rest-server
SELinux Issues
After upgrading to the latest Red Hat 7.5 release I cannot start my restic/rest-server Docker container. Seems to be some SELinux issue. Maybe I'm missing something in my Docker setup.
```
docker-compose up
Starting rest_srv ... done
Attaching to rest_srv
rest_srv | Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
rest_srv | Error relocating /entrypoint.sh: RELRO protection failed: Permission denied
rest_srv exited with code 127
```
```
tail audit.log
type=PROCTITLE msg=audit(1527685116.086:3277): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D74006E6174002D4900444F434B45525F504F5354524F5554494E47002D73003132372E302E302E3131002D7000746370002D2D73706F7274003333303231002D6A00534E4154002D2D746F2D736F75726365003A3533
type=AVC msg=audit(1527685116.187:3278): avc: denied { read } for pid=16615 comm="entrypoint.sh" path="/lib/ld-musl-x86_64.so.1" dev="dm-2" ino=669806 scontext=system_u:system_r:container_t:s0:c462,c865 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1527685116.187:3278): arch=c000003e syscall=10 success=no exit=-13 a0=7f5f76db6000 a1=1000 a2=1 a3=7f5f76b401bb items=0 ppid=16596 pid=16615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="entrypoint.sh" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c462,c865 key=(null)
type=PROCTITLE msg=audit(1527685116.187:3278): proctitle=2F62696E2F7368002F656E747279706F696E742E7368
type=AVC msg=audit(1527685116.187:3279): avc: denied { read } for pid=16615 comm="entrypoint.sh" path="/bin/busybox" dev="dm-2" ino=266240 scontext=system_u:system_r:container_t:s0:c462,c865 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1527685116.187:3279): arch=c000003e syscall=10 success=no exit=-13 a0=56308595f000 a1=4000 a2=1 a3=5630856a22d4 items=0 ppid=16596 pid=16615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="entrypoint.sh" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c462,c865 key=(null)
type=PROCTITLE msg=audit(1527685116.187:3279): proctitle=2F62696E2F7368002F656E747279706F696E742E7368
```
Looks like the restic docker container files need to have container_t context?
audit2allow gives me this, but I'm not sure how to change the context on the Docker image filesystem.
```
module test_rule 1.0;

require {
	type unlabeled_t;
	type container_t;
	class file { execute_no_trans open read };
}

#============= container_t ==============

#!!!! The file '/usr/bin/rest-server' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/bin/rest-server
allow container_t unlabeled_t:file execute_no_trans;

#!!!! This avc is allowed in the current policy
allow container_t unlabeled_t:file { open read };
```
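The AVC records quoted above can be triaged without running audit2allow: each `type=AVC` line carries the subject type (`scontext`), the target type (`tcontext`), the object class and the denied permissions, and the matching `type=PROCTITLE` record (same audit serial) holds the NUL-separated command line hex-encoded. The Python below is an added example written for this page, not code from rest-server or from anyone in the thread; its sample input is the two denials shown above, re-embedded as a constructed string in the standard audit.log layout. It groups the denials the way an allow rule would be keyed (source type, target type, class, permission) and separately lists paths whose target type is `unlabeled_t`, which is the condition audit2allow's own note above flags as a labeling problem to fix with `restorecon` rather than with a policy rule.

```python
import re
from collections import Counter

# Constructed sample: the audit records quoted in the issue above, laid out one
# record per line as auditd writes them. Serial 3277 has no AVC record and is
# kept to show that unrelated PROCTITLE lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1527685116.086:3277): proctitle=2F7573722F7362696E2F69707461626C6573002D2D77616974002D74006E6174002D4900444F434B45525F504F5354524F5554494E47002D73003132372E302E302E3131002D7000746370002D2D73706F7274003333303231002D6A00534E4154002D2D746F2D736F75726365003A3533
type=AVC msg=audit(1527685116.187:3278): avc:  denied  { read } for  pid=16615 comm="entrypoint.sh" path="/lib/ld-musl-x86_64.so.1" dev="dm-2" ino=669806 scontext=system_u:system_r:container_t:s0:c462,c865 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1527685116.187:3278): arch=c000003e syscall=10 success=no exit=-13 a0=7f5f76db6000 a1=1000 a2=1 a3=7f5f76b401bb items=0 ppid=16596 pid=16615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="entrypoint.sh" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c462,c865 key=(null)
type=PROCTITLE msg=audit(1527685116.187:3278): proctitle=2F62696E2F7368002F656E747279706F696E742E7368
type=AVC msg=audit(1527685116.187:3279): avc:  denied  { read } for  pid=16615 comm="entrypoint.sh" path="/bin/busybox" dev="dm-2" ino=266240 scontext=system_u:system_r:container_t:s0:c462,c865 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1527685116.187:3279): arch=c000003e syscall=10 success=no exit=-13 a0=56308595f000 a1=4000 a2=1 a3=5630856a22d4 items=0 ppid=16596 pid=16615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="entrypoint.sh" exe="/bin/busybox" subj=system_u:system_r:container_t:s0:c462,c865 key=(null)
type=PROCTITLE msg=audit(1527685116.187:3279): proctitle=2F62696E2F7368002F656E747279706F696E742E7368
"""

# "avc:  denied  { read write } for  key=value ..." (auditd uses double spaces,
# the copy in the issue single ones; \s+ accepts both).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)$'
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:level]."""
    return ctx.split(':')[2]


def decode_proctitle(hex_args):
    """PROCTITLE stores argv hex-encoded with NUL separators; turn it into a command line."""
    return bytes.fromhex(hex_args).replace(b'\x00', b' ').decode('utf-8', 'replace')


def parse_avc_denials(log_text):
    """Parse AVC denial records and attach the decoded command line of the same serial.

    The PROCTITLE record may precede or follow its AVC record, so command lines
    are collected first and joined afterwards.
    """
    proctitles = {}
    denials = []
    for line in log_text.splitlines():
        m = PROCTITLE_RE.match(line)
        if m:
            proctitles[m.group('serial')] = decode_proctitle(m.group('hex'))
            continue
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
        denials.append({
            'serial': m.group('serial'),
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'path': fields.get('path'),
            'dev': fields.get('dev'),
            'source_type': context_type(fields['scontext']),
            'target_type': context_type(fields['tcontext']),
            'tclass': fields.get('tclass'),
        })
    for d in denials:
        d['proctitle'] = proctitles.get(d['serial'])
    return denials


def summarize(denials):
    """Count denials per (source type, target type, class, permission), the key
    an allow rule such as the one audit2allow proposed above is written against."""
    counts = Counter()
    for d in denials:
        for perm in d['perms']:
            counts[(d['source_type'], d['target_type'], d['tclass'], perm)] += 1
    return counts


def mislabeled_paths(denials):
    """Paths whose target is unlabeled_t. A file with no label is a labeling
    problem (restorecon), not something to allow in policy."""
    return sorted({d['path'] for d in denials
                   if d['target_type'] == 'unlabeled_t' and d['path']})


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d['serial']}: {d['comm']} ({d['proctitle']}) denied {' '.join(d['perms'])} "
              f"on {d['path']} [{d['source_type']} -> {d['target_type']}:{d['tclass']}]")
    for key, n in summarize(found).items():
        print(f"{n} x {key}")
    print('unlabeled targets (needs restorecon):', mislabeled_paths(found))
```

Run it against a real file with `parse_avc_denials(open('/var/log/audit/audit.log').read())`; the `unlabeled targets` list is what to relabel before considering any allow rule. On this host the unlabeled files sit on `dm-2`, the container image layer, which is why audit2allow's hint points at the container's own binary rather than at a bind mount.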
Thanks for the comment. I don't use SELinux and I don't have any idea what we should do here. Any advice?
I found a work around.
If you add

```yaml
security_opt:
  - label:disable
```

to your docker-compose.yml, it will disable the SELinux label checking. Probably not secure, but it will work without totally turning off or disabling SELinux on the entire host.

This directive allows you to define it per container.