Can't access file originating from `LoadCredentialEncrypted=` #411

eriksjolund · 2025-09-24T06:37:39Z

eriksjolund
Sep 24, 2025

I had to add the quadlet directive

SecurityLabelDisable=true

to be able to access a file that originated from LoadCredentialEncrypted= when using rootless podman.

Here is the quadlet:

[Container]
ContainerName=democontainer
Image=docker.io/library/alpine:latest
Exec=sh -c "ls -l /secretdir ; cat /secretdir/foo"
SecurityLabelDisable=true
Volume=%d:/secretdir
[Service]
LoadCredentialEncrypted=foo:/home/test/test.creds

For details, see

demo: using systemd-creds to store a secret as an unprivileged user podman#27144

The specifier %d is substituted with the credentials directory. (In my demo the credentials directory was /run/user/1013/credentials/demo.service)

For details about the specifier %d, see man page
https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers

I'm not sure if the SELinux rules should be relaxed to allow this?

Here is a quick analysis

$ cat /tmp/raw
type=AVC msg=audit(1758694064.025:2242): avc:  denied  { open } for  pid=19198 comm="cat" path="/secretdir/foo" dev="tmpfs" ino=207 scontext=system_u:system_r:container_t:s0:c224,c257 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1758694127.979:2243): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-creds@22-9-19294_19295-1013 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1758694127.996:2244): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-creds@22-9-19294_19295-1013 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

$ cat /tmp/raw | audit2allow 


#============= container_t ==============
allow container_t user_tmp_t:file open;
$

I can create a new issue in https://github.com/containers/container-selinux/issues
if you think this rule should be added to SELinux.

Side note:

There are discussions in

Add a new secrets driver with support for encryption using different encrypters podman#25118

about how Podman could support LoadCredentialEncrypted=

We could also wait with doing any changes until issue 25118 has been solved.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Can't access file originating from `LoadCredentialEncrypted=` #411

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Can't access file originating from LoadCredentialEncrypted= #411

Uh oh!

Uh oh!

eriksjolund Sep 24, 2025

Replies: 0 comments

Can't access file originating from `LoadCredentialEncrypted=` #411

eriksjolund
Sep 24, 2025