From 1dd7bd0d0f6b581f26642e61e05984fe7eee5a7f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 5 Feb 2019 10:04:44 -0800
Subject: Add documentation on running systemd on SELinux systems

Lots of users are attempting to run systemd within a container.  They are
being blocked from running SELinux systems since they need the
container_manage_cgroup which is not enabled by default.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 docs/podman-create.1.md | 8 +++++++-
 docs/podman-run.1.md    | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

(limited to 'docs')

diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 178542f0d..98b1a2a17 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -610,6 +610,12 @@ It will also set the default stop signal to SIGRTMIN+3.
 
 This allow systemd to run in a confined container without any modifications.
 
+Note: On `SELinux` systems, systemd attempts to write to the cgroup
+file system.  Containers writing to the cgroup file system are denied by default.
+The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system.
+
+`setsebool -P container_manage_cgroup true`
+
 **--tmpfs**=[] Create a tmpfs mount
 
 Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
@@ -804,7 +810,7 @@ WantedBy=multi-user.target
 **/etc/subgid**
 
 ## SEE ALSO
-subgid(5), subuid(5), libpod.conf(5), systemd.unit(5)
+subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
 
 ## HISTORY
 October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 8b96ea6d9..828ae96a8 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -612,6 +612,12 @@ It will also set the default stop signal to SIGRTMIN+3.
 
 This allow systemd to run in a confined container without any modifications.
 
+Note: On `SELinux` systems, systemd attempts to write to the cgroup
+file system.  Containers writing to the cgroup file system are denied by default.
+The `container_manage_cgroup` boolean must be enabled for this to be allowed on an SELinux separated system.
+
+`setsebool -P container_manage_cgroup true`
+
 **--tmpfs**=[] Create a tmpfs mount
 
 Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
@@ -1096,7 +1102,7 @@ WantedBy=multi-user.target
 **/etc/subgid**
 
 ## SEE ALSO
-subgid(5), subuid(5), libpod.conf(5), systemd.unit(5)
+subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
 
 ## HISTORY
 September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
-- 
cgit v1.2.3-54-g00ecf