This repository has been archived by the owner on Nov 9, 2020. It is now read-only.

permission issues with vfile shared volume when selinux is enabled #2094

Open
lowshoe opened this issue Feb 12, 2019 · 0 comments


lowshoe commented Feb 12, 2019

Trying to access a vfile shared volume with SELinux enabled on the host gives a "permission denied" error:

Host Details

OS

[root@myhost ~]# hostnamectl
   Static hostname: myhostname
         Icon name: computer-vm
           Chassis: vm
        Machine ID: c50c255dc9744165a5a9055c03c786ae
           Boot ID: bddc446070d6416298236b0dc64a3fdd
    Virtualization: vmware
  Operating System: Oracle Linux Server 7.6
       CPE OS Name: cpe:/o:oracle:linux:7:6:server
            Kernel: Linux 4.14.35-1844.1.3.el7uek.x86_64
      Architecture: x86-64

SELinux

[root@myhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Docker

[root@myhost ~]# docker --version
Docker version 18.09.1-ol, build c3ab8a8

Steps to reproduce

  1. Install the vfile plugin and create a shared volume with the vfile plugin:
     docker volume create --driver=vfile --name=SharedVol -o size=1gb
  2. Start a container with the newly created shared volume:
     docker run --rm -it -v SharedVol:/mnt/myvol --name centos centos

[root@1800173fe001 /]# mount | grep myvol
//127.0.0.1/vfileshare on /mnt/myvol type cifs (rw,relatime,vers=3.0,cache=strict,username=vfile,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=127.0.0.1,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

[root@1800173fe001 /]# ls -lZ /mnt/
drwxr-xr-x. root root system_u:object_r:cifs_t:s0      myvol

Result

When trying to access the mounted volume inside the container I get a "permission denied" error:

[root@1800173fe001 /]# ls -l /mnt/myvol/
ls: cannot open directory /mnt/myvol/: Permission denied

These are the relevant log entries on the host:

Feb 12 14:01:20 myhost kernel: vmw_pvscsi: msg type: 0x0 - MSG RING: 25/24 (5) 
Feb 12 14:01:20 myhost kernel: vmw_pvscsi: msg: device added at scsi0:1:0
Feb 12 14:01:20 myhost kernel: scsi 1:0:1:0: Direct-Access     VMware   Virtual disk     1.0  PQ: 0 ANSI: 2
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Write Protect is off
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Mode Sense: 61 00 00 00
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Cache data unavailable
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Assuming drive cache: write through
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: Attached scsi generic sg2 type 0
Feb 12 14:01:20 myhost kernel: sd 1:0:1:0: [sdb] Attached SCSI disk
Feb 12 14:01:20 myhost kernel: EXT4-fs (sdb): mounted filesystem with ordered data mode. Opts: (null)
Feb 12 14:01:20 myhost containerd[22745]: time="2019-02-12T14:01:20.556771966+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/d41d0c6686a06d5d53a3eb3d3a9891c066efb626feed43b70f9749706fa25f9d/shim.sock" debug=false pid=7908
Feb 12 14:01:20 myhost kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Feb 12 14:01:21 myhost kernel: eth0: renamed from veth30402e9
Feb 12 14:01:21 myhost kernel: br0: port 3(veth7) entered blocking state
Feb 12 14:01:21 myhost kernel: br0: port 3(veth7) entered forwarding state
Feb 12 14:01:21 myhost kernel: eth1: renamed from vethac09d6f
Feb 12 14:01:21 myhost kernel: docker_gwbridge: port 2(vethb835037) entered blocking state
Feb 12 14:01:21 myhost kernel: docker_gwbridge: port 2(vethb835037) entered forwarding state
Feb 12 14:01:21 myhost NetworkManager[5189]: <info>  [1549976481.5088] device (vethb835037): carrier: link connected
Feb 12 14:01:22 myhost firewalld[5186]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -m ipvs --ipvs -d 10.255.0.0/16 -j SNAT --to-source 10.255.0.2' failed: iptables: No chain/target/match by that name.
Feb 12 14:01:26 myhost kernel: CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-2
Feb 12 14:01:26 myhost containerd[22745]: time="2019-02-12T14:01:26.594717105+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/7374022a3d91158f74e4e4a192b6c933a69e518623c015cf3ab959d1c0163052/shim.sock" debug=false pid=8103
Feb 12 14:01:26 myhost kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)

When disabling SELinux on the host, everything is working as expected.
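As an added triage helper for the denial described in this report (not code from the issue or the vfile project): the parse functions work on text such as the `sestatus` and `ls -lZ` output quoted above and on AVC lines from the audit log, and `triage` runs the live host commands. The audit-log contents and the boolean `virt_sandbox_use_samba` (the first thing to check on an OL/RHEL 7 targeted policy for a container domain reading a `cifs_t` mount) are assumptions, not something the report shows.

```shell
#!/bin/sh
# Triage for "Permission denied" on a cifs_t volume inside a container when
# SELinux is enforcing. Parse functions are pure text so they can be checked
# offline; triage() runs the real commands. Assumption: the relevant boolean
# on the host's policy is virt_sandbox_use_samba.

# "enforcing", "permissive" or "disabled" taken from `sestatus` output.
parse_mode() {
    printf '%s\n' "$1" | awk -F: '/^Current mode:/ { gsub(/ /, "", $2); print $2 }'
}

# SELinux type (third label field, e.g. cifs_t) from one `ls -lZ` line.
parse_label_type() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[^:]+:[^:]+:[^:]+_t/) { split($i, p, ":"); print p[3]; exit } }'
}

# Number of AVC denials in audit text whose target type is $2 (e.g. cifs_t).
count_avc_denials() {
    printf '%s\n' "$1" | awk -v t="$2" \
        '/avc:  denied/ && $0 ~ ("tcontext=[^ ]*:" t ":") { n++ } END { print n + 0 }'
}

# "on" or "off" from `getsebool <name>` output ("<name> --> off").
parse_bool() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Live run on the host. $1 = path of the CIFS mount to inspect (the plugin's
# host-side mount, or run inside the container), $2 = boolean to report.
triage() {
    mp=${1:?usage: triage <mount-point> [boolean]}
    b=${2:-virt_sandbox_use_samba}
    echo "SELinux mode:  $(parse_mode "$(sestatus)")"
    echo "Mount label:   $(parse_label_type "$(ls -ldZ "$mp")")"
    echo "AVC denials on cifs_t (recent): $(count_avc_denials "$(ausearch -m avc -ts recent 2>/dev/null)" cifs_t)"
    echo "$b: $(parse_bool "$(getsebool "$b")")"
    echo "If denials appear and the boolean is off, test with: setsebool -P $b on"
}

# Usage: sh triage.sh run /path/to/mount [boolean]
case "${1:-}" in run) triage "$2" "$3" ;; esac
```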
