
[Documentation]: Add SELinux configuration for Podman socket access on Fedora/RHEL #45

@0x1f6


Component

Agent

Description

Environment

OS: Fedora 42 (also affects RHEL/CentOS/Rocky Linux)
SELinux: Enforcing
Podman: Running as root with socket enabled
beszel-agent: 0.12.12

Issue

When running beszel-agent on a system with SELinux enforcing, the agent cannot access the Podman socket and fails with:
Containers err="Get \"http://localhost/containers/json\": dial unix /run/podman/podman.sock: connect: permission denied"

Root Cause

SELinux blocks the connection because the container runs in the container_t context, while the Podman socket requires container_runtime_t context. This is visible in audit logs:

sudo ausearch -m avc -ts recent | grep podman
# Shows: avc: denied { connectto } for comm="agent" path="/run/podman/podman.sock" 
# scontext=system_u:system_r:container_t:s0 tcontext=system_u:system_r:container_runtime_t:s0

Solution

Explicitly define the SELinux context by adding security_opt to the compose configuration:

beszel-agent:
  image: henrygd/beszel-agent
  container_name: beszel-agent
  restart: always
  network_mode: host
  security_opt:
    - label=type:container_runtime_t  # Required for SELinux
  volumes:
    - /run/podman/podman.sock:/run/podman/podman.sock:ro
    - ./beszel_agent_data:/var/lib/beszel-agent:Z
  environment:
    DOCKER_HOST: unix:///run/podman/podman.sock

Note: No :Z label for the podman.sock mount because we use security_opt explicitly.

Expected Behavior

This could be mentioned in the documentation. Also, for running podman as root, the socket path is /run/podman/podman.sock.

Steps to Reproduce

sudo systemctl start podman.socket (not persistent) or sudo systemctl enable --now podman.socket (persistent)

beszel-agent:
  image: henrygd/beszel-agent
  container_name: beszel-agent
  restart: always
  network_mode: host
  volumes:
    - /run/podman/podman.sock:/run/podman/podman.sock:ro,Z
    - ./beszel_agent_data:/var/lib/beszel-agent:Z
  environment:
    DOCKER_HOST: unix:///run/podman/podman.sock

Category

Charts & Visualization

Affected Metrics

Containers

OS / Architecture

Fedora 42 (also affects RHEL/CentOS/Rocky Linux)

Beszel version

0.12.12

Installation method

Docker

Configuration

beszel-agent:
  image: henrygd/beszel-agent
  container_name: beszel-agent
  restart: always
  network_mode: host
  security_opt:
    - label=type:container_runtime_t  # Required for SELinux
  volumes:
    - /run/podman/podman.sock:/run/podman/podman.sock:ro
    - ./beszel_agent_data:/var/lib/beszel-agent:Z
  environment:
    DOCKER_HOST: unix:///run/podman/podman.sock

Hub Logs

Agent Logs

Containers err="Get \"http://localhost/containers/json\": dial unix /run/podman/podman.sock: connect: permission denied"
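As an added example (not part of the issue above and not code from the Beszel project), the following POSIX shell script classifies AVC denial records of the kind ausearch prints. It extracts the denied permission, the process name, the source and target SELinux types and the object class, and flags the specific case described in this issue: a connectto from container_t to a socket labelled container_runtime_t. The two audit lines embedded in SAMPLE_AVC are constructed for the example (the first mirrors the denial quoted in the issue, with a pid and tclass field added); the function names ctx_type, classify_avc and avc_report are my own. Pass a file of audit records as the first argument to run it against real output, e.g. the result of `sudo ausearch -m avc -ts recent > avc.log`.

```shell
#!/bin/sh
# Added example: parse SELinux AVC denials and report whether they match the
# container_t -> container_runtime_t "connectto" case from the issue.

# Constructed sample audit records (not real captures). The first one mirrors
# the denial quoted in the issue; the second is an unrelated directory read.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { connectto } for  pid=1234 comm="agent" path="/run/podman/podman.sock" scontext=system_u:system_r:container_t:s0 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000001.456:789): avc:  denied  { read } for  pid=2345 comm="agent" name="data" dev="dm-0" ino=42 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0'

# Return the SELinux type, the third colon-separated field of a context
# string (user:role:type:level[:categories]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read audit records on stdin and print one line per AVC denial:
#   <perm> <comm> <source type> <target type> <tclass> <verdict>
# The verdict is "socket-label" when the record is the container_t ->
# container_runtime_t connectto denial that the security_opt label in the
# issue addresses, and "other" for anything else.
classify_avc() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:"*"denied"*) ;;
            *) continue ;;
        esac
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([^ }]*\) *}.*/\1/p')
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        stype=$(ctx_type "$sctx")
        ttype=$(ctx_type "$tctx")
        verdict=other
        if [ "$perm" = connectto ] && [ "$stype" = container_t ] \
            && [ "$ttype" = container_runtime_t ]; then
            verdict=socket-label
        fi
        printf '%s %s %s %s %s %s\n' "$perm" "$comm" "$stype" "$ttype" "$tclass" "$verdict"
    done
}

# Run the classifier over a file of audit records if one is given and
# readable, otherwise over the embedded constructed sample.
avc_report() {
    if [ -n "$1" ] && [ -r "$1" ]; then
        classify_avc < "$1"
    else
        printf '%s\n' "$SAMPLE_AVC" | classify_avc
    fi
}

avc_report "$@"
```

A "socket-label" verdict confirms that the denial is the one the issue describes and that relabelling the container with security_opt (rather than adding a :Z to the socket mount) is the relevant fix; an "other" verdict means a different policy rule is involved and the audit record needs separate investigation.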

Metadata

Labels

documentation: Improvements or additions to documentation
