1:20 p.m.
hi guys.
I've just started fiddling with podman and something what I
thought would be a well covered topic turns out to be rather
thinly covered (unless I failed to find more).
I'm hoping someone could point to place where it's
thoroughly covered or can shed more light on possible best
practices for 'container volumes and host fcontext'
It's fcontext labels and security options for containers.
Maybe it's just "mariadb" which I'm trying?.. hmm..
I'm on Centos8.
Here is an example of my troublesome container:
-> $ podman run -d --restart=always --pod=nist --volume
/srv/containers/var/lib/mysql:/var/lib/mysql --volume
/srv/containers/etc/my.cnf.d:/etc/my.cnf.d
--security-opt=label=disable ...
I also did:
-> $ semanage fcontext -a -e /var/lib/containers /srv/containers
and that's "container_var_lib_t"
I expected that would do the trick yet host's journal log is
swarmed with:
SELinux is preventing /usr/sbin/mariadbd from read access on
the file plugin.frm.
-> $ sealert -l 094ffe8a-89d5-4f7b-99fc-e7488896b255
SELinux is preventing /usr/sbin/mariadbd from read access on
the file plugin.frm.
***** Plugin catchall (100. confidence) suggests
**************************
If you believe that mariadbd should be allowed read access
on the plugin.frm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c144,c589
Target Context system_u:object_r:mysqld_db_t:s0
Target Objects plugin.frm [ file ]
Source mysqld
Source Path /usr/sbin/mariadbd
Port <Unknown>
Host c8kubernode1.private.openshift.c8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name c8kubernode1.private.openshift.c8
Platform Linux
c8kubernode1.private.openshift.c8
4.18.0-240.1.1.el8_3.x86_64
#1 SMP Thu Nov 19
17:20:08 UTC 2020 x86_64 x86_64
Alert Count 6780
First Seen 2021-01-09 10:00:43 EST
Last Seen 2021-01-09 10:25:57 EST
Local ID 094ffe8a-89d5-4f7b-99fc-e7488896b255
10:47 a.m.
On 1/9/21 9:20 PM, lejeczek wrote:
hi guys.
I've just started fiddling with podman and something what I thought
would be a well covered topic turns out to be rather thinly covered
(unless I failed to find more).
I'm hoping someone could point to place where it's thoroughly covered
or can shed more light on possible best practices for 'container
volumes and host fcontext'
It's fcontext labels and security options for containers.
Maybe it's just "mariadb" which I'm trying?.. hmm..
I'm on Centos8.
Here is an example of my troublesome container:
-> $ podman run -d --restart=always --pod=nist --volume
/srv/containers/var/lib/mysql:/var/lib/mysql --volume
/srv/containers/etc/my.cnf.d:/etc/my.cnf.d
--security-opt=label=disable ...
I also did:
-> $ semanage fcontext -a -e /var/lib/containers /srv/containers
and that's "container_var_lib_t"
I expected that would do the trick yet host's journal log is swarmed
with:
SELinux is preventing /usr/sbin/mariadbd from read access on the file
plugin.frm.
-> $ sealert -l 094ffe8a-89d5-4f7b-99fc-e7488896b255
SELinux is preventing /usr/sbin/mariadbd from read access on the file
plugin.frm.
***** Plugin catchall (100. confidence) suggests
**************************
If you believe that mariadbd should be allowed read access on the
plugin.frm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c144,c589
Target Context system_u:object_r:mysqld_db_t:s0
Target Objects plugin.frm [ file ]
Source mysqld
Source Path /usr/sbin/mariadbd
Port <Unknown>
Host c8kubernode1.private.openshift.c8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name c8kubernode1.private.openshift.c8
Platform Linux c8kubernode1.private.openshift.c8
4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu
Nov 19
17:20:08 UTC 2020 x86_64 x86_64
Alert Count 6780
First Seen 2021-01-09 10:00:43 EST
Last Seen 2021-01-09 10:25:57 EST
Local ID 094ffe8a-89d5-4f7b-99fc-e7488896b255
_______________________________________________
My solution for similar issues ( in CentOS 7 but I suspect the labels
are identical or similar ) was to run "semanage fcontext -l " and
place the container volumes below /var/lib/docker/
4:56 a.m.
Hi,
I think what you're looking for is udica (It will create custom policy for your
container).
Please have a look at this article by Lukas Vrabec for more info, including a short guide
how to use udica
https://fedoramagazine.org/use-udica-to-build-selinux-policy-for-containers/
1194
days inactive
1196
days old
selinux@lists.fedoraproject.org
2 comments
3 participants
participants (3)
-
lejeczek -
Manuel Wolfshant -
Vit Mojzis