Added SELinux section to the readme
Signed-off-by: Juanjo Alvarez <juanjo@sourced.tech>
Juanjo Alvarez authored and dennwc committed Feb 28, 2018
1 parent 759d00e commit e4d35a4
Showing 3 changed files with 33 additions and 5 deletions.
30 changes: 30 additions & 0 deletions README.md
Expand Up @@ -62,6 +62,36 @@ and an example contained in the docker image:
docker exec -it bblfshd bblfshctl parse /opt/bblfsh/etc/examples/python.py
```

## SELinux

If your system has SELinux enabled (is the default in Fedora, Red Hat, CentOS
and many others) you need to compile and load a policy module before running the
bblfshd Docker image or running driver containers will fail with a `permission
denied` message in the logs.

To do this, run these commands from the project root:

```bash
cd selinux/
sh compile.sh
semodule -i bblfshd.pp
```

If you were already running an instance of bblfshd, you will need to delete the
container (`docker rm -f bblfshd`) and run it again (`docker run...`).

Once the module has been loaded with `semodule` the change should persist even
if you reboot. If you want to permanently remove this module run `semodule -d bblfshd`.

Alternatively, you could set SELinux to permissive module with:

```
echo 1 > /sys/fs/selinux/enforce
```

(doing this on production systems which usually have SELinux enabled by default
should be strongly discouraged).

## Development

If you wish to work on *bblfshd* , you'll first need [Go](http://www.golang.org)
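
Review bot: in the "Alternatively" paragraph, `echo 1 > /sys/fs/selinux/enforce` puts SELinux into enforcing mode, not permissive. Writing `0` (or running `setenforce 0`) is what selects permissive, so as written the workaround changes nothing on a host that is already enforcing and the `permission denied` failure remains. The same sentence should say "permissive mode" rather than "permissive module". Separately, `semodule -d bblfshd` only disables the module; `semodule -r bblfshd` is the removal command, so the "permanently remove" sentence should either use `-r` or say "disable". It would also help to state that `semodule -i` has to be run as root.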
4 changes: 2 additions & 2 deletions runtime/runtime.go
Expand Up @@ -196,8 +196,8 @@ func Bootstrap() {
factory, _ := libcontainer.New("")
if err := factory.StartInitialization(); err != nil {
panic("error bootstraping container " +
"(hint: if SELinux is enabled, compile and load the policy module " +
"in the selinux/ directory in the bblfshd repo): " + err)
"(hint: if SELinux is enabled, compile and load the policy module " +
"in this repo's selinux/ directory): " + err)
}
panic("--this line should have never been executed, congratulations--")
}
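
Review bot: the reworded line `"in this repo's selinux/ directory): " + err` still appends `err` to a string, and `err` is an `error` value, which Go will not concatenate with a string. Use `err.Error()` there, or build the message with `fmt.Sprintf` and `%v` (importing `fmt` if the file does not already). On wording, this panic is read by someone looking at container logs rather than at the source tree, so "this repo's" is less clear than the previous text that named the bblfshd repo. The context line also spells "bootstrapping" as `bootstraping`, and `factory, _ := libcontainer.New("")` discards an error that would be worth checking before `StartInitialization` is called.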
4 changes: 1 addition & 3 deletions selinux/compile.sh
Expand Up @@ -2,6 +2,4 @@

checkmodule -M -m -o bblfshd.mod bblfshd.te && \
semodule_package -o bblfshd.pp -m bblfshd.mod && \
echo 'Module compiled, load it with semodule -i bblfshd.pp'

# enable with: semodule -i bblfshd.pp
echo 'Module compiled, load it with "semodule -i bblfshd.pp"'
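
Review bot: the `checkmodule` and `semodule_package` lines use bare relative names (`bblfshd.te`, `bblfshd.mod`, `bblfshd.pp`), so the script only works when the current directory is `selinux/`, which is why the README has to say `cd selinux/` first. Changing to the script's own directory at the top (for example with `cd "$(dirname "$0")"`) would make it safe to call from the project root. The success message could also say that `semodule -i bblfshd.pp` needs root, since that is the step most likely to fail for a reader who copies the command as printed.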
