If you try to bind mount a directory into a container under Red Hat you might have problems with selinux. The directory will be unreadable from inside the container. Unless you add a z
/Z
volume option.
But what I don't understand is why I can't see corresponding errors in /var/log/audit/audit.log
. Indeed after:
sudo semodule --disable_dontaudit --build
they start getting logged:
type=AVC msg=audit(1624806449.148:2225): avc: denied { read } for pid=34576
comm="ls" name="a" dev="xvda2" ino=8546053
scontext=system_u:system_r:container_t:s0:c48,c319
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
But which rule disables logging? I can see:
$ sesearch --dontaudit | grep container_t
dontaudit container_t container_t:capability audit_write; [ virt_sandbox_use_netlink ]:False
dontaudit container_t container_t:capability { fsetid net_admin sys_module };
dontaudit container_t container_t:capability2 block_suspend;
dontaudit container_t container_t:dir { add_name write };
dontaudit container_t container_t:file create;
dontaudit container_t container_t:netlink_audit_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_relay read setattr setopt shutdown write }; [ virt_sandbox_use_netlink ]:False
dontaudit container_t container_t:udp_socket listen;
Is it one of those? Or some other one?
I'm running a Red Hat instance on AWS:
Red Hat Enterprise Linux 8 with High Availability - ami-06ec8443c2a35b0ba
0 Answers