[Container-tools] vagrant-sshfs vs. Docker/SELinux

Daniel J Walsh dwalsh at redhat.com
Mon Apr 11 17:58:11 UTC 2016


Show me ausearch -m avc -ts recent

On 04/11/2016 01:28 PM, Tomáš Nožička wrote:
> # aureport -a
>
> AVC Report
> ========================================================
> # date time comm subj syscall class permission obj event
> ========================================================
> 11. 11.4.2016 10:50:01 mkdir system_u:system_r:svirt_lxc_net_t:s0:c148,c427 83 dir write system_u:object_r:fusefs_t:s0 denied 1437
> 12. 11.4.2016 13:16:28 mkdir system_u:system_r:svirt_lxc_net_t:s0:c293,c618 83 dir write system_u:object_r:fusefs_t:s0 denied 1558
> 13. 11.4.2016 13:16:56 mkdir system_u:system_r:svirt_lxc_net_t:s0:c333,c590 83 dir write system_u:object_r:fusefs_t:s0 denied 1574
>
>
> On Po, 2016-04-11 at 10:37 -0400, Daniel J Walsh wrote:
>> On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
>>> Hi,
>>>
>>> I have been playing with vagrant-sshfs to build persistent storage for
>>> the docker registry inside an ADB box, but I have encountered an SELinux
>>> issue.
>>>
>>> Steps to reproduce:
>>>    $ Add sshfs folder into Vagrantfile
>>>      config.vm.synced_folder "/home/tnozicka/tmp/registry-data", "/var/lib/registry", type: "sshfs"
>>>    $ vagrant up
>>>    $ vagrant ssh
>>>    $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
>>> (fails [and should] since /var/lib/registry does not have the right
>>> SELinux context)
>>>
>>>    $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
>>> (FAILS with: Error response from daemon: operation not supported)
>>>
>>> The latter one (:Z) works for ordinary folders, but it is failing with
>>> the one mounted by sshfs :( I tried to fix SELinux with:
>>> $ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
>>> chcon: failed to change context of ‘docker’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>>> chcon: failed to change context of ‘/var/lib/registry’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>>>
>>> but without success. Does anybody have any ideas how to get sshfs and
>>> Docker/SELinux working together?
>>>
>>> Everything works after running:
>>> $ sudo setenforce 0
>>> inside ADB, so it is almost definitely an SELinux-related issue.
>>>
>>>
>>> Thanks,
>>> Tomas Nozicka
>>>
>>>
>>> [1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
>>>
>>> _______________________________________________
>>> Container-tools mailing list
>>> Container-tools at redhat.com
>>> https://www.redhat.com/mailman/listinfo/container-tools
>> What AVCs are you seeing?  The problem is sshfs does not support SELinux
>> labels, so you cannot set them to share within the container.  We could
>> attempt to mount the sshfs with a context mount, if sshfs works that way.
>>
>> mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"
>>
>> Or we can add rules to svirt_sandbox_file_t to allow it to manage
>> sshfs_t
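Added example, not from this thread or from the vagrant-sshfs project: a POSIX shell script that reads `aureport -a` records of the kind Tomáš posted, collapses them into subject-type/object-type tuples, and notes for each object type whether the `chcon`/`:Z` relabel can apply at all. The three records are the ones from the thread, joined back onto one line each; the `context=` mount option in the hint is the one Dan suggests, and whether sshfs passes that option through is an assumption here, as it is in the thread.

```shell
#!/bin/sh
# Added example; not code from the thread or the vagrant-sshfs project.
# Constructed sample input: the three `aureport -a` records from the thread,
# joined back onto one line per record (the archive wrapped each onto three).
AVC_SAMPLE='11. 11.4.2016 10:50:01 mkdir system_u:system_r:svirt_lxc_net_t:s0:c148,c427 83 dir write system_u:object_r:fusefs_t:s0 denied 1437
12. 11.4.2016 13:16:28 mkdir system_u:system_r:svirt_lxc_net_t:s0:c293,c618 83 dir write system_u:object_r:fusefs_t:s0 denied 1558
13. 11.4.2016 13:16:56 mkdir system_u:system_r:svirt_lxc_net_t:s0:c333,c590 83 dir write system_u:object_r:fusefs_t:s0 denied 1574'

# avc_pairs: read aureport -a records on stdin and print, per record,
#   <subject type> <class> <permission> <object type> <result>
# Header and separator lines are skipped; a record starts with "N.".
# The type is the third colon-separated field of an SELinux context
# (user:role:type:level), so the per-container MCS categories drop out.
avc_pairs() {
    awk '
    $1 ~ /^[0-9]+\.$/ && NF >= 10 {
        split($5, subj, ":")
        split($9, obj, ":")
        print subj[3], $7, $8, obj[3], $10
    }'
}

# avc_summary: count identical tuples, so three containers (three different
# category pairs) denied the same access show up as one line with a count.
avc_summary() {
    avc_pairs | sort | uniq -c | awk '{ $1 = $1; print }'
}

# label_hint: given an object type, say which remedy from the thread applies.
# fusefs_t is the label the sshfs mount carried in the denials above, and
# chcon on it returned "Operation not supported": the filesystem does not
# keep per-file labels, so the :Z volume flag (which relabels files) cannot
# work either. Dan's alternative is a context= option for the whole mount;
# whether sshfs passes that option through is an assumption.
label_hint() {
    case "$1" in
        fusefs_t)
            echo "no per-file labels: remount with context=\"system_u:object_r:svirt_sandbox_file_t:s0\""
            ;;
        svirt_sandbox_file_t)
            echo "already labelled for container access"
            ;;
        *)
            echo "relabel: chcon -Rt svirt_sandbox_file_t <path> (or the :Z volume flag)"
            ;;
    esac
}

# avc_report: one line per distinct denial plus the applicable remedy.
avc_report() {
    avc_summary | while read -r count subj cls perm obj result; do
        printf '%s x %s %s:%s on %s (%s) -> %s\n' \
            "$count" "$subj" "$cls" "$perm" "$obj" "$result" "$(label_hint "$obj")"
    done
}

# Run against the sample; on a live box, pipe `aureport -a` in instead.
printf '%s\n' "$AVC_SAMPLE" | avc_report
```

On the sample this prints a single line: three `svirt_lxc_net_t` processes denied `dir:write` on `fusefs_t`, with the hint that relabelling is not an option for that target and a context mount is the thing to try.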