When you try to use the PHP Docker Script from my previous post on a Linux distribution that uses SELinux (like Fedora), you might experience some problems.
Basically the container will not have access to any of the required volumes, such as:
- your project files
- /etc/passwd
- /etc/group
- ~/.cache/composer
- ~/.config/composer
- ~/.ssh
- the SSH agent socket
Is SELinux to blame?
To find out if your permission problems are really caused by SELinux you can temporarily disable access blocking:
sudo setenforce 0
When the files are accessible now, you know it’s SELinux. Make sure you turn on enforcing after you’re done testing:
sudo setenforce 1
The Z-flag
You could try to add the Z flag to the volume mapping, but this is not recommended!
With the Z flag set, Docker will change the SELinux context of the files inside that volume (similar to a chcon call).
This might be OK for your project files but is highly discouraged for system files like /etc/passwd.
Detecting the problems
SELinux has a very extensive log at /var/log/audit/audit.log. Most access decisions, denied or granted, are recorded in this file.
In the case of my Docker container some of the problems did not show up in the audit log. To make sure all problems are logged you can use this command:
sudo semodule --disable_dontaudit --build
From the semodule man page:
-D, --disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt.
Analyse the log
The log entries you are interested in look like this:
type=AVC msg=audit(1573154170.047:519): avc: denied { read } for pid=37461 comm="bash" name="passwd" dev="dm-1" ino=1879487 scontext=system_u:system_r:container_t:s0:c61,c1013 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
Excerpt from the audit.log
Important here are these parts:
- the request was denied
- scontext contains container_t
- a request was made to a file Composer needs to access
audit2allow to the rescue!
Now we can start fixing the problems using audit2allow.
This tool analyses all failed entries of the SELinux audit log and generates a policy module that allows them.
First you copy all related audit log lines into a new file (let's call it allow.log).
After that you pass the contents of the file to audit2allow and let it build a module:
cat allow.log | audit2allow -M containermods
Finally you need to load and activate the built module:
sudo semodule -i containermods.pp
This change is permanent and will survive reboots.
And repeat and repeat and…
You will most likely have to repeat the steps described above multiple times until everything is working smoothly. This means:
- watch the audit log
- try running the Composer command
- append the related denied lines to allow.log
- call audit2allow and load the module
- repeat
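The loop above, as an added shell example that is not part of the original post: it keeps only the denied AVC lines whose source context is container_t, so unrelated denials from other domains do not end up in the generated module, and wraps the audit2allow/semodule step. The file names allow.log and containermods are taken from the post; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): filter the audit log down to the
# AVC denials that come from the container domain before feeding audit2allow.
set -eu

# Keep only AVC lines that were denied and whose source context is container_t.
# Reads audit log lines on stdin, writes the matching lines on stdout.
extract_container_denials() {
    grep 'type=AVC' | grep ' denied ' | grep 'scontext=[^ ]*:container_t:'
}

# Build a module from the collected denials and load it (needs audit2allow and
# semodule from policycoreutils). Not run automatically below; call it with the
# allow.log path once you have collected the lines you want to allow.
build_and_load_module() {
    log="$1"
    mod="${2:-containermods}"
    audit2allow -M "$mod" < "$log"
    sudo semodule -i "$mod.pp"
}

# Constructed sample log: two container_t denials (passwd file, SSH agent socket),
# one granted access and one denial from an unrelated domain (sshd_t).
SAMPLE_LOG='type=AVC msg=audit(1573154170.047:519): avc: denied { read } for pid=37461 comm="bash" name="passwd" dev="dm-1" ino=1879487 scontext=system_u:system_r:container_t:s0:c61,c1013 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573154170.048:520): avc: granted { read } for pid=37461 comm="bash" name="group" dev="dm-1" ino=1879488 scontext=system_u:system_r:container_t:s0:c61,c1013 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573154171.000:521): avc: denied { write } for pid=1234 comm="sshd" name="foo" dev="dm-1" ino=42 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573154172.100:522): avc: denied { connectto } for pid=37461 comm="php" path="/tmp/ssh-agent.sock" scontext=system_u:system_r:container_t:s0:c61,c1013 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket permissive=0'

# Number of container_t denials found in the sample; the same filter applied to
# /var/log/audit/audit.log is what you append to allow.log on each iteration.
count_container_denials() {
    printf '%s\n' "$SAMPLE_LOG" | extract_container_denials | wc -l | tr -d ' '
}

# Example of one iteration against the constructed sample (appends to allow.log
# in the current directory):
# printf '%s\n' "$SAMPLE_LOG" | extract_container_denials >> allow.log
# build_and_load_module allow.log containermods
```

Run the filter against the real audit log with `sudo grep container_t /var/log/audit/audit.log | extract_container_denials >> allow.log` between attempts, then call build_and_load_module once the lines look right.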