This repository has been archived by the owner on Jul 19, 2018. It is now read-only.

SELinux support #35

Open
jboero opened this issue May 23, 2017 · 5 comments

Comments

jboero commented May 23, 2017

No error and no output with setenforce=1 SELinux on Fedora 25. Has anybody else had success with SELinux? Targeted/enforcing mode.

jboero commented May 23, 2017

Note: @johnmccabe has pointed out this works in enforcing SELinux with the --privileged flag.

johnmccabe commented May 23, 2017

Thanks @jboero, we'll update the docs. Regarding the lack of communication in the event of failure, there's some work ongoing to address that at the moment (off the back of the API version mismatch updates).

@johnmccabe

@jboero if you get a chance, can you share the output you get with the --debug flag also set?

@johnmccabe

nvm, set it up here

[root@t7ad0yz0nuk83h6 ~]# docker run --rm  -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon scan --debug
[lumogon] 2017/06/07 15:03:13.716271 [Analytics] Initializing Google Analytics: scan
[lumogon] 2017/06/07 15:03:13.716319 [Docker Adapter] Creating container runtime client: Docker
[lumogon] 2017/06/07 15:03:13.717037 [Scheduler] Creating scheduler
[lumogon] 2017/06/07 15:03:13.717075 [Docker Adapter] Creating container runtime client: Docker
[lumogon] 2017/06/07 15:03:13.717081 [Scheduler] Running
[lumogon] 2017/06/07 15:03:13.717100 [Scheduler] Creating context with timeout [60]
[lumogon] 2017/06/07 15:03:13.717349 [Analytics] Submitting event to Google Analytics
[lumogon] 2017/06/07 15:03:13.718508 [Docker Adapter] Error listing running containers: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied
[lumogon] 2017/06/07 15:03:13.718537 [Targets] Unable to list containers, error: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied
Unable to normalise target containers: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied.
Exiting...[root@t7ad0yz0nuk83h6 ~]# docker run --rm  -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon version
Client:
 Version:      20170524205424-0.2.0-27-ge10ec0d
 Git commit:   e10ec0df4c031da28e3972915ffd868731af4ce6
 Built:        2017-05-24 08:54:24 UTC

@todd-a-jacobs

For whatever it's worth, SELinux bind mounts with Docker often work by appending the poorly-documented :z option to the target. However, -v /var/run/docker.sock:/var/run/docker.sock:z also doesn't work. Lumogon exits silently, and even turning on scan --debug results in a lack of useful information. In my case, on RHEL 7.4 with SELinux I don't even get a "permission denied" error.
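
Added example (not part of the thread or of Lumogon's code): because the tool can exit without any message, the SELinux audit log is the place to confirm that policy is what blocked access to /var/run/docker.sock. The parser below extracts AVC denials that target the Docker socket; the sample records are constructed, and the type names in them (container_t, container_var_run_t, container_runtime_t) are assumptions that differ between policy versions.

```python
import re

# AVC denial records as written to audit.log / printed by ausearch.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records; type names are assumptions, not taken from the thread.
SAMPLE_AUDIT = """
type=AVC msg=audit(1496847793.718:412): avc:  denied  { write } for  pid=2345 comm="lumogon" name="docker.sock" dev="tmpfs" ino=20713 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1496847793.718:413): avc:  denied  { connectto } for  pid=2345 comm="lumogon" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1496847801.002:420): avc:  denied  { read } for  pid=990 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def docker_sock_denials(audit_lines):
    """Denials aimed at the Docker socket file or the stream socket behind it."""
    hits = []
    for line in audit_lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # sock_file records carry name=, unix_stream_socket records carry path=
        target = rec.get("path") or rec.get("name", "")
        if target.endswith("docker.sock") and rec.get("tclass") in ("sock_file", "unix_stream_socket"):
            hits.append({
                "comm": rec.get("comm"),
                "perms": rec["perms"],
                "domain": rec.get("scontext", "::").split(":")[2],
                # permissive=0 means the denial was enforced, not just logged
                "enforced": rec.get("permissive") == "0",
            })
    return hits

if __name__ == "__main__":
    for hit in docker_sock_denials(SAMPLE_AUDIT.splitlines()):
        print(hit)
```

On a real host the input would be the AVC records from the audit log, for example the output of `ausearch -m avc -ts recent` run as root.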
