If I run this AVC through audit2allow it tells me:
audit2allow -i /tmp/t
#============= svirt_lxc_net_t ==============
#!!!! This avc can be allowed using the boolean 'virt_sandbox_use_fusefs'
allow svirt_lxc_net_t fusefs_t:dir write;
So turn on this boolean and it should work.
setsebool -P virt_sandbox_use_fusefs 1
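An added example, not code from the thread or from audit2allow, that mechanises the triage Dan describes: it parses AVC records like the ones quoted below, strips the per-container MCS categories so the mkdir denials from different containers collapse into the single type-level rule audit2allow prints, and names a boolean only for the one denial this thread's audit2allow output tied to 'virt_sandbox_use_fusefs'. The sample records are constructed; the first SYSCALL/AVC pair is the thread's own ausearch output reflowed onto single lines, the rest are made up to show the grouping.

```python
import re
# Constructed sample audit log: the SYSCALL/AVC pair quoted in this thread (reflowed onto
# single lines) plus two made-up fusefs_t denials from other container instances
# (different MCS category pairs, and one file-class denial) to show the grouping.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1460447038.315:1316): arch=c000003e syscall=83 success=no exit=-13 comm="mkdir" exe="/usr/bin/mkdir" subj=system_u:system_r:svirt_lxc_net_t:s0:c179,c826 key=(null)
type=AVC msg=audit(1460447038.315:1316): avc: denied { write } for pid=15718 comm="mkdir" name="/" dev="fuse" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c179,c826 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1460447100.100:1437): avc: denied { write } for pid=15900 comm="mkdir" name="/" dev="fuse" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c148,c427 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1460447300.300:1574): avc: denied { create } for pid=16100 comm="touch" name="marker" dev="fuse" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c333,c590 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, permission) for each AVC record. Field 3 of
    user:role:type:level drops the per-container MCS categories, so one rule fits all."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:                      # SYSCALL records and other lines are skipped
            continue
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        for perm in m.group('perms').split():
            yield stype, ttype, m.group('tclass'), perm

def group_denials(text):
    """{(src_type, tgt_type, tclass): {perm, ...}}, the shape audit2allow reasons about."""
    grouped = {}
    for stype, ttype, tclass, perm in parse_avc_denials(text):
        grouped.setdefault((stype, ttype, tclass), set()).add(perm)
    return grouped

def te_rule(key, perms):
    # Render one group as an audit2allow-style TE rule.
    stype, ttype, tclass = key
    ptxt = next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
    return f'allow {stype} {ttype}:{tclass} {ptxt};'

# The only boolean mapping this thread establishes (audit2allow's hint for dir:write);
# anything else comes back as None, meaning: run it through audit2allow yourself.
KNOWN_BOOLEANS = {('svirt_lxc_net_t', 'fusefs_t', 'dir', 'write'): 'virt_sandbox_use_fusefs'}

def triage(text):
    """[(rule, boolean or None)]; a boolean is named only if it covers every permission."""
    out = []
    for key, perms in sorted(group_denials(text).items()):
        bools = {KNOWN_BOOLEANS.get(key + (p,)) for p in perms}
        out.append((te_rule(key, perms), bools.pop() if len(bools) == 1 else None))
    return out
```

On a live box the rule strings can be compared with what `audit2allow -i` prints for the same records, and the named boolean checked with `getsebool` before flipping it with `setsebool -P`.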
On 04/12/2016 03:47 AM, Tomas Nozicka wrote:
$ sudo ausearch -m avc -ts recent
----
time->Tue Apr 12 03:43:58 2016
type=SYSCALL msg=audit(1460447038.315:1316): arch=c000003e syscall=83 success=no exit=-13 a0=7ffcc351cf42 a1=1ff a2=1ff a3=7ffcc351be30 items=0 ppid=8949 pid=15718 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="mkdir" exe="/usr/bin/mkdir" subj=system_u:system_r:svirt_lxc_net_t:s0:c179,c826 key=(null)
type=AVC msg=audit(1460447038.315:1316): avc: denied { write } for pid=15718 comm="mkdir" name="/" dev="fuse" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c179,c826 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
On Mon, 2016-04-11 at 13:58 -0400, Daniel J Walsh wrote:
Show me ausearch -m avc -ts recent
On 04/11/2016 01:28 PM, Tomáš Nožička wrote:
# aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
11. 11.4.2016 10:50:01 mkdir system_u:system_r:svirt_lxc_net_t:s0:c148,c427 83 dir write system_u:object_r:fusefs_t:s0 denied 1437
12. 11.4.2016 13:16:28 mkdir system_u:system_r:svirt_lxc_net_t:s0:c293,c618 83 dir write system_u:object_r:fusefs_t:s0 denied 1558
13. 11.4.2016 13:16:56 mkdir system_u:system_r:svirt_lxc_net_t:s0:c333,c590 83 dir write system_u:object_r:fusefs_t:s0 denied 1574
On Mon, 2016-04-11 at 10:37 -0400, Daniel J Walsh wrote:
On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
Hi,
I have been playing with vagrant-sshfs to build persistent storage for a docker registry inside an ADB box, but I have encountered an SELinux issue.
Steps to reproduce:
$ Add sshfs folder into Vagrantfile
config.vm.synced_folder "/home/tnozicka/tmp/registry-data", "/var/lib/registry", type: "sshfs"
$ vagrant up
$ vagrant ssh
$ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
(fails [and should] since /var/lib/registry does not have the right SELinux context)
$ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
(FAILS with: Error response from daemon: operation not supported)
The latter one (:Z) works for ordinary folders, but it is failing with the one mounted by sshfs :( I tried to fix SELinux with:
$ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
chcon: failed to change context of ‘docker’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
chcon: failed to change context of ‘/var/lib/registry’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
but without success. Does anybody have any ideas how to get sshfs and Docker/SELinux working together?
Everything works after running:
$ sudo setenforce 0
inside ADB, so it is almost definitely an SELinux-related issue.
Thanks,
Tomas Nozicka
[1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
_______________________________________________
Container-tools mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/container-tools
What AVCs are you seeing? The problem is sshfs does not support SELinux labels, so you can not set them to share within the container. We could attempt to mount the sshfs with a context mount, if sshfs works that way.
mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"
Or we can add rules to svirt_sandbox_file_t to allow it to manage sshfs_t