SE Linux #255

Closed
9034725985 opened this Issue May 7, 2018 · 13 comments

Comments

5 participants
Contributor

9034725985 commented May 7, 2018

Update: Please leave this ticket open if it is ok. Still working on it. Can't get sites inside data to show up in v hosts php

I need to do more work on this.

If you encounter a bug and something does not work, make sure you have done the following and check those boxes before submitting an issue - thank you!

I think we need to specify rw for SE Linux somewhere?

  • Pull latest dockers (e.g.: docker pull cytopia/<used_docker>) before running docker-compose up
  • Specify used docker versions (php, web and database)
  • Attach logs for php, mysql and webserver (found in log/ directory)
  • Start with debug mode and attach docker-compose output (.env setting DEBUG_COMPOSE_ENTRYPOINT=1)
  • Never use different mysql|mariadb versions on the same HOST_PATH_MYSQL_DATADIR on existing database files. Different mysql|mariadb versions might upgrade/corrupt existing database files. If you have done that already, start with a different path of HOST_PATH_MYSQL_DATADIR (to an empty directory) and try again.

Please also specify the following info:

  • Which operating system are you on (Linux, OSX or Windows)
  • docker version
  • docker-compose version

Owner

cytopia commented May 7, 2018

Looks like a lot of permission problems.

I think we need to specify rw for SE Linux somewhere?

What does that mean?

How does it behave when you disable SE?

Contributor

9034725985 commented May 8, 2018

Works as far as I can tell without SE Linux

screenshot from 2018-05-08 07-39-27

Update: I didn't test actually adding a project iirc so working correctly only refers to the dashboard. Will work on this more later.

Removing extra bash output

Owner

cytopia commented May 10, 2018

OK, then it is a permission issue with SE Linux. Unfortunately I have never used it myself and have no idea how that works. For now I can only make a note in the documentation. If you want to dig into SE Linux and find something, please let me know.

science695 commented May 10, 2018

This article talks about how to audit selinux security for an application:
http://robinbowes.com/article.php/20060206181015320

EarlRamirez commented May 10, 2018

What is the output of ausearch -m avc -ts recent?

rhatdan commented May 11, 2018

If the compose is volume mounting content into the container, then make sure you are either labeling the content correctly by adding a :Z or :z to the volume mount. If you need to share content on the host which will be used both outside and inside the container, you can disable SELinux container separation with the --security-opt label:disable option.

Contributor

9034725985 commented May 11, 2018

Hi @EarlRamirez, here's what I saw with SE Linux enabled:

[kus@localhost devilbox]$ sudo ausearch -m avc -ts recent
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1052): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1053): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:35:34 2018
type=AVC msg=audit(1526024134.654:1074): avc:  denied  { write } for  pid=13564 comm="openssl" name="devilbox-ca.key" dev="dm-2" ino=20186096 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0

Here's what I saw after I disabled SE Linux and ran docker-compose up again:

[kus@localhost devilbox]$ sudo ausearch -m avc -ts recent
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1052): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1053): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:35:34 2018
type=AVC msg=audit(1526024134.654:1074): avc:  denied  { write } for  pid=13564 comm="openssl" name="devilbox-ca.key" dev="dm-2" ino=20186096 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:40:35 2018
type=AVC msg=audit(1526024435.517:1160): avc:  denied  { setattr } for  pid=14206 comm="chown" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:35 2018
type=AVC msg=audit(1526024435.517:1161): avc:  denied  { setattr } for  pid=14206 comm="chown" name="php-fpm-7.2" dev="dm-2" ino=20185893 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.628:1210): avc:  denied  { read } for  pid=14595 comm="openssl" name="devilbox-ca.crt" dev="dm-2" ino=20186097 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.629:1211): avc:  denied  { open } for  pid=14595 comm="openssl" path="/ca/devilbox-ca.crt" dev="dm-2" ino=20186097 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.665:1212): avc:  denied  { write } for  pid=14595 comm="openssl" name="devilbox-ca.srl" dev="dm-2" ino=20186098 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.752:1213): avc:  denied  { setattr } for  pid=14625 comm="chown" name="devilbox-ca.crt" dev="dm-2" ino=20186097 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.752:1214): avc:  denied  { setattr } for  pid=14625 comm="chown" name=".keepme" dev="dm-2" ino=20185630 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.752:1215): avc:  denied  { setattr } for  pid=14625 comm="chown" name="ca" dev="dm-2" ino=20185629 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.400:1272): avc:  denied  { setattr } for  pid=15246 comm="chown" name="backups" dev="dm-2" ino=20185624 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.606:1267): avc:  denied  { setattr } for  pid=15187 comm="chown" name="pg_replslot" dev="dm-2" ino=20186120 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.606:1268): avc:  denied  { setattr } for  pid=15187 comm="chown" name="pg_ident.conf" dev="dm-2" ino=20186139 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.749:1269): avc:  denied  { setattr } for  pid=15182 comm="chown" name="diagnostic.data" dev="dm-2" ino=20187054 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.754:1270): avc:  denied  { setattr } for  pid=15207 comm="chown" name="" dev="pipefs" ino=206322 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.161:1271): avc:  denied  { setattr } for  pid=15221 comm="chown" name="mysql" dev="dm-2" ino=20186103 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.405:1273): avc:  denied  { setattr } for  pid=15248 comm="chown" name="www" dev="dm-2" ino=20185894 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.463:1266): avc:  denied  { setattr } for  pid=15182 comm="chown" name="storage.bson" dev="dm-2" ino=20186483 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:48 2018
type=AVC msg=audit(1526024448.822:1275): avc:  denied  { open } for  pid=14708 comm="postgres" path="/var/lib/postgresql/data/pgdata/postgresql.conf" dev="dm-2" ino=20186128 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:48 2018
type=AVC msg=audit(1526024448.822:1274): avc:  denied  { read } for  pid=14708 comm="postgres" name="postgresql.conf" dev="dm-2" ino=20186128 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1276): avc:  denied  { write } for  pid=14708 comm="postgres" name="9.6" dev="dm-2" ino=20185904 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1277): avc:  denied  { add_name } for  pid=14708 comm="postgres" name="postmaster.pid" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1278): avc:  denied  { create } for  pid=14708 comm="postgres" name="postmaster.pid" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.885:1279): avc:  denied  { write } for  pid=14708 comm="postgres" path="/var/lib/postgresql/data/pgdata/postmaster.pid" dev="dm-2" ino=20188510 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.473:1281): avc:  denied  { associate } for  pid=15309 comm="httpd" name="2" scontext=system_u:object_r:container_t:s0:c774,c913 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Fri May 11 03:40:52 2018
type=AVC msg=audit(1526024452.611:1288): avc:  denied  { unlink } for  pid=14708 comm="postgres" name="0000" dev="dm-2" ino=20186130 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.473:1280): avc:  denied  { add_name } for  pid=15309 comm="httpd" name="2" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:system_r:container_t:s0:c774,c913 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1282): avc:  denied  { write } for  pid=15309 comm="httpd" name="apache-2.4" dev="dm-2" ino=20185895 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1283): avc:  denied  { add_name } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1284): avc:  denied  { create } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.480:1285): avc:  denied  { append } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" dev="dm-2" ino=20186099 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.480:1286): avc:  denied  { open } for  pid=15309 comm="httpd" path="/var/log/apache-2.4/defaultlocalhost-error.log" dev="dm-2" ino=20186099 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:52 2018
type=AVC msg=audit(1526024452.611:1287): avc:  denied  { remove_name } for  pid=14708 comm="postgres" name="0000" dev="dm-2" ino=20186130 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1290): avc:  denied  { add_name } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1291): avc:  denied  { create } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1289): avc:  denied  { write } for  pid=15307 comm="mysqld" name="mariadb-10.1" dev="dm-2" ino=20185900 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1292): avc:  denied  { read write open } for  pid=15307 comm="mysqld" path="/var/lib/mysql/91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.358:1293): avc:  denied  { remove_name } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.358:1294): avc:  denied  { unlink } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.647:1295): avc:  denied  { rename } for  pid=15459 comm="postgres" name="db_0.tmp" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:56 2018
type=AVC msg=audit(1526024456.750:1296): avc:  denied  { setattr } for  pid=15472 comm="chown" name="ib_logfile0" dev="dm-2" ino=20186168 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:56 2018
type=AVC msg=audit(1526024456.752:1297): avc:  denied  { setattr } for  pid=15472 comm="chown" name="mysql" dev="dm-2" ino=20186135 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1304): avc:  denied  { remove_name } for  pid=14674 comm="mongod" name="WiredTigerPreplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1305): avc:  denied  { unlink } for  pid=14674 comm="mongod" name="WiredTigerPreplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.402:1306): avc:  denied  { add_name } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.402:1307): avc:  denied  { create } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.667:1308): avc:  denied  { rename } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.714:1309): avc:  denied  { map } for  pid=14805 comm="mysqld" path="/var/lib/mysql/tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.481:1298): avc:  denied  { read write } for  pid=14674 comm="mongod" name="mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.481:1299): avc:  denied  { open } for  pid=14674 comm="mongod" path="/data/db/mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.482:1300): avc:  denied  { lock } for  pid=14674 comm="mongod" path="/data/db/mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.769:1301): avc:  denied  { append } for  pid=14805 comm="mysqld" name="error.log" dev="dm-2" ino=20186132 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.854:1302): avc:  denied  { lock } for  pid=14805 comm="mysqld" path="/var/lib/mysql/aria_log_control" dev="dm-2" ino=20186147 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1303): avc:  denied  { write } for  pid=14674 comm="mongod" name="journal" dev="dm-2" ino=20186134 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:05 2018
type=AVC msg=audit(1526024465.999:1310): avc:  denied  { append } for  pid=14674 comm="ftdc" path="/data/db/diagnostic.data/metrics.2018-05-11T07-41-05Z-00000" dev="dm-2" ino=20186430 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1311): avc:  denied  { write } for  pid=15514 comm="php-fpm" name="php-fpm-7.2" dev="dm-2" ino=20185893 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1312): avc:  denied  { add_name } for  pid=15514 comm="php-fpm" name="php-fpm.error" scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1313): avc:  denied  { create } for  pid=15514 comm="php-fpm" name="php-fpm.error" scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1314): avc:  denied  { append } for  pid=15514 comm="php-fpm" name="php-fpm.error" dev="dm-2" ino=20186095 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1315): avc:  denied  { open } for  pid=15514 comm="php-fpm" path="/var/log/php/php-fpm.error" dev="dm-2" ino=20186095 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1317): avc:  denied  { open } for  pid=15741 comm="php-fpm" path="/var/www/default/htdocs/index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1318): avc:  denied  { map } for  pid=15741 comm="php-fpm" path="/var/www/default/htdocs/index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.670:1319): avc:  denied  { read } for  pid=16632 comm="postgres" name="pg_filenode.map" dev="dm-2" ino=20186427 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.670:1320): avc:  denied  { open } for  pid=16632 comm="postgres" path="/var/lib/postgresql/data/pgdata/global/pg_filenode.map" dev="dm-2" ino=20186427 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.776:1321): avc:  denied  { write } for  pid=16632 comm="postgres" name="2676" dev="dm-2" ino=20186270 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1316): avc:  denied  { read } for  pid=15741 comm="php-fpm" name="index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:35 2018
type=AVC msg=audit(1526024555.415:1322): avc:  denied  { read } for  pid=16593 comm="httpd" name="status.json" dev="dm-2" ino=20054245 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:35 2018
type=AVC msg=audit(1526024555.415:1323): avc:  denied  { open } for  pid=16593 comm="httpd" path="/var/www/default/api/devilbox-api/status.json" dev="dm-2" ino=20054245 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:37 2018
type=AVC msg=audit(1526024557.511:1324): avc:  denied  { map } for  pid=16593 comm="httpd" path="/var/www/default/htdocs/vendor/font-awesome/font-awesome.min.css" dev="dm-2" ino=20054317 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1325): avc:  denied  { create } for  pid=15459 comm="postgres" name="global.tmp" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1326): avc:  denied  { rename } for  pid=15459 comm="postgres" name="db_0.tmp" dev="dm-2" ino=20188533 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1327): avc:  denied  { unlink } for  pid=15459 comm="postgres" name="db_0.stat" dev="dm-2" ino=20188536 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:43:27 2018
type=AVC msg=audit(1526024607.553:1333): avc:  denied  { write } for  pid=15455 comm="postgres" name="pg_clog" dev="dm-2" ino=20186107 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:27 2018
type=AVC msg=audit(1526024607.553:1334): avc:  denied  { add_name } for  pid=15455 comm="postgres" name="0000" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:28 2018
type=AVC msg=audit(1526024608.765:1335): avc:  denied  { remove_name } for  pid=15459 comm="postgres" name="db_12407.tmp" dev="dm-2" ino=20188530 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1349): avc:  denied  { write } for  pid=14805 comm="mysqld" name="mariadb-10.1" dev="dm-2" ino=20185900 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.610:1348): avc:  denied  { lock } for  pid=14805 comm="mysqld" path="/var/lib/mysql/aria_log_control" dev="dm-2" ino=20186147 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1350): avc:  denied  { remove_name } for  pid=14805 comm="mysqld" name="tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1351): avc:  denied  { unlink } for  pid=14805 comm="mysqld" name="tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
[kus@localhost devilbox]$ 

Full terminal output

https://paste.fedoraproject.org/paste/bEpQhW7IZQNBIhJHiXxjKA/raw
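As an added example, not code from this issue or from the devilbox project: a small Python triage script for `ausearch -m avc` output like the paste above. It parses each AVC record, groups the denials by process and target SELinux type, and attaches the remediation rhatdan describes (relabel the bind mount with :z or :Z) only where the target really is unlabelled host content (here `user_home_t`); denials against the runtime's own pipe or against `/proc` are flagged as something a volume relabel will not change. The sample records are constructed by copying four lines from the output above. One caveat the output itself shows: the records tagged `permissive=1` in the second run mean SELinux was in permissive mode (denials logged but not enforced), not disabled; a fully disabled SELinux writes no AVC records at all, so the second run's list is the complete set of accesses a correct label would have to permit.

```python
"""Triage SELinux AVC denials from `ausearch -m avc` output (added example)."""
import re
from collections import defaultdict

# Constructed sample: four records copied from the issue's ausearch output.
# The first was logged in enforcing mode (permissive=0), the rest in permissive mode.
SAMPLE = """\
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1052): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.714:1309): avc:  denied  { map } for  pid=14805 comm="mysqld" path="/var/lib/mysql/tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1292): avc:  denied  { read write open } for  pid=15307 comm="mysqld" path="/var/lib/mysql/91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.754:1270): avc:  denied  { setattr } for  pid=15207 comm="chown" name="" dev="pipefs" ino=206322 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=1
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types the container runtime assigns to a volume mounted with :z or :Z
# (the older svirt_sandbox_file_t alias is kept for old policies).
CONTAINER_CONTENT_TYPES = {'container_file_t', 'svirt_sandbox_file_t'}


def parse_avc(text):
    """Return one dict per AVC record; time-> and ---- lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        records.append({
            'perms': m.group('perms').split(),              # e.g. ['read', 'write', 'open']
            'comm': fields.get('comm', '?'),                 # process name inside the container
            'target': fields.get('path') or fields.get('name') or '',
            'tclass': fields.get('tclass', '?'),
            'stype': fields['scontext'].split(':')[2],       # user:role:TYPE:level -> TYPE
            'ttype': fields['tcontext'].split(':')[2],
            'enforced': fields.get('permissive') == '0',     # 0 = access was actually blocked
        })
    return records


def fix_hint(ttype, tclass):
    """Map the target type to the remediation a volume relabel can (or cannot) provide."""
    if ttype in CONTAINER_CONTENT_TYPES:
        return 'already a container label; check the MCS categories (s0:cNNN,cMMM) match this container'
    if tclass not in ('file', 'dir', 'lnk_file') or ttype == 'container_runtime_t':
        return 'not bind-mounted host content; relabelling the volume will not change this'
    return 'unlabelled host content: add :z (shared) or :Z (private) to that volume mount'


def triage(records):
    """Group denials by (process, target type, class) and attach a hint; sorted by process."""
    groups = defaultdict(lambda: {'count': 0, 'perms': set(), 'enforced': False, 'targets': []})
    for r in records:
        g = groups[(r['comm'], r['ttype'], r['tclass'])]
        g['count'] += 1
        g['perms'].update(r['perms'])
        g['enforced'] = g['enforced'] or r['enforced']
        if r['target'] and r['target'] not in g['targets']:
            g['targets'].append(r['target'])
    return [
        {'comm': comm, 'ttype': ttype, 'tclass': tclass, 'count': g['count'],
         'perms': sorted(g['perms']), 'enforced': g['enforced'],
         'targets': g['targets'][:3], 'hint': fix_hint(ttype, tclass)}
        for (comm, ttype, tclass), g in sorted(groups.items())
    ]


def main():
    for row in triage(parse_avc(SAMPLE)):
        mode = 'ENFORCED' if row['enforced'] else 'permissive'
        print(f"{row['comm']:<8} {row['ttype']:<20} {row['tclass']:<9} {row['count']}x "
              f"{{{' '.join(row['perms'])}}} [{mode}] -> {row['hint']}")
        for t in row['targets']:
            print(f"    {t}")


if __name__ == '__main__':
    main()
```

To run it against a live system, replace `SAMPLE` with the output of `ausearch -m avc -ts recent`; grouping by target type rather than by file name is what makes the pattern in the paste obvious (every `user_home_t` hit is the same root cause, one missing mount label per volume, while the `container_runtime_t` fifo is a different matter).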

----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.752:1215): avc:  denied  { setattr } for  pid=14625 comm="chown" name="ca" dev="dm-2" ino=20185629 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.400:1272): avc:  denied  { setattr } for  pid=15246 comm="chown" name="backups" dev="dm-2" ino=20185624 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.606:1267): avc:  denied  { setattr } for  pid=15187 comm="chown" name="pg_replslot" dev="dm-2" ino=20186120 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.606:1268): avc:  denied  { setattr } for  pid=15187 comm="chown" name="pg_ident.conf" dev="dm-2" ino=20186139 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.749:1269): avc:  denied  { setattr } for  pid=15182 comm="chown" name="diagnostic.data" dev="dm-2" ino=20187054 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.754:1270): avc:  denied  { setattr } for  pid=15207 comm="chown" name="" dev="pipefs" ino=206322 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.161:1271): avc:  denied  { setattr } for  pid=15221 comm="chown" name="mysql" dev="dm-2" ino=20186103 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.405:1273): avc:  denied  { setattr } for  pid=15248 comm="chown" name="www" dev="dm-2" ino=20185894 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.463:1266): avc:  denied  { setattr } for  pid=15182 comm="chown" name="storage.bson" dev="dm-2" ino=20186483 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:48 2018
type=AVC msg=audit(1526024448.822:1275): avc:  denied  { open } for  pid=14708 comm="postgres" path="/var/lib/postgresql/data/pgdata/postgresql.conf" dev="dm-2" ino=20186128 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:48 2018
type=AVC msg=audit(1526024448.822:1274): avc:  denied  { read } for  pid=14708 comm="postgres" name="postgresql.conf" dev="dm-2" ino=20186128 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1276): avc:  denied  { write } for  pid=14708 comm="postgres" name="9.6" dev="dm-2" ino=20185904 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1277): avc:  denied  { add_name } for  pid=14708 comm="postgres" name="postmaster.pid" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1278): avc:  denied  { create } for  pid=14708 comm="postgres" name="postmaster.pid" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.885:1279): avc:  denied  { write } for  pid=14708 comm="postgres" path="/var/lib/postgresql/data/pgdata/postmaster.pid" dev="dm-2" ino=20188510 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.473:1281): avc:  denied  { associate } for  pid=15309 comm="httpd" name="2" scontext=system_u:object_r:container_t:s0:c774,c913 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Fri May 11 03:40:52 2018
type=AVC msg=audit(1526024452.611:1288): avc:  denied  { unlink } for  pid=14708 comm="postgres" name="0000" dev="dm-2" ino=20186130 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.473:1280): avc:  denied  { add_name } for  pid=15309 comm="httpd" name="2" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:system_r:container_t:s0:c774,c913 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1282): avc:  denied  { write } for  pid=15309 comm="httpd" name="apache-2.4" dev="dm-2" ino=20185895 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1283): avc:  denied  { add_name } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1284): avc:  denied  { create } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.480:1285): avc:  denied  { append } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" dev="dm-2" ino=20186099 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.480:1286): avc:  denied  { open } for  pid=15309 comm="httpd" path="/var/log/apache-2.4/defaultlocalhost-error.log" dev="dm-2" ino=20186099 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:52 2018
type=AVC msg=audit(1526024452.611:1287): avc:  denied  { remove_name } for  pid=14708 comm="postgres" name="0000" dev="dm-2" ino=20186130 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1290): avc:  denied  { add_name } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1291): avc:  denied  { create } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1289): avc:  denied  { write } for  pid=15307 comm="mysqld" name="mariadb-10.1" dev="dm-2" ino=20185900 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1292): avc:  denied  { read write open } for  pid=15307 comm="mysqld" path="/var/lib/mysql/91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.358:1293): avc:  denied  { remove_name } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.358:1294): avc:  denied  { unlink } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.647:1295): avc:  denied  { rename } for  pid=15459 comm="postgres" name="db_0.tmp" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:56 2018
type=AVC msg=audit(1526024456.750:1296): avc:  denied  { setattr } for  pid=15472 comm="chown" name="ib_logfile0" dev="dm-2" ino=20186168 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:56 2018
type=AVC msg=audit(1526024456.752:1297): avc:  denied  { setattr } for  pid=15472 comm="chown" name="mysql" dev="dm-2" ino=20186135 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1304): avc:  denied  { remove_name } for  pid=14674 comm="mongod" name="WiredTigerPreplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1305): avc:  denied  { unlink } for  pid=14674 comm="mongod" name="WiredTigerPreplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.402:1306): avc:  denied  { add_name } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.402:1307): avc:  denied  { create } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.667:1308): avc:  denied  { rename } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.714:1309): avc:  denied  { map } for  pid=14805 comm="mysqld" path="/var/lib/mysql/tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.481:1298): avc:  denied  { read write } for  pid=14674 comm="mongod" name="mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.481:1299): avc:  denied  { open } for  pid=14674 comm="mongod" path="/data/db/mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.482:1300): avc:  denied  { lock } for  pid=14674 comm="mongod" path="/data/db/mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.769:1301): avc:  denied  { append } for  pid=14805 comm="mysqld" name="error.log" dev="dm-2" ino=20186132 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.854:1302): avc:  denied  { lock } for  pid=14805 comm="mysqld" path="/var/lib/mysql/aria_log_control" dev="dm-2" ino=20186147 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1303): avc:  denied  { write } for  pid=14674 comm="mongod" name="journal" dev="dm-2" ino=20186134 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:05 2018
type=AVC msg=audit(1526024465.999:1310): avc:  denied  { append } for  pid=14674 comm="ftdc" path="/data/db/diagnostic.data/metrics.2018-05-11T07-41-05Z-00000" dev="dm-2" ino=20186430 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1311): avc:  denied  { write } for  pid=15514 comm="php-fpm" name="php-fpm-7.2" dev="dm-2" ino=20185893 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1312): avc:  denied  { add_name } for  pid=15514 comm="php-fpm" name="php-fpm.error" scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1313): avc:  denied  { create } for  pid=15514 comm="php-fpm" name="php-fpm.error" scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1314): avc:  denied  { append } for  pid=15514 comm="php-fpm" name="php-fpm.error" dev="dm-2" ino=20186095 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1315): avc:  denied  { open } for  pid=15514 comm="php-fpm" path="/var/log/php/php-fpm.error" dev="dm-2" ino=20186095 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1317): avc:  denied  { open } for  pid=15741 comm="php-fpm" path="/var/www/default/htdocs/index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1318): avc:  denied  { map } for  pid=15741 comm="php-fpm" path="/var/www/default/htdocs/index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.670:1319): avc:  denied  { read } for  pid=16632 comm="postgres" name="pg_filenode.map" dev="dm-2" ino=20186427 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.670:1320): avc:  denied  { open } for  pid=16632 comm="postgres" path="/var/lib/postgresql/data/pgdata/global/pg_filenode.map" dev="dm-2" ino=20186427 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.776:1321): avc:  denied  { write } for  pid=16632 comm="postgres" name="2676" dev="dm-2" ino=20186270 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1316): avc:  denied  { read } for  pid=15741 comm="php-fpm" name="index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:35 2018
type=AVC msg=audit(1526024555.415:1322): avc:  denied  { read } for  pid=16593 comm="httpd" name="status.json" dev="dm-2" ino=20054245 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:35 2018
type=AVC msg=audit(1526024555.415:1323): avc:  denied  { open } for  pid=16593 comm="httpd" path="/var/www/default/api/devilbox-api/status.json" dev="dm-2" ino=20054245 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:37 2018
type=AVC msg=audit(1526024557.511:1324): avc:  denied  { map } for  pid=16593 comm="httpd" path="/var/www/default/htdocs/vendor/font-awesome/font-awesome.min.css" dev="dm-2" ino=20054317 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1325): avc:  denied  { create } for  pid=15459 comm="postgres" name="global.tmp" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1326): avc:  denied  { rename } for  pid=15459 comm="postgres" name="db_0.tmp" dev="dm-2" ino=20188533 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1327): avc:  denied  { unlink } for  pid=15459 comm="postgres" name="db_0.stat" dev="dm-2" ino=20188536 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:43:27 2018
type=AVC msg=audit(1526024607.553:1333): avc:  denied  { write } for  pid=15455 comm="postgres" name="pg_clog" dev="dm-2" ino=20186107 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:27 2018
type=AVC msg=audit(1526024607.553:1334): avc:  denied  { add_name } for  pid=15455 comm="postgres" name="0000" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:28 2018
type=AVC msg=audit(1526024608.765:1335): avc:  denied  { remove_name } for  pid=15459 comm="postgres" name="db_12407.tmp" dev="dm-2" ino=20188530 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1349): avc:  denied  { write } for  pid=14805 comm="mysqld" name="mariadb-10.1" dev="dm-2" ino=20185900 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.610:1348): avc:  denied  { lock } for  pid=14805 comm="mysqld" path="/var/lib/mysql/aria_log_control" dev="dm-2" ino=20186147 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1350): avc:  denied  { remove_name } for  pid=14805 comm="mysqld" name="tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1351): avc:  denied  { unlink } for  pid=14805 comm="mysqld" name="tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
[kus@localhost devilbox]$ 

Full terminal output

https://paste.fedoraproject.org/paste/bEpQhW7IZQNBIhJHiXxjKA/raw

EarlRamirez commented May 12, 2018

I would mount the volumes for the containers as described by @rhatdan; for php-fpm I would enable httpd_network_connect using setsebool -P httpd_network_connect 1

9034725985 commented May 12, 2018

Thank you, I used setsebool -P httpd_can_network_connect 1 and blindly applied :z everywhere I could, and devilbox loads fine now.

Is it ok to add :z or :ro,z everywhere? Adding z shouldn't break anything, right?

Here's my full paste

https://paste.fedoraproject.org/paste/cLK8uW3uwaxzBz5oz7gDRQ/raw

Thank you!

rhatdan commented May 14, 2018

The boolean will have no effect. It is concerned with a confined apache web service, not with processes running in containers. The :z and :Z fix the issue. But be careful with them.

I talk about this in this blog.

https://danwalsh.livejournal.com/78940.html
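The denials pasted earlier and the distinction @rhatdan draws above (the boolean governs a confined host Apache, the :z/:Z relabel governs what container_t may touch), as an added example that is not code from the devilbox project or from anyone in this thread: a small Python triage script that parses `ausearch -m avc` records in the format shown, separates denials a bind-mount relabel would fix from denials it cannot fix, and renders the matching volume spec. The classification rule, the label sets and the four sample records are my own assumptions modelled on the records in this thread; the `z` (shared) versus `Z` (private, one container) semantics are Docker's documented behaviour, and the `compose_volume` helper and its host/guest paths are illustrative.

```python
"""Triage SELinux AVC denials from `ausearch -m avc` output.

Added example, not code from the devilbox project or from this thread.
Parses audit records, decides per denial whether a :z/:Z volume relabel
would resolve it, and renders a volume spec with the right relabel flag.
"""
import re
from collections import defaultdict

# Constructed sample records in the ausearch format shown in the thread.
SAMPLE = """\
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1052): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.754:1270): avc:  denied  { setattr } for  pid=15207 comm="chown" name="" dev="pipefs" ino=206322 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.473:1281): avc:  denied  { associate } for  pid=15309 comm="httpd" name="2" scontext=system_u:object_r:container_t:s0:c774,c913 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1317): avc:  denied  { open } for  pid=15741 comm="php-fpm" path="/var/www/default/htdocs/index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Object classes a volume relabel can reach: real nodes on a disk filesystem.
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'sock_file', 'fifo_file', 'chr_file', 'blk_file'}
PSEUDO_FS = {'pipefs', 'proc', 'sysfs', 'tmpfs', 'devpts', 'cgroup'}
# Labels the container runtime assigns to volume content (last one is the old alias).
CONTAINER_LABELS = {'container_file_t', 'container_ro_file_t', 'container_share_t', 'svirt_sandbox_file_t'}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]


def parse_avc(text):
    """Parse ausearch output into one dict per AVC record."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ev = {'perms': m.group('perms').split()}
        for key, quoted, bare in KV_RE.findall(m.group('fields')):
            ev[key] = quoted if bare == '' else bare
        ev['enforced'] = ev.get('permissive') == '0'   # 0 = actually blocked
        ev['target'] = ev.get('path') or ev.get('name') or '<unnamed>'
        events.append(ev)
    return events


def classify(ev):
    """Heuristic (my assumption): container_t may only use files carrying a
    container label, so a denial on a disk file/dir with a plain host label
    such as user_home_t is an unrelabelled bind mount. Pseudo-filesystems,
    runtime-owned pipes and the 'associate' filesystem check are not volumes."""
    ttype = selinux_type(ev['tcontext'])
    if ev['tclass'] not in FILE_CLASSES:
        return 'not_a_volume'
    if ev.get('dev') in PSEUDO_FS or ttype == 'container_runtime_t':
        return 'not_a_volume'
    if ttype in CONTAINER_LABELS:
        return 'labelled_but_denied'   # e.g. MCS category mismatch after :Z
    return 'relabel_volume'


def triage(text):
    """Group denials by verdict, then by the container process that hit them."""
    report = defaultdict(lambda: defaultdict(set))
    for ev in parse_avc(text):
        report[classify(ev)][ev.get('comm', '?')].add(ev['target'])
    return {k: {c: sorted(t) for c, t in v.items()} for k, v in report.items()}


def compose_volume(host, guest, shared, readonly=False):
    """Render a compose / `docker run -v` spec: :z when several containers
    share the path (web root read by httpd and php-fpm), :Z when exactly one
    container owns it (a database datadir). :ro keeps the relabel, blocks writes."""
    opts = (['ro'] if readonly else []) + ['z' if shared else 'Z']
    return f"{host}:{guest}:{','.join(opts)}"


if __name__ == '__main__':
    for verdict, procs in triage(SAMPLE).items():
        print(verdict)
        for comm, targets in procs.items():
            print(f"  {comm}: {', '.join(targets)}")
    print(compose_volume('./data/www', '/shared/httpd', shared=True))
    print(compose_volume('./data/mysql', '/var/lib/mysql', shared=False))
```

Run it with `sudo ausearch -m avc -ts recent | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`; anything under `relabel_volume` is a mount to fix in the compose file, anything under `not_a_volume` will survive a relabel and needs a different explanation. On a host without SELinux the `:z`/`:Z` suffix is accepted and ignored, which is the point @rhatdan makes below about shipping it in the project's compose file.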

9034725985 commented May 16, 2018

Thank you @rhatdan

Specifically, is there a reason to not add z to the volumes here? I am thinking about submitting a pull request once I get it running...

rhatdan commented May 16, 2018

:z would be ignored on non SELinux boxes.

EarlRamirez commented May 21, 2018

@rhatdan thanks for clearing things up. I had a similar issue on a KVM guest and that boolean worked; thanks again for the clarification @rhatdan

9034725985 referenced this issue Jun 8, 2018

Merged: add z to everything #289

@cytopia cytopia self-assigned this Jul 17, 2018

cytopia added a commit that referenced this issue Aug 11, 2018

@cytopia cytopia closed this in 39f7dc1 Aug 11, 2018
