Podman cannot start containers with SELinux enabled (sd-bus call permission error)

This is the command I use to start the container:

podman run -d --name busybox-top -v ./src:/dest:Z busybox top

Error:

Error: sd-bus call: Permission denied: OCI permission denied

There is no .config/ directory in my user's home directory (the user is not root).

I do have .local/share/containers:

drwx------. 10 jn jn 4096 Oct  8 22:16 .
drwx------.  3 jn jn 4096 Oct  8 19:42 ..
drwx------.  2 jn jn 4096 Oct  8 22:16 cache
drwx------.  2 jn jn 4096 Oct  8 19:42 libpod
drwx------.  2 jn jn 4096 Oct  8 19:42 mounts
drwx------.  9 jn jn 4096 Oct  9 17:39 overlay
drwx------.  6 jn jn 4096 Oct  9 17:39 overlay-containers
drwx------.  4 jn jn 4096 Oct  9 07:23 overlay-images
drwx------.  2 jn jn 4096 Oct  9 17:39 overlay-layers
-rw-r--r--.  1 jn jn   64 Oct  9 17:40 storage.lock
drwx------.  2 jn jn 4096 Oct  8 19:42 tmp
-rw-r--r--.  1 jn jn    0 Oct  8 19:42 userns.lock

ls -la /run/user/1000/ shows:

total 0
drwx------. 10 jn   jn   220 Oct  9 17:39 .
drwxr-xr-x.  4 root root  80 Oct  9 15:42 ..
srw-rw-rw-.  1 jn   jn     0 Oct  9 15:40 bus
drwx------.  2 jn   jn    40 Oct  9 15:46 containers
drwx------.  2 jn   jn    40 Oct  9 17:39 crun
drwx------.  3 jn   jn    60 Oct  9 15:46 dbus-1
drwx------.  2 jn   jn   140 Oct  9 15:40 gnupg
drwx-----T.  2 jn   jn    40 Oct  9 15:46 libpod
drwxr-xr-x.  2 jn   jn    40 Oct  9 17:39 netns
drwxr-xr-x.  2 jn   jn    60 Oct  9 15:40 podman
drwxr-xr-x.  4 jn   jn   120 Oct  9 15:40 systemd

LSB information:

No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

systemd:

systemd 247 (247.3-7+deb11u1)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

podman version 3.0.1

SELinux status:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

uname:

uname -v
#1 SMP Debian 5.10.140-1 (2022-09-02)

$XDG_RUNTIME_DIR is empty, but my user seems to be using /run/user/1000/.

I log in to my user account with the following command: su --login jn

I also previously ran loginctl enable-linger 1000 to fix some other issues.

Update

For cat /etc/nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

I wonder whether this is related to the following:

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
sddm                 xdm                  s0-s0                *

In the Red Hat documentation I do not see sddm, but I do see system_u.

Maybe I need to use the SELinux user system_u, or even user_u, to map systemd's user.

Podman info:

host:
  arch: amd64
  buildahVersion: 1.19.6
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 1
  distribution:
    distribution: debian
    version: "11"
  eventLogger: journald
  hostname: localhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.0-18-amd64
  linkmode: dynamic
  memFree: 1513025536
  memTotal: 2079420416
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.4.0
  swapFree: 536866816
  swapTotal: 536866816
  uptime: 14h 57m 56.81s (Approximately 0.58 days)
registries:
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
store:
  configFile: /home/jn/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 0
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: 'fuse-overlayfs: /usr/bin/fuse-overlayfs'
      Version: |-
        fusermount3 version: 3.10.3
        fuse-overlayfs: version 1.4
        FUSE library version 3.10.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/jn/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 2
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /home/jn/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.15.15
  OsArch: linux/amd64
  Version: 3.0.1

journalctl

Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="podman run --rm -d --name busybox-top -v ./src:/dest:Z busybox top" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost podman[4755]: 2022-10-10 07:10:54.68733996 +0000 UTC m=+0.044280381 container create 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99 (image=docker.io/library/busybox:latest, name=busybox-top)
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="podman run --rm -d --name busybox-top -v ./src:/dest:Z busybox top" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="/usr/bin/crun --systemd-cgroup --log-format=json --log /tmp/podman-run-1000/containers/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata/oci-log create --bundle /home/jn/.local/share/containers/storage/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata --pid-file /tmp/podman-run-1000/containers/overlay-containers/78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99/userdata/pidfile 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="/usr/bin/podman --root /home/jn/.local/share/containers/storage --runroot /tmp/podman-run-1000/containers --log-level warning --cgroup-manager systemd --tmpdir /tmp/run-1000/libpod/tmp --runtime crun --storage-driver overlay --storage-opt overlay.mount_program=/usr/bin/fuse-overlayfs --events-backend journald container cleanup --rm 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost podman[4778]: 2022-10-10 07:10:54.76797772 +0000 UTC m=+0.047471111 container remove 78193de92b7cc76634ca87916330914cfdd62127a3614ac0adbeffa00a751c99 (image=docker.io/library/busybox:latest, name=busybox-top)

Update 2

$XDG_RUNTIME_DIR

jn@localhost:~$ echo $XDG_RUNTIME_DIR
/run/user/1000

$DBUS_SESSION_BUS_ADDRESS

jn@localhost:~$ echo $DBUS_SESSION_BUS_ADDRESS
unix:path=/run/user/1000/bus

jn@localhost:/run/user/1000$ ls -Zl
total 0
srw-rw-rw-. 1 jn jn unconfined_u:object_r:session_dbusd_runtime_t:s0   0 Oct 10 18:21 bus
drwx------. 2 jn jn unconfined_u:object_r:user_tmp_t:s0               40 Oct 10 18:25 containers
drwx------. 3 jn jn unconfined_u:object_r:user_tmp_t:s0               60 Oct 10 21:49 crun
drwx------. 3 jn jn unconfined_u:object_r:user_tmp_t:s0               60 Oct 10 18:25 dbus-1
drwx------. 2 jn jn unconfined_u:object_r:gpg_runtime_t:s0           140 Oct 10 18:21 gnupg
drwx-----T. 2 jn jn unconfined_u:object_r:user_tmp_t:s0               40 Oct 10 18:25 libpod
drwxr-xr-x. 2 jn jn unconfined_u:object_r:user_tmp_t:s0               60 Oct 10 21:49 netns
drwxr-xr-x. 2 jn jn unconfined_u:object_r:user_tmp_t:s0               60 Oct 10 18:21 podman
drwxr-xr-x. 5 jn jn unconfined_u:object_r:systemd_user_runtime_t:s0  140 Oct 10 20:53 systemd

Maybe I need to give podman access to the label session_dbusd_runtime_t, or even systemd_user_runtime_t.
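As an added example (not part of the question), a small Python parser for the systemd AVC lines quoted in the journalctl output above: it extracts the denied permission, the object class and both contexts, and flags the denials where the source MLS/MCS range differs from the target's. In the post, the first two denials carry s0-s0:c0.c1023 on both sides, while the crun and cleanup denials carry plain s0 on the source against s0-s0:c0.c1023 on the target; the sample journal text below is constructed from those lines with the cmdline values shortened.

```python
"""Parse 'selinux: avc: denied' lines as logged by systemd and flag
denials whose source and target MLS/MCS ranges differ."""
import re
from dataclasses import dataclass

# Constructed sample: three lines shortened from the journal excerpt in the
# post (cmdline values truncated; only the context fields matter here).
SAMPLE_JOURNAL = """\
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="podman run --rm -d --name busybox-top -v ./src:/dest:Z busybox top" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 10 07:10:54 localhost podman[4755]: container create 78193de9 (image=docker.io/library/busybox:latest, name=busybox-top)
Oct 10 07:10:54 localhost systemd[470]: selinux: avc:  denied  { start } for auid=0 uid=1000 gid=1000 cmdline="/usr/bin/crun --systemd-cgroup create ..." scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
"""

# Permission set in braces, then the three context/class fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass
class Denial:
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str

    @staticmethod
    def split(ctx):
        # user:role:type:level; the level itself may contain ':' for
        # categories, so split at most three times.
        user, role, typ, level = ctx.split(":", 3)
        return user, role, typ, level

    @property
    def range_mismatch(self) -> bool:
        # True when the source level (e.g. s0) differs from the target's
        # (e.g. s0-s0:c0.c1023), as in the crun and cleanup denials.
        return self.split(self.scontext)[3] != self.split(self.tcontext)[3]


def parse_denials(text):
    """Return a Denial for every AVC line in the journal text."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append(Denial(tuple(m["perms"].split()), m["scontext"],
                              m["tcontext"], m["tclass"]))
    return out


def report(text):
    """Summarise each denial as (tclass, perms, range_mismatch)."""
    return [(d.tclass, d.perms, d.range_mismatch) for d in parse_denials(text)]
```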
