Comments (6)
virt_use_samba already works.
from container-selinux.
It's mounted as samba_share_t with fcontext.
[jcastillo2nd@helm ~]$ stat /opt/share/
File: '/opt/share/'
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd01h/64769d Inode: 2 Links: 27
Access: (0755/drwxr-xr-x) Uid: ( 1000/jcastillo2nd) Gid: ( 1000/jcastillo2nd)
Context: system_u:object_r:samba_share_t:s0
Access: 2017-02-01 17:44:16.102088526 +0000
Modify: 2017-02-01 11:21:46.796247164 +0000
Change: 2017-02-01 17:44:16.101088502 +0000
Birth: -
Make sure we've got the bool going:
[jcastillo2nd@helm Dockerfiles]$ sudo semanage boolean --list | grep virt_use_samba
virt_use_samba (on , on) Allow virt to use samba
Going to start up the container:
[jcastillo2nd@helm Dockerfiles]$ sudo docker run -d -v /opt/share:/opt/share -ti fedora:25 bash
ff8d832b218f6b0b89dcb3ee68b13f30d9c33c07a672de4eca3dabaae6646c09
Quick verification of processes:
system_u:system_r:container_runtime_t:s0 root 697 0.0 0.1 289256 8272 ? Ssl 19:07 0:00 /usr/libexec/docker/docker-containerd-current --listen unix:///run/containerd.sock --shim /usr/libexec/docker/docker-containerd-shim-current --start-timeout 2m
system_u:system_r:container_runtime_t:s0 root 1111 0.0 0.0 124672 2736 ? Sl 19:10 0:00 \_ /usr/libexec/docker/docker-containerd-shim-current ff8d832b218f6b0b89dcb3ee68b13f30d9c33c07a672de4eca3dabaae6646c09 /var/run/docker/libcontainerd/ff8d832b218f6b0b89dcb3ee68b13f30d9c33c07a672de4eca3dabaae6646c09 /usr/libexec/docker/docker-runc-current
system_u:system_r:container_t:s0:c246,c510 root 1125 0.0 0.0 12584 3568 pts/1 Ss+ 19:10 0:00 \_ bash
With a tail of audit.log going for denies, try to touch a file.
[jcastillo2nd@helm Dockerfiles]$ sudo docker attach ff8d
^C
[root@ff8d832b218f /]# touch /opt/share/test
touch: cannot touch '/opt/share/test': Permission denied
[root@ff8d832b218f /]# ls -l /opt/share/
ls: cannot open directory '/opt/share/': Permission denied
And this is what I'm seeing in the audit log tail:
[jcastillo2nd@helm ~]$ sudo tail -n 0 -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1485976511.058:287): avc: denied { write } for pid=1438 comm="touch" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c246,c510 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485976525.519:289): avc: denied { read } for pid=1440 comm="ls" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c246,c510 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0
I am pretty sure that virt_use_samba is not working for the container policies here, or am I mistaken on something here?
[jcastillo2nd@helm Dockerfiles]$ sudo dnf info selinux-policy
Last metadata expiration check: 2:35:14 ago on Wed Feb 1 16:45:48 2017.
Installed Packages
Name : selinux-policy
Arch : noarch
Epoch : 0
Version : 3.13.1
Release : 225.6.fc25
Size : 20 k
Repo : @System
From repo : updates
Summary : SELinux policy configuration
URL : http://github.com/TresysTechnology/refpolicy/wiki
License : GPLv2+
Description : SELinux Base package for SELinux Reference Policy - modular.
: Based off of reference policy: Checked out revision 2.20091117
from container-selinux.
samba_share_t is local storage being shared with others via samba. Remote samba/windows file systems being shared into a container would be cifs_t, which would be allowed with this boolean.
Are you trying to put samba into a container to share it elsewhere?
from container-selinux.
I'll switch over the context to cifs_t for that and test further. I'm mapping a volume for a docker container that is provided through a cifs mount and shared through samba with non-Linux systems on the network. If samba can read/write to cifs_t and the container can read/write to cifs_t (provided the permissions/ownership are all good), that should resolve the issue.
from container-selinux.
No that will not work either. If you want a share that can be read by both then use :Z for the volume mount into the container and then set a boolean for samba to share all content.
samba_export_all_ro or samba_export_all_rw
from container-selinux.
Thanks for the info. That indeed does work out.
from container-selinux.
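The resolution above, as an added example that is not part of the issue thread or of container-selinux: a small script that parses the AVC records from audit.log the way the reporter was reading them, maps the source/target type pair to the knob that actually applies (the thread's point is that virt_use_samba only covers cifs_t, not samba_share_t), and applies the maintainer's fix of a :Z volume mount plus samba_export_all_rw. The sample AVC line embedded in the script is the one from this thread; the path /opt/share and the fedora:25 image are taken from the reporter's commands, and apply_fix assumes a Docker host with SELinux enforcing and root via sudo.

```shell
#!/bin/bash
# Added example, not code from the issue or the project.

# avc_summary: reduce one audit.log AVC record to
# "<permission> <source type> <target type> <object class>"
avc_summary() {
    local line="$1"
    local perm stype ttype tclass
    perm=$(printf '%s\n' "$line"   | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    stype=$(printf '%s\n' "$line"  | sed -n 's/.*scontext=[^:]*:[^:]*:\([a-z_]*\).*/\1/p')
    ttype=$(printf '%s\n' "$line"  | sed -n 's/.*tcontext=[^:]*:[^:]*:\([a-z_]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    printf '%s %s %s %s\n' "$perm" "$stype" "$ttype" "$tclass"
}

# advise: given the four fields from avc_summary, name the fix the thread arrived at.
# Only the type pairs discussed in this thread are handled; anything else is reported as-is.
advise() {
    local stype="$2" ttype="$3"
    case "$stype:$ttype" in
        container_t:samba_share_t)
            echo "relabel: mount the volume with :Z and run setsebool -P samba_export_all_rw on" ;;
        container_t:cifs_t)
            echo "boolean: setsebool -P virt_use_samba on" ;;
        container_t:container_file_t)
            echo "label is already right; check DAC ownership/permissions and MCS categories" ;;
        *)
            echo "unhandled: $stype -> $ttype" ;;
    esac
}

# apply_fix: the maintainer's resolution, run on the Docker host.
# :Z relabels the host directory to container_file_t with this container's own
# MCS categories; samba_export_all_rw then lets smbd read and write that label too.
apply_fix() {
    local share="${1:-/opt/share}"
    sudo setsebool -P samba_export_all_rw on
    sudo docker run -d -v "$share:$share:Z" -ti fedora:25 bash
    ls -Zd "$share"                      # expect ...:container_file_t:s0:cNNN,cMMM
    getsebool samba_export_all_rw        # expect "samba_export_all_rw --> on"
}

# The denial from this thread, embedded so the script runs without an audit log.
SAMPLE_AVC='type=AVC msg=audit(1485976511.058:287): avc: denied { write } for pid=1438 comm="touch" name="/" dev="dm-1" ino=2 scontext=system_u:system_r:container_t:s0:c246,c510 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0'

if [ "${1:-}" = "apply" ]; then
    apply_fix "${2:-/opt/share}"
else
    summary=$(avc_summary "$SAMPLE_AVC")
    echo "denial: $summary"
    # word-split the four fields on purpose
    echo "advice: $(advise $summary)"
fi
```

Run it with no arguments to see the diagnosis, or feed it live records with `sudo grep denied /var/log/audit/audit.log | while read -r l; do avc_summary "$l"; done` after sourcing it; `./fix.sh apply /opt/share` applies the fix. One caveat for the reporter's setup: the samba_share_t label came from a semanage fcontext rule, so a later `restorecon -R /opt/share` will put samba_share_t back and the denials return; drop that fcontext entry (`semanage fcontext -d`) once the :Z label is in place.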