
Re: [atomic-devel] SELinux labelling when running Pulp in containers



On 3 September 2015 at 21:56, Daniel J Walsh <dwalsh redhat com> wrote:
> Remove the :Z from this line.  You don't want to relabel /dev/log on the
> host.
>
> MOUNTS="--volumes-from pulp_data -v /dev/log:/dev/log:Z"
>
> You should only be relabeling content specific to the container.
>
> restorecon -F /dev/log
>
> on the host should fix this label.

Thanks. With that fixed, I saw a few new errors that appear to be
related to the volumes exported by the data container:

1x "SELinux is preventing httpd from read access on the file pulp_python.conf"
4x "SELinux is preventing celery from read access on the file server.conf"

Reading http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
suggested to me that they all needed the "chcon -Rt
svirt_sandbox_file_t" applied.

The ":z" suffix doesn't work for a volume export (Docker thinks it's a
mount point for a host volume), and "<export path>::z" isn't valid
syntax, so I tried reading the list of mounts from docker inspect and
setting the context with chcon. While "ls -lZ" showed the context had
been changed, I still got the SELinux error messages and the
containers didn't start.

At this point, I think Mark's approach of letting Kubernetes deal with
the security context management is likely to be a better way to go.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan gmail com   |   Brisbane, Australia
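The distinction Daniel draws above (relabel only container-owned content, put host labels back with restorecon) can be turned into a check over the mount list Nick pulled from docker inspect. The following is an added example, not code from either poster or from Pulp; it assumes the `Mounts[].Source/Mode` layout of `docker inspect` output and that Docker keeps volume data under /var/lib/docker/volumes or /var/lib/docker/vfs/dir, and it works from a constructed inspect document and constructed labels rather than a live host.

```python
import json

SANDBOX_TYPE = "svirt_sandbox_file_t"
# Docker-managed volume storage: content here belongs to containers, so relabeling it
# affects nothing else on the host. (Assumed layout, not taken from the thread.)
DOCKER_VOLUME_ROOTS = ("/var/lib/docker/volumes/", "/var/lib/docker/vfs/dir/")

# Constructed stand-in for `docker inspect pulp_celerybeat`: one volume inherited from the
# data container plus the /dev/log bind mount discussed in the thread. Not real output.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/pulp_celerybeat",
    "Mounts": [
        {"Source": "/var/lib/docker/volumes/example_volume_id/_data",
         "Destination": "/etc/pulp", "Mode": ""},
        {"Source": "/dev/log", "Destination": "/dev/log", "Mode": "Z"},
    ],
}])

# Constructed SELinux types, as `ls -Zd <path>` would report them on the host.
SAMPLE_TYPES = {
    "/var/lib/docker/volumes/example_volume_id/_data": "docker_var_lib_t",
    "/dev/log": "svirt_sandbox_file_t",   # already relabeled by the stray :Z
}


def plan_relabel(inspect_json, current_types):
    """Return {source_path: recommended action} for every mount of every container.

    Container-owned volumes that lack the sandbox type get `chcon -Rt svirt_sandbox_file_t`.
    Host paths are never relabeled for the container: if a :Z/:z was applied to one
    (Mode carries the flag, or the path already carries the sandbox type), the fix is
    `restorecon -F` to restore the host's default label; otherwise they are left alone.
    """
    plan = {}
    for container in json.loads(inspect_json):
        for mount in container["Mounts"]:
            src, mode = mount["Source"], mount.get("Mode", "")
            current = current_types.get(src)
            if src.startswith(DOCKER_VOLUME_ROOTS):
                if current != SANDBOX_TYPE:
                    plan[src] = f"chcon -Rt {SANDBOX_TYPE} {src}"
            elif "z" in mode.lower() or current == SANDBOX_TYPE:
                plan[src] = f"restorecon -F {src}  # and drop :Z/:z from the -v option"
            else:
                plan[src] = "leave alone: host path with its own label"
    return plan


if __name__ == "__main__":
    for path, action in plan_relabel(SAMPLE_INSPECT, SAMPLE_TYPES).items():
        print(f"{path}: {action}")
```

Note that, as Nick's report shows, a correct label on the volume directory is necessary but was not sufficient in his case, so treat the output as a first check rather than a guaranteed fix.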

