/sys/fs/selinux gets mounted in rootless mode when both '--network host' and '--privileged' are used #4452
Comments
Thanks @debarshiray for your detective work!
personally I'd prefer to solve it with something like
I've opened a PR to add support for
What is the problem you are trying to solve? Why is /sys/fs/selinux getting mounted when --privileged?
the feature I've added is more generic, we currently have no way to disable
Agree, I like your PR, I am just asking why we are mounting this and what trouble it is causing.
I've not verified but that can be an effect of bind mounting I don't think we should treat
Makes sense.
This is the second time a selinuxfs instance has leaked into /sys/fs/selinux, tricking various components into trying to use SELinux. Might be better to work this around in Toolbox until the situation in Podman is figured out. Based on an idea from Colin Walters. containers/podman#4452
This is the second time a Podman regression has caused a selinuxfs instance to leak into the toolbox container's /sys/fs/selinux, tricking various components into trying to use SELinux. It might be better to work this around in Toolbox until the situation in Podman is figured out. Based on an idea from Colin Walters. containers/podman#4452
This is now fixed in Toolbox with containers/toolbox#337 I am wondering if this should still be fixed in Podman itself, or is it so that
The issue is if someone wanted to SELinux stuff from a process within a container, we need the process to know that SELinux is enabled.
In hope to make the prune tests more robust, run two top containers and stop one explicitly to reduce the risk of a race condition. Fixes: containers#4452 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
/kind bug
Description
Looks like containers/toolbox#47 has raised its head again.

An instance of selinuxfs is getting mounted at /sys/fs/selinux when both --network host and --privileged are used. Compare:

Output of podman version:

Output of podman info --debug:

Package info (e.g. output of rpm -q podman or apt list podman):