On 1/9/21 9:20 PM, lejeczek wrote:
hi guys.
I've just started fiddling with podman, and something that I thought
would be a well-covered topic turns out to be rather thinly covered
(unless I failed to find more).
I'm hoping someone could point to a place where it's thoroughly covered
or can shed more light on possible best practices for 'container
volumes and host fcontext'.
It's fcontext labels and security options for containers.
Maybe it's just "mariadb" which I'm trying?.. hmm..
I'm on CentOS 8.
Here is an example of my troublesome container:
-> $ podman run -d --restart=always --pod=nist --volume
/srv/containers/var/lib/mysql:/var/lib/mysql --volume
/srv/containers/etc/my.cnf.d:/etc/my.cnf.d
--security-opt=label=disable ...
I also did:
-> $ semanage fcontext -a -e /var/lib/containers /srv/containers
and that's "container_var_lib_t"
I expected that would do the trick yet host's journal log is swarmed
with:
SELinux is preventing /usr/sbin/mariadbd from read access on the file
plugin.frm.
-> $ sealert -l 094ffe8a-89d5-4f7b-99fc-e7488896b255
SELinux is preventing /usr/sbin/mariadbd from read access on the file
plugin.frm.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mariadbd should be allowed read access on the
plugin.frm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c144,c589
Target Context system_u:object_r:mysqld_db_t:s0
Target Objects plugin.frm [ file ]
Source mysqld
Source Path /usr/sbin/mariadbd
Port <Unknown>
Host c8kubernode1.private.openshift.c8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name c8kubernode1.private.openshift.c8
Platform Linux c8kubernode1.private.openshift.c8 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count 6780
First Seen 2021-01-09 10:00:43 EST
Last Seen 2021-01-09 10:25:57 EST
Local ID 094ffe8a-89d5-4f7b-99fc-e7488896b255
_______________________________________________
My solution for similar issues (in CentOS 7, but I suspect the labels
are identical or similar) was to run "semanage fcontext -l" and
place the container volumes below /var/lib/docker/
_______________________________________________
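Added example, not part of either message above: a small bash triage script for denials like the one in the thread. It reads the scontext/tcontext pair out of an audit AVC line (the sample lines are constructed, modelled on the sealert fields above) and tells the two labeling failures apart: a host type that a confined container domain may not read at all (mysqld_db_t here; the same holds for container_var_lib_t, which the `semanage fcontext -e` equivalence produces and which is the runtime's own storage type, not one container_t can use), versus a container_file_t file whose MCS categories belong to a different container. The fix it prints is either a persistent container_file_t rule plus restorecon (semanage only records the rule; files that already exist keep their old label until restorecon runs) or the :z/:Z volume options, which relabel the host directory recursively, so they must only be pointed at a directory dedicated to container data. A container started with --security-opt label=disable runs as spc_t, which the policy does not confine, so a denial whose scontext is container_t comes from a confined container. Function names and the audit samples are mine; nothing here invokes podman or semanage.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage container AVC denials and
# print the labeling fix. Sample audit lines are constructed, modelled on
# the sealert fields in the thread; nothing here runs podman or semanage.
set -eu

# Constructed sample 1: confined container (container_t) denied read of
# plugin.frm on a file still carrying the host's mysqld_db_t type.
AVC_WRONG_TYPE='type=AVC msg=audit(1610204443.100:101): avc:  denied  { read } for  pid=4242 comm="mysqld" name="plugin.frm" dev="dm-0" ino=9001 scontext=system_u:system_r:container_t:s0:c144,c589 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file permissive=0'
# Constructed sample 2: file is already container_file_t, but labelled with
# another container's categories (a :Z volume owned by a sibling container).
AVC_MCS='type=AVC msg=audit(1610204443.100:102): avc:  denied  { read } for  pid=4242 comm="mysqld" name="ibdata1" dev="dm-0" ino=9002 scontext=system_u:system_r:container_t:s0:c144,c589 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=file permissive=0'
# Constructed sample 3: process is spc_t, i.e. started with label=disable.
AVC_SPC='type=AVC msg=audit(1610204443.100:103): avc:  denied  { write } for  pid=4243 comm="mysqld" name="ib_logfile0" dev="dm-0" ino=9003 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file permissive=0'

# Extract one key=value field (scontext, tcontext, name, ...) from an audit line.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# A context is user:role:type:level; the MCS categories are part of the level.
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Classify a denial:
#   wrong-type     target type is not one a container domain may use
#                  (mysqld_db_t, container_var_lib_t, user_home_t, ...)
#   mcs-mismatch   target is container_file_t but its categories differ from
#                  the process's: the volume is labelled for another container
#   same-label     type and categories already match; not a volume label issue
#   unconfined     process is spc_t (label=disable / --privileged), so
#                  volume labels are not what is blocking it
#   not-container  the source domain is not a container domain at all
classify_avc() {
  local line=$1 sctx tctx
  sctx=$(avc_field scontext "$line")
  tctx=$(avc_field tcontext "$line")
  case "$(ctx_type "$sctx")" in
    container_t|container_init_t) ;;
    spc_t) echo unconfined; return ;;
    *) echo not-container; return ;;
  esac
  case "$(ctx_type "$tctx")" in
    container_file_t|container_ro_file_t)
      [ "$(ctx_level "$sctx")" = "$(ctx_level "$tctx")" ] && echo same-label || echo mcs-mismatch ;;
    *) echo wrong-type ;;
  esac
}

# Print the fix for a class. DIR is the host side of the volume. The :z/:Z
# forms relabel DIR recursively, so only use them on a directory that holds
# nothing but container data (never /home, /var/lib or /).
fix_plan() {
  local class=$1 dir=$2
  case "$class" in
    wrong-type)
      # Persistent rule with container_file_t, not container_var_lib_t (the
      # runtime's storage type). semanage only records the rule; restorecon
      # applies it to files that already exist.
      printf 'semanage fcontext -a -t container_file_t "%s(/.*)?"\n' "$dir"
      printf 'restorecon -Rv "%s"\n' "$dir"
      ;;
    mcs-mismatch)
      printf -- '--volume "%s:%s:z"   # shared by several containers\n' "$dir" "$dir"
      printf -- '--volume "%s:%s:Z"   # private to this container\n' "$dir" "$dir"
      ;;
    *) echo "no labeling change for class $class" ;;
  esac
}

# Demo over the constructed samples, then the plan for the thread's volume.
for line in "$AVC_WRONG_TYPE" "$AVC_MCS" "$AVC_SPC"; do
  printf '%-13s %s\n' "$(classify_avc "$line")" "$(avc_field name "$line")"
done
fix_plan wrong-type /srv/containers/var/lib/mysql
```

Run it against real denials with `ausearch -m AVC -ts recent | while read -r l; do classify_avc "$l"; done` after sourcing the functions; the printed commands are a plan to review, not something the script applies.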
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx