SELinux and Podman
Last time I messed around with Podman, I finally got things working and had what I think was a pretty good understanding of how to go forward. But in order to get things working, I’d had to turn off SELinux. Now it was time to see what I had to do to make Podman work with SELinux. I’ve got some ideas based on some Googling and might also need to try a program called udica to create the right contexts.

First of all, when I rebooted the VM, I noticed that the pod was stopped. So eventually I’ll need to figure out how to use systemd to bring it up on boot. I noted that SELinux was on after reboot. I wanted to first see if maybe setting things up with SELinux off and then turning it on would lead to a working situation. (Also, I was learning a lot when setting things up before; maybe I never needed to turn it off.) I didn’t see any SELinux complaints. So I tried to load the page. SELinux was blocking MySQL from writing to the directory (and, apparently, reading), and so the site loaded up brand new as if I’d never configured the database.

I stopped the pod again. Then I tried this command first:

# setsebool -P container_manage_cgroup true

The computer did its thing. I started the pod again. The same issue occurred. Both the documentation I’d consulted and someone on Reddit had mentioned using the “:Z” option on the mount to get SELinux to be OK with it. As far as I know, I can’t change it on the container that’s already a part of the pod. Instead, I need to remove the container and create a new one from the image with the :Z option on the mount. So I tried that. After removing:

# podman run -dt --pod phpIPAM --name ipamsql -e MYSQL_ROOT_PASSWORD=my-secret-pw -v /root/phpipam:/var/lib/mysql:Z mysql:5.6

HURRAY! It loaded the site, reading the directory!

And there weren’t any complaints from SELinux in the logs!
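What the :Z option actually does is relabel the host directory to container_file_t with the same MCS categories (the s0:cNNN,cNNN part) as the container process, so only that container can touch it. The following script is an added example, not from the post, that checks whether a volume's label lines up with its container; the labels in the comments are constructed samples, and the live mode assumes `podman inspect --format '{{.ProcessLabel}}'` and `ls -Zd` are available.

```shell
#!/bin/sh
# Added example: verify that a Podman volume's SELinux label matches the
# container meant to use it. Sample contexts in comments are constructed.
set -eu

ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }   # e.g. container_file_t
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }  # e.g. s0:c123,c456

# check_volume_label DIR_CTX PROC_CTX -> prints one word:
#   private    ":Z" result: container_file_t with the container's own
#              categories, so only this container may read/write it
#   shared     ":z" result: container_file_t at plain s0, any container
#   mismatch   container_file_t, but categories belong to another container
#   wrong-type not container_file_t at all (e.g. admin_home_t under /root,
#              which is what the page's directory had before :Z): expect
#              AVC denials such as MySQL being unable to write its data dir
check_volume_label() {
  dir_type=$(ctx_type "$1")
  dir_level=$(ctx_level "$1")
  proc_level=$(ctx_level "$2")
  if [ "$dir_type" != container_file_t ]; then
    echo wrong-type
  elif [ "$dir_level" = "$proc_level" ]; then
    echo private
  elif [ "$dir_level" = s0 ]; then
    echo shared
  else
    echo mismatch
  fi
}

# Live mode (needs podman + SELinux): ./check.sh --live CONTAINER HOSTDIR
# e.g. ./check.sh --live ipamsql /root/phpipam
live_check() {
  dir_ctx=$(ls -Zd "$2" | awk '{print $1}')
  proc_ctx=$(podman inspect --format '{{.ProcessLabel}}' "$1")
  echo "container=$proc_ctx"
  echo "volume=$dir_ctx"
  echo "result: $(check_volume_label "$dir_ctx" "$proc_ctx")"
}

if [ "${1:-}" = --live ]; then
  live_check "$2" "$3"
fi
```

Because :Z relabels everything under the mounted path, point it only at a directory dedicated to that container (as /root/phpipam is here); relabeling a shared host directory such as /root itself would lock host processes out of it.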