2023/12/13/adventures-with-rootless-containers/ #175
Hi, I don't know if you will be reading this, but I needed to leave a message to sincerely thank you for this article, specifically the SELinux section. I am trying to move my infrastructure from a combination of various Linux distributions to a single unified deployment using alma and podman, while adhering to security best practices. You are the only person I found to explain the process of audit to allow access to the podman.socket file from traefik. So many other blogs just apply the disabled label, which I did not want to do. Before I read your answer on what your policy looked like, I read through the linked articles at RHEL and did it on my own and only missed one permission, which means I think I can apply this knowledge to other containers as I deploy them. I've now ported the policies into ansible and I'm using fedora.linux_system_roles to deploy both SELinux modules and the quadlets. I thought I would go crazy before I found your blog post. Thank you so so so much. Love from Japan,
2023/12/13/adventures-with-rootless-containers/
How I Learned to Stop Worrying and Love the Rootless Container
https://kcore.org/2023/12/13/adventures-with-rootless-containers/