Unable to use SELinux port rules with custom contexts

[gucci-on-fleek]

Issue Description

I'm trying to use a custom SELinux policy to limit which services are allowed to bind to specific ports, but this doesn't seem to work with Podman.

When running rootless, it looks like Podman is trying to run pasta in the container_runtime_t context instead of the context set with --security-opt=label=type:. When running as root, Podman itself is trying to bind the port in the container_runtime_t context instead of the context set with --security-opt=label=type:.

Steps to reproduce the issue

First, install the following SELinux policy:

;; Install with "sudo semodule --install=./<file-name>.cil --install=/usr/share/udica/templates/base_container.cil --install=/usr/share/udica/templates/net_container.cil"

;; Includes
(roleattributeset cil_gen_require object_r)
(typeattributeset cil_gen_require files_unconfined_type)

;; Define the testing port
(type local_test_port_t)
(roletype object_r local_test_port_t)
(portcon tcp 9124 (system_u object_r local_test_port_t ((s0) (s0))))

;; Define the container runtime type
(block local_test_container
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process process (capability (all)))

    (allow process http_port_t (tcp_socket (name_bind)))
    (allow process local_test_port_t (tcp_socket (name_bind)))
    (typeattributeset files_unconfined_type process)
)

;; Limit binding to the testing port
(constrain
    (tcp_socket (name_bind))
    (or
        (neq t1 local_test_port_t)
        (eq t2 local_test_container.process)
    )
)

;; Allow anyone to connect to the testing port
(allow domain local_test_port_t (tcp_socket (name_connect)))

Now, confirm that only processes with the local_test_container.process type are allowed to bind to port 9124:

$ journalctl --follow --lines=0 _TRANSPORT=audit &  # Show the SELinux denials

$ python3 -m http.server 8000  # Works ok, as expected
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

$ python3 -m http.server 9124  # Doesn't work, as expected
Traceback (most recent call last):
[...]
PermissionError: [Errno 13] Permission denied

audit[195772]: AVC avc:  denied  { name_bind } for  pid=195772 comm="python3" src=9124 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0

$ runcon --type=local_test_container.process python3 -m http.server 9124  # Works ok, as expected
Serving HTTP on 0.0.0.0 port 9124 (http://0.0.0.0:9124/) ...

Now try running the same commands in a container as a regular user:

$ podman run --rm -it --publish=8000:8000 --entrypoint=/usr/bin/python3 quay.io/fedora/python-313 -m http.server 8000  # Works ok, as expected
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

$ podman run --rm -it --publish=8000:9124 --entrypoint=/usr/bin/python3 quay.io/fedora/python-313 -m http.server 9124  # Doesn't work, as expected
Traceback (most recent call last):
[...]
PermissionError: [Errno 13] Permission denied

audit[196820]: AVC avc:  denied  { name_bind } for  pid=196820 comm="python3" src=9124 scontext=unconfined_u:unconfined_r:container_t:s0:c109,c854 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0

$ podman run --rm -it --security-opt=label=type:local_test_container.process --publish=8000:9124 --entrypoint=/usr/bin/python3 quay.io/fedora/python-313 -m http.server 9124  # Works ok, as expected
Serving HTTP on 0.0.0.0 port 9124 (http://0.0.0.0:9124/) ...

$ podman run --rm -it --security-opt=label=type:local_test_container.process --publish=9124:9124 --entrypoint=/usr/bin/python3 quay.io/fedora/python-313 -m http.server 9124  # Doesn't work, unexpected!
Error: pasta failed with exit code 1:
Failed to bind port 9124 (Permission denied) for option '-t 9124-9124:9124-9124'

audit[199026]: AVC avc:  denied  { name_bind } for  pid=199026 comm="pasta.avx2" src=9124 scontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0
audit[199026]: AVC avc:  denied  { name_bind } for  pid=199026 comm="pasta.avx2" src=9124 scontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0
audit[199026]: AVC avc:  denied  { name_bind } for  pid=199026 comm="pasta.avx2" src=9124 scontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0

And as root:

$ sudo machinectl shell root@

# podman run --rm -it --publish=8000:8000 --entrypoint=/usr/bin/python3 quay.io/fedora/python-313 -m http.server 8000  # Works ok, as expected
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

# podman run --rm -it --publish=8000:9124 --entrypoint=/usr/bin/python3 quay.io/fedora/python-313 -m http.server 9124  # Doesn't work, as expected
Traceback (most recent call last):
[...]
PermissionError: [Errno 13] Permission denied

audit[208351]: AVC avc:  denied  { name_bind } for  pid=208351 comm="python3" src=9124 scontext=unconfined_u:unconfined_r:container_t:s0:c312,c746 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0

# podman run --rm -it --security-opt=label=type:local_test_container.process --publish=8000:9124 --entrypoint=/usr/bin/python3 quay.io/fedora/python-313 -m http.server 9124  # Works ok, as expected
Serving HTTP on 0.0.0.0 port 9124 (http://0.0.0.0:9124/) ...

# podman run --rm -it --security-opt=label=type:local_test_container.process --publish=9124:9124 --entrypoint=/usr/bin/python3 quay.io/fedora/python-313 -m http.server 9124  # Doesn't work, unexpected!
Error: cannot listen on the TCP port: listen tcp4 :9124: bind: permission denied

audit[208901]: AVC avc:  denied  { name_bind } for  pid=208901 comm="podman" src=9124 scontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0

Describe the results you received

(described inline above, repeated again here)

When rootless, Podman returns the following error message:

Error: pasta failed with exit code 1:
Failed to bind port 9124 (Permission denied) for option '-t 9124-9124:9124-9124'

and the audit log shows the following messages:

audit[199026]: AVC avc:  denied  { name_bind } for  pid=199026 comm="pasta.avx2" src=9124 scontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0
audit[199026]: AVC avc:  denied  { name_bind } for  pid=199026 comm="pasta.avx2" src=9124 scontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0
audit[199026]: AVC avc:  denied  { name_bind } for  pid=199026 comm="pasta.avx2" src=9124 scontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0

When run as root, Podman returns the following error message:

Error: cannot listen on the TCP port: listen tcp4 :9124: bind: permission denied

and the audit log shows the following message:

audit[208901]: AVC avc:  denied  { name_bind } for  pid=208901 comm="podman" src=9124 scontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_test_port_t:s0 tclass=tcp_socket permissive=0

Describe the results you expected

I expected that Podman would allow binding to port 9124 and would return no error messages.

podman info output

host:
  arch: amd64
  buildahVersion: 1.39.4
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 97.43
    systemPercent: 0.85
    userPercent: 1.72
  cpus: 16
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "41"
  eventLogger: journald
  freeLocks: 2037
  hostname: max-new-laptop
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.14.5-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2337062912
  memTotal: 32947945472
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.1
  ociRuntime:
    name: crun
    package: crun-1.21-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.21
      commit: 10269840aa07fb7e6b7e1acff6198692d8ff5c88
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250415.g2340bbf-1.fc41.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 42451677184
  swapTotal: 42949660672
  uptime: 30h 9m 51.00s (Approximately 1.25 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/max/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/max/.local/share/containers/storage
  graphRootAllocated: 1985756528640
  graphRootUsed: 1291768381440
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 22
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/max/.local/share/containers/storage/volumes
version:
  APIVersion: 5.4.2
  BuildOrigin: Fedora Project
  Built: 1743552000
  BuiltTime: Tue Apr  1 18:00:00 2025
  GitCommit: be85287fcf4590961614ee37be65eeb315e5d9ff
  GoVersion: go1.23.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

The transcripts and logs above are from Fedora 41:

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ cat /etc/os-release | grep PRETTY_NAME
PRETTY_NAME="Fedora Linux 41 (Workstation Edition)"

$ podman --version
podman version 5.4.2

$ uname --kernel-release
6.14.5-200.fc41.x86_64

$ rpm --query --queryformat='%{NAME}\t%{VERSION}\n' containers-common container-selinux libselinux passt podman policycoreutils selinux-policy selinux-policy-targeted | column --table
containers-common        0.62.2
container-selinux        2.236.0
libselinux               3.7
libselinux               3.7
passt                    0^20250415.g2340bbf
podman                   5.4.2
policycoreutils          3.7
selinux-policy           41.38
selinux-policy-targeted  41.38

$ podman info
host:
  arch: amd64
  buildahVersion: 1.39.4
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 97.43
    systemPercent: 0.85
    userPercent: 1.72
  cpus: 16
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "41"
  eventLogger: journald
  freeLocks: 2037
  hostname: max-new-laptop
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.14.5-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 1942081536
  memTotal: 32947945472
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.1
  ociRuntime:
    name: crun
    package: crun-1.21-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.21
      commit: 10269840aa07fb7e6b7e1acff6198692d8ff5c88
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250415.g2340bbf-1.fc41.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 42451595264
  swapTotal: 42949660672
  uptime: 30h 3m 34.00s (Approximately 1.25 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/max/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/max/.local/share/containers/storage
  graphRootAllocated: 1985756528640
  graphRootUsed: 1292103151616
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 22
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/max/.local/share/containers/storage/volumes
version:
  APIVersion: 5.4.2
  BuildOrigin: Fedora Project
  Built: 1743552000
  BuiltTime: Tue Apr  1 18:00:00 2025
  GitCommit: be85287fcf4590961614ee37be65eeb315e5d9ff
  GoVersion: go1.23.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.2

$ sudo id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ sudo podman info
host:
  arch: amd64
  buildahVersion: 1.39.4
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  - dmem
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 97.42
    systemPercent: 0.85
    userPercent: 1.72
  cpus: 16
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: workstation
    version: "41"
  eventLogger: journald
  freeLocks: 2047
  hostname: max-new-laptop
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.14.5-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2579410944
  memTotal: 32947945472
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.1
  ociRuntime:
    name: crun
    package: crun-1.21-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.21
      commit: 10269840aa07fb7e6b7e1acff6198692d8ff5c88
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250415.g2340bbf-1.fc41.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 42444677120
  swapTotal: 42949660672
  uptime: 30h 21m 8.00s (Approximately 1.25 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.additionalImageStores:
    - /usr/lib/containers/storage
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 1985756528640
  graphRootUsed: 1292842369024
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.4.2
  BuildOrigin: Fedora Project
  Built: 1743552000
  BuiltTime: Tue Apr  1 18:00:00 2025
  GitCommit: be85287fcf4590961614ee37be65eeb315e5d9ff
  GoVersion: go1.23.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.2

I also tested on Fedora 42 and got the same results:

$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

$ cat /etc/os-release | grep PRETTY_NAME
PRETTY_NAME="Fedora Linux 42 (IoT Edition)"

$ podman --version
podman version 5.4.2

$ uname --kernel-release
6.14.5-300.fc42.x86_64

$ rpm --query --queryformat='%{NAME}\t%{VERSION}\n' containers-common container-selinux libselinux passt podman policycoreutils selinux-policy selinux-policy-targeted | column --table
containers-common        0.62.2
container-selinux        2.237.0
libselinux               3.8
passt                    0^20250503.g587980c
podman                   5.4.2
policycoreutils          3.8
selinux-policy           41.39
selinux-policy-targeted  41.39

$ podman info
host:
  arch: amd64
  buildahVersion: 1.39.4
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.fc42.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 97.29
    systemPercent: 1.13
    userPercent: 1.58
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: iot
    version: "42"
  eventLogger: journald
  freeLocks: 2047
  hostname: maxchernoff.ca
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.14.5-300.fc42.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 199876608
  memTotal: 8259084288
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.14.0-1.fc42.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.14.0
    package: netavark-1.14.1-1.fc42.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.14.1
  ociRuntime:
    name: crun
    package: crun-1.21-1.fc42.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.21
      commit: 10269840aa07fb7e6b7e1acff6198692d8ff5c88
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250503.g587980c-1.fc42.x86_64
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 16076832768
  swapTotal: 16848510976
  uptime: 25h 44m 29.00s (Approximately 1.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  localhost:23719:
    Blocked: false
    Insecure: true
    Location: localhost:23719
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:23719
    PullFromMirror: ""
  maxchernoff.ca:
    Blocked: false
    Insecure: true
    Location: localhost:23719
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: maxchernoff.ca
    PullFromMirror: ""
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /var/home/max/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/max/.local/share/containers/storage
  graphRootAllocated: 261466619904
  graphRootUsed: 138351955968
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/max/.local/share/containers/storage/volumes
version:
  APIVersion: 5.4.2
  BuildOrigin: Fedora Project
  Built: 1743552000
  BuiltTime: Tue Apr  1 18:00:00 2025
  GitCommit: be85287fcf4590961614ee37be65eeb315e5d9ff
  GoVersion: go1.24.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.2

Additional information

No response

[Honny1]

I'm not sure if this is expected behavior. WDYT? @Luap99 and @sbrivio-rh

[Luap99]

This is expected, the custom policy from --security-opt is only used for the container process not anything podman is doing or its other process we start.

The fact the we run pasta as container_runtime_t is actually sort of a bug, it should run under pasta_t but there are some policy issues we would need to fix first: https://bugs.passt.top/show_bug.cgi?id=81

[gucci-on-fleek]

First, thanks for the quick response!

This is expected, the custom policy from --security-opt is only used for the container process not anything podman is doing or its other process we start.

Hmm, ok. Do you know of any (obvious) workarounds for this, or not really?

[sbrivio-rh]

Do you know of any (obvious) workarounds for this, or not really?

Actually, as you seem to be familiar with the matter, I wonder if you should consider taking care of the (few?) policy changes we would need to fix https://bugs.passt.top/show_bug.cgi?id=81. It might be more productive than finding a workaround, and probably take you a similar amount of time and effort.

They should be entirely described there, it's mostly about allowing pasta_t to bind to any port, and make sure that Podman can transition to pasta_t when running a pasta_exec_t binary. And then play with the whole thing and iron out issues that might come up, if any.

[gucci-on-fleek]

Do you know of any (obvious) workarounds for this, or not really?

Actually, as you seem to be familiar with the matter, I wonder if you should consider taking care of the (few?) policy changes we would need to fix https://bugs.passt.top/show_bug.cgi?id=81. It might be more productive than finding a workaround, and probably take you a similar amount of time and effort.

They should be entirely described there, it's mostly about allowing pasta_t to bind to any port, and make sure that Podman can transition to pasta_t when running a pasta_exec_t binary. And then play with the whole thing and iron out issues that might come up, if any.

Sure, I'll try getting that to work in the next few days.

[sbrivio-rh]

Fixed in passt 2025_06_06.754c6d7 and matching Fedora 41 update. Thanks @gucci-on-fleek for fixing this!