SELinux policy for a directory accessed by both a system service and container

Hi!

I have a directory, /var/log/smartd, where smartd writes logfiles about failing hard drives (through a script running with the fsdaemon_t context).

I also want to access this directory using home assistant running in a podman container. Mounting it in podman with the :z flag marks it as container_t, meaning smartd can’t write to the directory.

I have temporarily made smartd unconfined, which works, but isn’t very pretty. Is there a better solution? Can I somehow mark a directory as not audited? Can I allow fsdaemon_t access to container_t?

I am not very knowledgeable about selinux, but since this is a multi-user system I don’t want to turn it off.

So:

I have a conflict. smartd running with fsdaemon_t wants to write to /var/log/smartd. That directory is mounted in a podman container and is relabeled container_t, preventing smartd from writing to it. Can I somehow allow smartd to write to it, despite podman relabeling it container_t?

Best regards
Linus

If home assistant only needs read access, would it be enough to use a volume mount with just :ro?

If that does not work, then I guess from the podman-run docs in the Labeling Volume Mounts section the last note applies:

Note: Do not relabel system files and directories. Relabeling system content might cause other confined services on the machine to fail. For these types of containers we recommend disabling SELinux separation. The option --security-opt label=disable disables SELinux separation for the container.

This way, home assistant is not confined by selinux, but still kept in the podman sandbox, while smartd running directly on the host is confined.
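An added shell helper, not from the thread or from podman, that encodes the advice above: it flags any `-v` spec whose `:z`/`:Z` would relabel a host directory under a system tree such as /var/log to container_t, strips that relabel option, and emits `--security-opt label=disable` for the container instead. The list of system prefixes, the function names and the `homeassistant` image name are assumptions.

```shell
# Added example, a hypothetical helper that is not part of podman or this thread:
# checks "-v HOST:CTR[:OPTS]" specs for the pitfall above, where :z/:Z relabels
# a host directory that a confined host service (here smartd) still writes to.

# Host trees owned by confined host services (constructed list, extend as needed).
SYSTEM_PREFIXES="/var/log /var/lib /etc /usr /run"

# is_system_path PATH -> 0 if PATH equals or lies under a SYSTEM_PREFIXES entry
is_system_path() {
    for prefix in $SYSTEM_PREFIXES; do
        case "$1" in "$prefix"|"$prefix"/*) return 0 ;; esac
    done
    return 1
}

# spec_opts SPEC -> prints the OPTS part of HOST:CTR[:OPTS], empty if absent
spec_opts() {
    rest=${1#*:}
    case "$rest" in *:*) printf '%s\n' "${rest#*:}" ;; *) printf '\n' ;; esac
}

# needs_label_disable SPEC -> 0 if SPEC would relabel a system path to container_t
needs_label_disable() {
    case ",$(spec_opts "$1")," in
        *,z,*|*,Z,*) is_system_path "${1%%:*}" ;;
        *) return 1 ;;
    esac
}

# safe_volume_spec SPEC -> prints SPEC with z/Z dropped when it would relabel a
# system path; the caller then uses --security-opt label=disable instead
safe_volume_spec() {
    if ! needs_label_disable "$1"; then printf '%s\n' "$1"; return 0; fi
    rest=${1#*:}; ctr=${rest%%:*}
    kept=$(spec_opts "$1" | tr ',' '\n' | grep -v -x -e z -e Z | paste -s -d , -)
    printf '%s\n' "${1%%:*}:${ctr}${kept:+:$kept}"
}

# podman_run_args IMAGE SPEC... -> prints the podman run command line to use
podman_run_args() {
    image=$1; shift
    disable=1; args=""
    for s in "$@"; do
        needs_label_disable "$s" && disable=0
        args="${args:+$args }-v $(safe_volume_spec "$s")"
    done
    [ "$disable" -eq 0 ] && args="--security-opt label=disable $args"
    printf 'podman run %s %s\n' "$args" "$image"
}
```

Running `podman_run_args homeassistant /var/log/smartd:/var/log/smartd:ro,z` prints a command with `--security-opt label=disable` and the mount reduced to `:ro`, so the host directory keeps its label and smartd (fsdaemon_t) can still write to it.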