
Question on capabilities required for non-root OpenResty Podman container in SELinux-enabled RHEL 9.4 #265

@dhinakaran-aaru

Description


I'm running an OpenResty nginx container on top of an SELinux-enabled RHEL 9.4 host box.
What are the minimum capabilities the nginx container should have for the basic OpenResty nginx + Lua functionality to work properly? I wanted to know if any functionality will break if I remove any of the capabilities.
The Podman container is started as a non-root user:

These are the default capabilities added when I start the container.
cap_chown
cap_dac_override
cap_fowner
cap_fsetid
cap_kill
cap_net_bind_service
cap_setfcap
cap_setgid
cap_setpcap
cap_setuid
cap_sys_chroot

I understand that cap_net_bind_service is required to bind any system port from inside the container.

I could start the container with just these 2 capabilities: cap_net_bind_service and cap_setuid.

Will there be any problem from removing the other capabilities? Is it mandatory to have the cap_setuid capability?
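Added example, not from the issue author or the OpenResty project: a small POSIX shell helper that converts between the hex capability masks Linux reports in /proc/<pid>/status (CapEff, CapPrm, CapBnd, CapInh) and cap_* names, using the bit numbers from linux/capability.h. It lets you confirm from inside the container which capabilities actually survived `--cap-drop=ALL` plus selective `--cap-add`, rather than trusting the command line. The eleven capabilities listed above encode to 00000000800405fb, the mask Podman's default set produces; the two-capability set encodes to 0000000000000480. The `podman run` line in the trailing comment is an assumed invocation, not the one used in the issue.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): encode/decode Linux capability masks so you
# can check /proc/<pid>/status inside a container after dropping capabilities.
# Capability bit numbers follow linux/capability.h (bit 0 = CAP_CHOWN ... bit 40 =
# CAP_CHECKPOINT_RESTORE). Written in POSIX sh syntax, so it also runs under dash.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps HEXMASK -> space-separated cap_* names, lowest bit first
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }cap_$name"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# encode_caps cap_name... -> 16-digit hex mask as /proc/<pid>/status prints it
encode_caps() {
    mask=0
    for want in "$@"; do
        bit=0
        for name in $CAP_NAMES; do
            if [ "cap_$name" = "$want" ]; then
                mask=$(( mask | (1 << bit) ))
            fi
            bit=$(( bit + 1 ))
        done
    done
    printf '%016x\n' "$mask"
}

# effective_caps [PID] -> decoded CapEff of PID (default: the calling shell).
# Run it against PID 1 inside the container to see the nginx master's set.
effective_caps() {
    pid=${1:-self}
    hex=$(awk '/^CapEff:/ {print $2}' "/proc/$pid/status")
    decode_caps "$hex"
}

# Assumed invocation (not from the issue) to test a minimal set; the container
# prints its own Cap* lines, which you then feed to decode_caps on the host:
#   podman run --rm --cap-drop=ALL --cap-add=NET_BIND_SERVICE --cap-add=SETUID \
#       openresty/openresty:alpine sh -c 'grep ^Cap /proc/1/status'
```

Usage note: `grep ^Cap /proc/1/status` inside the container gives the raw masks, and `decode_caps` on the CapEff value shows what the process can actually use; CapBnd shows what it could ever regain, which is the number to watch when you are hardening. One caveat worth knowing when deciding about cap_setuid: when the nginx master runs as uid 0 inside the container (the default for most images) and nginx.conf has a `user` directive, each worker calls setgid(), initgroups() and setuid() at startup, so cap_setgid is needed alongside cap_setuid in that configuration; an image that already runs nginx as an unprivileged user skips those calls and needs neither.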
