On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
Hi,

I have been playing with vagrant-sshfs to build persistent storage for
docker registry inside ADB box but I have encountered SELinux issue.

Steps to reproduce:
  $ Add sshfs folder into Vagrantfile
    config.vm.synced_folder "/home/tnozicka/tmp/registry-data", "/var/lib/registry", type: "sshfs"
  $ vagrant up
  $ vagrant ssh
  $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
(fails [and should] since /var/lib/registry does not have the right
SELinux context)

  $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
(FAILS with: Error response from daemon: operation not supported)

The latter one (:Z) works for ordinary folders, but it is failing with
the one mounted by sshfs :( I tried to fix SELinux with:
$ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
chcon: failed to change context of ‘docker’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
chcon: failed to change context of ‘/var/lib/registry’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported

but without success. Does anybody have any ideas on how to get sshfs and
Docker/SELinux working together?

Everything works after running:
$ sudo setenforce 0
inside ADB, so it is almost definitely an SELinux-related issue.


Thanks,
Tomas Nozicka


[1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/

_______________________________________________
Container-tools mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/container-tools
What AVCs are you seeing? The problem is sshfs does not support SELinux labels, so you cannot set them to share within the container. We could attempt to mount the sshfs with a context mount, if sshfs works that way.

mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"

Or we can add rules to svirt_sandbox_file_t to allow it to manage sshfs_t

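The reply above contrasts two ways of getting a label onto the volume: relabeling files in place (what `:Z` and `chcon` do, which sshfs cannot support) versus mounting the filesystem with a `context=` option so the kernel presents every file with that label. The following shell script is an added example, not code from the thread or from vagrant-sshfs or docker; it reads the superblock options from `/proc/self/mountinfo` text to tell which of the two a given mount point can use. The `/proc/self/mountinfo` lines are constructed samples (the ext4 root, the sshfs mount from Tomas's report, and a hypothetical `/mnt/registry-ctx` mounted with the context option); the `seclabel` option is what SELinux advertises on filesystems that support per-file labels. Whether sshfs actually accepts `-o context=` is the open question in the reply and is not settled here.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a mount point can be
# handed to a container by relabeling (:Z) or must rely on a context mount.
# Field 5 of a mountinfo line is the mount point; the last field holds the
# superblock options, which is where "seclabel" and context= appear.

CONTAINER_CTX='system_u:object_r:svirt_sandbox_file_t:s0'

# Constructed sample of /proc/self/mountinfo (not captured from a real box).
SAMPLE_MOUNTINFO='24 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw,seclabel,data=ordered
71 24 0:40 / /var/lib/registry rw,nosuid,nodev,relatime shared:35 - fuse.sshfs tnozicka@10.0.2.2:/home/tnozicka/tmp/registry-data rw,user_id=1000,group_id=1000
72 24 0:41 / /mnt/registry-ctx rw,nosuid,nodev,relatime shared:36 - fuse.sshfs tnozicka@10.0.2.2:/home/tnozicka/tmp/registry-data rw,context="system_u:object_r:svirt_sandbox_file_t:s0",user_id=1000,group_id=1000'

# Print the superblock options of mount point $2 found in mountinfo text $1
# (nothing if the mount point is absent).
super_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp { print $NF; exit }'
}

# Print the context= value of mount point $2, with quotes stripped, or "none".
mount_context() {
  ctx=$(super_opts "$1" "$2" | tr ',' '\n' \
        | sed -n 's/^context="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
  if [ -n "$ctx" ]; then
    printf '%s\n' "$ctx"
  else
    printf 'none\n'
  fi
}

# "yes" if the filesystem supports per-file labels (seclabel present), else "no".
labels_supported() {
  case ",$(super_opts "$1" "$2")," in
    *,seclabel,*) echo yes ;;
    *) echo no ;;
  esac
}

# relabel:       docker run -v "$2:$2:Z" can set the container label per file
# context-mount: the mount already carries the container label; use -v "$2:$2"
#                without :Z, since a relabel attempt would fail on sshfs
# unlabeled:     neither :Z nor chcon can succeed ("Operation not supported")
volume_strategy() {
  if [ "$(labels_supported "$1" "$2")" = yes ]; then
    echo relabel
  elif [ "$(mount_context "$1" "$2")" = "$CONTAINER_CTX" ]; then
    echo context-mount
  else
    echo unlabeled
  fi
}

# Live usage on an SELinux host (mounting needs the appropriate privileges);
# the sshfs invocation is the context-mount approach from the reply, and
# whether sshfs honours the option is the question the reply leaves open:
#   sshfs -o context="$CONTAINER_CTX" tnozicka@10.0.2.2:/home/tnozicka/tmp/registry-data /var/lib/registry
#   volume_strategy "$(cat /proc/self/mountinfo)" /var/lib/registry
```

Run against the constructed sample, the ext4 root reports `relabel`, the plain sshfs mount reports `unlabeled` (matching the chcon failure in the report), and the context-mounted copy reports `context-mount`. The check is read-only, so it is safe to run against the live `/proc/self/mountinfo` before deciding whether `:Z` is even worth attempting on a given path.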