On Wed, Jun 21, 2023 at 06:04:14PM +0100, Sam Morris wrote:
> On Wed, Jun 21, 2023 at 05:28:48PM +0100, Sam Morris wrote:
> > refpolicy has a 'container' module that appears to work, it's just not
> > built by default.
>
> BTW, the existence of /etc/selinux/default/contexts/lxc_contexts is what
> causes Podman to try to label containers. Which prevents it from being
> able to start any container, since the container module is not
> included in selinux-policy-default.
>
> https://sources.debian.org/src/golang-github-opencontainers-selinux/1.10.0+ds1-1/go-selinux/selinux_linux.go/?hl=943#L943
>
> > Any chance that module could be built by default?
>
> So if the module is not suitable to be built by default, please remove
> the `lxc_contexts` file; I have the feeling it might also cause problems
> with libvirt and k8s...
Actually this file should remain until Debian packages container-selinux
(which ships /usr/share/containers/selinux/contexts, which replaces
/etc/selinux/default/contexts/lxc_contexts; without either file, Podman
etc. won't try to label their containers).

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
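The lookup order the two messages describe, as an added Go example written for this page (it is not go-selinux's, Podman's or Debian's code): the container-selinux file under /usr/share/containers/selinux/contexts is tried first, the refpolicy lxc_contexts file under /etc/selinux/default/contexts is the fallback, and if neither exists labelling stays off. The functions take a root directory so the logic can be exercised against a scratch tree rather than the real host; the key = "value" parser follows the lxc_contexts file format, and the sample file contents and label values are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Candidate contexts files, relative to a root directory ("/" on a real host).
// Order matters: the container-selinux file takes precedence over the
// refpolicy lxc_contexts file, exactly as the thread describes.
const (
	containerContextsRel = "usr/share/containers/selinux/contexts"
	lxcContextsRel       = "etc/selinux/default/contexts/lxc_contexts"
)

// Constructed sample in the lxc_contexts format; the label values are
// illustrative, not copied from any Debian package.
const sampleLXCContexts = `# constructed sample, key = "value" per line
process = "system_u:system_r:container_t:s0"
file = "system_u:object_r:container_file_t:s0"
ro_file="system_u:object_r:container_ro_file_t:s0"
`

// ContextsFile records which file was chosen and the labels parsed from it.
type ContextsFile struct {
	Path   string
	Labels map[string]string
}

// parseContexts reads key = "value" lines, skipping blanks and # comments.
// Surrounding double quotes on the value are stripped.
func parseContexts(r io.Reader) (map[string]string, error) {
	labels := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed contexts line %q", line)
		}
		labels[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return labels, sc.Err()
}

// findContextsFile returns the first candidate that exists as a regular file.
func findContextsFile(root string) (string, bool) {
	for _, rel := range []string{containerContextsRel, lxcContextsRel} {
		p := filepath.Join(root, rel)
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() {
			return p, true
		}
	}
	return "", false
}

// loadLabels returns the chosen file and its labels, or (nil, nil) when no
// contexts file exists, i.e. when a runtime following this logic would not
// try to label containers at all.
func loadLabels(root string) (*ContextsFile, error) {
	p, ok := findContextsFile(root)
	if !ok {
		return nil, nil
	}
	f, err := os.Open(p)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	labels, err := parseContexts(f)
	if err != nil {
		return nil, fmt.Errorf("%s: %w", p, err)
	}
	return &ContextsFile{Path: p, Labels: labels}, nil
}

// labelingEnabled reports whether either contexts file is present and parses.
func labelingEnabled(root string) bool {
	cf, err := loadLabels(root)
	return err == nil && cf != nil
}

// writeContexts drops a contexts file at rel under root (helper for demos/tests).
func writeContexts(root, rel, content string) error {
	p := filepath.Join(root, rel)
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	return os.WriteFile(p, []byte(content), 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "ctx-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(root)
	fmt.Println("neither file present, labelling enabled:", labelingEnabled(root))
	_ = writeContexts(root, lxcContextsRel, sampleLXCContexts)
	cf, _ := loadLabels(root)
	fmt.Println("lxc_contexts only:", cf.Path, "process =", cf.Labels["process"])
	_ = writeContexts(root, containerContextsRel, sampleLXCContexts)
	cf, _ = loadLabels(root)
	fmt.Println("both present, chosen:", cf.Path)
}
```

Running it against a scratch root reproduces the situation in the thread: with only the refpolicy lxc_contexts file present the runtime would pick it up and try to label, and removing it (or never installing it) is what switches labelling off; once the container-selinux file exists it wins regardless of the lxc_contexts file.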