[atomic-devel] SELinux labelling when running Pulp in containers

To help improve the local dev experience for a project I'm working on
that uses Pulp, I've been looking at making it easier to get a local
dev instance of that up and running in containers.

Building on Michael Hrivnak's previous work, I got Pulp fully
containerised in
(with a couple of messy hacks to work around the inability to change
mount points or the owning user when mounting volumes via

However, I've only managed to get it working under "setenforce 0" -
SELinux complains otherwise. After bringing this up internally, I
realised I should start a thread here with the relevant setroubleshoot
details. (Containerising Pulp for local development serves as a
precursor to getting it running on Atomic Host, so this seems like the
most appropriate upstream list to provide feedback on the challenges I
encountered with it).

For reference, the containers involved in running Pulp locally are:

* pulp_data - just owns the data volumes
* pulp_db - MongoDB container
* pulp_qpid - Qpid message broker
* pulp_beat - (I don't actually know what this does...)
* pulp_resource_manager - (ditto...)
* pulp_worker[12] - celery worker nodes (I believe)
* pulpapi - web service for main REST API
* crane - Docker registry service

The first 3 containers have no dependencies, the others all mount
volumes from pulp_data, and have network links to pulp_db and
pulp_qpid. All the containers also mount "/dev/log:Z" from the host.

Running "sudo _localdev/start_pulp.sh" under SELinux, only the
database and Qpid containers start properly - the later ones which
need to link network interfaces to those containers all fail.

The setroubleshoot message that seems relevant (both by time and content) is:

SELinux is preventing nm-dispatcher from read access on the lnk_file
log. For complete SELinux messages. run sealert -l

And the additional information from sealert:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:svirt_sandbox_file_t:s0:c88,c647
Target Objects                log [ lnk_file ]
Source                        nm-dispatcher
Source Path                   nm-dispatcher
Port                          <Unknown>
Host                          thechalk
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.12.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Raw Audit Messages
type=AVC msg=audit(1441238305.121:883): avc:  denied  { read } for
pid=5928 comm="nm-dispatcher" name="log" dev="devtmpfs"
ino=10641 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c88,c647 tclass=lnk_file permissive=0

Hash: nm-dispatcher,NetworkManager_t,svirt_sandbox_file_t,lnk_file,read


P.S. There's also a secondary failure that appears to stem from
failing to record the above alert properly: "could not write
/var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 13]
Permission denied:

Nick Coghlan   |   ncoghlan gmail com   |   Brisbane, Australia
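As an added example (not from Nick's post, the Pulp project or setroubleshoot), a small Python triage script for audit records like the one quoted above: it parses AVC denials and flags the pattern behind this failure, a host domain (NetworkManager_t) denied on an object that now carries the container file label svirt_sandbox_file_t, which is what a ":Z" mount does to a host-shared path such as /dev/log. The container process type names (svirt_lxc_net_t, svirt_t) are assumed from the Docker SELinux policy of that era; only svirt_sandbox_file_t appears in the post, and the second sample record is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{[^}]*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed Docker-policy type names of that era; only svirt_sandbox_file_t is in the post.
CONTAINER_DOMAINS = {"svirt_lxc_net_t", "svirt_t"}
CONTAINER_FILE_TYPES = {"svirt_sandbox_file_t"}

def split_context(ctx: str) -> Tuple[str, str]:
    # "user:role:type:s0[:cats]" -> (type, cats); cats is "" when there are no MCS categories
    _, _, type_, level = (ctx.split(":", 3) + [""])[:4]
    return type_, (level.split(":", 1)[1] if ":" in level else "")

def parse_avc(line: str) -> Optional[Dict[str, str]]:
    # Split one audit record into its key=value fields; None if it is not an AVC denial
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    kv["stype"], kv["smcs"] = split_context(kv["scontext"])
    kv["ttype"], kv["tmcs"] = split_context(kv["tcontext"])
    return kv

def classify(avc: Dict[str, str]) -> str:
    src_ctr = avc["stype"] in CONTAINER_DOMAINS
    tgt_ctr = avc["ttype"] in CONTAINER_FILE_TYPES
    if tgt_ctr and not src_ctr:
        # A host service tripped over an object now carrying the container label:
        # what a ":Z" mount does to a path the host still uses, such as /dev/log.
        return "host_service_on_relabelled_path"
    if src_ctr and tgt_ctr and avc["smcs"] != avc["tmcs"]:
        # Two containers with different MCS category pairs sharing a volume
        return "mcs_mismatch_between_containers"
    return "other"

def triage(audit_text: str) -> List[Tuple[str, str, str]]:
    # (comm, name, verdict) for each AVC record in the text
    return [(a.get("comm", ""), a.get("name", ""), classify(a))
            for a in map(parse_avc, audit_text.splitlines()) if a]

# Constructed sample: record 1 is the post's denial re-joined onto one line,
# record 2 is a made-up cross-container denial for contrast.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1441238305.121:883): avc:  denied  { read } for pid=5928 comm="nm-dispatcher" '
    'name="log" dev="devtmpfs" ino=10641 scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c88,c647 tclass=lnk_file permissive=0\n'
    'type=AVC msg=audit(1441238400.000:900): avc:  denied  { open } for pid=6100 comm="mongod" '
    'name="mongod.lock" dev="dm-0" ino=4242 scontext=system_u:system_r:svirt_lxc_net_t:s0:c88,c647 '
    'tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c12,c34 tclass=file permissive=0\n'
)
```

Run `triage(SAMPLE_AUDIT)` (or feed it the output of `ausearch -m avc`) to see the nm-dispatcher denial classified as a host service hitting a relabelled path; the fix direction that verdict points at is not to ":Z"-relabel a path the host itself still needs.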

