Here is my SELinux output both from the host and the container. I’m getting a lot of “?” characters on the host, when I think I should be seeing the user, role and type label defined. I’ve googled around based on those results and am not finding anything.
I’ve tried to restorecon -R -v on those volumes and nothing changed.
Volume Mounts
host: /opt/nexus
container: /nexus-data
host: /data/storage
container: /storage
From the host
[usera@hosta /]$ sudo ls -alZ /opt/nexus
[sudo] password for usera:
total 24
drwxr-x--- 15 755 nexus ? 254 Oct 5 14:48 .
drwxr-xr-x. 13 nexus nexus system_u:object_r:usr_t:s0 214 Oct 4 10:13 ..
drwxr-xr-x 3 root root ? 21 Oct 4 10:37 blobs
drwxr-xr-x 323 root root ? 8192 Oct 5 14:48 cache
drwxr-xr-x 6 root root ? 113 Oct 4 10:37 db
drwxr-xr-x 3 root root ? 36 Oct 4 11:11 elasticsearch
drwxr-xr-x 3 root root ? 45 Oct 5 14:30 etc
drwxr-xr-x 2 root root ? 6 Oct 4 10:36 generated-bundles
drwxr-xr-x 2 root root ? 33 Oct 4 10:36 instances
drwxr-xr-x 3 root root ? 19 Oct 4 10:36 javaprefs
-rw-r--r-- 1 root root ? 1 Oct 5 14:48 karaf.pid
drwxr-xr-x 3 root root ? 18 Oct 4 10:37 keystores
-rw-r--r-- 1 root root ? 14 Oct 5 14:48 lock
drwxr-xr-x 4 root root ? 220 Oct 5 20:00 log
drwxr-xr-x 2 root root ? 6 Oct 4 10:37 orient
-rw-r--r-- 1 root root ? 5 Oct 5 14:48 port
drwxr-xr-x 2 root root ? 6 Oct 4 10:37 restore-from-backup
drwxr-xr-x 8 root root ? 261 Oct 5 14:48 tmp
[usera@hosta /]$ sudo ls -alZ /data/storage
total 24
drwxr-xr-x 2 200 200 ? 172 Oct 5 13:00 .
drwxr-x--- 3 nexus nexus ? 21 Aug 26 13:41 ..
-rw-r----- 1 root root ? 1992 Oct 5 13:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r--r-- 1 root root ? 6582 Oct 5 13:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root root ? 1221 Oct 5 12:42 nexus-hosta.enclave.pem
-rw-r----- 1 root root ? 2532 Oct 5 13:00 nexus-hosta_server_crt.cer
-rw-r----- 1 root root ? 1302 Oct 5 13:00 ROOTCA-CORP.cer
From the container
[root@6ca25b429eb1 /]# sestatus
bash: sestatus: command not found
[root@6ca25b429eb1 /]# whereis selinux
selinux: /etc/selinux /usr/libexec/selinux
[root@6ca25b429eb1 /]# ls -al /etc/selinux
total 4
drwxr-xr-x 1 root root 6 Oct 6 13:49 .
drwxr-xr-x 1 root root 21 Mar 4 2021 ..
-rw-r--r-- 1 root root 2425 Jun 29 2020 semanage.conf
[root@6ca25b429eb1 /]# ls -alZ /nexus-data
total 24
drwxr-x--- 15 755 1005 ? 254 Oct 5 18:48 .
drwxr-xr-x 1 root root ? 77 Oct 5 14:12 ..
drwxr-xr-x 3 root root ? 21 Oct 4 14:37 blobs
drwxr-xr-x 323 root root ? 8192 Oct 5 18:48 cache
drwxr-xr-x 6 root root ? 113 Oct 4 14:37 db
drwxr-xr-x 3 root root ? 36 Oct 4 15:11 elasticsearch
drwxr-xr-x 3 root root ? 45 Oct 5 18:30 etc
drwxr-xr-x 2 root root ? 6 Oct 4 14:36 generated-bundles
drwxr-xr-x 2 root root ? 33 Oct 4 14:36 instances
drwxr-xr-x 3 root root ? 19 Oct 4 14:36 javaprefs
-rw-r--r-- 1 root root ? 1 Oct 5 18:48 karaf.pid
drwxr-xr-x 3 root root ? 18 Oct 4 14:37 keystores
-rw-r--r-- 1 root root ? 14 Oct 5 18:48 lock
drwxr-xr-x 4 root root ? 220 Oct 6 00:00 log
drwxr-xr-x 2 root root ? 6 Oct 4 14:37 orient
-rw-r--r-- 1 root root ? 5 Oct 5 18:48 port
drwxr-xr-x 2 root root ? 6 Oct 4 14:37 restore-from-backup
drwxr-xr-x 8 root root ? 261 Oct 5 18:48 tmp
[root@6ca25b429eb1 /]# ls -laZ /storage
total 24
drwxr-xr-x 2 nexus nexus ? 172 Oct 5 17:00 .
drwxr-xr-x 1 root root ? 77 Oct 5 14:12 ..
-rw-r----- 1 root root ? 1992 Oct 5 17:00 ISSUINGCA-CORP_intermediate_cert.cer
-rw-r----- 1 root root ? 1302 Oct 5 17:00 ROOTCA-CORP.cer
-rw-r--r-- 1 root root ? 6582 Oct 5 17:03 nexus-hosta.enclave.jks
-rw-r--r-- 1 root root ? 1221 Oct 5 16:42 nexus-hosta.enclave.pem
-rw-r----- 1 root root ? 2532 Oct 5 17:00 nexus-hosta_server_crt.cer
Thanks again
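The `?` in the context column of `ls -Z` means no security context could be read for that entry (typically a mount that does not carry SELinux labels), so it stands out from entries such as `..` that show a full `user:role:type:level` label. The following is an added example, not part of the thread, that scans `ls -alZ`-style output and separates unlabelled entries from labelled ones; the listing it parses is constructed to mirror the host output above.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify entries in
# `ls -alZ` output by whether the SELinux context column is "?" or a real
# label. The sample listing below is constructed to resemble the one in
# the mail: two unlabelled entries and two labelled ones.

SAMPLE_LISTING='total 24
drwxr-x--- 15 755 nexus ? 254 Oct 5 14:48 .
drwxr-xr-x. 13 nexus nexus system_u:object_r:usr_t:s0 214 Oct 4 10:13 ..
drwxr-xr-x 3 root root ? 21 Oct 4 10:37 blobs
-rw-r--r--. 1 root root unconfined_u:object_r:container_file_t:s0 5 Oct 5 14:48 port'

# In `ls -lZ` output the fields are: mode, link count, user, group,
# context, size, month, day, time, name. The context is field 5.
# Only lines whose first field looks like a mode string are considered,
# which skips the "total N" header. Names containing spaces are not
# handled (only the last word would be printed).

# unlabelled_entries LISTING: print names whose context column is "?".
unlabelled_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[-dlcbps]/ && $5 == "?" { print $NF }'
}

# labelled_entries LISTING: print "name context" for entries with a label.
labelled_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[-dlcbps]/ && $5 != "?" { print $NF, $5 }'
}

# count_unlabelled LISTING: number of entries with no readable context,
# usable as a quick pass/fail check in a script.
count_unlabelled() {
    unlabelled_entries "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
echo "Entries without a SELinux context:"
unlabelled_entries "$SAMPLE_LISTING"
echo "Entries with a SELinux context:"
labelled_entries "$SAMPLE_LISTING"
```

On a real host the same functions can be fed live output, e.g. `unlabelled_entries "$(sudo ls -alZ /opt/nexus)"`, to see which mounted paths never received a label.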
From: Leon N <leon9923@gmail.com>
Sent: Wednesday, October 6, 2021 8:29 AM
To: Miller, Christopher (NE) <Christopher.Miller@gd-ms.com>
Cc: dwalsh@redhat.com; podman mailing list <podman@lists.podman.io>
Subject: Re: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host
Hey,
These would be run on the host.
You can also change the restorecon parameters to restore the contexts for the storage you mounted:
sudo restorecon -R -v <path to storage>
Doing ls -laZ on the storage you mount in the container will also give everyone here insights on the SELinux contexts.
Regards,
Leon
On Wed, 6 Oct, 2021, 17:43 Christopher.Miller@gd-ms.com, <Christopher.Miller@gd-ms.com> wrote:
Sorry, I’m not clear where I want to run these commands: on the host or the container?
Thanks
From: Daniel Walsh <dwalsh@redhat.com>
Sent: Tuesday, October 5, 2021 7:10 PM
To: podman@lists.podman.io
Subject: [Podman] Re: permissions issues to host filesystem when running rootless Vs rootful and question on opening port on container/host
I am guessing this is an SELinux issue. Perhaps `sudo restorecon -R -v /var/lib/containers` might fix it.
You can run `sudo ausearch -m avc -ts recent` after it fails to see if SELinux is involved.
Podman mailing list -- podman@lists.podman.io