GitList

Browse code

dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts

Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401

Tested on Fedora 34

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cdaf82ba3fe97eda242488ec70f400b9b345e16a)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda authored on 2021/03/25 17:23:37
Showing 1 changed files

contrib/dockerd-rootless.sh

History View file @ 44f95c7

@@ -84,6 +84,12 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then
                      		echo "This script must be executed as a non-privileged user"
                      		exit 1
                      	fi
                     +	# `selinuxenabled` always returns false in RootlessKit child, so we execute `selinuxenabled` in the parent.
                     +	# https://github.com/rootless-containers/rootlesskit/issues/94
                     +	if command -v selinuxenabled > /dev/null 2>&1 && selinuxenabled; then
                     +		_DOCKERD_ROOTLESS_SELINUX=1
                     +		export _DOCKERD_ROOTLESS_SELINUX
                     +	fi
                      	# Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces.
+                     	#
                      	# --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks
@@ -105,5 +111,12 @@ else
                      	# remove the symlinks for the existing files in the parent namespace if any,
                      	# so that we can create our own files in our mount namespace.
                      	rm -f /run/docker /run/containerd /run/xtables.lock
+                    +
                     +	if [ -n "$_DOCKERD_ROOTLESS_SELINUX" ]; then
                     +		# iptables requires /run in the child to be relabeled. The actual /run in the parent is unaffected.
                     +		# https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401
                     +		# https://github.com/moby/moby/issues/41230
                     +		chcon system_u:object_r:iptables_var_run_t:s0 /run
                     +	fi
                      	exec dockerd $@
                      fi