Distrobox SELinux OCI permission error

Distrobox stopped working a few days ago (worked on 2025-05-27) and I think it’s due to an issue with Podman. Running podman with a specific command yields the same problem:

# with distrobox: Error: unable to start container "...": crun: mkdir `/sys/fs/selinux`: Permission denied: OCI permission denied
Error: crun: mkdir `/sys/fs/selinux`: Permission denied: OCI permission denied

A simplified command which has the same effect:

podman run --rm -v /sys/fs/selinux --entrypoint /bin/bash -it debian:latest

Possibly due to podman running as rootless?

Podman can run rootless containers and be a drop-in replacement for Docker.
Podman - NixOS Wiki

Yes it always ran as rootless, but I don’t see how it could become an issue now since it worked before.


Same issue. I’m using unstable channel.


The issue does not appear for new containers created with Distrobox because it does not try to mount the volume /sys/fs/selinux since the folder on the host does not exist (??? I don’t get it). By the way, I’m on stable channel.


I just booted into the older generation where the problem is not present, and I can confirm that the folder /sys/fs/selinux exists, so the problem is that in newer generations for some reason it disappeared, even though I did not touch any SELinux settings (never used it). The only solution I can think of is recreating the container without this folder, so Distrobox does not try to mount that volume. I also tried --security-opt unmask=ALL but it did not work.

I recreated the container and it is fixed. Thank you.

Same issue with distrobox and docker.

Bisected it to this PR: nixos/security: add landlock, yama, and bpf defaults by RossComputerGuy · Pull Request #407748 · NixOS/nixpkgs · GitHub. Maybe @RossComputerGuy can help.


Yeah so there’s a few solutions:

  1. The WIP NixOS module for SELinux and enabling it
  2. Throwing in selinux to security.lsm
  3. Disable SELinux in Distrobox

I don’t recommend the first one due to it being very WIP and shouldn’t be used yet. The other two are the best possible. Though I recommend disabling SELinux in Distrobox because we don’t support SELinux without the SELinux NixOS module that isn’t ready yet.


How can I disable SELinux in distrobox?


I’m not sure, I’m not familiar with Distrobox.

I set security.lsm = lib.mkForce [ ]; to restore the previous default value.

Also this should be fixed in nixpkgs, not in individual users’ configurations for those who happen to come across this thread.

Created an issue in the nixpkgs issue tracker, distrobox: issue with selinux · Issue #414135 · NixOS/nixpkgs · GitHub, linking to this post.


I don’t think you can. When you first create the container with distrobox, it checks whether the folder /sys/fs/selinux exists and if it does it adds the volume /sys/fs/selinux. As far as I know you can’t change existing containers’ volumes, so you are forced to create it from scratch. Since the folder does not exist anymore, distrobox will not try to mount that volume on new containers. That’s what I’ve personally done but you could try the other solutions proposed here.
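Added example, not code from this thread, from Distrobox or from Podman: a small POSIX shell diagnostic that reproduces the check described above (the bind of /sys/fs/selinux is only added when that directory exists on the host at creation time) so you can tell, before starting an existing container, whether it is in the failing state. The `podman inspect` template in the comment is my assumption about how to list a container's mount destinations; the demo runs entirely on constructed directories and files and needs no podman.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, Distrobox or Podman).
# A container created while the host had /sys/fs/selinux gets that path bound
# in; started on a generation without the directory it fails with
# "crun: mkdir `/sys/fs/selinux`: Permission denied". This script classifies
# a container against a sysfs root so the failure is predictable.

# host_has_selinux_dir [SYSFS_ROOT]
# Exit 0 if SYSFS_ROOT/fs/selinux is a directory (default root: /sys).
host_has_selinux_dir() {
  [ -d "${1:-/sys}/fs/selinux" ]
}

# container_binds_selinux DEST_LIST
# DEST_LIST is a file with one mount destination per line. On a real system
# produce it with (assumed podman inspect template, not from the thread):
#   podman inspect --format '{{range .Mounts}}{{.Destination}}{{"\n"}}{{end}}' NAME
# Exit 0 if /sys/fs/selinux is among the destinations.
container_binds_selinux() {
  grep -qx '/sys/fs/selinux' "$1"
}

# classify DEST_LIST [SYSFS_ROOT]
# Prints exactly one of:
#   will-fail   container binds /sys/fs/selinux, host has no such directory
#   ok-bind     container binds it and the host still has it
#   ok-no-bind  container was created without the bind (e.g. recreated later)
classify() {
  if container_binds_selinux "$1"; then
    if host_has_selinux_dir "$2"; then
      echo ok-bind
    else
      echo will-fail
    fi
  else
    echo ok-no-bind
  fi
}

# Self-contained demo on constructed data (no podman, no real /sys needed).
demo() {
  work=$(mktemp -d)
  # Fake sysfs roots: the old generation has the SELinux directory, the new one does not.
  mkdir -p "$work/sys_old/fs/selinux" "$work/sys_new/fs"
  # Constructed destination lists in the shape podman inspect would print.
  printf '/home/user\n/sys/fs/selinux\n/dev/pts\n' > "$work/old_container"
  printf '/home/user\n/dev/pts\n' > "$work/new_container"

  echo "old container, old generation:   $(classify "$work/old_container" "$work/sys_old")"
  echo "old container, new generation:   $(classify "$work/old_container" "$work/sys_new")"
  echo "recreated container, new gen:    $(classify "$work/new_container" "$work/sys_new")"
  rm -rf "$work"
}

demo
```

Running `classify` with a real destination list and no second argument checks the live host (`/sys`); a `will-fail` verdict is the situation in this thread, and the fixes discussed (recreating the container, or restoring the previous `security.lsm` value so the directory reappears) both turn it into one of the `ok-` states.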

Yes it does, but maybe it’s something to consider for distrobox to change. See the discrepancy between the distrobox workaround and the coretoolbox/toolbx workaround for the same podman bug:

Maybe they are all functionally equivalent though, I am not very informed on container runtime internals… I think it makes sense to ask upstream to make it --tmpfs /sys/fs/selinux or similar.

I can confirm the supplied workaround has allowed me back into my existing distroboxes. Thank you! A full system restart was required for it to work.

{ config, pkgs, lib, ... }:
{
  # ...
  security.lsm = lib.mkForce [ ];
  # ...
}

This also worked for me.

Thank you so much! This line is the exact line I needed to make distrobox work again. I almost thought I needed to recreate the containers from scratch. Thanks again!