
[infra] Add SELinux Option to Docker Volume Mount #10382

Closed
wants to merge 2 commits into from

Conversation

@0x34d (Contributor) commented May 24, 2023

This PR updates the Docker volume mount command to use the :z option, necessary for systems with SELinux in enforcing mode, like Fedora, CentOS, and RHEL. The :z option assigns a SELinux context that allows multiple containers to access the volume. This change does not affect systems where SELinux is not enabled, such as most Debian and Ubuntu systems.

Written by: ChatGPT-4

Fixes #10352

This PR adds the `:Z` option to the Docker volume mount in the command. This is necessary on systems where Security-Enhanced Linux (SELinux) is in enforcing mode, which includes Fedora, CentOS, and Red Hat Enterprise Linux (RHEL).

SELinux adds an additional layer of access controls on top of the standard Linux permission checks. When a Docker volume is mounted, if the correct SELinux context is not assigned to the volume, the Docker container may not be able to access the files as expected, leading to permission denied errors. The `:Z` option automatically assigns the correct SELinux context to the volume, allowing the Docker container to access the files.

Please note that the `:Z` option is ignored on systems where SELinux is not enabled, including most Debian and Ubuntu systems, so this change should not adversely affect Docker commands on these systems.
@0x34d (Contributor, Author) commented May 26, 2023

Just an update.

When :z is used, I don't need to change the SELinux permissions all the time for every option. However, when :Z is used, I find myself needing to adjust the SELinux permissions constantly with Docker.

Here are the commands I'm using:
Note: Up until now, nothing has been changed.

python infra/helper.py build_image unit
python infra/helper.py build_fuzzers unit --engine libfuzzer --sanitizer address
python infra/helper.py check_build unit --engine libfuzzer --sanitizer address

When changes occur with :z in _check_fuzzer_exists, reproduce functions also work:

python infra/helper.py run_fuzzer    unit --engine libfuzzer --sanitizer address Fuzz_http
python infra/helper.py reproduce     unit Fuzz_http build/out/unit/crash-a7c9c6f807b20089754c3f70ccb93eff328020ce

However, when changes are made with :Z in _check_fuzzer_exists, reproduce does not work:

python infra/helper.py run_fuzzer    unit --engine libfuzzer --sanitizer address Fuzz_http
python infra/helper.py reproduce     unit Fuzz_http build/out/unit/crash-a7c9c6f807b20089754c3f70ccb93eff328020ce

ERROR:__main__:unit does not seem to exist. Please run build_fuzzers first.
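The PR description and the follow-up comment both turn on the difference between the two label options Docker accepts on a bind mount. As documented by Docker, `:z` relabels the host directory with a shared SELinux content label so that any container can read and write it, while `:Z` relabels it with a private label carrying the mounting container's own MCS category, so a second container started later (for example the one that runs the `reproduce` step) is denied access even though the DAC permissions are unchanged. The snippet below is an added example written for this page; it is not code from oss-fuzz's `infra/helper.py`, and the function names are assumptions. It reads `/sys/fs/selinux/enforce` (absent on hosts without SELinux, present and containing `1` when enforcing) and appends the label option only when that is the case, which is the behaviour the PR description claims for non-SELinux hosts.

```python
"""Build docker '-v' mount specs that carry an SELinux label option only on
enforcing hosts.  Added example; not part of oss-fuzz.  The function names
(selinux_enforcing, volume_arg, docker_run_args) are assumptions."""
import os

# Standard selinuxfs location; reading "1" means enforcing, "0" permissive.
SELINUX_ENFORCE_FILE = "/sys/fs/selinux/enforce"


def selinux_enforcing(enforce_file=SELINUX_ENFORCE_FILE):
    """Return True when SELinux is loaded and in enforcing mode.

    Hosts without SELinux (most Debian/Ubuntu installs) have no selinuxfs at
    all, so the open() fails and we treat that as 'not enforcing'."""
    try:
        with open(enforce_file) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def volume_arg(host_path, container_path, shared=True, enforcing=None):
    """Return the string passed to 'docker run -v'.

    shared=True  -> ':z'  shared label: every container on the host can use
                          the directory, so build and reproduce steps in
                          separate containers both work.
    shared=False -> ':Z'  private label with a per-container MCS category:
                          only the container that mounted it can access the
                          files; a later container gets permission denied.
    On a host that is not enforcing, no option is added and the spec is the
    plain 'host:container' form."""
    if enforcing is None:
        enforcing = selinux_enforcing()
    spec = "%s:%s" % (os.path.abspath(host_path), container_path)
    if enforcing:
        spec += ":z" if shared else ":Z"
    return spec


def docker_run_args(image, mounts, enforcing=None, shared=True):
    """Assemble a 'docker run' argv from (host_dir, container_dir) pairs.

    Returned as a list so it can be handed to subprocess.run() without
    shell quoting concerns."""
    args = ["docker", "run", "--rm"]
    for host, cont in mounts:
        args += ["-v", volume_arg(host, cont, shared=shared, enforcing=enforcing)]
    args.append(image)
    return args


if __name__ == "__main__":
    # Constructed sample: what the build_fuzzers step would mount on an
    # enforcing host versus a host without SELinux.
    print(docker_run_args("gcr.io/oss-fuzz/unit", [("build/out/unit", "/out")],
                          enforcing=True))
    print(docker_run_args("gcr.io/oss-fuzz/unit", [("build/out/unit", "/out")],
                          enforcing=False))
```

Because the `reproduce` step runs in a different container than `build_fuzzers`, the shared form (`:z`) is the one that lets both containers see `build/out/unit`; the private form (`:Z`) is appropriate only when a single container is the sole consumer of the directory. After a `:Z` run, `ls -Z build/out/unit` on the host shows the `c<N>,c<M>` categories that the next container will not match.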

@0x34d 0x34d closed this May 26, 2023
@0x34d 0x34d deleted the fedora-support branch July 17, 2023 10:48
Linked issue (would be closed by merging this pull request): [infra] Support RPM-based distributions with SELinux enabled