[Gluster-users] selinux context

Ryan Eschinger ryanesc at gmail.com
Wed Nov 25 20:22:16 UTC 2015


We are trying to use GlusterFS storage for volumes mounted in Docker
containers on CentOS 7 with SELinux enforcing. By default, I get
`Permission denied` errors when trying to write to a mounted volume:

```
sudo docker run -it --rm -v /mnt/container-volumes/:/log/:rw ubuntu bash -c 'echo date >> /log/volume-test.log'
bash: /log/volume-test.log: Permission denied
```

I thought we might be able to address this by changing the SELinux context
on the GlusterFS directory (see
http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/),
but we get the following errors:

```
$ sudo chcon -Rt svirt_sandbox_file_t /mnt/container-volumes/
chcon: failed to change context of ‘internal_op’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
chcon: failed to change context of ‘.trashcan’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
chcon: failed to change context of ‘/mnt/container-volumes/’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported
```

Note that the `:z` Docker volume option also generates the same error:

```
sudo docker run -it --rm -v /mnt/container-volumes/:/log/:z ubuntu bash -c 'echo date >> /log/volume-test.log'
Error response from daemon: operation not supported
```

Next, I tried setting the context on the GlusterFS mount:

```
$ sudo mount -t glusterfs fs.glusterfs.service.consul:/container-volumes /mnt/container-volumes -o context="system_u:object_r:svirt_sandbox_file_t:s0"
Invalid option: context
```

This looks similar to the question asked in
http://www.gluster.org/pipermail/gluster-users.old/2015-January/020014.html
but it was never answered.

I looked around in the docs and on the mailing list archives but couldn't
find a way to solve this. Does anyone know how we can configure GlusterFS
so that we can change the SELinux context? Is this supported? Am I missing
any steps? Is there any other way of tackling this problem (short of
setting SELinux to permissive mode)?

I'd appreciate any help! Let me know if there is any other information I
could provide.

CentOS Linux release 7.1.1503
glusterfs 3.7.6

(For the full context, you can see this issue:
https://github.com/CiscoCloud/microservices-infrastructure/issues/867#issuecomment-159689603
)

Thanks!
Ryan