selinux context

We are trying to use GlusterFS storage for volumes mounted in Docker containers on Centos 7 with SELinux enforcing. By default, I get `Permission denied` errors when trying to write to a mounted volume:

```
$ sudo docker run -it --rm -v /mnt/container-volumes/:/log/:rw ubuntu bash -c 'echo date >> /log/volume-test.log'
bash: /log/volume-test.log: Permission denied
```

I thought we might be able to address this by changing the SELinux context on the GlusterFS directory (see http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/), but we get the following errors:

```
$ sudo chcon -Rt svirt_sandbox_file_t /mnt/container-volumes/
chcon: failed to change context of ‘internal_op’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
chcon: failed to change context of ‘.trashcan’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
chcon: failed to change context of ‘/mnt/container-volumes/’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
```

Note that the `:z` Docker volume option also generates the same error:

```
$ sudo docker run -it --rm -v /mnt/container-volumes/:/log/:z ubuntu bash -c 'echo date >> /log/volume-test.log'
Error response from daemon: operation not supported
```

Next, I tried setting the context on the GlusterFS mount:

```
$ sudo mount -t glusterfs fs.glusterfs.service.consul:/container-volumes /mnt/container-volumes -o context="system_u:object_r:svirt_sandbox_file_t:s0"
Invalid option: context
```

This looks similar to the question asked in http://www.gluster.org/pipermail/gluster-users.old/2015-January/020014.html but it was never answered.

I looked around in the docs and on the mailing list archives but couldn't find a way to solve this. Does anyone know how we can configure GlusterFS so that we can change the SELinux context? Is this supported? Am I missing any steps? Is there any other way of tackling this problem (short of setting SELinux to permissive mode)?

I'd appreciate any help! Let me know if there is any other information I could provide.

CentOS Linux release 7.1.1503
glusterfs 3.7.6

(For the full context, you can see this issue: https://github.com/CiscoCloud/microservices-infrastructure/issues/867#issuecomment-159689603)

Thanks!
Ryan 
_______________________________________________
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-users
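An added diagnostic, not part of Ryan's post and not GlusterFS or Docker project code: the three failures above (chcon, the `:z` volume option, and the `context=` mount option) all hinge on whether the kernel lets the mount carry per-file SELinux labels. On a mount that does, /proc/self/mountinfo shows `seclabel` among the superblock options; on one that does not, the security.selinux xattr cannot be stored and chcon reports "Operation not supported". The script below parses mountinfo for a given mount point and reports the filesystem type and the seclabel state. The two mountinfo lines are constructed for the example (the Gluster server name and volume are taken from the post); it does not claim to answer whether GlusterFS itself can be configured to accept labels, only to show how to confirm from the kernel's side what the chcon and `:z` errors are telling you.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post or the GlusterFS project).
# Reads /proc/self/mountinfo and reports whether a mount point's superblock carries
# SELinux per-file labels ("seclabel" in the super options). Without it the kernel
# cannot store the security.selinux xattr, so chcon and `docker -v ...:z` fail with
# "Operation not supported".

# Constructed sample in mountinfo format (not captured from a real host):
#   ID parent maj:min root mountpoint mount-opts [optional...] - fstype source super-opts
SAMPLE_MOUNTINFO='24 0 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/centos-root rw,seclabel,data=ordered
51 24 0:40 / /mnt/container-volumes rw,relatime shared:30 - fuse.glusterfs fs.glusterfs.service.consul:/container-volumes rw,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072'

# mount_fstype <mountpoint> [mountinfo-text]
# Prints the filesystem type of exactly that mount point (empty if not mounted).
# The " - " separator is located by scanning, because the optional fields vary in number.
mount_fstype() {
    _mp=$1
    _src=${2:-$(cat /proc/self/mountinfo)}
    printf '%s\n' "$_src" | awk -v mp="$_mp" '
        $5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit } }'
}

# mount_has_seclabel <mountpoint> [mountinfo-text]
# Exit status 0 if the super options of that mount include "seclabel", 1 otherwise
# (also 1 when the mount point is not found).
mount_has_seclabel() {
    _mp=$1
    _src=${2:-$(cat /proc/self/mountinfo)}
    printf '%s\n' "$_src" | awk -v mp="$_mp" '
        $5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { opts = $(i + 3); break } }
        END {
            n = split(opts, a, ",")
            for (j = 1; j <= n; j++) if (a[j] == "seclabel") exit 0
            exit 1
        }'
}

# diagnose_mount <mountpoint> [mountinfo-text]
# Prints a one-line verdict. Exit 0 = relabelable, 1 = labels unsupported, 2 = not a mount.
diagnose_mount() {
    _mp=$1
    _src=${2:-$(cat /proc/self/mountinfo)}
    _fs=$(mount_fstype "$_mp" "$_src")
    [ -n "$_fs" ] || { echo "$_mp: not a mount point"; return 2; }
    if mount_has_seclabel "$_mp" "$_src"; then
        echo "$_mp ($_fs): seclabel present; chcon and docker -v ...:z can relabel files here"
        return 0
    fi
    echo "$_mp ($_fs): no seclabel; kernel will not store per-file SELinux labels (chcon -> Operation not supported)"
    return 1
}

# Run against the constructed sample so the script works offline; drop the second
# argument to inspect the live system instead.
diagnose_mount / "$SAMPLE_MOUNTINFO"
diagnose_mount /mnt/container-volumes "$SAMPLE_MOUNTINFO" || true
```

Running it on the real host (`diagnose_mount /mnt/container-volumes` with no second argument) tells you whether the GlusterFS FUSE mount is one the kernel will label at all; if it is not, neither chcon nor `:z` can succeed regardless of how the Gluster volume is configured, and the remaining options are on the mount or policy side rather than in the container.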
