Re: containers - fcontext labels for bind mount volumes

On 1/9/21 9:20 PM, lejeczek wrote:
Hi guys.

I've just started fiddling with podman, and something that I thought would be a well-covered topic turns out to be rather thinly covered (unless I failed to find more). I'm hoping someone could point to a place where it's thoroughly covered or can shed more light on possible best practices for 'container volumes and host fcontext'.
It's fcontext labels and security options for containers.
Maybe it's just "mariadb" which I'm trying?.. hmm..
I'm on CentOS 8.
Here is an example of my troublesome container:

-> $ podman run -d --restart=always --pod=nist --volume /srv/containers/var/lib/mysql:/var/lib/mysql --volume /srv/containers/etc/my.cnf.d:/etc/my.cnf.d --security-opt=label=disable ...

I also did:

-> $ semanage fcontext -a -e /var/lib/containers /srv/containers

and that's "container_var_lib_t"

I expected that would do the trick yet host's journal log is swarmed with:

SELinux is preventing /usr/sbin/mariadbd from read access on the file plugin.frm.

-> $ sealert -l 094ffe8a-89d5-4f7b-99fc-e7488896b255
SELinux is preventing /usr/sbin/mariadbd from read access on the file plugin.frm.

*****  Plugin catchall (100. confidence) suggests **************************

If you believe that mariadbd should be allowed read access on the plugin.frm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp


Additional Information:
Source Context                system_u:system_r:container_t:s0:c144,c589
Target Context                system_u:object_r:mysqld_db_t:s0
Target Objects                plugin.frm [ file ]
Source                        mysqld
Source Path                   /usr/sbin/mariadbd
Port                          <Unknown>
Host                          c8kubernode1.private.openshift.c8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     c8kubernode1.private.openshift.c8
Platform                      Linux c8kubernode1.private.openshift.c8
                              4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19
                              17:20:08 UTC 2020 x86_64 x86_64
Alert Count                   6780
First Seen                    2021-01-09 10:00:43 EST
Last Seen                     2021-01-09 10:25:57 EST
Local ID                      094ffe8a-89d5-4f7b-99fc-e7488896b255
_______________________________________________


My solution for similar issues (in CentOS 7, but I suspect the labels are identical or similar) was to run "semanage fcontext -l" and place the container volumes below /var/lib/docker/
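The sealert report quoted above shows the container process running as container_t while the file it is denied on carries mysqld_db_t, i.e. the bind-mounted directory still has a database label rather than a container one. The script below is an added example, not code from either poster: it parses an audit AVC line (a constructed sample whose contexts mirror the report; the pid, dev, ino and timestamp are made up) and classifies the denial as a volume that needs relabeling, an MCS category mismatch between containers, or something else. The relabel_volume and show_volume_labels helpers are this example's own suggestion of how to fix and verify the labels with semanage, restorecon, matchpathcon and stat; they assume a root shell with policycoreutils-python-utils installed and are not run at top level.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial on a bind-mounted container
# volume and, optionally, relabel the volume directory.
# Constructed sample audit line; the contexts match the sealert report in the
# thread, the pid/dev/ino/timestamp values are invented.
SAMPLE_AVC='type=AVC msg=audit(1610204443.123:4567): avc:  denied  { read } for  pid=12345 comm="mysqld" name="plugin.frm" dev="dm-0" ino=4321 scontext=system_u:system_r:container_t:s0:c144,c589 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=VALUE in an audit line (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level[:categories].
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# ctx_mcs CONTEXT: the sensitivity plus categories (e.g. s0:c144,c589), "s0" if none.
ctx_mcs() { printf '%s\n' "$1" | cut -d: -f4-; }

# classify_denial LINE: print a one-word diagnosis.
#   relabel       a container_t process hit a file whose type is not one
#                 containers may use (container_file_t / container_ro_file_t);
#                 the volume directory needs relabeling
#   mcs-mismatch  the type is right but the file's MCS categories belong to a
#                 different container (volume labeled with :Z by one container
#                 and reused by another, or the container got new categories)
#   other         not a container volume labeling problem
classify_denial() {
    sctx=$(avc_field "$1" scontext)
    tctx=$(avc_field "$1" tcontext)
    [ "$(ctx_type "$sctx")" = container_t ] || { echo other; return; }
    case "$(ctx_type "$tctx")" in
        container_file_t|container_ro_file_t)
            smcs=$(ctx_mcs "$sctx")
            tmcs=$(ctx_mcs "$tctx")
            # "s0" without categories is the shared (:z) label, readable by any container
            if [ "$tmcs" = s0 ] || [ "$tmcs" = "$smcs" ]; then
                echo other
            else
                echo mcs-mismatch
            fi ;;
        *) echo relabel ;;
    esac
}

# relabel_volume DIR: persistently label DIR and its contents container_file_t
# (the type podman's :Z/:z options apply) via a fcontext rule, then apply it on
# disk. Adding the rule alone does nothing to existing files; restorecon does.
# Use "semanage fcontext -m" instead of "-a" if a rule for DIR already exists.
relabel_volume() {
    dir=$(printf '%s' "$1" | sed 's:/*$::')    # strip trailing slashes
    semanage fcontext -a -t container_file_t "${dir}(/.*)?" &&
    restorecon -Rv "$dir"
}

# show_volume_labels DIR: compare the label the policy expects with the label
# actually on disk for DIR and its direct children; a mismatch means a
# fcontext rule was added but restorecon was never run.
show_volume_labels() {
    for f in "$1" "$1"/*; do
        [ -e "$f" ] || continue
        printf '%-40s policy=%s actual=%s\n' "$f" \
            "$(ctx_type "$(matchpathcon -n "$f")")" \
            "$(ctx_type "$(stat -c %C "$f")")"
    done
}

classify_denial "$SAMPLE_AVC"    # prints: relabel
```

Run it as is to see the classification of the sample line; to triage a live host, feed it `ausearch -m avc --raw` output line by line instead of SAMPLE_AVC, and call show_volume_labels on the bind-mounted directory before and after relabel_volume.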


_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
