Toasty asked:
I have a folder shared out via Samba, and a Docker container which I would like to give access to said folder by adding it as a volume to the Docker container (yes, I know that’s not portable).
SELinux blocks the container from accessing the folder since the folder and its contents are labeled as samba_share_t, not svirt_sandbox_file_t.
I know that the smbd_t domain has access to a number of SELinux labels (e.g. httpd_sys_content_t, though sesearch -s smbd_t --allow provides a full list), but svirt_sandbox_file_t is not one of them.
I see a few ways around this problem:
- Access the samba share from the container over the network (not desirable as that requires samba to be installed in the container, and there’s network overhead)
- Relabel the folder and its contents as svirt_sandbox_file_t (which prevents Samba from accessing the folder)
- Relabel the folder and its contents as public_content_rw_t (but that also gives access to a number of other services which I don’t want to have access to this folder)
- Create a policy to give svirt_lxc_net_t access to the samba_share_t label (generated by audit2allow, but that gives any container access to any file/folder labeled as samba_share_t)
The other option I can think of is to create my own SELinux role with its own label that gives access only to Samba and svirt (which I haven’t done before, but am willing to try).
Am I missing something here? Is there an easier way to do this?
My answer:
You should be able to set the appropriate SELinux boolean, virt_sandbox_use_samba.
setsebool -P virt_sandbox_use_samba 1
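A pre-flight check for this setup, added here as an example and not part of the original answer: it confirms the boolean is on and the directory still carries samba_share_t, and flags a :Z/:z volume option, which would relabel the share to svirt_sandbox_file_t and lock Samba out, exactly the side effect the question wanted to avoid. It assumes GNU stat (the %C context format) and the standard getsebool tool; the input-parsing helpers are separated from the live wrapper so they can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Server Fault post): pre-flight check before
# bind-mounting a Samba share into a container with virt_sandbox_use_samba.

# Extract "on"/"off" from a getsebool line such as
# "virt_sandbox_use_samba --> on" (last whitespace-separated word).
bool_state() {
    printf '%s\n' "${1##* }"
}

# Extract the SELinux type (third colon-separated field) from a context
# such as "unconfined_u:object_r:samba_share_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Evaluate one mount: boolean must be on, the directory must still be
# samba_share_t, and the -v spec must not carry :Z/:z (Docker would then
# relabel the tree to svirt_sandbox_file_t and Samba would lose access).
# Prints each problem found; returns 0 when the mount is fine, 1 otherwise.
check_mount() {
    state=$1; ctx=$2; mountspec=$3
    ok=0
    [ "$(bool_state "$state")" = on ] || {
        echo "virt_sandbox_use_samba is off: run setsebool -P virt_sandbox_use_samba 1"
        ok=1
    }
    [ "$(context_type "$ctx")" = samba_share_t ] || {
        echo "directory is not labeled samba_share_t (got $(context_type "$ctx"))"
        ok=1
    }
    case $mountspec in
        *:[Zz]|*:[Zz],*|*,[Zz]|*,[Zz],*)
            echo "drop the :Z/:z option; it relabels the share to svirt_sandbox_file_t"
            ok=1 ;;
    esac
    return $ok
}

# Live check against the running system: $1 is the share path on the host,
# $2 the full -v argument you intend to pass to docker run.
preflight() {
    check_mount "$(getsebool virt_sandbox_use_samba)" "$(stat -c %C "$1")" "$2"
}
```

Run it as `preflight /srv/share /srv/share:/data` before starting the container; a non-zero exit means one of the three conditions above is not met.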
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.