$ sudo ausearch -m avc -ts recent
----
time->Tue Apr 12 03:43:58 2016
type=SYSCALL msg=audit(1460447038.315:1316): arch=c000003e syscall=83 success=no exit=-13 a0=7ffcc351cf42 a1=1ff a2=1ff a3=7ffcc351be30 items=0 ppid=8949 pid=15718 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="mkdir" exe="/usr/bin/mkdir" subj=system_u:system_r:svirt_lxc_net_t:s0:c179,c826 key=(null)
type=AVC msg=audit(1460447038.315:1316): avc: denied { write } for pid=15718 comm="mkdir" name="/" dev="fuse" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c179,c826 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
On Mon, 2016-04-11 at 13:58 -0400, Daniel J Walsh wrote:
> Show me ausearch -m avc -ts recent
>
> On 04/11/2016 01:28 PM, Tomáš Nožička wrote:
> >
> > # aureport -a
> >
> > AVC Report
> > ========================================================
> > # date time comm subj syscall class permission obj event
> > ========================================================
> > 11. 11.4.2016 10:50:01 mkdir system_u:system_r:svirt_lxc_net_t:s0:c148,c427 83 dir write system_u:object_r:fusefs_t:s0 denied 1437
> > 12. 11.4.2016 13:16:28 mkdir system_u:system_r:svirt_lxc_net_t:s0:c293,c618 83 dir write system_u:object_r:fusefs_t:s0 denied 1558
> > 13. 11.4.2016 13:16:56 mkdir system_u:system_r:svirt_lxc_net_t:s0:c333,c590 83 dir write system_u:object_r:fusefs_t:s0 denied 1574
> >
> >
> > On Mon, 2016-04-11 at 10:37 -0400, Daniel J Walsh wrote:
> > >
> > > On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
> > > >
> > > > Hi,
> > > >
> > > > I have been playing with vagrant-sshfs to build persistent storage for
> > > > the docker registry inside an ADB box, but I have encountered an SELinux
> > > > issue.
> > > >
> > > > Steps to reproduce:
> > > > $ Add an sshfs folder to the Vagrantfile
> > > > config.vm.synced_folder "/home/tnozicka/tmp/registry-data", "/var/lib/registry", type: "sshfs"
> > > > $ vagrant up
> > > > $ vagrant ssh
> > > > $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
> > > > (fails [and should] since /var/lib/registry does not have the right
> > > > SELinux context)
> > > >
> > > > $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
> > > > (FAILS with: Error response from daemon: operation not supported)
> > > >
> > > > The latter one (:Z) works for ordinary folders, but it is failing with
> > > > the one mounted by sshfs :( I tried to fix SELinux with:
> > > > $ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
> > > > chcon: failed to change context of ‘docker’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
> > > > chcon: failed to change context of ‘/var/lib/registry’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
> > > >
> > > > but without success. Does anybody have any ideas how to get sshfs and
> > > > Docker/SELinux working together?
> > > >
> > > > Everything works after running:
> > > > $ sudo setenforce 0
> > > > inside ADB, so it is almost definitely an SELinux-related issue.
> > > >
> > > >
> > > > Thanks,
> > > > Tomas Nozicka
> > > >
> > > >
> > > > [1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
> > > >
> > > > _______________________________________________
> > > > Container-tools mailing list
> > > > [email protected]
> > > > https://www.redhat.com/mailman/listinfo/container-tools
> > > What AVCs are you seeing? The problem is that sshfs does not support
> > > SELinux labels, so you cannot set them to share within the container.
> > > We could attempt to mount the sshfs with a context mount, if sshfs works
> > > that way.
> > >
> > > mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"
> > >
> > > Or we can add rules to svirt_sandbox_file_t to allow it to manage
> > > sshfs_t
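The denial above is the "Operation not supported" failure seen from the policy side: the target is a FUSE-backed sshfs mount labelled fusefs_t, which cannot store per-file labels, so chcon and docker's :Z relabel cannot succeed there and only a context= mount (as Dan suggests) can give the files a label the container may write. The following script is an added example written for this thread, not code from the thread's participants or from any project; it parses `ausearch -m avc` records and flags which denials need a context mount rather than a relabel. The audit records embedded in it are constructed: the first is modelled on the denial posted above, the second is an invented denial on a regular volume (dev="dm-0", user_home_t) for contrast.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC denials from `ausearch -m avc`
# output and decide whether relabelling (chcon / docker's :Z) can work at all,
# or whether the filesystem cannot carry labels and needs a context= mount.

# Constructed sample records. Record 1 is modelled on the sshfs denial in the
# thread; record 2 is invented (ordinary volume, home-directory label).
SAMPLE_AUDIT='type=SYSCALL msg=audit(1460447038.315:1316): arch=c000003e syscall=83 success=no exit=-13 comm="mkdir" exe="/usr/bin/mkdir"
type=AVC msg=audit(1460447038.315:1316): avc: denied { write } for pid=15718 comm="mkdir" name="/" dev="fuse" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c179,c826 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1460447100.000:1400): avc: denied { write } for pid=16000 comm="touch" name="data" dev="dm-0" ino=262145 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value from one audit record,
# with surrounding quotes removed (empty output if the key is absent).
avc_field() {
  printf ' %s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_permission LINE: the permission named inside "denied { ... }".
avc_permission() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \([^ ]*\) }.*/\1/p'
}

# context_type CONTEXT: the type field of a user:role:type[:level] context.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# label_fix_hint LINE: "context-mount" when the target sits on a filesystem
# that does not store SELinux labels (type fusefs_t, or dev="fuse"), where
# chcon and :Z fail with "Operation not supported"; "relabel" otherwise,
# where setting svirt_sandbox_file_t on the files is expected to work.
label_fix_hint() {
  ttype=$(context_type "$(avc_field "$1" tcontext)")
  dev=$(avc_field "$1" dev)
  if [ "$ttype" = "fusefs_t" ] || [ "$dev" = "fuse" ]; then
    echo "context-mount"
  else
    echo "relabel"
  fi
}

# triage_avcs: read audit records on stdin, keep only AVC records, and print
# one line per denial: pid comm permission tclass target-type hint.
triage_avcs() {
  grep '^type=AVC ' | while IFS= read -r line; do
    printf '%s %s %s %s %s %s\n' \
      "$(avc_field "$line" pid)" "$(avc_field "$line" comm)" \
      "$(avc_permission "$line")" "$(avc_field "$line" tclass)" \
      "$(context_type "$(avc_field "$line" tcontext)")" \
      "$(label_fix_hint "$line")"
  done
}

# Run over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AUDIT" | triage_avcs
```

On a live system the same functions can be fed real output with `sudo ausearch -m avc -ts recent | triage_avcs`. A "context-mount" verdict means the fix is the mount-time option quoted above (mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"), which applies one label to the whole mount without the filesystem storing anything; a "relabel" verdict means chcon or the :Z volume option are the right tools, and a remaining denial points at the policy rather than at unsupported labels.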