I have a Docker container that should read logs, including those from the host itself. So I mount the volume `/var/log` using the `z` flag. This changes the SELinux context on the files inside `/var/log`, which prevents my usual processes from accessing these files, the end result being that I am unable to log in locally:

```
kernel: type=1400 audit(14958482): avc: denied { open } for pid=12345 comm="agetty" name="/var/log/wtmp" dev="dm-6" ino=134 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file
```
What's the best practice here? Turning off SELinux, while it gets rid of the issue, is not an option.
`restorecon -R /var/log` can fix the no-login issue, as it will return all the labels under that tree to their default. The longer-term fix is to modify the SELinux policy to allow Docker containers to read the contents of `/var/log`. https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_your_own_policy_module_file is one example of how to do this. If you put everything back and attempt the read again, you can use `audit2allow -r` to generate the necessary policy for you. If you are running Chef you can use https://supermarket.chef.io/cookbooks/selinux_policy/versions/0.3.0 to do it as well.
(And kudos for not going the just-disable-it route)
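The following shell script is an added example, not part of the question or the answer above. It parses an AVC denial line into its fields, recognises the pattern the question shows (a host domain such as `getty_t` denied access to a file that Docker relabelled with the container file type because of the `:z` volume flag), and wraps the `restorecon` fix from the answer so it only runs where the SELinux tools exist. The sample line is the one from the question; the type names `svirt_sandbox_file_t` (older policy) and `container_file_t` (newer policy) and the container domains `svirt_lxc_net_t` and `container_t` are the standard labels from the container SELinux policy.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Parses an SELinux AVC denial line and checks whether it shows a host process
# being blocked by a file that Docker relabelled for a container (":z"/":Z").
# Sample line: the denial posted in the question.
SAMPLE_AVC='kernel: type=1400 audit(14958482): avc: denied { open } for pid=12345 comm="agetty" name="/var/log/wtmp" dev="dm-6" ino=134 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file'

# avc_field NAME LINE -> value of NAME=... (surrounding quotes stripped), empty if absent
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission names inside "denied { ... }"
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# classify LINE -> "container-relabel" when a non-container domain is denied
# access to a file carrying a container file label, "other" otherwise.
classify() {
  stype=$(ctx_type "$(avc_field scontext "$1")")
  ttype=$(ctx_type "$(avc_field tcontext "$1")")
  case "$ttype" in
    svirt_sandbox_file_t|container_file_t)
      case "$stype" in
        svirt_lxc_net_t|container_t) echo other ;;   # a container reading its own volume: expected
        *) echo container-relabel ;;                 # host domain hit by the relabel
      esac ;;
    *) echo other ;;
  esac
}

# restore_labels DIR -> the fix from the answer: put the default labels back.
# Returns 2 instead of failing on a host without the SELinux userland.
restore_labels() {
  command -v restorecon >/dev/null 2>&1 || { echo "restorecon not available" >&2; return 2; }
  restorecon -R -v "$1"
}

if [ "$(classify "$SAMPLE_AVC")" = container-relabel ]; then
  echo "$(avc_field comm "$SAMPLE_AVC") denied $(avc_perms "$SAMPLE_AVC") on $(avc_field name "$SAMPLE_AVC"): relabelled volume"
fi
```

Feeding `ausearch -m avc` output through `classify` line by line separates the denials caused by the volume relabel from ordinary container denials, which is the set you would then hand to `audit2allow` as the answer suggests.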