hi guys.
I've just started fiddling with podman, and something that I thought would be a well-covered topic turns out to be rather thinly covered (unless I failed to find more). I'm hoping someone could point to a place where it's thoroughly covered or can shed more light on possible best practices for 'container volumes and host fcontext'. It's fcontext labels and security options for containers. Maybe it's just "mariadb" which I'm trying?.. hmm.. I'm on CentOS 8. Here is an example of my troublesome container:
-> $ podman run -d --restart=always --pod=nist --volume /srv/containers/var/lib/mysql:/var/lib/mysql --volume /srv/containers/etc/my.cnf.d:/etc/my.cnf.d --security-opt=label=disable ...
I also did:
-> $ semanage fcontext -a -e /var/lib/containers /srv/containers
and that's "container_var_lib_t"
I expected that would do the trick, yet the host's journal is swarmed with:
SELinux is preventing /usr/sbin/mariadbd from read access on the file plugin.frm.
-> $ sealert -l 094ffe8a-89d5-4f7b-99fc-e7488896b255
SELinux is preventing /usr/sbin/mariadbd from read access on the file plugin.frm.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that mariadbd should be allowed read access on the plugin.frm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
# semodule -X 300 -i my-mysqld.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c144,c589
Target Context                system_u:object_r:mysqld_db_t:s0
Target Objects                plugin.frm [ file ]
Source                        mysqld
Source Path                   /usr/sbin/mariadbd
Port                          <Unknown>
Host                          c8kubernode1.private.openshift.c8
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     c8kubernode1.private.openshift.c8
Platform                      Linux c8kubernode1.private.openshift.c8 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count                   6780
First Seen                    2021-01-09 10:00:43 EST
Last Seen                     2021-01-09 10:25:57 EST
Local ID                      094ffe8a-89d5-4f7b-99fc-e7488896b255
On 1/9/21 9:20 PM, lejeczek wrote:
My solution for similar issues (in CentOS 7, but I suspect the labels are identical or similar) was to run "semanage fcontext -l" and place the container volumes below /var/lib/docker/
Hi, I think what you're looking for is udica (it will create a custom policy for your container). Please have a look at this article by Lukas Vrabec for more info, including a short guide on how to use udica: https://fedoramagazine.org/use-udica-to-build-selinux-policy-for-containers/
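As an added example (not code from the thread), a small POSIX shell triage helper that parses the sealert "Additional Information" line from the original post, extracts the source and target contexts, and says which fix applies: the denial above shows the bind mount still carrying the host label mysqld_db_t rather than the container_file_t label that a :Z/:z volume option or an fcontext rule would give it, which is what both replies are steering towards. The SAMPLE line, the classification names and the remedy wording are constructed here; the policy facts assumed are stated in the comments.

```shell
#!/bin/sh
# Added triage helper (not from the thread): parse one sealert "Additional Information"
# line, pull out the source/target SELinux contexts and say which kind of fix applies.
# Policy facts assumed: containers run confined as container_t, bind mounts must carry
# container_file_t (":Z" gives the container's own MCS categories, ":z" a shared s0 label),
# and --security-opt label=disable would run the process as spc_t, not container_t.
# Constructed sample, same shape as the denial in the original post.
SAMPLE='Additional Information: Source Context system_u:system_r:container_t:s0:c144,c589 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects plugin.frm [ file ]'
# ctx_field CONTEXT N -> field N of user:role:type:level ("4-" returns the whole level)
ctx_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }
# classify LINE -> relabel-volume | mcs-mismatch | not-container_t:<type> | other
classify() {
    src=$(printf '%s\n' "$1" | sed -n 's/.*Source Context \([^ ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*Target Context \([^ ]*\).*/\1/p')
    stype=$(ctx_field "$src" 3); ttype=$(ctx_field "$tgt" 3)
    slevel=$(ctx_field "$src" 4-); tlevel=$(ctx_field "$tgt" 4-)
    case "$stype" in
        container_t) ;;
        *) echo "not-container_t:$stype"; return 0 ;;
    esac
    case "$ttype" in
        container_file_t)
            # right type but another container's categories (":Z" from a different run)
            if [ "$tlevel" != "$slevel" ] && [ "$tlevel" != s0 ]; then
                echo mcs-mismatch
            else
                echo other
            fi ;;
        *) echo relabel-volume ;;   # e.g. mysqld_db_t: the host label, not a container one
    esac
}
# remedy_hint CLASS -> the defender-side fix to apply (printed, never executed here)
remedy_hint() {
    case "$1" in
        relabel-volume)
            echo "add :Z to the --volume so podman relabels it, or label the tree once:"
            echo "  semanage fcontext -a -t container_file_t '/srv/containers(/.*)?'"
            echo "  restorecon -Rv /srv/containers" ;;
        mcs-mismatch)
            echo "volume carries other categories: rerun with :Z, or use :z to share it" ;;
        not-container_t:*)
            echo "process is ${1#not-container_t:}, not container_t; this is not a volume-label issue" ;;
        *) echo "check the raw AVC with: ausearch -m AVC -ts recent" ;;
    esac
}
class=$(classify "$SAMPLE"); echo "$class"; remedy_hint "$class"
```

Feed it the "Additional Information" line of any other sealert report to get the same classification; the helper only prints the suggested commands, it does not run them.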
selinux@lists.fedoraproject.org