Betriebssystem Code Werkzeuge

PHP, Docker, SELinux

When you try to use the PHP Docker Script from my previous post on a Linux distribution that uses SELinux (like Fedora), you might experience some problems.

Basically the Container will not have access to any of the required volumes like:

  • your project files
  • /etc/passwd
  • /etc/group
  • ~/.cache/composer
  • ~/.config/composer
  • ~/.ssh
  • the SSH agent socket

Is SELinux to blame?

To find out if your permission problems are really caused by SELinux you can temporarily disable access blocking:

sudo setenforce 0

When the files are accessible now, you know it’s SELinux. Make sure you turn on enforcing after you’re done testing:

sudo setenforce 1

The Z-flag

You could try to add the Z flag to the volume mapping but this is not recommended!

With the Z-flag set Docker will change the SELinux context of the files inside that volume (similar to a chcon call).

This might be OK for your project files but is highly discouraged for system files like /etc/passwd.

Detecting the problems

SELinux has a very extensive log at /var/log/audit/audit.log. It will log most of the time to this file when access was denied or granted.

In the case of my Docker container some of the problems did not show up in the audit log. To make sure all problems are logged you can use this command:

sudo semodule --disable_dontaudit --build

-D –disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt

semodule man page

Analyse the log

The log entries you are interested in look like this:

type=AVC msg=audit(1573154170.047:519): avc: denied { read } for pid=37461 comm=„bash“ name=„passwd“ dev=„dm-1“ ino=1879487 scontext=system_u:system_r:container_t:s0:c61,c1013 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Excerpt from the audit.log

Important here are these parts:

  • the request was denied
  • scontext contains container_t
  • a request was made to a file Composer needs to access

audit2allow to the rescue!

Now we can start fixing the problems using audit2allow.

This tool analyses all failed entries of the SELinux audit log and generates a configuration that allows them.

First you copy all related audit log lines into a new file (let’s call it allow.log).

After that you pass the contents of the file to audit2allow and let it build a module:

cat allow.log | audit2allow -M containermods

Finally you need to load active the build module.

sudo semodule -i containermods.pp

This change is permanent and will survive reboots.

And repeat and repeat and…

You will most likely have to repeat the steps described above multiple times until everything is working smoothly. This means:

  • watch the audit log
  • try running the Composer command
  • append the related denied lines to allow.log
  • call audit2allow and load the module
  • repeat

Von Alexander Stehlik

(TYPO3-)Entwickler aus Leidenschaft