Allowing access to programs in SELinux through modules

This page is compiled from my experiences of researching the bare minimum to make stuff work. Since SELinux is made to be secure, this approach might create security vulnerabilities if you don't know what you are doing.

Resources
Introduction to SELinux (GitHub blog)

Locate the problem
In this example, my nginx installation is unable to access a file called test.txt. This is the journal log:

Sep 22 20:01:32 hermes.iix.se audit[23928]: AVC avc: denied { read } for pid=23928 comm="nginx" name="test.txt" dev="vda1" ino=271350 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

The first thing we do is ask audit what's up. This is usually done by piping the audit log to audit2why. If you don't have audit, the logs should be in /var/log/messages instead. ...

Cannot mount cifs-drive over docker with SE-Linux enabled for docker

I have a docker container which wants access to a drive on its host, which in turn is mounted with cifs from a server on the local network. If you mount it normally with -v host:container and try to access it from the container, you get an access denied. If you try the old classic SE-Linux-friendly -v host:container:Z, it will look like this from the container:

root@c3ada26b1d90:/# l /data/*
/data/backup:
ls: cannot access '/data/backup/config.json': Permission denied
27177a66e938a02ae784c0bc9ccd74751a32c00f4fcaee22ef1d78894c70553a-stdin|  config.json  init-stdin|
27177a66e938a02ae784c0bc9ccd74751a32c00f4fcaee22ef1d78894c70553a-stdout|  init-stderr|  init-stdout|

To make it work, you have to change the SE-Linux type from cifs_t to something more container-y. In your /etc/fstab, you can mount it like this: ...