author: Daniel J Walsh <dwalsh@redhat.com> 2019-02-05 10:04:44 -0800
committer: Daniel J Walsh <dwalsh@redhat.com> 2019-02-06 05:52:39 -0800
commit: 1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f (patch)
tree: b42917afd4a40d237a75ef254562b7b5451eaee1 /troubleshooting.md
parent: d321c5d942f85b56852532edfd225dcdd591f817 (diff)
Add documentation on running systemd on SELinux systems
Lots of users are attempting to run systemd within a container. They are being blocked from running SELinux systems since they need the container_manage_cgroup which is not enabled by default.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'troubleshooting.md')

-rw-r--r-- troubleshooting.md | 18
1 files changed, 18 insertions, 0 deletions
diff --git a/troubleshooting.md b/troubleshooting.md
index d210d85df..3f66b56ef 100644
--- a/troubleshooting.md
+++ b/troubleshooting.md
@@ -173,3 +173,21 @@ cat ~/.config/containers/storage.conf
[storage.options]
mount_program = "/bin/fuse-overlayfs"
```
+
+### 8) Permission denied when running systemd within a Podman container
+
+When running systemd as PID 1 inside of a container on an SELinux
+separated machine, it needs to write to the cgroup file system.
+
+#### Symptom
+
+Systemd gets permission denied when attempting to write to the cgroup file
+system, and AVC messages start to show up in the audit.log file or journal on
+the system.
+
+#### Solution
+
+SELinux provides a boolean `container_manage_cgroup`, which allows container
+processes to write to the cgroup file system. Turn on this boolean, on SELinux separated systems, to allow systemd to run properly in the container.
+
+`setsebool -P container_manage_cgroup true`
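Review bot: the Solution section should state the scope of `setsebool -P container_manage_cgroup true`: the boolean is host-wide and `-P` makes it persistent across reboots, so once it is on, every container process on the machine, not only the container running systemd, is allowed to write to the cgroup file system. One sentence saying so, plus a hint that the AVC messages named under Symptom are how to confirm this is the denial actually being hit before flipping the boolean, would keep readers from enabling it for unrelated permission errors. Minor style point: the command on the last line is inline code while the preceding section's commands sit in a fenced block; a fenced block here would match the rest of the file.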