Cannot access host filesystem from podman containers

Hello,

I would like my container to access (r/w) a host directory, but all I can get is “permission denied”.

Here is a basic example:

$ podman run -ti --rm  -v /tmp:/aaa -v ~/:/bbb fedora:31
[root@fe13abffe7f1 /]# ls -ld aaa bbb
drwxrwxrwt. 17 nobody nobody  360 Jan  4 11:47 aaa
drwx--x--x. 55 root   root   4096 Jan  4 11:38 bbb
[root@fe13abffe7f1 /]# ls -l aaa bbb
ls: cannot open directory 'aaa': Permission denied
ls: cannot open directory 'bbb': Permission denied
[root@fe13abffe7f1 /]# 

Am I doing something wrong according to Silverblue security rules?
I am running Silverblue 31, and trying to migrate my usual containers on it…

This is most likely due to SELinux labeling/protection. You can add :z to the end of the --volume option specification to relabel files in the shared directories so that they can be accessed from a container. man podman-run for more information.

I would consider the implications of this, though. You most likely only want to relabel files that you explicitly want to share in the container. Putting those files into a separate directory will help. For your home directory sharing, maybe you would prefer to use a tool like toolbox to set up these containers for you.


Thanks! That works now.

For my actual use case, I wanted to share specific directories, so no problem with relabeling them as shared this time. Will think about it for other cases though.


Hi Dusty!

I just had the same issue - I would prefer to avoid over-sharing, is there a podman equivalent of the Docker group that I can use to flag files that I want containers to have access to?

Thanks,
Dave.

There’s more context in this article (a bit old but still relevant). Though the simplest thing to do is to just create a new empty directory and share that with :z.

If you really need to share a system directory (or your $HOME) then the podman-run man page says you should use --security-opt label=disable:

Note: Do not relabel system files and directories. Relabeling system content might cause other confined services on your machine to fail. For these types of containers we recommend that you disable SELinux separation. The option --security-opt label=disable disables SELinux separation for the container. For example, if a user wanted to volume mount their entire home directory into a container, they need to disable SELinux separation.

    $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
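The two answers above boil down to one decision: relabel a dedicated directory with :z/:Z, or, for a system directory or the whole $HOME, turn off SELinux separation for that container instead of relabeling. The script below is an added example (not from the thread, not part of podman) that encodes that rule: it builds the podman run arguments for a given host path, refuses to relabel paths the man page warns about, and, when podman is present and RUN_DEMO=1 is set, runs a container against a freshly created share directory and shows the resulting label with ls -Zd. The directory names and the container image are assumptions for illustration.

```shell
#!/bin/sh
# Added example: choose between SELinux relabeling (:z / :Z) and
# --security-opt label=disable when bind-mounting host directories
# into a podman container on an SELinux-enforcing host (Fedora/Silverblue).
set -eu

# Paths the podman-run man page says must not be relabeled: system
# directories and the entire home directory. Relabeling them to
# container_file_t can break other confined services on the host.
is_safe_to_relabel() {
    dir="${1%/}"                      # drop a trailing slash
    case "$dir" in
        ""|/|/usr|/usr/*|/etc|/etc/*|/var|/var/*|/tmp|/run|/run/*|"${HOME:-/nonexistent}")
            return 1 ;;
    esac
    return 0
}

# Print the arguments to pass to `podman run` for sharing host_dir as ctr_dir.
# Dedicated directories get :Z (a label private to this container; use :z
# if several containers must share it). Forbidden directories fall back to
# disabling SELinux separation for the container rather than relabeling.
build_run_args() {
    host_dir="$1"
    ctr_dir="$2"
    if is_safe_to_relabel "$host_dir"; then
        printf -- '-v %s:%s:Z' "$host_dir" "$ctr_dir"
    else
        printf -- '--security-opt label=disable -v %s:%s' "$host_dir" "$ctr_dir"
    fi
}

# Demonstration against a real podman install (hypothetical directory name).
# The relabeled directory is created empty on purpose, so only files you
# deliberately put there ever become readable by containers.
demo() {
    share_dir="${HOME:-/tmp}/container-share"   # assumed location
    mkdir -p "$share_dir"
    args="$(build_run_args "$share_dir" /data)"
    # shellcheck disable=SC2086  # args is intentionally word-split
    podman run --rm $args fedora:31 ls -ld /data
    # Back on the host, the label should now read container_file_t:
    ls -Zd "$share_dir"
}

if [ "${RUN_DEMO:-0}" = 1 ] && command -v podman >/dev/null 2>&1; then
    demo
fi
```

Running it with `RUN_DEMO=1 sh share.sh` on a Fedora host creates ~/container-share, mounts it with :Z, and prints the directory's SELinux label afterwards; asking it to share /tmp or $HOME instead yields the label=disable form, which is the man page's recommendation for those paths.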

Thanks Dusty!
