"secondary" root fs with autolabeling - how?
by lejeczek
hi guys
I wonder if it's possible to make a mount point or its
sub-folder mimic the fcontext of "/" itself and have
"restorecond" do the labeling?
What I'm wondering about can't be a new notion, e.g.:
- have a mount point /devel and duplicate a partial structure
of "/" inside (usually it would be "var", "usr", "run") and
lastly have "restorecond" do the fcontext labeling, e.g.
/devel/var/www/html etc.
Would anybody have any thoughts to share?
many thanks, L.
2 years, 10 months
containers - fcontext labels for bind mount volumes
by lejeczek
hi guys.
I've just started fiddling with podman, and something which I
thought would be a well-covered topic turns out to be rather
thinly covered (unless I failed to find more).
I'm hoping someone could point to a place where it's
thoroughly covered, or shed more light on possible best
practices for 'container volumes and host fcontext'.
It's fcontext labels and security options for containers.
Maybe it's just "mariadb" which I'm trying?.. hmm..
I'm on CentOS 8.
Here is an example of my troublesome container:
-> $ podman run -d --restart=always --pod=nist \
     --volume /srv/containers/var/lib/mysql:/var/lib/mysql \
     --volume /srv/containers/etc/my.cnf.d:/etc/my.cnf.d \
     --security-opt=label=disable ...
I also did:
-> $ semanage fcontext -a -e /var/lib/containers /srv/containers
and that's "container_var_lib_t"
I expected that would do the trick, yet the host's journal log
is swarmed with:
SELinux is preventing /usr/sbin/mariadbd from read access on
the file plugin.frm.
-> $ sealert -l 094ffe8a-89d5-4f7b-99fc-e7488896b255
SELinux is preventing /usr/sbin/mariadbd from read access on
the file plugin.frm.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mariadbd should be allowed read access
on the plugin.frm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c144,c589
Target Context system_u:object_r:mysqld_db_t:s0
Target Objects plugin.frm [ file ]
Source mysqld
Source Path /usr/sbin/mariadbd
Port <Unknown>
Host c8kubernode1.private.openshift.c8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name c8kubernode1.private.openshift.c8
Platform Linux c8kubernode1.private.openshift.c8 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count 6780
First Seen 2021-01-09 10:00:43 EST
Last Seen 2021-01-09 10:25:57 EST
Local ID 094ffe8a-89d5-4f7b-99fc-e7488896b255
2 years, 10 months
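Both posts above turn on the same mechanism: an fcontext equivalence (`semanage fcontext -a -e EXISTING NEW`) lands in file_contexts.subs, libselinux rewrites the path through it first, and only then matches the rewritten path against the file_contexts regexes, where the last matching entry wins. The following is an added example, not code from either post or from libselinux: a small Python re-implementation of that lookup, run over a constructed excerpt of targeted-policy file_contexts rules (an assumption, not a copy of any real file_contexts, and without the file-type flags a real file carries). It resolves the "/devel mirrors /" idea from the first post, the `-e /var/lib/containers /srv/containers` rule from the second, and two alternatives: a "/"-style equivalence on /srv/containers, which is exactly what produces the `mysqld_db_t` target context seen in the sealert output (a type container_t is denied on, as the alert shows), and an explicit `-t container_file_t` rule added to file_contexts.local, which is the label container_t is meant to use for volumes (the same type podman applies when a `--volume` carries `:z` or `:Z`).

```python
import re

# Constructed excerpt in file_contexts(5) form. An assumption for this
# example, not a copy of a real policy file (real files also carry -d/-l
# file-type flags and thousands more entries). Order matters: the LAST
# matching regex wins, so general entries come first.
FILE_CONTEXTS = [
    (r"/.*",                        "system_u:object_r:default_t:s0"),
    (r"/var(/.*)?",                 "system_u:object_r:var_t:s0"),
    (r"/var/lib(/.*)?",             "system_u:object_r:var_lib_t:s0"),
    (r"/var/lib/mysql(/.*)?",       "system_u:object_r:mysqld_db_t:s0"),
    (r"/var/lib/containers(/.*)?",  "system_u:object_r:container_var_lib_t:s0"),
    (r"/var/www(/.*)?",             "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/etc(/.*)?",                 "system_u:object_r:etc_t:s0"),
    (r"/etc/my\.cnf\.d(/.*)?",      "system_u:object_r:mysqld_etc_t:s0"),
]

# Equivalences as they are written to file_contexts.subs: (new path,
# existing path it should be labelled like).
SUBS_DEVEL = [("/devel", "/")]                                # first post
SUBS_CONTAINERS = [("/srv/containers", "/var/lib/containers")]  # second post
SUBS_ROOT_CONTAINERS = [("/srv/containers", "/")]               # alternative

# The explicit-type alternative to an equivalence:
#   semanage fcontext -a -t container_file_t "/srv/containers(/.*)?"
# which goes to file_contexts.local and is consulted after the
# distribution entries, i.e. it becomes the last (winning) match.
LOCAL_CONTAINER_FILE = [
    (r"/srv/containers(/.*)?", "system_u:object_r:container_file_t:s0"),
]


def apply_subs(path, subs):
    """Rewrite path through the first equivalence whose source prefix
    matches at a path-component boundary (so /srv/containersX is untouched).
    Substitution happens BEFORE regex matching, which is why an equivalence
    and a -t rule on the same prefix should not be stacked: the -t rule
    would never see the original path."""
    for new_prefix, existing_prefix in subs:
        if path == new_prefix or path.startswith(new_prefix + "/"):
            rest = path[len(new_prefix):]
            return (existing_prefix.rstrip("/") + rest) or "/"
    return path


def match_context(path, specs):
    """Last matching regex wins, as in file_contexts(5)."""
    context = None
    for regex, ctx in specs:
        if re.fullmatch(regex, path):
            context = ctx
    return context


def resolve_label(path, subs, specs=FILE_CONTEXTS):
    """What restorecon / matchpathcon would assign to path."""
    return match_context(apply_subs(path, subs), specs)


def type_of(context):
    """The type field (third component) of a security context."""
    return context.split(":")[2]


if __name__ == "__main__":
    frm = "/srv/containers/var/lib/mysql/mysql/plugin.frm"
    cases = [
        ("-e / /devel", "/devel/var/www/html/index.html", SUBS_DEVEL, FILE_CONTEXTS),
        ("-e /var/lib/containers /srv/containers", frm, SUBS_CONTAINERS, FILE_CONTEXTS),
        ("-e / /srv/containers", frm, SUBS_ROOT_CONTAINERS, FILE_CONTEXTS),
        ("-t container_file_t (no equivalence)", frm, [], FILE_CONTEXTS + LOCAL_CONTAINER_FILE),
    ]
    for note, path, subs, specs in cases:
        print(f"{note:40} {path}\n{'':40} -> {resolve_label(path, subs, specs)}")
```

On a real host the same resolution can be checked without touching anything: `matchpathcon /srv/containers/var/lib/mysql/mysql/plugin.frm` prints the label the current rules would assign, and `restorecon -nv -R /srv/containers` lists what would change. If the alert's source context is container_t rather than the unconfined spc_t that `--security-opt label=disable` normally gives, that option is also worth confirming on the running container with `podman inspect`.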