Rootless quadlet MinIO with direct filesystem access

[skyblaster]

Linking to my question here: minio/minio#20226
I used source,destination instead of source,target based on the following: https://github.com/containers/podman/pull/17656/files

Host machine is Fedora Server with SELinux enforcing. Thanks!

[ygalblum]

Hi,
The issue does seem to be SELinux related.
With the file as you pasted, SELinux prevents the application from accessing the directory. This can be seen in the AVC logs:

$ sudo ausearch -m avc | grep minio
type=AVC msg=audit(1723099041.874:435): avc:  denied  { write } for  pid=122197 comm="minio" name="/" dev="loop12" ino=2 scontext=system_u:system_r:container_t:s0:c448,c710 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723099041.874:436): avc:  denied  { write } for  pid=122197 comm="minio" name="/" dev="loop12" ino=2 scontext=system_u:system_r:container_t:s0:c448,c710 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723099041.874:437): avc:  denied  { read } for  pid=122197 comm="minio" name="/" dev="loop12" ino=2 scontext=system_u:system_r:container_t:s0:c448,c710 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723099041.874:438): avc:  denied  { write } for  pid=122197 comm="minio" name="/" dev="loop12" ino=2 scontext=system_u:system_r:container_t:s0:c448,c710 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Your idea of letting Podman relabel the directory is a step at the right direction. But, first the syntax when using Mount should be:

Mount=type=bind,source=/mnt/disk1,destination=/mnt/disk1,relabel=shared

And second, Podman will still fail since it will try to relabel a directory owned by root while running as rootless.

So, instead of having Podman relabel the folders, you should do so at mount time and then the original file should work.

I am not an SELinux expert, but I can say that setting the option context="system_u:object_r:container_file_t:s0" to the entries in /etc/fstab does work

[skyblaster]

Thank you so much Ygal!
I fixed the Mount= syntax to include relabel=shared and chown'd the mounts to the user running the container.

[rhatdan]

I am kind of an SELinux expert, at least I am known as one, and @ygalblum was correct.

[skyblaster]

@rhatdan I was wondering if that comment would lure you in ;-)

Would you omit the relabel=shared append to the Mount statement and tackle this another way...perhaps as suggested by @ygalblum below?

I am not an SELinux expert, but I can say that setting the option context="system_u:object_r:container_file_t:s0" to the entries in /etc/fstab does work

I really should get your book so I can minimize the questions.

[rhatdan]

Yes that makes sense to label the mount point at mount time, rather then attempting to relabel it at runtime.