On Wed, Jun 21, 2023 at 05:28:48PM +0100, Sam Morris wrote:
> refpolicy has a 'container' module that appears to work, it's just not
> built by default.

BTW, the existence of /etc/selinux/default/contexts/lxc_contexts is what causes Podman to try to label containers. Which prevents it from being able to start any container, since the container module is not included in selinux-policy-default.

https://sources.debian.org/src/golang-github-opencontainers-selinux/1.10.0+ds1-1/go-selinux/selinux_linux.go/?hl=943#L943

> Any chance that module could be built by default?

So if the module is not suitable to be built by default, please remove the `lxc_contexts` file; I have the feeling it might also cause problems with libvirt and k8s...

https://sources.debian.org/src/libvirt/9.0.0-4/src/security/security_selinux.c/?hl=650#L650
https://sources.debian.org/src/kubernetes/1.20.5+really1.20.2-1.1/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go/?hl=887#L887

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
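The mismatch described in the message (a contexts file that names container types the loaded policy never defines) can be checked from a shell before a runtime fails on it. The script below is an added example, not code from the thread, Debian or refpolicy: it parses an lxc_contexts-style file, pulls out the type component of each context, and reports which of those types are absent from the policy. Both inputs are constructed samples; on a real host the first would be the contents of /etc/selinux/default/contexts/lxc_contexts and the second the type list from `seinfo -t` (setools). The sample context values and the `lxc_context_types`/`missing_context_types` function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): given the contents of an lxc_contexts
# file, list the SELinux types it references and report which ones the
# loaded policy does not define. Deterministic sort order for the test.
LC_ALL=C
export LC_ALL

# Constructed sample lxc_contexts, modelled on the refpolicy key = "context"
# format. The context strings are assumed values, not copied from any host.
SAMPLE_LXC_CONTEXTS='process = "system_u:system_r:container_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:container_file_t:s0"
ro_file = "system_u:object_r:container_ro_file_t:s0"'

# Constructed stand-in for the type list of a policy built without the
# container module (on a real host: seinfo -t | sed 1d).
SAMPLE_POLICY_TYPES='virt_var_lib_t
unconfined_t
init_t'

# lxc_context_types FILE_CONTENTS
#   Print the type field (third colon-separated component) of every quoted
#   context in the file, one per line, de-duplicated.
lxc_context_types() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^=]*=[[:space:]]*"\([^"]*\)".*$/\1/p' \
        | cut -d: -f3 \
        | sort -u
}

# missing_context_types FILE_CONTENTS POLICY_TYPE_LIST
#   Print each type referenced by the contexts file that does not appear as
#   a whole line in the policy type list. Empty output means the policy
#   defines everything the runtime will try to label with.
missing_context_types() {
    _contexts=$1
    _policy=$2
    for _t in $(lxc_context_types "$_contexts"); do
        printf '%s\n' "$_policy" | grep -qxF -- "$_t" || printf '%s\n' "$_t"
    done
}

# Usage on the constructed samples. With the container module absent, the
# three container_* types come back as missing, which is the state in which
# a runtime that honours lxc_contexts cannot start a labelled container.
_missing=$(missing_context_types "$SAMPLE_LXC_CONTEXTS" "$SAMPLE_POLICY_TYPES")
if [ -n "$_missing" ]; then
    printf 'types referenced by lxc_contexts but not in policy:\n%s\n' "$_missing"
else
    printf 'all lxc_contexts types are defined in the loaded policy\n'
fi
```

To run it against a live Debian host, replace the two samples with `"$(cat /etc/selinux/default/contexts/lxc_contexts)"` and `"$(seinfo -t | sed 1d)"`; a non-empty result is the condition under which removing the contexts file or loading the container module is needed.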

