[Container-tools] vagrant-sshfs vs. Docker/SELinux

Dusty Mabe dusty at dustymabe.com
Mon Apr 11 22:33:34 UTC 2016



On 04/11/2016 10:37 AM, Daniel J Walsh wrote:
> 
> 
> On 04/11/2016 10:25 AM, Tomáš Nožička wrote:
>> Hi,
>>
>> I have been playing with vagrant-sshfs to build persistent storage for
>> the docker registry inside an ADB box, but I have encountered an SELinux issue.
>>
>> Steps to reproduce:
>>   $ Add sshfs folder into Vagrantfile
>>     config.vm.synced_folder "/home/tnozicka/tmp/registry-data", "/var/lib/registry", type: "sshfs"
>>   $ vagrant up
>>   $ vagrant ssh
>>   $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
>> (fails [and should] since /var/lib/registry does not have the right
>> SELinux context)
>>
>>   $ docker run -it --rm -v /var/lib/registry:/var/lib/registry:Z centos:7 bash -c 'mkdir /var/lib/registry/new-dir'
>> (FAILS with: Error response from daemon: operation not supported)
>>
>> The latter one (:Z) works for ordinary folders, but it is failing with
>> the one mounted by sshfs :( I tried to fix SELinux with:
>> $ sudo chcon -Rt svirt_sandbox_file_t /var/lib/registry
>> chcon: failed to change context of ‘docker’ to
>> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>> chcon: failed to change context of ‘/var/lib/registry’ to
>> ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
>>
>> but without success. Does anybody have any ideas how to get sshfs and
>> Docker/SELinux working together?
>>
>> Everything works after running:
>> $ sudo setenforce 0
>> inside ADB, so it is almost definitely an SELinux-related issue.
>>
>>
>> Thanks,
>> Tomas Nozicka
>>
>>
>> [1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
>>
>> _______________________________________________
>> Container-tools mailing list
>> Container-tools at redhat.com
>> https://www.redhat.com/mailman/listinfo/container-tools
> What AVCs are you seeing?  The problem is sshfs does not support
> SELinux labels, so you cannot set them to share within the container.
> We could attempt to mount the sshfs with a context mount, if sshfs
> works that way.
> 
> mount ... context="system_u:object_r:svirt_sandbox_file_t:s0"

Something like this was added some time ago but there is no release
with it included as of yet:

https://github.com/libfuse/libfuse/commit/c52cafc81ced83fbd5cc7edf4ef5f7cb57b82729

> 
> Or we can add rules to svirt_sandbox_file_t to allow it to manage sshfs_t
> 
> 
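An added example (shell, not code from this thread or from vagrant-sshfs) of the context-mount approach Dan describes, together with a pre-flight check on /proc/mounts-style text so the container is only started once the label is confirmed. The remote host and path are placeholders, and it assumes sshfs passes -o context= through to the kernel (the libfuse change Dusty links).

```shell
#!/bin/sh
# Added example, not from the thread. Label an sshfs mount at mount time
# (Dan's context-mount suggestion) and verify the label before docker uses
# the directory as a volume. Placeholders: user@remotehost, /srv/registry-data.

CONTEXT='system_u:object_r:svirt_sandbox_file_t:s0'
MOUNTPOINT='/var/lib/registry'

# Mount with a context option: every inode then reports $CONTEXT, so neither
# chcon nor docker's :Z relabel (both fail with "Operation not supported" on
# sshfs, as in the report above) is needed. Assumes sshfs accepts -o context=.
mount_registry_sshfs() {
    sshfs -o "context=$CONTEXT" "user@remotehost:/srv/registry-data" "$MOUNTPOINT"
}

# mount_has_context CONTEXT MOUNTPOINT MOUNTS_TEXT
# Scan /proc/mounts-style lines for MOUNTPOINT; return 0 only when the last
# entry for it carries context="CONTEXT" (quoted, as /proc/mounts prints it).
mount_has_context() {
    wanted="$1" mnt_wanted="$2" mounts="$3"
    found=1
    while read -r _dev mnt _type opts _rest; do
        [ "$mnt" = "$mnt_wanted" ] || continue
        found=1
        case ",$opts," in
            *",context=\"$wanted\","*) found=0 ;;
        esac
    done <<EOF
$mounts
EOF
    return "$found"
}

# Constructed sample lines: the sshfs mount as vagrant-sshfs creates it (no
# label) and the same mount done with the context option.
UNLABELED='user@remotehost:/srv/registry-data /var/lib/registry fuse.sshfs rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0'
LABELED='user@remotehost:/srv/registry-data /var/lib/registry fuse.sshfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,context="system_u:object_r:svirt_sandbox_file_t:s0" 0 0'

# Pre-flight: refuse to start the container unless the label is in place.
run_registry_if_labeled() {
    if mount_has_context "$CONTEXT" "$MOUNTPOINT" "$(cat /proc/mounts)"; then
        # Plain -v: the label already matches, so no :Z relabel is requested.
        docker run -it --rm -v "$MOUNTPOINT:$MOUNTPOINT" centos:7 \
            bash -c "mkdir $MOUNTPOINT/new-dir"
    else
        echo "refusing to start: $MOUNTPOINT is not labeled $CONTEXT" >&2
        return 1
    fi
}
```

Source the file, run mount_registry_sshfs, then run_registry_if_labeled; on an unlabeled mount the second call exits non-zero instead of hitting the daemon error from the report.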