From 1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 5 Feb 2019 10:04:44 -0800
Subject: Add documentation on running systemd on SELinux systems

Lots of users are attempting to run systemd within a container.  They are
being blocked from running SELinux systems since they need the
container_manage_cgroup which is not enabled by default.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 docs/podman-create.1.md |  8 +++++++-
 docs/podman-run.1.md    |  8 +++++++-
 troubleshooting.md      | 18 ++++++++++++++++++
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 178542f0d..98b1a2a17 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -610,6 +610,12 @@ It will also set the default stop signal to SIGRTMIN+3.
 
 This allow systemd to run in a confined container without any modifications.
 
+Note: On `SELinux` systems, systemd attempts to write to the cgroup
+file system.  Containers writing to the cgroup file system are denied by default.
+The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system.
+
+`setsebool -P container_manage_cgroup true`
+
 **--tmpfs**=[] Create a tmpfs mount
 
 Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
@@ -804,7 +810,7 @@ WantedBy=multi-user.target
 **/etc/subgid**
 
 ## SEE ALSO
-subgid(5), subuid(5), libpod.conf(5), systemd.unit(5)
+subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
 
 ## HISTORY
 October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 8b96ea6d9..828ae96a8 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -612,6 +612,12 @@ It will also set the default stop signal to SIGRTMIN+3.
 
 This allow systemd to run in a confined container without any modifications.
 
+Note: On `SELinux` systems, systemd attempts to write to the cgroup
+file system.  Containers writing to the cgroup file system are denied by default.
+The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system.
+
+`setsebool -P container_manage_cgroup true`
+
 **--tmpfs**=[] Create a tmpfs mount
 
 Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
@@ -1096,7 +1102,7 @@ WantedBy=multi-user.target
 **/etc/subgid**
 
 ## SEE ALSO
-subgid(5), subuid(5), libpod.conf(5), systemd.unit(5)
+subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
 
 ## HISTORY
 September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
diff --git a/troubleshooting.md b/troubleshooting.md
index d210d85df..3f66b56ef 100644
--- a/troubleshooting.md
+++ b/troubleshooting.md
@@ -173,3 +173,21 @@ cat ~/.config/containers/storage.conf
   [storage.options]
     mount_program = "/bin/fuse-overlayfs"
 ```
+
+### 8) Permission denied when running systemd within a Podman container
+
+When running systemd as PID 1 inside of a container on an SELinux
+separated machine, it needs to write to the cgroup file system.
+
+#### Symptom
+
+Systemd gets permission denied when attempting to write to the cgroup file
+system, and AVC messages start to show up in the audit.log file or journal on
+the system.
+
+#### Solution
+
+SELinux provides a boolean `container_manage_cgroup`, which allows container
+processes to write to the cgroup file system. Turn on this boolean, on SELinux separated systems, to allow systemd to run properly in the container.
+
+`setsebool -P container_manage_cgroup true`
-- 
cgit v1.2.3-54-g00ecf