Docker, SELinux, Consul, Registrator

Wednesday, 04. 29. 2015  –  Category: sw

Dear Google,

On RHEL / CentOS, SELinux can get in the way of setting up a progrium/consul / gliderlabs/registrator network:

  • consul needs somewhere to store persistent state on the host, and SELinux won’t allow the container to write to arbitrary locations
  • registrator needs access to /var/run/docker.sock to monitor container events

The first is easy: label whatever host directory you're bind-mounting as consul's /data with svirt_sandbox_file_t, which is the type SELinux allows containers to write to:

# chcon -Rt svirt_sandbox_file_t /var/lib/consul

The second needs a custom SELinux policy module, and the policycoreutils-python RPM for the tools to compile and package it:

# cat > docker-socket.te <<EOT
module docker-socket 1.0;

require {
        type docker_var_run_t;
        type docker_t;
        type svirt_lxc_net_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t docker_t:unix_stream_socket connectto;
allow svirt_lxc_net_t docker_var_run_t:sock_file write;
EOT

# checkmodule -M -m -o docker-socket.mod docker-socket.te
# semodule_package -m docker-socket.mod -o docker-socket.pp
# semodule -i docker-socket.pp
