On 04/11/2016 10:37 AM, Daniel J Walsh wrote:
>
>
> On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
>> Hi,
>>
>> I have been playing with vagrant-sshfs to build persistent storage for
>> the docker registry inside the ADB box, but I have encountered an SELinux issue.
>>
>> Steps to reproduce:
>> $ Add the sshfs folder to the Vagrantfile
>> config.vm.synced_folder "/home/tnozicka/tmp/registry-data",
>> "/var/lib/registry", type: "sshfs"
>> $ vagrant up
>> $ vagrant ssh
>> $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7
>> bash -c 'mkdir /var/lib/registry/new-dir'
>> (fails [and should] since /var/lib/registry does not have the right
>> SELinux context)
>>
>> $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z
>> centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
>> (FAILS with: Error response from daemon: operation not supported)
>>
>> The latter one (:Z) works for ordinary folders, but it is failing with
>> the one mounted by sshfs :( I tried to fix SELinux with:
>> $ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
>> chcon: failed to change context of ‘docker’ to
>> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>> chcon: failed to change context of ‘/var/lib/registry’ to
>> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>>
>> but without success. Does anybody have any ideas on how to get sshfs and
>> Docker/SELinux working together?
>>
>> Everything works after running:
>> $ sudo setenforce 0
>> inside ADB, so it is almost definitely an SELinux-related issue.
>>
>>
>> Thanks,
>> Tomas Nozicka
>>
>>
>> [1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
>>
>> _______________________________________________
>> Container-tools mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/container-tools
>
> What AVCs are you seeing?
>
> The problem is sshfs does not support SELinux labels, so you cannot set
> them to share within the container. We could attempt to mount the sshfs
> with a context mount, if sshfs works that way.
>
> mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"

Something like this was added some time ago but there is no release with it included as of yet: https://github.com/libfuse/libfuse/commit/c52cafc81ced83fbd5cc7edf4ef5f7cb57b82729

> Or we can add rules to svirt_sandbox_file_t to allow it to manage sshfs_t
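The thread turns on one question: does the filesystem under the volume path carry per-file SELinux labels (so chcon and docker's :Z relabel can work), or was it mounted with a fixed context= option, or does it support neither? The script below is an added example, not code from the thread or from any of the projects named in it. It classifies a path from /proc/self/mounts-style lines and goes a little beyond the thread by resolving a path that sits inside a mount to its nearest ancestor mount. It assumes that an SELinux-aware kernel lists the `seclabel` option for every filesystem that supports per-file labels; the mount table it runs on is constructed, and the host name `sshfs-host` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): read /proc/self/mounts-style lines and
# report whether a volume path can be relabelled (docker -v ...:Z / chcon),
# already carries a fixed context= label, or supports no SELinux labels at all.
# Assumption: an SELinux-aware kernel shows "seclabel" among the mount options
# of every filesystem that supports per-file labels.

# Constructed sample in the shape of /proc/self/mounts. "sshfs-host" is a
# placeholder; the mount points follow the thread.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/centos-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0
vagrant@sshfs-host:/home/tnozicka/tmp/registry-data /var/lib/registry fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
vagrant@sshfs-host:/srv/labeled /mnt/labeled fuse.sshfs rw,nosuid,nodev,relatime,context=system_u:object_r:svirt_sandbox_file_t:s0 0 0
EOF
}

# classify_mount PATH < mounts-table
# Prints one word: labeled | context | unlabeled | nomount.
# The mount point that is the longest prefix of PATH wins; among equal
# lengths the later line wins, because a later mount shadows an earlier one.
classify_mount() {
    awk -v path="$1" '
        {
            mp = $2
            if (path == mp || mp == "/" || index(path, mp "/") == 1) {
                if (length(mp) >= bestlen) {
                    bestlen = length(mp); opts = "," $4 ","; found = 1
                }
            }
        }
        END {
            if (!found)                   print "nomount"
            else if (opts ~ /,seclabel,/) print "labeled"
            else if (opts ~ /,context=/)  print "context"
            else                          print "unlabeled"
        }'
}

# volume_advice KIND: what a docker volume on that kind of mount needs.
volume_advice() {
    case $1 in
        labeled)   echo "per-file labels supported; -v path:path:Z (or chcon) can relabel it" ;;
        context)   echo "fixed context= mount; relabelling is impossible, bind it without :Z" ;;
        unlabeled) echo "no label support; remount with context=\"system_u:object_r:svirt_sandbox_file_t:s0\" or use a labeled filesystem" ;;
        nomount)   echo "no mount in the table covers this path" ;;
        *)         echo "unknown classification: $1"; return 1 ;;
    esac
}

# Demo on the constructed table. On a real box the same check is
#   classify_mount /var/lib/registry < /proc/self/mounts
for p in /var/lib/registry /var/lib/registry/new-dir /mnt/labeled /run; do
    kind=$(sample_mounts | classify_mount "$p")
    printf '%s: %s (%s)\n' "$p" "$kind" "$(volume_advice "$kind")"
done
```

On the sample, /var/lib/registry and anything below it come back `unlabeled`, which is exactly the state in which chcon and :Z fail with "Operation not supported". One caveat on the context-mount route Dan suggests: a context= mount gives every file the same fixed label, and at plain `s0` with no MCS categories that label is reachable by every container, much like :z, rather than private to one container as :Z would make it.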
