# aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
11. 11.4.2016 10:50:01 mkdir system_u:system_r:svirt_lxc_net_t:s0:c148,c427 83 dir write system_u:object_r:fusefs_t:s0 denied 1437
12. 11.4.2016 13:16:28 mkdir system_u:system_r:svirt_lxc_net_t:s0:c293,c618 83 dir write system_u:object_r:fusefs_t:s0 denied 1558
13. 11.4.2016 13:16:56 mkdir system_u:system_r:svirt_lxc_net_t:s0:c333,c590 83 dir write system_u:object_r:fusefs_t:s0 denied 1574
On Mon, 2016-04-11 at 10:37 -0400, Daniel J Walsh wrote:
> On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
> > Hi,
> >
> > I have been playing with vagrant-sshfs to build persistent storage for
> > docker registry inside ADB box but I have encountered an SELinux issue.
> >
> > Steps to reproduce:
> > $ Add sshfs folder into Vagrantfile
> >   config.vm.synced_folder "/home/tnozicka/tmp/registry-data", "/var/lib/registry", type: "sshfs"
> > $ vagrant up
> > $ vagrant ssh
> > $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
> > (fails [and should] since /var/lib/registry does not have the right SELinux context)
> >
> > $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
> > (FAILS with: Error response from daemon: operation not supported)
> >
> > The latter one (:Z) works for ordinary folders, but it is failing with
> > the one mounted by sshfs :( I tried to fix SELinux with:
> > $ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
> > chcon: failed to change context of ‘docker’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
> > chcon: failed to change context of ‘/var/lib/registry’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
> >
> > but without success. Does anybody have any ideas on how to get sshfs and
> > Docker/SELinux working together?
> >
> > Everything works after running:
> > $ sudo setenforce 0
> > inside ADB so it is almost definitely an SELinux-related issue.
> >
> >
> > Thanks,
> > Tomas Nozicka
> >
> >
> > [1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
> >
> > _______________________________________________
> > Container-tools mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/container-tools
> What AVCs are you seeing?
> The problem is sshfs does not support SELinux labels, so you cannot set
> them to share within the container. We could attempt to mount the sshfs
> with a context mount, if sshfs works that way.
>
> mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"
>
> Or we can add rules to svirt_sandbox_file_t to allow it to manage sshfs_t
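An added example, not part of the thread: a small Python parser for the `aureport -a` rows posted above, grouping the denials by source/target type (so the per-container MCS categories collapse into one finding) and flagging target types whose filesystem cannot hold labels, which is why `chcon` and `:Z` fail here. The `UNLABELABLE_TYPES` set and the hint wording are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the `aureport -a` output quoted in this thread.
SAMPLE_REPORT = """\
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
11. 11.4.2016 10:50:01 mkdir system_u:system_r:svirt_lxc_net_t:s0:c148,c427 83 dir write system_u:object_r:fusefs_t:s0 denied 1437
12. 11.4.2016 13:16:28 mkdir system_u:system_r:svirt_lxc_net_t:s0:c293,c618 83 dir write system_u:object_r:fusefs_t:s0 denied 1558
13. 11.4.2016 13:16:56 mkdir system_u:system_r:svirt_lxc_net_t:s0:c333,c590 83 dir write system_u:object_r:fusefs_t:s0 denied 1574
"""

# One report row: number, date, time, comm, subject context, syscall number,
# object class, permission, object context, result, audit event id.
AVC_ROW = re.compile(
    r"^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<comm>\S+)\s+(?P<subj>\S+)\s+"
    r"(?P<syscall>\d+)\s+(?P<cls>\S+)\s+(?P<perm>\S+)\s+(?P<obj>\S+)\s+"
    r"(?P<result>\w+)\s+(?P<event>\d+)$"
)

# Target types backed by filesystems that cannot store per-file labels, so
# chcon and docker's :Z relabel fail on them (assumption: only the thread's case).
UNLABELABLE_TYPES = {"fusefs_t"}


def selinux_type(context):
    """Return the type field of a context, e.g. 'fusefs_t'."""
    return context.split(":")[2]


def parse_avc_report(text):
    """Parse report rows into dicts; header and separator lines are skipped."""
    return [m.groupdict() for m in (AVC_ROW.match(l.strip()) for l in text.splitlines()) if m]


def summarize_denials(rows):
    """Count denials by (source type, target type, class, permission)."""
    # MCS categories (c148,c427 ...) differ per container; grouping on the
    # type folds the three containers' events into a single finding.
    counts = Counter()
    for r in rows:
        if r["result"] == "denied":
            counts[(selinux_type(r["subj"]), selinux_type(r["obj"]), r["cls"], r["perm"])] += 1
    return counts


def relabel_hint(target_type):
    """Say whether relabeling can work for a denied target type."""
    if target_type in UNLABELABLE_TYPES:
        return "no label support: mount with -o context=... or add a policy rule"
    return "labels supported: chcon or docker -v ...:Z can relabel the path"
```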
