add_name } for pid=552939 comm="python3" name="deps" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.163:899670): avc: denied { create } for pid=552939 comm="python3" name="deps" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112384.563:899672): avc: denied { create } for pid=552939 comm="python3" name="configuration.yaml" scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899673): avc: denied { write open } for pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.563:899674): avc: denied { ioctl } for pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112384.583:899675): avc: denied { read } for pid=552939 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112396.543:899676): avc: denied { write } for pid=553352 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899678): avc: denied { write } for pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112400.723:899680): avc: denied { read } for pid=553368 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899681): avc: denied { open } for pid=553368 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112400.723:899682): avc: denied { ioctl } for pid=553368 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.263:899683): avc: denied { add_name } for pid=553368 comm="python3" name="home-assistant_v2.db" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112402.263:899684): avc: denied { create } for pid=553368 comm="python3" name="home-assistant_v2.db" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.263:899685): avc: denied { write } for pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.283:899686): avc: denied { lock } for pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.283:899687): avc: denied { setattr } for pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.293:899688): avc: denied { remove_name } for pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112402.293:899689): avc: denied { unlink } for pid=553368 comm="python3" name="home-assistant_v2.db-journal" dev="mmcblk0p3" ino=259901 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112402.303:899690): avc: denied { map } for pid=553368 comm="python3" path="/config/home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259902 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112404.593:899691): avc: denied { create } for pid=553368 comm="python3" name=".cloud" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.353:899693): avc: denied { write } for pid=553368 comm="python3" name="blueprints" dev="mmcblk0p3" ino=259908 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.353:899694): avc: denied { add_name } for pid=553368 comm="python3" name="automation" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.363:899695): avc: denied { relabelfrom } for pid=553368 comm="python3" name="motion_light.yaml" dev="mmcblk0p3" ino=259912 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619112408.373:899696): avc: denied { setattr } for pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=259911 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.373:899697): avc: denied { relabelfrom } for pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=259911 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.423:899698): avc: denied { remove_name } for pid=553368 comm="python3" name="tmpfah9tsms" dev="mmcblk0p3" ino=259916 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619112408.423:899699): avc: denied { rename } for pid=553368 comm="python3" name="tmpfah9tsms" dev="mmcblk0p3" ino=259916 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899720): avc: denied { read write } for pid=553368 comm="python3" name="home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899721): avc: denied { open } for pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.009:899722): avc: denied { lock } for pid=553368 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899723): avc: denied { create } for pid=553368 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899724): avc: denied { setattr } for pid=553368 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.019:899725): avc: denied { map } for pid=553368 comm="python3" path="/config/home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113408.049:899726): avc: denied { unlink } for pid=553368 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113430.629:899727): avc: denied { write } for pid=553368 comm="python3" name=".storage" dev="mmcblk0p3" ino=259915 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.629:899728): avc: denied { add_name } for pid=553368 comm="python3" name="tmpxb6igo5e" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.629:899729): avc: denied { ioctl } for pid=553368 comm="python3" path="/config/.storage/tmpxb6igo5e" dev="mmcblk0p3" ino=259921 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113430.629:899730): avc: denied { remove_name } for pid=553368 comm="python3" name="tmpxb6igo5e" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113430.639:899731): avc: denied { rename } for pid=553368 comm="python3" name="tmpxb6igo5e" dev="mmcblk0p3" ino=259921 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619113641.008:899734): avc: denied { write } for pid=553368 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113641.008:899735): avc: denied { add_name } for pid=553368 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1619113641.028:899736): avc: denied { remove_name } for pid=553368 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259934 scontext=system_u:system_r:container_t:s0:c347,c512 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1

in the audit log.

Expected results:
the container to run

Additional info:
You are attempting to leak an entire home directory into a container and SELinux is rightly blocking the access. If you need to do this you need to disable SELinux container separation or play around with udica. I would run the following command.

podman run --init -d --security-opt label=disable --name homeassistant --restart=unless-stopped --tz=local -v /home/homeassistant:/config --network=host homeassistant/home-assistant:stable

BTW, notice the --tz flag.
As the directory was just a directory containing config files, I moved it to /var/lib/homeassistant. Running

podman run --init -d --name homeassistant --restart=unless-stopped -v /etc/localtime:/etc/localtime:ro -v /var/lib/homeassistant:/config --network=host homeassistant/home-assistant:stable

I get:

type=AVC msg=audit(1619287263.705:547): avc: denied { write } for pid=1780 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:549): avc: denied { write } for pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:551): avc: denied { read } for pid=1796 comm="python3" name=".HA_VERSION" dev="mmcblk0p3" ino=259894 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:552): avc: denied { ioctl } for pid=1796 comm="python3" path="/config/.HA_VERSION" dev="mmcblk0p3" ino=259894 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:553): avc: denied { lock } for pid=1796 comm="python3" path="/config/home-assistant_v2.db" dev="mmcblk0p3" ino=259900 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:554): avc: denied { write } for pid=1796 comm="python3" name="homeassistant" dev="mmcblk0p3" ino=250884 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:555): avc: denied { add_name } for pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.915:556): avc: denied { create } for pid=1796 comm="python3" name="home-assistant_v2.db-wal" scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.915:557): avc: denied { setattr } for pid=1796 comm="python3" name="home-assistant_v2.db-wal" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287268.925:558): avc: denied { remove_name } for pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=dir permissive=1
type=AVC msg=audit(1619287268.925:559): avc: denied { unlink } for pid=1796 comm="python3" name="home-assistant_v2.db-shm" dev="mmcblk0p3" ino=259652 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287273.645:561): avc: denied { rename } for pid=1796 comm="python3" name="tmpqq7mj4zg" dev="mmcblk0p3" ino=250890 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1

If instead I run

podman run --init -d --name homeassistant --restart=unless-stopped -v /etc/localtime:/etc/localtime:ro -v /var/lib/homeassistant:/config:Z --network=host homeassistant/home-assistant:stable

I still get one denial:

type=AVC msg=audit(1619287145.126:537): avc: denied { write } for pid=1262 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c286,c789 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

Should udevadm be able to run inside of a container?
Currently we block this via SELinux, writing to sysfs `uevent`. I do not believe this is going to work the way you expect, i.e. devices will not appear on the host's /dev. You can disable SELinux separation to see if it works. If it does, I could consider adding this allow rule.
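An added triage script (not part of this bug report, and not podman or container-selinux code) that parses AVC lines like the ones in the two runs above and sorts each denial by what its target label implies: a bind mount that was never relabeled (user_home_dir_t, the first run), a mount carrying another container's MCS categories (container_file_t:s0:c286,c789 against a process at c263,c985, the second run, which is what the :Z option fixes), and the sysfs uevent write that the container policy blocks on purpose. The three sample lines are copied from this report; the category names and classification rules are this example's own.

```python
import re
from collections import Counter

# Constructed sample: one denial copied from each of the three runs in the report.
SAMPLE_AVC = """\
type=AVC msg=audit(1619112384.563:899673): avc: denied { write open } for pid=552939 comm="python3" path="/config/configuration.yaml" dev="mmcblk0p3" ino=259891 scontext=system_u:system_r:container_t:s0:c568,c815 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619287267.855:549): avc: denied { write } for pid=1796 comm="python3" name="home-assistant.log" dev="mmcblk0p3" ino=259917 scontext=system_u:system_r:container_t:s0:c263,c985 tcontext=system_u:object_r:container_file_t:s0:c286,c789 tclass=file permissive=1
type=AVC msg=audit(1619287145.126:537): avc: denied { write } for pid=1262 comm="udevadm" name="uevent" dev="sysfs" ino=10484 scontext=system_u:system_r:container_t:s0:c286,c789 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def split_context(ctx):
    """Return (type, MCS category set) from user:role:type:s0[:cN,cM]."""
    _user, _role, type_, level = ctx.split(":", 3)
    cats = set(level.split(":", 1)[1].split(",")) if ":" in level else set()
    return type_, cats

def triage(line):
    """Classify one AVC line by what the target label says about the fix."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    _stype, scats = split_context(d["scontext"])
    ttype, tcats = split_context(d["tcontext"])
    if ttype == "user_home_dir_t":
        category = "unlabeled_host_data"  # bind mount never relabeled: use :Z or move it
    elif ttype == "container_file_t" and tcats != scats:
        category = "mcs_mismatch"          # labeled for a different container's categories
    elif ttype == "container_file_t":
        category = "policy_gap"            # label is right, policy lacks the rule
    elif ttype == "sysfs_t":
        category = "host_sysfs_write"      # blocked on purpose by the container policy
    else:
        category = "other"
    return {"comm": d["comm"], "perms": d["perms"].split(), "tclass": d["tclass"],
            "ttype": ttype, "category": category, "enforced": d["permissive"] != "1"}

def summarize(text):
    """Count denial categories over a block of audit output (non-AVC lines skipped)."""
    counts = Counter()
    for line in text.splitlines():
        t = triage(line)
        if t:
            counts[t["category"]] += 1
    return counts

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_AVC)))
```

Feed it `ausearch -m avc` output for a real run; only the `policy_gap` bucket is a candidate for a new allow rule, the rest are labeling problems on the volume.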
clearing needinfo