SE Linux

[9034725985]

Update: Please leave this ticket open if it is ok. Still working on it. Can't get sites inside data to show up in v hosts php

I need to do more work on this.

If you encounter a bug and something does not work, make sure you have done the following and check those boxes before submitting an issue - thank you!

I think we need to specify rw for SE Linux somewhere?

• Pull latest dockers (e.g.: docker pull cytopia/<used_docker>) before running docker-compose up
• Specify used docker versions (php, web and database)
• Attach logs for php, mysql and webserver (found in log/ directory)
• Start with debug mode and attach docker-compose output (.env setting DEBUG_COMPOSE_ENTRYPOINT=1)
• Never use different mysql|mariadb versions on the same HOST_PATH_MYSQL_DATADIR on existing database files. Different mysql|mariadb versions might upgrade/corrupt existing database files. If you have done that already, start with a different path of HOST_PATH_MYSQL_DATADIR (to an empty directory) and try again.

Please also specify the following info:

• Which operating system are you at (Linux, OSX or Windows)
• docker version
• docker-compose version

[cytopia]

Looks like a lot of permission problems.

I think we need to specify rw for SE Linux somewhere?

What does that mean?

How does it behave when u disable SE?

[9034725985]

Works as far as I can tell without SE Linux

Update: I didn't test actually adding a project iirc so working correctly only refers to the dashboard. Will work on this more later.

Removing extra bash output

[cytopia]

OK, then it is a permission issue with SE Linux. Unfortunately I have never used it myself and have no idea how that works. For now I can only make a note in the documentation. If you want to dig into SE Linux and find something, please let me know.

[science695]

This article talks about how to audit selinux security for an application:
http://robinbowes.com/article.php/20060206181015320

[EarlRamirez]

what is the output of ausearch -m avc -ts recent?

[rhatdan]

If the compose is volume mounting content into the container, then make sure you are either lableing the content correctly by adding a :Z or :z to the volume mount. If you need to share content on the host which will be used both outsize and inside the container, you can disable SELinux container separation with the --security-opt label:disable option.

[9034725985]

Hi @EarlRamirez here's what I saw with SE Linux enabled:

[kus@localhost devilbox]$ sudo ausearch -m avc -ts recent
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1052): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1053): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:35:34 2018
type=AVC msg=audit(1526024134.654:1074): avc:  denied  { write } for  pid=13564 comm="openssl" name="devilbox-ca.key" dev="dm-2" ino=20186096 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0

Here's what I saw after I disabled SE Linux and ran docker-compose up again

[kus@localhost devilbox]$ sudo ausearch -m avc -ts recent
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1052): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:35:19 2018
type=AVC msg=audit(1526024119.640:1053): avc:  denied  { write } for  pid=13291 comm="touch" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:35:34 2018
type=AVC msg=audit(1526024134.654:1074): avc:  denied  { write } for  pid=13564 comm="openssl" name="devilbox-ca.key" dev="dm-2" ino=20186096 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 11 03:40:35 2018
type=AVC msg=audit(1526024435.517:1160): avc:  denied  { setattr } for  pid=14206 comm="chown" name="php-fpm.access" dev="dm-2" ino=20186094 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:35 2018
type=AVC msg=audit(1526024435.517:1161): avc:  denied  { setattr } for  pid=14206 comm="chown" name="php-fpm-7.2" dev="dm-2" ino=20185893 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.628:1210): avc:  denied  { read } for  pid=14595 comm="openssl" name="devilbox-ca.crt" dev="dm-2" ino=20186097 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.629:1211): avc:  denied  { open } for  pid=14595 comm="openssl" path="/ca/devilbox-ca.crt" dev="dm-2" ino=20186097 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.665:1212): avc:  denied  { write } for  pid=14595 comm="openssl" name="devilbox-ca.srl" dev="dm-2" ino=20186098 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.752:1213): avc:  denied  { setattr } for  pid=14625 comm="chown" name="devilbox-ca.crt" dev="dm-2" ino=20186097 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.752:1214): avc:  denied  { setattr } for  pid=14625 comm="chown" name=".keepme" dev="dm-2" ino=20185630 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:39 2018
type=AVC msg=audit(1526024439.752:1215): avc:  denied  { setattr } for  pid=14625 comm="chown" name="ca" dev="dm-2" ino=20185629 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.400:1272): avc:  denied  { setattr } for  pid=15246 comm="chown" name="backups" dev="dm-2" ino=20185624 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.606:1267): avc:  denied  { setattr } for  pid=15187 comm="chown" name="pg_replslot" dev="dm-2" ino=20186120 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.606:1268): avc:  denied  { setattr } for  pid=15187 comm="chown" name="pg_ident.conf" dev="dm-2" ino=20186139 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.749:1269): avc:  denied  { setattr } for  pid=15182 comm="chown" name="diagnostic.data" dev="dm-2" ino=20187054 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.754:1270): avc:  denied  { setattr } for  pid=15207 comm="chown" name="" dev="pipefs" ino=206322 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.161:1271): avc:  denied  { setattr } for  pid=15221 comm="chown" name="mysql" dev="dm-2" ino=20186103 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:44 2018
type=AVC msg=audit(1526024444.405:1273): avc:  denied  { setattr } for  pid=15248 comm="chown" name="www" dev="dm-2" ino=20185894 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:43 2018
type=AVC msg=audit(1526024443.463:1266): avc:  denied  { setattr } for  pid=15182 comm="chown" name="storage.bson" dev="dm-2" ino=20186483 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:48 2018
type=AVC msg=audit(1526024448.822:1275): avc:  denied  { open } for  pid=14708 comm="postgres" path="/var/lib/postgresql/data/pgdata/postgresql.conf" dev="dm-2" ino=20186128 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:48 2018
type=AVC msg=audit(1526024448.822:1274): avc:  denied  { read } for  pid=14708 comm="postgres" name="postgresql.conf" dev="dm-2" ino=20186128 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1276): avc:  denied  { write } for  pid=14708 comm="postgres" name="9.6" dev="dm-2" ino=20185904 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1277): avc:  denied  { add_name } for  pid=14708 comm="postgres" name="postmaster.pid" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.859:1278): avc:  denied  { create } for  pid=14708 comm="postgres" name="postmaster.pid" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:49 2018
type=AVC msg=audit(1526024449.885:1279): avc:  denied  { write } for  pid=14708 comm="postgres" path="/var/lib/postgresql/data/pgdata/postmaster.pid" dev="dm-2" ino=20188510 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.473:1281): avc:  denied  { associate } for  pid=15309 comm="httpd" name="2" scontext=system_u:object_r:container_t:s0:c774,c913 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
----
time->Fri May 11 03:40:52 2018
type=AVC msg=audit(1526024452.611:1288): avc:  denied  { unlink } for  pid=14708 comm="postgres" name="0000" dev="dm-2" ino=20186130 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.473:1280): avc:  denied  { add_name } for  pid=15309 comm="httpd" name="2" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:system_r:container_t:s0:c774,c913 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1282): avc:  denied  { write } for  pid=15309 comm="httpd" name="apache-2.4" dev="dm-2" ino=20185895 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1283): avc:  denied  { add_name } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.474:1284): avc:  denied  { create } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.480:1285): avc:  denied  { append } for  pid=15309 comm="httpd" name="defaultlocalhost-error.log" dev="dm-2" ino=20186099 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:51 2018
type=AVC msg=audit(1526024451.480:1286): avc:  denied  { open } for  pid=15309 comm="httpd" path="/var/log/apache-2.4/defaultlocalhost-error.log" dev="dm-2" ino=20186099 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:52 2018
type=AVC msg=audit(1526024452.611:1287): avc:  denied  { remove_name } for  pid=14708 comm="postgres" name="0000" dev="dm-2" ino=20186130 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1290): avc:  denied  { add_name } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1291): avc:  denied  { create } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1289): avc:  denied  { write } for  pid=15307 comm="mysqld" name="mariadb-10.1" dev="dm-2" ino=20185900 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.357:1292): avc:  denied  { read write open } for  pid=15307 comm="mysqld" path="/var/lib/mysql/91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.358:1293): avc:  denied  { remove_name } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.358:1294): avc:  denied  { unlink } for  pid=15307 comm="mysqld" name="91eb6adef70a.lower-test" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:55 2018
type=AVC msg=audit(1526024455.647:1295): avc:  denied  { rename } for  pid=15459 comm="postgres" name="db_0.tmp" dev="dm-2" ino=20187119 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:56 2018
type=AVC msg=audit(1526024456.750:1296): avc:  denied  { setattr } for  pid=15472 comm="chown" name="ib_logfile0" dev="dm-2" ino=20186168 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:56 2018
type=AVC msg=audit(1526024456.752:1297): avc:  denied  { setattr } for  pid=15472 comm="chown" name="mysql" dev="dm-2" ino=20186135 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1304): avc:  denied  { remove_name } for  pid=14674 comm="mongod" name="WiredTigerPreplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1305): avc:  denied  { unlink } for  pid=14674 comm="mongod" name="WiredTigerPreplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.402:1306): avc:  denied  { add_name } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.402:1307): avc:  denied  { create } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.667:1308): avc:  denied  { rename } for  pid=14674 comm="mongod" name="WiredTigerTmplog.0000000001" dev="dm-2" ino=20186436 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.714:1309): avc:  denied  { map } for  pid=14805 comm="mysqld" path="/var/lib/mysql/tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.481:1298): avc:  denied  { read write } for  pid=14674 comm="mongod" name="mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.481:1299): avc:  denied  { open } for  pid=14674 comm="mongod" path="/data/db/mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.482:1300): avc:  denied  { lock } for  pid=14674 comm="mongod" path="/data/db/mongod.lock" dev="dm-2" ino=20186133 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.769:1301): avc:  denied  { append } for  pid=14805 comm="mysqld" name="error.log" dev="dm-2" ino=20186132 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:57 2018
type=AVC msg=audit(1526024457.854:1302): avc:  denied  { lock } for  pid=14805 comm="mysqld" path="/var/lib/mysql/aria_log_control" dev="dm-2" ino=20186147 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:40:59 2018
type=AVC msg=audit(1526024459.301:1303): avc:  denied  { write } for  pid=14674 comm="mongod" name="journal" dev="dm-2" ino=20186134 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:05 2018
type=AVC msg=audit(1526024465.999:1310): avc:  denied  { append } for  pid=14674 comm="ftdc" path="/data/db/diagnostic.data/metrics.2018-05-11T07-41-05Z-00000" dev="dm-2" ino=20186430 scontext=system_u:system_r:container_t:s0:c79,c575 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1311): avc:  denied  { write } for  pid=15514 comm="php-fpm" name="php-fpm-7.2" dev="dm-2" ino=20185893 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1312): avc:  denied  { add_name } for  pid=15514 comm="php-fpm" name="php-fpm.error" scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1313): avc:  denied  { create } for  pid=15514 comm="php-fpm" name="php-fpm.error" scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1314): avc:  denied  { append } for  pid=15514 comm="php-fpm" name="php-fpm.error" dev="dm-2" ino=20186095 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:41:08 2018
type=AVC msg=audit(1526024468.798:1315): avc:  denied  { open } for  pid=15514 comm="php-fpm" path="/var/log/php/php-fpm.error" dev="dm-2" ino=20186095 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1317): avc:  denied  { open } for  pid=15741 comm="php-fpm" path="/var/www/default/htdocs/index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1318): avc:  denied  { map } for  pid=15741 comm="php-fpm" path="/var/www/default/htdocs/index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.670:1319): avc:  denied  { read } for  pid=16632 comm="postgres" name="pg_filenode.map" dev="dm-2" ino=20186427 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.670:1320): avc:  denied  { open } for  pid=16632 comm="postgres" path="/var/lib/postgresql/data/pgdata/global/pg_filenode.map" dev="dm-2" ino=20186427 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:34 2018
type=AVC msg=audit(1526024554.776:1321): avc:  denied  { write } for  pid=16632 comm="postgres" name="2676" dev="dm-2" ino=20186270 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:33 2018
type=AVC msg=audit(1526024553.852:1316): avc:  denied  { read } for  pid=15741 comm="php-fpm" name="index.php" dev="dm-2" ino=20054290 scontext=system_u:system_r:container_t:s0:c581,c880 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:35 2018
type=AVC msg=audit(1526024555.415:1322): avc:  denied  { read } for  pid=16593 comm="httpd" name="status.json" dev="dm-2" ino=20054245 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:35 2018
type=AVC msg=audit(1526024555.415:1323): avc:  denied  { open } for  pid=16593 comm="httpd" path="/var/www/default/api/devilbox-api/status.json" dev="dm-2" ino=20054245 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:37 2018
type=AVC msg=audit(1526024557.511:1324): avc:  denied  { map } for  pid=16593 comm="httpd" path="/var/www/default/htdocs/vendor/font-awesome/font-awesome.min.css" dev="dm-2" ino=20054317 scontext=system_u:system_r:container_t:s0:c774,c913 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1325): avc:  denied  { create } for  pid=15459 comm="postgres" name="global.tmp" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1326): avc:  denied  { rename } for  pid=15459 comm="postgres" name="db_0.tmp" dev="dm-2" ino=20188533 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:42:55 2018
type=AVC msg=audit(1526024575.718:1327): avc:  denied  { unlink } for  pid=15459 comm="postgres" name="db_0.stat" dev="dm-2" ino=20188536 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:43:27 2018
type=AVC msg=audit(1526024607.553:1333): avc:  denied  { write } for  pid=15455 comm="postgres" name="pg_clog" dev="dm-2" ino=20186107 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:27 2018
type=AVC msg=audit(1526024607.553:1334): avc:  denied  { add_name } for  pid=15455 comm="postgres" name="0000" scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:28 2018
type=AVC msg=audit(1526024608.765:1335): avc:  denied  { remove_name } for  pid=15459 comm="postgres" name="db_12407.tmp" dev="dm-2" ino=20188530 scontext=system_u:system_r:container_t:s0:c688,c875 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1349): avc:  denied  { write } for  pid=14805 comm="mysqld" name="mariadb-10.1" dev="dm-2" ino=20185900 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.610:1348): avc:  denied  { lock } for  pid=14805 comm="mysqld" path="/var/lib/mysql/aria_log_control" dev="dm-2" ino=20186147 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1350): avc:  denied  { remove_name } for  pid=14805 comm="mysqld" name="tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
----
time->Fri May 11 03:43:32 2018
type=AVC msg=audit(1526024612.611:1351): avc:  denied  { unlink } for  pid=14805 comm="mysqld" name="tc.log" dev="dm-2" ino=20186437 scontext=system_u:system_r:container_t:s0:c58,c992 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
[kus@localhost devilbox]$ 

Full terminal output

https://paste.fedoraproject.org/paste/bEpQhW7IZQNBIhJHiXxjKA/raw

[EarlRamirez]

I would mount the volumes for the containers as described at @rhatdan for php-fpm I would enable httpd_network_connect 1 using setsebool -P httpd_network_connect 1

[9034725985]

Thank you, I used setsebool -P httpd_can_network_connect 1 and blindly applied :z everywhere I could and devilbox loads fine now.

Is it ok to add :z or :ro,z everywhere? Adding z shouldn't break anything, right?

Here's my full paste

https://paste.fedoraproject.org/paste/cLK8uW3uwaxzBz5oz7gDRQ/raw

Thank you!

[rhatdan]

The boolean will have no effect. It is concerned with a confined apache web service ,not with process running in containers. The :z and :Z fix the issue. But be care ful with them.

I talk about this in this blog.

https://danwalsh.livejournal.com/78940.html

[9034725985]

Thank you @rhatdan

Specifically, is there a reason to not add z to the volumes here? I am thinking about submitting a pull request once I get it running...

[rhatdan]

:z would be ignored on non SELinux boxes.

[EarlRamirez]

@rhatdan thanks for clearing things up, I had a similar issue on a KVM guest and that boolean worked, once again thanks again for the clarification @rhatdan