In order to use nx-gzip on Power Systems with a non-privileged container, use the following recipe:
On each of the nodes, create the SELinux CIL module power-nx-gzip.cil:
(block nx
(blockinherit container)
(allow process container_file_t ( chr_file ( map )))
)
Install the CIL on each worker node (udica's base container template is loaded alongside it):
sudo semodule -i power-nx-gzip.cil /usr/share/udica/templates/base_container.cil
I ran the following:
podman run -it --security-opt label=type:nx.process --device=/dev/crypto/nx-gzip registry.access.redhat.com/ubi9/ubi@sha256:a1804302f6f53e04cc1c6b20bc2204d5c9ae6e5a664174b38fbeeb30f7983d4e sh
I copied the files into the container using the container ID:
podman ps
podman cp temp 6a4d967f3b6b:/tmp
podman cp gzfht_test 6a4d967f3b6b:/tmp
Then running in the container:
sh-5.1# cd /tmp
sh-5.1# ./gzfht_test temp
file temp read, 1048576 bytes
compressed 1048576 to 1105922 bytes total, crc32 checksum = 3c56f054
You can use ausearch -m avc -ts recent | audit2allow to track down any missing permissions.
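As an added illustration (not part of the original post), the script below does what audit2allow does for this recipe in miniature: it parses AVC denial records and renders them as a CIL block in the same shape as power-nx-gzip.cil above. The audit lines are constructed samples, not output captured from a real system, and the block name and type names are assumptions taken from the recipe.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not captured from a real host): two map
# denials on the nx-gzip device from separate runs plus an unrelated SYSCALL
# record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { map } for  pid=4242 comm="gzfht_test" path="/dev/crypto/nx-gzip" dev="devtmpfs" ino=321 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c0000015 syscall=9 success=no exit=-13 comm="gzfht_test"
type=AVC msg=audit(1700000000.555:202): avc:  denied  { map } for  pid=4243 comm="gzfht_test" path="/dev/crypto/nx-gzip" dev="devtmpfs" ino=321 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=chr_file permissive=0
"""

# Pull the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context: str) -> str:
    """Return the type field (third component) of user:role:type[:range]."""
    return context.split(":")[2]


def parse_denials(audit_text: str) -> dict:
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_cil_block(block_name: str, rules: dict) -> str:
    """Render grouped denials as a CIL block inheriting udica's container template.
    Inside such a block `process` resolves to <block>.process, the domain the
    container runs in; denials from the default container_t or from the block's
    own domain are therefore written against `process`, as in power-nx-gzip.cil."""
    own_domains = {"container_t", f"{block_name}.process"}
    lines = [f"(block {block_name}", "(blockinherit container)"]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        src = "process" if stype in own_domains else stype
        lines.append(f"(allow {src} {ttype} ({tclass} ({' '.join(sorted(perms))})))")
    lines.append(")")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_cil_block("nx", parse_denials(SAMPLE_AUDIT)))
```

Duplicate denials collapse into one allow rule, so a repeated test run produces the same three-line block; a denial against a different class or target type would add a further allow line for review rather than being merged silently.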
Hope this helps you…