Configuring SELinux with Podman for Secure Jellyfin Deployment

Hello,

I want to install Jellyfin Server as a Podman container, while configuring it correctly with SELinux. I do not want to disable security, just ensure everything is set up properly. The user will be john, and the container will run with the user jelly.

User john should have unrestricted access to all files in the directories exposed to user jelly. User jelly should only be able to access its own files and nothing more.

So far, the file /var/home/jelly/.config/containers/systemd/jellyfin.container looks like this:

[Container]
Image=docker.io/jellyfin/jellyfin:latest
AutoUpdate=registry
PublishPort=8096:8096/tcp
UserNS=keep-id
Volume=/var/home/john/Jelly/config:/config:Z
Volume=/var/home/john/.cache/jellyfin:/cache:Z
Volume=/var/home/john/Jelly/media:/media:Z

# added from the Podman one-liner on the same page
PublishPort=7359:7359/udp

[Service]
# Inform systemd of additional exit status
SuccessExitStatus=0 143

[Install]
# Start by default on boot
WantedBy=default.target

Predictably, running:

systemctl --user start jellyfin

fails.

How can I grant access to those folders alone? Should I place them under /var/home/jelly/?

Can you post the error that you get? Under what user are you trying to run this container?

The idea with containers is that you use them to control which files are available for an application via the volume mounts. You don’t need a complex user setup to do that.

Hello Timothée,

Thank you for your answer. I really don’t get containers at all, but I want to understand.

I want to have a user jelly that is going to have only enough access to run the Jellyfin server and make it available on localhost, nothing more.

The media files are under /var/user/john/jellyfin-media/, and the config and cache are under ~/.var/ because, for the time being, Flatpak just works.

I thought the easiest way would be to do something like

mkdir -p ~/{media,config,cache}

as user jelly under /var/home/jelly/.

Then I realized that would stink up my life and my backups.

I really do not recall the error, but it was related to the fact that SELinux does not want the containers to access stuff inside /var/home, which makes perfect sense, and that generated the whole post.

I really do not want to just drop SELinux protections because at this point I do not understand SELinux or containers.

The overall point is that user jelly should have just enough access to run the jellyfin-server container, and read and write access to three folders, which will contain the media, the config, and the cache. Nothing more.
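Timothée's point (volume mounts decide what the container can see) and the three-folder goal above can be checked mechanically. The following is an added example, not code from the thread or from Podman: it parses a Quadlet .container unit, lists each bind mount, and flags mounts that lack the SELinux relabel option (:Z private label, :z shared label) or whose host path falls outside the directories you intended to expose. The sample unit is constructed from the one in the thread with one extra unlabelled mount added so the check has something to report; the allowed-prefix list is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the thread's unit plus one deliberately unlabelled mount.
SAMPLE_UNIT = """\
[Container]
Image=docker.io/jellyfin/jellyfin:latest
UserNS=keep-id
Volume=/var/home/john/Jelly/config:/config:Z
Volume=/var/home/john/.cache/jellyfin:/cache:Z
Volume=/var/home/john/Jelly/media:/media:Z
Volume=/var/home/john/Documents:/docs

[Service]
SuccessExitStatus=0 143
"""

@dataclass
class Mount:
    host: str
    dest: str
    options: tuple
    relabel: Optional[str]  # "Z" (private MCS label), "z" (shared), or None

def parse_volumes(text):
    """Return the bind mounts declared by Volume= lines in the [Container] section."""
    section, mounts = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Container" or not line.startswith("Volume="):
            continue
        parts = line[len("Volume="):].split(":")
        if len(parts) < 2 or not parts[0].startswith(("/", "%h", "~")):
            continue  # named or anonymous volume: no host path to check
        opts = tuple(o for o in parts[2].split(",") if o) if len(parts) > 2 else ()
        relabel = next((o for o in opts if o in ("Z", "z")), None)
        mounts.append(Mount(parts[0], parts[1], opts, relabel))
    return mounts

def audit(text, allowed_prefixes):
    """Findings: mounts without a relabel option, shared labels, or unexpected host paths."""
    findings = []
    for m in parse_volumes(text):
        if m.relabel is None:
            findings.append(f"{m.host}: no :Z/:z, host label stays (e.g. user_home_t) and container_t is denied")
        elif m.relabel == "z":
            findings.append(f"{m.host}: shared label (:z), readable by every other container")
        if not any(m.host.startswith(p) for p in allowed_prefixes):
            findings.append(f"{m.host}: outside allowed prefixes {allowed_prefixes}")
    return findings
```

Run it against your real unit with the three directories as the allowed prefixes; an empty result means every mount is both relabelled for the container and inside the set you meant to expose.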