Issue Description
I have a podman quadlet that worked just prior to a recent system update. After the update, a bind mounted volume is inaccessible if selinux is enable. If I run setenforce 0, the mount becomes accessible.
Steps to reproduce the issue
Steps to reproduce the issue
- Start the quadlet
systemctl --user start jellyfin.service
podman exec -it <id> bash
ls -l /jelly
Describe the results you received
The above results in permission denied.
If I disable selinux with setenforce 0 I get the expected directory listing.
Describe the results you expected
Expected a directory listing
podman info output
host:
arch: amd64
buildahVersion: 1.43.0
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.2.1-2.fc43.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.2.1, commit: '
cpuUtilization:
idlePercent: 96.55
systemPercent: 1.47
userPercent: 1.98
cpus: 4
databaseBackend: sqlite
distribution:
distribution: fedora
variant: workstation
version: "43"
emulatedArchitectures:
- linux/arm
- linux/arm64
- linux/arm64be
- linux/loong64
- linux/mips
- linux/mips64
- linux/ppc
- linux/ppc64
- linux/ppc64le
- linux/riscv32
- linux/riscv64
- linux/s390x
eventLogger: journald
freeLocks: 2045
hostname: tworker
idMappings:
gidmap:
- container_id: 0
host_id: 1001
size: 1
- container_id: 1
host_id: 589824
size: 65536
uidmap:
- container_id: 0
host_id: 1001
size: 1
- container_id: 1
host_id: 589824
size: 65536
kernel: 6.19.11-200.fc43.x86_64
linkmode: dynamic
logDriver: journald
memFree: 268099584
memTotal: 16523198464
networkBackend: netavark
networkBackendInfo:
backend: netavark
defaultNetwork: podman
dns:
package: aardvark-dns-1.17.0-1.fc43.x86_64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.17.0
package: netavark-1.17.2-1.fc43.x86_64
path: /usr/libexec/podman/netavark
version: netavark 1.17.2
ociRuntime:
name: crun
package: crun-1.27-1.fc43.x86_64
path: /usr/bin/crun
version: |-
crun version 1.27
commit: a718a92cc9a94955a5a550b6fdec1378c247ec50
rundir: /run/user/1001/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-0^20260120.g386b5f5-1.fc43.x86_64
version: |
pasta 0^20260120.g386b5f5-1.fc43.x86_64
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: /run/user/1001/podman/podman.sock
rootlessNetworkCmd: pasta
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.3.1-3.fc43.x86_64
version: |-
slirp4netns version 1.3.1
commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
libslirp: 4.9.1
SLIRP_CONFIG_VERSION_MAX: 6
libseccomp: 2.6.0
swapFree: 8588677120
swapTotal: 8589930496
uptime: 1h 20m 46.00s (Approximately 0.04 days)
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- registry.fedoraproject.org
- registry.access.redhat.com
- docker.io
store:
configFile: /home/jack/.config/containers/storage.conf
containerStore:
number: 1
paused: 0
running: 1
stopped: 0
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/jack/.local/share/containers/storage
graphRootAllocated: 510405902336
graphRootUsed: 34054492160
graphStatus:
Backing Filesystem: btrfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "false"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 16
runRoot: /run/user/1001/containers
transientStore: false
volumePath: /home/jack/.local/share/containers/storage/volumes
version:
APIVersion: 5.8.1
BuildOrigin: Fedora Project
Built: 1773187200
BuiltTime: Tue Mar 10 18:00:00 2026
GitCommit: c6077f645788743258a1a749f8005b4fb3cbe533
GoVersion: go1.25.7 X:nodwarf5
Os: linux
OsArch: linux/amd64
Version: 5.8.1
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Distro: Fedora 43
Additional information
Here is the quadlet I'm using. This quadlet worked prior to a system update I performed today.
I've also tried adding 'Z' and 'z' to the Volume options. None work.
/jellyfin is an NFS mounted filesystem
[Unit]
Description="Jellyfin media server"
[Container]
AddDevice=/dev/dri:/dev/dri
AutoUpdate=registry
ContainerName=jellyfin
Image=docker.io/jellyfin/jellyfin:latest
Network=slirp4netns:port_handler=slirp4netns
PublishPort=8096:8096/tcp
UserNS=keep-id
Volume=jellyfin-config.volume:/config
Volume=jellyfin-cache.volume:/cache
Volume=/jellyfin:/jelly:ro,slave
Issue Description
I have a podman quadlet that worked just prior to a recent system update. After the update, a bind mounted volume is inaccessible if selinux is enable. If I run
setenforce 0, the mount becomes accessible.Steps to reproduce the issue
Steps to reproduce the issue
systemctl --user start jellyfin.servicepodman exec -it <id> bashls -l /jellyDescribe the results you received
The above results in permission denied.
If I disable selinux with
setenforce 0I get the expected directory listing.Describe the results you expected
Expected a directory listing
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Distro: Fedora 43
Additional information
Here is the quadlet I'm using. This quadlet worked prior to a system update I performed today.
I've also tried adding 'Z' and 'z' to the Volume options. None work.
/jellyfinis an NFS mounted filesystem