Show me ausearch -m avc -ts recent
On 04/11/2016 01:28 PM, Tomáš Nožička wrote:
# aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
11. 11.4.2016 10:50:01 mkdir system_u:system_r:svirt_lxc_net_t:s0:c148,c427 83 dir write system_u:object_r:fusefs_t:s0 denied 1437
12. 11.4.2016 13:16:28 mkdir system_u:system_r:svirt_lxc_net_t:s0:c293,c618 83 dir write system_u:object_r:fusefs_t:s0 denied 1558
13. 11.4.2016 13:16:56 mkdir system_u:system_r:svirt_lxc_net_t:s0:c333,c590 83 dir write system_u:object_r:fusefs_t:s0 denied 1574
On Po, 2016-04-11 at 10:37 -0400, Daniel J Walsh wrote:
On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
Hi,
I have been playing with vagrant-sshfs to build persistent storage for the docker registry inside the ADB box, but I have encountered an SELinux issue.
Steps to reproduce:
$ Add sshfs folder into Vagrantfile
config.vm.synced_folder "/home/tnozicka/tmp/registry-data", "/var/lib/registry", type: "sshfs"
$ vagrant up
$ vagrant ssh
$ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
(fails [and should] since /var/lib/registry does not have the right SELinux context)
$ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
(FAILS with: Error response from daemon: operation not supported)
The latter one (:Z) works for ordinary folders, but it is failing with the one mounted by sshfs :( I tried to fix SELinux with:
$ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
chcon: failed to change context of ‘docker’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
chcon: failed to change context of ‘/var/lib/registry’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
but without success. Does anybody have any ideas how to get sshfs and Docker/SELinux working together?
Everything works after running:
$ sudo setenforce 0
inside ADB, so it is almost definitely an SELinux-related issue.
Thanks,
Tomas Nozicka
[1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
_______________________________________________
Container-tools mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/container-tools
What AVCs are you seeing? The problem is sshfs does not support SELinux labels, so you cannot set them to share within the container. We could attempt to mount the sshfs with a context mount, if sshfs works that way.

mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"

Or we can add rules to svirt_sandbox_file_t to allow it to manage sshfs_t.
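The two options Dan lays out (a context= mount, or a policy rule) and the chcon probe Tomáš ran, as an added example; this is not code from the thread, from vagrant-sshfs or from docker. The script turns aureport -a rows like the three posted above into the allow rule they imply (the rule audit2allow would derive from the same denials, which target fusefs_t, the generic FUSE label the AVCs actually show), wraps the "try chcon on a temp file" check as a reusable function, and builds the context= option for an sshfs mount. The three sample rows are embedded inline and are the ones from the thread; the svirt_sandbox_file_t label is the one named in the thread; that sshfs passes -o context=... through to the kernel mount unchanged is an assumption, to be confirmed with mount | grep registry after mounting.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread, vagrant-sshfs or docker).
# 1. avc_to_allow_rules: aureport -a rows -> the allow rule(s) they imply.
# 2. labels_supported:   the chcon probe the thread runs, as a reusable check.
# 3. sshfs_context_opt:  the context= option Dan suggests, for an sshfs mount.

# Constructed sample: the three aureport -a rows from the thread, one event per line.
# Columns: # date time comm subj syscall class permission obj event
AVC_REPORT='11. 11.4.2016 10:50:01 mkdir system_u:system_r:svirt_lxc_net_t:s0:c148,c427 83 dir write system_u:object_r:fusefs_t:s0 denied 1437
12. 11.4.2016 13:16:28 mkdir system_u:system_r:svirt_lxc_net_t:s0:c293,c618 83 dir write system_u:object_r:fusefs_t:s0 denied 1558
13. 11.4.2016 13:16:56 mkdir system_u:system_r:svirt_lxc_net_t:s0:c333,c590 83 dir write system_u:object_r:fusefs_t:s0 denied 1574'

# Print one "allow SRC TGT:CLASS PERM;" line per distinct denial.  The
# per-container MCS categories (c148,c427 ...) are dropped, so the three
# rows collapse to a single rule.  Field 5 is the subject context, field 9
# the object context; the type is the third colon-separated part of each.
avc_to_allow_rules() {
    printf '%s\n' "$1" | awk '
        $10 == "denied" {
            split($5, s, ":"); split($9, t, ":")
            key = s[3] " " t[3] ":" $7 " " $8
            if (!(key in seen)) { seen[key] = 1; print "allow " key ";" }
        }'
}

# Can the filesystem under DIR store SELinux labels?  Mirrors the chcon
# attempt in the thread: create a temp file, try to relabel it, clean up.
# Returns 0 if the relabel succeeds, 1 if it fails (on sshfs/FUSE the kernel
# answers EOPNOTSUPP, the "Operation not supported" shown in the thread),
# 2 if DIR is not writable.
labels_supported() {
    probe=$(mktemp "$1/.labelprobe.XXXXXX") || return 2
    if chcon -t svirt_sandbox_file_t "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe"
    return $rc
}

# Build the -o argument that gives every inode on the mount one fixed label,
# so nothing has to be written into xattrs the FUSE backend cannot store.
# The default label is the one named in the thread.  Assumption: sshfs hands
# -o context=... through to the kernel mount unchanged.
sshfs_context_opt() {
    printf 'context="%s"' "${1:-system_u:object_r:svirt_sandbox_file_t:s0}"
}

# Usage.  The mount and docker commands are only printed so the script runs
# offline; pass a directory as $1 to run the label probe against it.
avc_to_allow_rules "$AVC_REPORT"
echo "# sshfs -o $(sshfs_context_opt) user@host:/home/tnozicka/tmp/registry-data /var/lib/registry"
echo "# docker run --rm -v /var/lib/registry:/var/lib/registry centos:7 mkdir /var/lib/registry/new-dir"
if [ -d "${1:-}" ]; then
    if labels_supported "$1"; then
        echo "$1: labels supported, docker -v ...:Z can relabel it"
    else
        echo "$1: labels NOT supported, mount it with $(sshfs_context_opt) instead"
    fi
fi
```

Two things to keep in mind with the context= route. The volume is then passed to docker without :Z, because :Z asks docker to relabel the path and that relabel is exactly the setxattr the FUSE mount rejects. And a context= mount gives every file one label with no MCS categories, which is what :z (shared) would produce, not the per-container categories :Z hands out: any container on the host that can reach the path can use it, so the isolation between containers for that directory is gone. The policy-rule route keeps the per-container categories but opens fusefs_t, i.e. every FUSE mount on the box, to the container domain; the rule printed above is what you would review before loading it with semodule.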