Description
Apologies in advance, I am struggling to comprehend how SELinux categories are supposed to work.
I have an Oracle Linux 8 box, on which I'm using podman with docker-compose to bring up a Spigot server with a few spiget plugins. It seems that when I stop the container, make changes to my docker-compose.yml, and start it again, the container gets permission denied on the first plugin version.json file. (I haven't 100% nailed down what reproduces it yet.) I tracked down the issue and determined that all files downloaded from spiget have SELinux categories on them:
```
-rw-rw-r--. 1 20003 root system_u:object_r:container_file_t:s0:c40,c562 17870 Apr 22 05:54 83661.jar
-rw-rw-r--. 1 20003 root system_u:object_r:container_file_t:s0:c40,c562 29256 Apr 22 05:54 86391.jar
-rw-rw-r--. 1 20003 root system_u:object_r:container_file_t:s0:c40,c562 85928 Apr 22 05:54 91537.jar
-rw-rw-r--. 1 20003 root system_u:object_r:container_file_t:s0:c40,c562 2219573 Apr 22 05:54 97320.jar
drwxrwxr-x. 5 20003 root system_u:object_r:container_file_t:s0 199 Apr 22 05:54 BedWars1058
drwxrwxr-x. 2 20003 root system_u:object_r:container_file_t:s0 24 Apr 22 05:54 bStats
drwxrwxr-x. 2 20003 root system_u:object_r:container_file_t:s0 24 Apr 22 05:54 PluginMetrics
-rw-r--r--. 2 root root unconfined_u:object_r:container_file_t:s0 10464701 Dec 7 05:56 slimeworldmanager-plugin-2.2.1.jar
```
Note the :c40,c562 on the top 4, and the lack thereof on the 3 folders below (created by the container) and the bottom plugin (created manually). This is confirmed to most likely be the issue by audit2why:
```
# Possible cause is the source level (s0:c30,c433) and target level (s0:c40,c562) are different.
```
Unfortunately, I was not able to determine what causes files to be created with or without categories.
Please let me know if you need more information, or if I should have filed this under itzg/docker-minecraft-server instead.
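As an added example (not code from the issue, from podman or from the docker-minecraft-server project), here is a small bash check that reads `ls -lZ` output and lists the files whose MCS level is neither the shared `s0` level (which any category set dominates) nor the level the running container was assigned. The sample listing is constructed from the one above, and the container level used is the source level that audit2why reported.

```bash
#!/usr/bin/env bash
# Added example: find files a container cannot reach because of an MCS category mismatch.
# podman gives each container a random pair of categories (e.g. s0:c30,c433); a file
# labelled with a different pair (e.g. s0:c40,c562) is off limits to it, while a file
# at plain s0 (no categories) is reachable from any category set.
#
# Real-host usage (assumed invocation, not from the issue):
#   ls -lZ /path/to/plugins | mcs_mismatches "$(podman inspect --format '{{.ProcessLabel}}' CONTAINER | cut -d: -f4-)"

# extract_level: print the level part of a full context, e.g.
# system_u:object_r:container_file_t:s0:c40,c562 -> s0:c40,c562
extract_level() {
  printf '%s\n' "$1" | cut -d: -f4-
}

# mcs_mismatches LEVEL  (reads `ls -lZ` lines on stdin)
# Prints "<name> <level>" for each entry whose level is neither "s0" nor LEVEL.
# Column layout of ls -lZ: perms links user group context size month day time name
# (file names containing spaces are not handled; $NF only sees the last word).
mcs_mismatches() {
  local want="$1" line ctx level name
  while read -r line; do
    ctx=$(printf '%s\n' "$line" | awk '{print $5}')
    [ -z "$ctx" ] && continue            # skips the "total N" line and blanks
    name=$(printf '%s\n' "$line" | awk '{print $NF}')
    level=$(extract_level "$ctx")
    # exact string compare is enough for podman's two-category labels
    if [ "$level" != "s0" ] && [ "$level" != "$want" ]; then
      printf '%s %s\n' "$name" "$level"
    fi
  done
}

# Constructed sample listing, modelled on the one in the issue, plus one file
# that already carries the current container's categories.
SAMPLE_LISTING='-rw-rw-r--. 1 20003 root system_u:object_r:container_file_t:s0:c40,c562 17870 Apr 22 05:54 83661.jar
drwxrwxr-x. 5 20003 root system_u:object_r:container_file_t:s0 199 Apr 22 05:54 BedWars1058
-rw-r--r--. 2 root root unconfined_u:object_r:container_file_t:s0 10464701 Dec 7 05:56 slimeworldmanager-plugin-2.2.1.jar
-rw-rw-r--. 1 20003 root system_u:object_r:container_file_t:s0:c30,c433 512 Apr 23 10:00 version.json'

# demo: run the check against the sample with the source level audit2why printed
demo() {
  printf '%s\n' "$SAMPLE_LISTING" | mcs_mismatches 's0:c30,c433'
}
```

Only entries still labelled with a stale category pair are reported, so the output tells you which files need relabelling before the restarted container can read them.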