This issue was moved to a discussion.

Error: /usr/bin/slirp4netns failed: "open(\"/dev/net/tun\"): Permission denied #19908

Closed
open-antux opened this issue Sep 9, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@open-antux

open-antux commented Sep 9, 2023

Issue Description

When I'm trying to run a rootless container with podman I receive this error:

Error: /usr/bin/slirp4netns failed: "open(\"/dev/net/tun\"): Permission denied\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n"

The TUN and fuse module are correctly loaded as you can see here:

[root@autoapi ~]# lsmod | grep -e ^tun -e ^fuse
tun                     4242  -2
fuse                    4242  -2
[root@autoapi ~]# ls -la /dev/net/tun 
crw-rw-rw- 1 root root 10, 200 Sep  9 14:34 /dev/net/tun
[root@autoapi ~]# ls -la /dev/fuse  
crw-rw-rw- 1 root root 10, 229 Sep  9 14:34 /dev/fuse

Steps to reproduce the issue

1. podman run hello-world

Describe the results you received

When I'm trying to run a rootless container I receive the error:

Error: /usr/bin/slirp4netns failed: "open(\"/dev/net/tun\"): Permission denied\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n"

This issue doesn't reproduce when I try it using root:

[root@autoapi ~]# podman run hello-world
WARN[0000] Ignoring global metacopy option, not supported with booted kernel 4.18.0 #1 SMP Thu Dec 15 20:31:06 MSK 2022 
!... Hello Podman World ...!

         .--"--.           
       / -     - \         
      / (O)   (O) \        
   ~~~| -=(,Y,)=- |         
    .---. /`  \   |~~      
 ~/  o  o \~~~~.----. ~~   
  | =(X)= |~  / (O (O) \   
   ~~~~~~~  ~| =(Y_)=-  |   
  ~~~~    ~~~|   U      |~~ 

Project:   https://github.com/containers/podman
Website:   https://podman.io
Documents: https://docs.podman.io
Twitter:   @Podman_io

Describe the results you expected

I'm expecting this output when I run the container in rootless mode:

!... Hello Podman World ...!

         .--"--.           
       / -     - \         
      / (O)   (O) \        
   ~~~| -=(,Y,)=- |         
    .---. /`  \   |~~      
 ~/  o  o \~~~~.----. ~~   
  | =(X)= |~  / (O (O) \   
   ~~~~~~~  ~| =(Y_)=-  |   
  ~~~~    ~~~|   U      |~~ 

Project:   https://github.com/containers/podman
Website:   https://podman.io
Documents: https://docs.podman.io
Twitter:   @Podman_io

podman info output

ag23724@autoapi:~$ podman --version
podman version 4.4.1
ag23724@autoapi:~$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.1.6-1.module_el8.8.0+3470+252b1910.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: 21c43a36b2ccb9799dfab0e8428837fca920fb45'
  cpuUtilization:
    idlePercent: 94.82
    systemPercent: 0.6
    userPercent: 4.58
  cpus: 6
  distribution:
    distribution: '"almalinux"'
    version: "8.5"
  eventLogger: file
  hostname: autoapi.servereasy.it
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 100
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 4.18.0
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 13225619456
  memTotal: 17179869184
  networkBackend: cni
  ociRuntime:
    name: runc
    package: runc-1.1.4-1.module_el8.7.0+3407+95aa0ca9.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.4
      spec: 1.0.2-dev
      go: go1.18.9
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_SYS_CHROOT,CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-2.module_el8.7.0+3407+95aa0ca9.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 268435456
  swapTotal: 268435456
  uptime: 0h 8m 14.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /home/antonio/.config/containers/storage.conf
  containerStore:
    number: 9
    paused: 0
    running: 0
    stopped: 9
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/antonio/.local/share/containers/storage
  graphRootAllocated: 94983856128
  graphRootUsed: 19813425152
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/antonio/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.1
  Built: 1688126783
  BuiltTime: Fri Jun 30 14:06:23 2023
  GitCommit: ""
  GoVersion: go1.19.10
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.1
ag23724@autoapi:~$ rpm -q podman
podman-4.4.1-14.module_el8.8.0+3573+7ff2a686.x86_64

Podman in a container

Yes

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

The Linux machine is a containerized one under OpenVZ.

Additional information

No response

@open-antux open-antux added the kind/bug Categorizes issue or PR as related to a bug. label Sep 9, 2023
@giuseppe
Member

is /dev/net/tun usable for your user?

Can you share ls -lZ /dev/net/tun? Could you temporarily disable selinux with setenforce 0 and try the command again?

@open-antux
Author

Actually, it seems that a normal user can't use /dev/net/tun:

ag23724@autoapi:~$ ls /dev/net/tun
ls: cannot access '/dev/net/tun': Permission denied
ag23724@autoapi:~$ setenforce 0
setenforce: SELinux is disabled
ag23724@autoapi:~$ podman run hello-world
Error: /usr/bin/slirp4netns failed: "open(\"/dev/net/tun\"): Permission denied\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n"
ag23724@autoapi:~$ sudo ls -lZ /dev/net/tun
crw-rw-rw- 1 root root ? 10, 200  9 Sep 14.34 /dev/net/tun

@Luap99
Member

Luap99 commented Sep 11, 2023

What are the permissions on /dev/net?

Anyway, since this does not seem to be a podman bug but rather something with your environment, I will convert this to a discussion.
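Editor's note on the diagnosis above, with an added script that is not part of the issue and not podman or slirp4netns code. In rootless mode slirp4netns runs as the unprivileged user and needs to open /dev/net/tun read/write, so the 0666 mode shown via sudo is necessary but not sufficient. The user's own `ls /dev/net/tun` fails with "Permission denied" at stat() time, and stat() on a world-readable device cannot fail that way because of the device's own bits; it fails because a directory on the path (here /dev/net, which Luap99 asks about) lacks search permission for that user, or because something outside plain mode bits (SELinux, an ACL, or the OpenVZ host's device policy) denies it. The script below walks the path as the current user, names the first component whose owner/group/other bits deny access, and compares that with the kernel's real access(2) answer so the two cases can be told apart. It assumes GNU coreutils `stat -c` and Linux `id`; the function names and sample mode strings are my own.

```sh
#!/bin/sh
# Added diagnostic for "open(/dev/net/tun): Permission denied" in rootless
# podman. Assumes GNU `stat -c` and Linux `id` (not from the issue).
# It models owner/group/other mode bits only: root's CAP_DAC_OVERRIDE,
# SELinux labels, POSIX ACLs and OpenVZ/device-cgroup filtering are not
# modelled, which is why diagnose() also asks the kernel via [ -r ]/[ -w ].

# perm_allows USER "GROUPS" OWNER GROUP MODE NEED
#   MODE is the 10-char string from `ls -l` / `stat -c %A`; NEED is a
#   subset of r, w, x. Exit 0 only if every needed bit is granted to USER.
perm_allows() (
    user=$1 groups=$2 owner=$3 group=$4 mode=$5 need=$6
    # choose the triplet that applies to USER: owner, group, or other
    if [ "$user" = "$owner" ]; then
        triplet=$(printf '%s' "$mode" | cut -c2-4)
    else
        case " $groups " in
            *" $group "*) triplet=$(printf '%s' "$mode" | cut -c5-7) ;;
            *)            triplet=$(printf '%s' "$mode" | cut -c8-10) ;;
        esac
    fi
    for bit in $(printf '%s' "$need" | sed 's/./& /g'); do
        case $bit in r) pos=1 ;; w) pos=2 ;; x) pos=3 ;; *) return 2 ;; esac
        c=$(printf '%s' "$triplet" | cut -c"$pos")
        # '-' is unset; 'S'/'T' in the x slot mean setgid/sticky without x
        case $c in -|S|T) return 1 ;; esac
    done
    return 0
)

# first_denied PATH
#   Prints the first directory (from / downward) the current user cannot
#   search, or PATH itself if it lacks read+write; exit 1 when one is found.
#   Paths containing whitespace are not supported (fine for /dev).
first_denied() {
    target=$1
    user=$(id -un); groups=$(id -Gn)
    ancestors=""
    dir=$(dirname "$target")
    while :; do
        ancestors="$dir $ancestors"
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    for d in $ancestors; do
        set -- $(stat -c '%U %G %A' "$d")     # owner group mode
        perm_allows "$user" "$groups" "$1" "$2" "$3" x && continue
        printf '%s: no search permission for %s (%s %s %s)\n' \
            "$d" "$user" "$3" "$1" "$2"
        return 1
    done
    set -- $(stat -c '%U %G %A' "$target")
    if ! perm_allows "$user" "$groups" "$1" "$2" "$3" rw; then
        printf '%s: not read/write for %s (%s %s %s)\n' \
            "$target" "$user" "$3" "$1" "$2"
        return 1
    fi
    return 0
}

# diagnose PATH: kernel verdict first, then the bit model to name the culprit.
diagnose() {
    target=$1
    if [ -r "$target" ] && [ -w "$target" ]; then
        printf 'OK: %s is readable and writable by %s\n' "$target" "$(id -un)"
        return 0
    fi
    printf 'DENIED: %s is not usable by %s\n' "$target" "$(id -un)"
    first_denied "$target" || return 1
    # mode bits allow it but access(2) says no: look beyond DAC
    printf 'mode bits permit access; check getfacl, ls -Z, and the OpenVZ host\n'
    return 1
}

# Run when executed directly; skipped if the device is absent (a sandbox
# without /dev/net, for example).
if [ -e "${1:-/dev/net/tun}" ]; then diagnose "${1:-/dev/net/tun}"; fi
```

Run it as the unprivileged user (`sh diag_tun.sh /dev/net/tun`), not under sudo: root bypasses mode bits, which is exactly why the `sudo ls -lZ` output in the thread looks healthy while slirp4netns still fails. A report naming /dev/net means the fix is on the directory (typically 0755 root:root); a "mode bits permit access" report means the restriction is imposed by the OpenVZ host or an LSM/ACL and cannot be fixed from inside the container.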

@containers containers locked and limited conversation to collaborators Sep 11, 2023
@Luap99 Luap99 converted this issue into discussion #19921 Sep 11, 2023
