-
-
Notifications
You must be signed in to change notification settings - Fork 609
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker volumes inaccessible if selinux is enforcing #4165
Comments
Thanks for the patch! Can you link to some documentation on what adding the |
Yep: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label Basically, z and Z were added so that Docker can automatically add appropriate selinux labels to the files in the designated volume when the container is started. We want z rather than Z since Z will label the files to only be accessible to a single container, which won't work. |
I appreciate the extra details. According to that documentation:
Based on that, I'd prefer not to the patch. I'm curious, what is it that SELinux is enforcing that prohibits executing those files on the mount? Also, have you tried using docker-compose's |
Setting Z is definitely not what we want here and won't even work for the boulder tests. Setting z or Z also won't do anything on a system that does not have SELinux set to enforcing. That's apparently most people using this boulder test harness, since this hasn't come up before. So, the impact should be minimal, but docker-compose would work out of the box for people who do have SELinux set to enforcing and that is something I personally support. :) I'm on Fedora 29 here and when I pull down from GitHub the context is: If the context is not changed, running
The I really do think there is very little risk of disruption by this change, but the benefit may also be seen as unnecessary and not warrant any risk. If you choose not to accept the patch, at least this will be recorded here for anyone else enforcing SELinux to know how to fix it. ¯_(ツ)_/¯ |
Thanks, that helps. I understand some more of the problem now, but I'm still not confident that I understand the SELinux rules well enough to judge whether this is the right fix, and as you mentioned, this isn't something we're running into most of the time, so I'm going to defer this until we have more immediate need. When that happens, this issue will serve as useful documentation. :-) |
The current docker-compose.yml attempts to mount volumes without selinux labelling. If selinux is set to enforcing, the containers will report permission denied attempting to execute the entrypoint scripts at test/entrypoint-netaccess.sh and test/entrypoint.sh.
The solution is just to add :z at the end of the volume paths and Docker will perform the labeling automatically. Adding this is a simple change that didn't appear to cause other issues in my testing. PR incoming.
The text was updated successfully, but these errors were encountered: