cockpit-project / console.dot

Webconsole Cloud Service

Local podman container does not start due to SELinux violation #65

Open tiran opened 2 years ago

tiran commented 2 years ago

make run fails to run the test containers locally as a non-root user on my system (Fedora 36, podman 4.2.0). The containers are unable to open some files from their volume mounts:

$ podman pod logs webconsoleapp
27c97aa74d14 2022/10/11 10:15:58 [emerg] 1#1: open() "/etc/nginx/nginx.conf" failed (13: Permission denied)
27c97aa74d14 nginx: [emerg] open() "/etc/nginx/nginx.conf" failed (13: Permission denied)
5f6fece4a9e4 python3: can't open file '/usr/local/bin/multiplexer.py': [Errno 13] Permission denied

The problem seems to be caused by SELinux violations. The files have the wrong SELinux labels:

type=AVC msg=audit(1665483358.464:2468): avc:  denied  { read } for  pid=792821 comm="nginx" name="nginx.conf" dev="dm-3" ino=9177030 scontext=system_u:system_r:container_t:s0:c375,c920 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

type=AVC msg=audit(1665483358.584:2469): avc:  denied  { read } for  pid=792885 comm="python3" name="multiplexer.py" dev="dm-3" ino=9177035 scontext=system_u:system_r:container_t:s0:c375,c920 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

I tried to set the volume option SELinuxRelabel: true, but that doesn't fix the issue.

martinpitt commented 2 years ago

Right, that's a generic podman issue with using volumes. In an interactive podman run .. call one would use -v hostpath:containerpath:z to relabel the files on the host with container_file_t. podman-play-kube claims that it will give an SELinux shared label to hostPath volumes, but apparently that's broken for you? I'm afraid there's nothing explicit that we can do in console.dot about that -- you either need to run this as root (which works fine, I've done it a lot to work around this bug), or explicitly chcon the mounted paths.