hi guys.
I've just started fiddling with podman, and something that I
thought would be a well-covered topic turns out to be rather
thinly covered (unless I failed to find more).
I'm hoping someone could point to a place where it's
thoroughly covered, or can shed more light on possible best
practices for 'container volumes and host fcontext'.
It's fcontext labels and security options for containers.
Maybe it's just "mariadb" which I'm trying?.. hmm..
I'm on CentOS 8.
Here is an example of my troublesome container:
-> $ podman run -d --restart=always --pod=nist \
     --volume /srv/containers/var/lib/mysql:/var/lib/mysql \
     --volume /srv/containers/etc/my.cnf.d:/etc/my.cnf.d \
     --security-opt=label=disable ...
I also did:
-> $ semanage fcontext -a -e /var/lib/containers /srv/containers
and that's "container_var_lib_t"
I expected that would do the trick, yet the host's journal is
swarmed with:
SELinux is preventing /usr/sbin/mariadbd from read access on
the file plugin.frm.
-> $ sealert -l 094ffe8a-89d5-4f7b-99fc-e7488896b255
SELinux is preventing /usr/sbin/mariadbd from read access on
the file plugin.frm.
***** Plugin catchall (100. confidence) suggests
**************************
If you believe that mariadbd should be allowed read access
on the plugin.frm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c144,c589
Target Context system_u:object_r:mysqld_db_t:s0
Target Objects plugin.frm [ file ]
Source mysqld
Source Path /usr/sbin/mariadbd
Port <Unknown>
Host c8kubernode1.private.openshift.c8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name c8kubernode1.private.openshift.c8
Platform Linux c8kubernode1.private.openshift.c8 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count 6780
First Seen 2021-01-09 10:00:43 EST
Last Seen 2021-01-09 10:25:57 EST
Local ID 094ffe8a-89d5-4f7b-99fc-e7488896b255
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
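Added example, not code from the original post or from the podman project: a POSIX shell script for the situation above that keeps the container confined (no `--security-opt label=disable`) and instead gives the bind-mounted host directories a type that `container_t` is allowed to use. The pod name `nist` and the `/srv/containers` paths are taken from the post; the mariadb image reference, the helper names (`with_relabel`, `triage_avc`, `apply`) and the two AVC records are assumptions constructed for the example. The point it demonstrates: `container_var_lib_t` (what an equivalence to `/var/lib/containers` produces) is podman's own storage type and is not readable by a confined container, whereas the `:Z`/`:z` volume options make podman relabel the host path to `container_file_t`, which is; and a denial whose target is not `container_file_t` calls for a relabel, not for an `audit2allow` module that would open a host type to every container.

```shell
#!/bin/sh
# Added example, not code from the original post. Keep SELinux enforcing and give the
# bind-mounted directories a label container_t may use, instead of disabling labelling
# with --security-opt label=disable.
# Assumptions: host tree /srv/containers and pod "nist" as in the post; the mariadb image
# reference and the helper names are hypothetical; the AVC records below are constructed.

HOST_DATA=/srv/containers
IMAGE=docker.io/library/mariadb:10.5   # hypothetical; the post elides the image

# Constructed AVC records mirroring the sealert output in the post (not real audit log).
SAMPLE_AVC='type=AVC msg=audit(1610204443.123:5678): avc:  denied  { read } for  pid=12345 comm="mysqld" name="plugin.frm" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c144,c589 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file permissive=0'
SAMPLE_AVC_MCS='type=AVC msg=audit(1610204500.456:5679): avc:  denied  { read } for  pid=12345 comm="mysqld" name="plugin.frm" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c144,c589 tcontext=system_u:object_r:container_file_t:s0:c7,c90 tclass=file permissive=0'

# Third field (the type) of a context such as system_u:object_r:mysqld_db_t:s0.
ctx_type() {
    c=${1#*:}; c=${c#*:}
    printf '%s\n' "${c%%:*}"
}

# Source and target types of one AVC record.
avc_source_type() { s=${1#*scontext=}; ctx_type "${s%% *}"; }
avc_target_type() { t=${1#*tcontext=}; ctx_type "${t%% *}"; }

# Classify a denial raised by a confined container:
#   relabel      - target is not a container-accessible type: fix the volume label,
#                  do not generate an audit2allow module (that would grant every
#                  container access to the host type).
#   mcs-mismatch - type is right but the MCS categories belong to another container
#                  (a :Z volume used by two containers): use :z, or run both with the
#                  same --security-opt label=level:...
triage_avc() {
    src=$(avc_source_type "$1"); tgt=$(avc_target_type "$1")
    case "$src:$tgt" in
        container_t:container_file_t|container_t:container_ro_file_t) echo mcs-mismatch ;;
        container_t:*) echo relabel ;;
        *) echo other ;;
    esac
}

# Ensure a --volume spec asks podman to relabel the host path (Z = private MCS label
# for this container, z = shared); an existing Z/z flag is left untouched.
with_relabel() {
    case $1 in
        *:Z|*:z|*:Z,*|*:z,*|*,Z|*,z|*,Z,*|*,z,*) printf '%s\n' "$1"; return 0 ;;
    esac
    case $1 in
        *:*:*) printf '%s,Z\n' "$1" ;;   # options already present: append to them
        *:*)   printf '%s:Z\n' "$1" ;;   # host:container only
        *)     printf '%s\n' "$1" ;;     # named/anonymous volume: nothing to relabel
    esac
}

# Host-side steps (root, on a real podman host; not run unless invoked with "apply").
apply() {
    # Drop the equivalence to /var/lib/containers: it yields container_var_lib_t, which
    # container_t cannot read. Persist container_file_t instead so a later restorecon
    # does not undo what :Z sets (restorecon without -F keeps the MCS categories).
    semanage fcontext -d -e /var/lib/containers "$HOST_DATA" 2>/dev/null || true
    semanage fcontext -a -t container_file_t "${HOST_DATA}(/.*)?"
    restorecon -Rv "$HOST_DATA"
    podman run -d --restart=always --pod=nist \
        --volume "$(with_relabel "$HOST_DATA/var/lib/mysql:/var/lib/mysql")" \
        --volume "$(with_relabel "$HOST_DATA/etc/my.cnf.d:/etc/my.cnf.d:ro")" \
        "$IMAGE"
    # Check: files now carry container_file_t, and any fresh denial triages as
    # mcs-mismatch (two containers sharing a :Z volume) rather than relabel.
    ls -Z "$HOST_DATA/var/lib/mysql" | head -n 5
    ausearch -m AVC -ts recent --raw 2>/dev/null | grep '^type=AVC' | while IFS= read -r rec; do
        printf '%s %s\n' "$(triage_avc "$rec")" "$rec"
    done
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run it as `sh volumes.sh apply` as root on the podman host; without the argument it only defines the helpers, so `triage_avc` can be fed lines from `ausearch --raw` on any machine to decide between "fix the label" and "fix the sharing" before anyone reaches for `audit2allow`.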