From 550f9b1f6f0311034fbc265257e196dfc9e52b61 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Thu, 7 Mar 2019 14:42:36 -0500
Subject: Add troubleshoot information about SELinux labeling of
 containers/storage

We have some bug reports about people moving containers storage to new
directories and this troubleshooter should help them fix this.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 troubleshooting.md | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/troubleshooting.md b/troubleshooting.md
index 24a1dc6cb..33434cdbb 100644
--- a/troubleshooting.md
+++ b/troubleshooting.md
@@ -254,3 +254,42 @@ grep johndoe /etc/subuid /etc/subgid
 /etc/subuid:johndoe:200000:1001
 /etc/subgid:johndoe:200000:1001
 ```
+
+### 11) Changing the location of the Graphroot leads to permission denied
+
+When I change the graphroot storage location in storage.conf, the next time I
+run podman I get an error like:
+
+```
+# podman run -p 5000:5000 -it centos bash
+
+bash: error while loading shared libraries: /lib64/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
+```
+
+For example, the admin sets up a spare disk to be mounted at `/src/containers`,
+and points storage.conf at this directory.
+
+
+#### Symptom
+
+SELinux blocks containers from using random locations for overlay storage.
+These directories need to be labeled with the same labels as if the content was
+under /var/lib/containers/storage.
+
+#### Solution
+
+Tell SELinux about the new containers storage by setting up an equivalence record.
+This tells SELinux to label content under the new path, as if it was stored
+under `/var/lib/containers/storage`.
+
+```
+semanage fcontext -a -e /var/lib/containers /srv/containers
+restorecon -R -v /src/containers
+```
+
+The semanage command above tells SELinux to setup the default labeling of
+`/srv/containers` to match `/var/lib/containers`.  The `restorecon` command
+tells SELinux to apply the labels to the actual content.
+
+Now all new content created in these directories will automatically be created
+with the correct label.
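Review bot: The example path is inconsistent within this hunk, which will mislabel a reader's storage directory if the two commands are copied verbatim: the narrative ("mounted at `/src/containers`") and `restorecon -R -v /src/containers` use `/src/containers`, while `semanage fcontext -a -e /var/lib/containers /srv/containers` and the closing explanation use `/srv/containers`. Use one path consistently in all four places, since `restorecon` must run against the same directory that the equivalence record was added for. Minor: the Symptom text says content must be labeled "as if under /var/lib/containers/storage" but the equivalence is set on `/var/lib/containers`; a clause noting that labeling the parent covers the `storage` subtree would keep the two statements from reading as a mismatch.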
-- 
cgit v1.2.3-54-g00ecf