Podman on RHEL8 with SELinux=Enforcing

So, I want to run mariadb-10.4 with a command like the following, on a RHEL8 host that has SELinux in Enforcing mode.

$ sudo podman run --name mariadb_01 -v /data/mariadb:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=root_pass -d mariadb:10.4

Run it and look at the logs:

$ sudo podman logs d80
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
find: '/var/lib/mysql/': Permission denied

Well, that is to be expected.

$ sudo grep preventing /var/log/messages
Jul  8 12:57:11 riotestrhel8 setroubleshoot[26736]: SELinux is preventing /usr/sbin/mysqld from write access on the directory mariadb. For complete SELinux messages run: sealert -l 1a5b17b0-e8a5-40c7-8217-4fa52f6ca285
Jul  8 12:57:11 riotestrhel8 platform-python[26736]: SELinux is preventing /usr/sbin/mysqld from write access on the directory mariadb.
#012
#012*****  Plugin catchall_labels (83.8 confidence) suggests   *******************
#012
#012If you want to allow mysqld to have write access on the mariadb directory
#012Then you need to change the label on mariadb
#012Do
#012# semanage fcontext -a -t FILE_TYPE 'mariadb'
#012where FILE_TYPE is one of the following: cgroup_t, container_file_t, container_var_lib_t, fusefs_t, nfs_t, svirt_home_t, tmpfs_t, virt_home_t.
#012Then execute:
#012restorecon -v 'mariadb'
#012
#012
#012*****  Plugin catchall (17.1 confidence) suggests   **************************
#012
#012If you believe that mysqld should be allowed write access on the mariadb directory by default.
#012Then you should report this as a bug.
#012You can generate a local policy module to allow this access.
#012Do
#012allow this access for now by executing:
#012# ausearch -c 'mysqld' --raw | audit2allow -M my-mysqld
#012# semodule -X 300 -i my-mysqld.pp
#012

Yeah, thought so.

$ sudo semanage fcontext -a -t cgroup_t '/data/mariadb'
$ semanage fcontext -l  | grep mariadb
/data/mariadb                                      all files          system_u:object_r:cgroup_t:s0 
/usr/lib/systemd/system/mariadb.*                  regular file       system_u:object_r:mysqld_unit_file_t:s0 
/var/log/mariadb(/.*)?                             all files          system_u:object_r:mysqld_log_t:s0 
/var/run/mariadb(/.*)?                             all files          system_u:object_r:mysqld_var_run_t:s0 
$ sudo chcon system_u:object_r:cgroup_t:s0 /data/mariadb
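The steps above boil down to one question: does the type on the bind-mounted directory appear in the list of types the catchall_labels plugin said mysqld (running as a container process) may write? The script below, an added example that is not part of the original post, answers that from `semanage fcontext -l` output. The allowed-type list is the one from the sealert message above, and the sample lines are copied from the post's own `semanage fcontext -l | grep mariadb` output; nothing here talks to SELinux, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): classify `semanage fcontext -l`
# entries by whether their type is one a confined container process may write.
set -eu

# Types the catchall_labels plugin listed as acceptable in the denial message.
WRITABLE_TYPES="cgroup_t container_file_t container_var_lib_t fusefs_t nfs_t svirt_home_t tmpfs_t virt_home_t"

# Extract the type (third ':'-separated field) from an SELinux context string,
# e.g. system_u:object_r:cgroup_t:s0 -> cgroup_t
label_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the given type is in the list from the denial message, else 1.
is_container_writable() {
    for w in $WRITABLE_TYPES; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# Given one line of `semanage fcontext -l` output, print "<path> <type> ok|denied".
# The path is the first field and the context is the last; the file-class words
# in between ("all files", "regular file") are skipped.
check_fcontext_line() {
    path=$(printf '%s\n' "$1" | awk '{print $1}')
    ctx=$(printf '%s\n' "$1" | awk '{print $NF}')
    type=$(label_type_of "$ctx")
    if is_container_writable "$type"; then
        echo "$path $type ok"
    else
        echo "$path $type denied"
    fi
}

# Constructed sample: the `semanage fcontext -l | grep mariadb` output from the post.
SAMPLE_FCONTEXT='/data/mariadb                                      all files          system_u:object_r:cgroup_t:s0
/usr/lib/systemd/system/mariadb.*                  regular file       system_u:object_r:mysqld_unit_file_t:s0
/var/log/mariadb(/.*)?                             all files          system_u:object_r:mysqld_log_t:s0
/var/run/mariadb(/.*)?                             all files          system_u:object_r:mysqld_var_run_t:s0'

# Walk every sample line and report; only /data/mariadb should come out "ok".
report() {
    printf '%s\n' "$SAMPLE_FCONTEXT" | while IFS= read -r line; do
        check_fcontext_line "$line"
    done
}

report
```

Of the types in that list, container_file_t is the one intended for data that containers own; podman can also apply it for you with the `:Z` (private) or `:z` (shared) suffix on `-v host:container`, which avoids the manual semanage/chcon round trip. Either way, after `semanage fcontext -a` the on-disk label only changes once `restorecon -Rv` (or, as in the post, `chcon`) is run.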

And that's about it.

What I had been wondering about was this: with Docker, SELinux configuration gets a bit awkward, but with Podman, can you just manage SELinux "the normal way"? Turns out you just do it the normal way, lol.
This may well be an advantage of Podman.