I can't seem to get containers (running podman) to be able to write to directories when running as a standard user. This solution also did not work. To be clear, I can read files from these directories, I just can't write to or create them.
z, Z on the volume does not seem to make it work. I have gotten it to work with root using chcon, but I have tried adding new policy modules, permissive scopes, permissive mode, etc.
I think it is some sort of permissions error. The folder in the container (in the naive case at least) seems to be owned by root and has "group" nogroup. I don't know if that is standard or not.
I have tried chowning (like here) the directory to the container user ID and/or group ID (in which case it can be owned by nobody and nogroup), which does not work. I have also logged into the container with the host user+group ID (it recognized my username in the bash terminal) -- no difference. Also some combination of these with chowning the folder to different users/groups such as the host user/group, container user/group, root user/group (a bit ambiguous container/host root), etc.
Here are some sample outputs from ls -lnZ from in and outside the container on a few test files (note I changed the user IDs except for 65534, as apparently this is a special ID reserved for nobody). The ID of the host user is 9876 and the ID of the container user is 1234. I checked with id -u to ensure the actual user IDs corresponded to these. Small note: in this case the host group ID is different, so let's say 5432, while the group ID of the container user would be 1234.
test5:
- container:
      drwxr-xr-x. 2 0 65534 system_u:object_r:container_file_t:s0 4096 Nov 7 23:50 test
- host:
      drwxr-xr-x. 2 9876 9876 system_u:object_r:container_file_t:s0 4096 Nov 7 18:50 test5

test4:
- container:
      drwxr-xr-x. 2 0 65534 system_u:object_r:container_file_t:s0 4096 Nov 8 02:59 test
- host:
      drwxr-xr-x. 2 9876 1234 system_u:object_r:container_file_t:s0 4096 Nov 7 21:59 test4

test3:
- container:
      drwxr-xr-x. 2 0 65534 system_u:object_r:container_file_t:s0 4096 Nov 7 21:40 test
- host before:
      drwxr-xr-x. 2 9876 1234 system_u:object_r:container_file_t:s0:c1022,c1023 4096 Nov 7 16:40 test3
- host after:
      drwxr-xr-x. 2 9876 1234 system_u:object_r:container_file_t:s0 4096 Nov 7 16:40 test3

If I fix the group ID for test5, it still does not work:

test5 (again):
- container:
      drwxr-xr-x. 2 0 0 system_u:object_r:container_file_t:s0 4096 Nov 7 23:50 test
- host:
      drwxr-xr-x. 2 9876 5432 system_u:object_r:container_file_t:s0 4096 Nov 7 18:50 test5
What problem might I be having writing/creating files in mounted volumes in a container as a standard user, and how can I make the standard user create/write files in mounted directories properly without resorting to very insecure solutions?
ls -ln for (some of) the affected files and/or directories and say whether this is from inside or outside the container. Also identify the UID (number) for the container process/owner (id -u).
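The "0 65534" owner:group seen from inside the container is what a rootless user namespace produces: the host user's own UID (9876 in the question) maps to container UID 0, UIDs from the user's /etc/subuid range map to container UIDs 1 and up, and every other host UID/GID shows up as 65534 (nobody/nogroup). The following is an added example, not part of the question or any answer; it computes that mapping with a constructed subuid entry (the 100000:65536 range is an assumption, not taken from the post) so you can see which host ownership the container user 1234 actually needs.

```shell
#!/bin/sh
# Constructed sample: host user UID 9876 (from the question) with an ASSUMED
# /etc/subuid entry of "hostuser:100000:65536". Check your own with
# `grep "^$(id -un):" /etc/subuid /etc/subgid` (gid mapping works the same way).
HOST_UID=9876
SUBUID_LINE="hostuser:100000:65536"

# Host UID that a given container UID is backed by under rootless podman:
# container 0 -> the host user itself; container 1..count -> start+uid-1.
host_uid_for() {            # $1 = subuid line, $2 = container uid
  start=$(printf '%s' "$1" | cut -d: -f2)
  count=$(printf '%s' "$1" | cut -d: -f3)
  cuid=$2
  if [ "$cuid" -eq 0 ]; then
    echo "$HOST_UID"
  elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
    echo $((start + cuid - 1))
  else
    echo "unmapped"
  fi
}

# Container UID that a host file owner appears as from inside the container.
# Anything outside the mapping is squashed to 65534, which is why the host
# group 9876/1234/5432 shows as "65534" in the question's ls -lnZ output.
container_uid_for() {       # $1 = subuid line, $2 = host uid
  start=$(printf '%s' "$1" | cut -d: -f2)
  count=$(printf '%s' "$1" | cut -d: -f3)
  end=$((start + count - 1))
  huid=$2
  if [ "$huid" -eq "$HOST_UID" ]; then
    echo 0
  elif [ "$huid" -ge "$start" ] && [ "$huid" -le "$end" ]; then
    echo $((huid - start + 1))
  else
    echo 65534
  fi
}

# Ownership the host directory needs so that container UID 1234 owns it.
# `podman unshare chown 1234:1234 ./test5` performs exactly this chown from
# inside the user namespace, without needing root on the host.
target=$(host_uid_for "$SUBUID_LINE" 1234)
echo "host-side owner for container uid 1234: $target  (podman unshare chown 1234:1234 ./test5)"
echo "host uid 9876 is seen in the container as uid $(container_uid_for "$SUBUID_LINE" 9876)"
echo "host gid 5432 is seen in the container as gid $(container_uid_for "$SUBUID_LINE" 5432)"
```

The alternative that avoids touching ownership is `podman run --userns=keep-id ...`, which maps your host UID to the same UID inside the container so files owned by 9876 on the host are owned by 9876 inside it as well; the `:Z` label only fixes the SELinux side, never this UID squashing.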