SELinux permissions with Podman containers #220
Description
Running on Fedora 43, I get permissions errors for qlever CLI commands that read or write from a podman container to the host filesystem.
For example, for a qlever index command, the output is:
2025-11-14 10:08:09.999 - INFO: QLever Server, compiled on Wed Nov 12 15:33:30 UTC 2025 using git hash 8c99fe 2025-11-14 10:08:10.000 - INFO: Initializing server ... 2025-11-14 10:08:10.000 - ERROR: Could not open file "etree.meta-data.json" for reading. Possible causes: The file does not exist or the permissions are insufficient. The absolute path is "/index/etree.meta-data.json".
These errors can be resolved by modifying the docker commands generated to include :z or :Z in the volume argument.
For example (:Z added to the volume argument):
podman run -d --restart=unless-stopped -u root -v /etc/localtime:/etc/localtime:ro -v $(pwd):/index:Z -p 7019:7019 -w /index --name qlever.server.etree --init --entrypoint bash docker.io/adfreiburg/qlever:latest -c 'ServerMain -i etree -j 8 -p 7019 -m 5G -c 2G -e 1G -k 200 -s 30s -a etree_7643543846_6mZZQhEQ1yXj > etree.server-log.txt 2>&1'
If there is something different I should be doing with the SELinux roles, it'd be helpful to have good practice guidance, but it may just be that the :Z switch could usefully be added here on RedHat-based systems