factoriotools / factorio-docker

Factorio headless server in a Docker container
https://hub.docker.com/r/factoriotools/factorio/
MIT License

Container Fails with SELinux Enabled on CentOS 7 #97

Closed seifer44 closed 6 years ago

seifer44 commented 6 years ago

I'm having trouble with trying to get this container to run with SELinux enabled on my CentOS 7 machine.

I'm attempting to have my save files under /var/lib/docker/persistent-volumes/factorio.

[root@seifer-server ~]# ls -laZ /var/lib/docker/persistent-volumes/factorio/
drwxr-xr-x.  845  845 system_u:object_r:container_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:container_var_lib_t:s0 ..
[root@seifer-server ~]# audit2allow -i /tmp/tmp.txt

#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t container_var_lib_t:dir create;
allow svirt_lxc_net_t container_var_lib_t:file { create open read rename setattr write };

I created a custom SELinux module with those attributes above from audit2allow. These were captured when SELinux was in Permissive mode, and a new container was started with a fresh persistent volume.

When SELinux is re-enabled, the container fails to start. Here is a fresh container, with the persistent directory empty:

+ set -e
+ id
uid=845(factorio) gid=845(factorio)
+ SAVES=/factorio/saves
+ CONFIG=/factorio/config
+ mkdir -p /factorio/saves
+ mkdir -p /factorio/mods
+ mkdir -p /factorio/config
+ [ ! -f /factorio/config/rconpw ]
+ pwgen 15 1
+ echo ow9Rai8eil7iboh
+ [ ! -f /factorio/config/server-settings.json ]
+ cp /opt/factorio/data/server-settings.example.json /factorio/config/server-settings.json
+ [ ! -f /factorio/config/map-gen-settings.json ]
+ cp /opt/factorio/data/map-gen-settings.example.json /factorio/config/map-gen-settings.json
+ [ ! -f /factorio/config/map-settings.json ]
+ cp /opt/factorio/data/map-settings.example.json /factorio/config/map-settings.json
+ find -L /factorio/saves -iname *.zip -mindepth 1 -print
+ grep -q .
+ /opt/factorio/bin/x64/factorio --create /factorio/saves/_autosave1.zip --map-gen-settings /factorio/config/map-gen-settings.json --map-settings /factorio/config/map-settings.json
   0.000 2017-12-20 04:41:46; Factorio 0.16.6 (build 34439, linux64, headless)
   0.000 Operating system: Linux
   0.000 Program arguments: "/opt/factorio/bin/x64/factorio" "--create" "/factorio/saves/_autosave1.zip" "--map-gen-settings" "/factorio/config/map-gen-settings.json" "--map-settings" "/factorio/config/map-settings.json"
   0.000 Read data path: /opt/factorio/data
   0.000 Write data path: /opt/factorio [10054/10222MB]
   0.001 Binaries path: /opt/factorio/bin
   0.067 System info: [CPU: AMD A6-3650 APU with Radeon(tm) HD Graphics, 4 cores, RAM: 15374MB]
   0.087 Running in headless mode
   0.158 Loading mod core 0.0.0 (data.lua)
   0.260 Loading mod base 0.16.6 (data.lua)
   0.794 Loading mod base 0.16.6 (data-updates.lua)
   0.895 Checksum for core: 1649222139
   0.895 Checksum of base: 1679652734
   1.346 Info PlayerData.cpp:67: Local player-data.json unavailable
   1.346 Info PlayerData.cpp:72: Cloud player-data.json unavailable
   1.397 Custom inputs active: 0
   1.410 Factorio initialised
   1.411 Info Main.cpp:758: Creating new map /factorio/saves/_autosave1.zip
   6.668 Info BlueprintLibrary.cpp:53: Loaded external blueprint storage: playerIndex = 65535, nextRecordID = 0; timestamp = 0; records:
   6.669 Info BlueprintLibrary.cpp:53: Loaded external blueprint storage: playerIndex = 65535, nextRecordID = 0; timestamp = 0; records:
   6.995 Loading Level.dat: 814242 bytes.
   6.997 Info Scenario.cpp:135: Map version 0.16.6-0
   7.080 Info BlueprintLibrary.cpp:232: Loaded library shelves:
   7.080 Info BlueprintLibrary.cpp:798: Game shelf: playerIndex = 65535, nextRecordID = 0; timestamp = 0; records:
   7.082 Info BlueprintLibrary.cpp:53: Loaded external blueprint storage: playerIndex = 65535, nextRecordID = 0; timestamp = 0; records:
   7.105 Checksum for script /opt/factorio/temp/currently-playing/control.lua: 2309010108
Done.
   7.370 Info GlobalContext.cpp:661: Waiting for child processes to exit:
   7.401 Goodbye
+ cat /factorio/config/rconpw
+ exec /opt/factorio/bin/x64/factorio --port 34197 --start-server-load-latest --server-settings /factorio/config/server-settings.json --server-whitelist /factorio/config/server-whitelist.json --server-banlist /factorio/config/server-banlist.json --rcon-port 27015 --rcon-password ow9Rai8eil7iboh --server-id /factorio/config/server-id.json
   0.000 2017-12-20 04:41:54; Factorio 0.16.6 (build 34439, linux64, headless)
   0.000 Operating system: Linux
   0.000 Program arguments: "/opt/factorio/bin/x64/factorio" "--port" "34197" "--start-server-load-latest" "--server-settings" "/factorio/config/server-settings.json" "--server-whitelist" "/factorio/config/server-whitelist.json" "--server-banlist" "/factorio/config/server-banlist.json" "--rcon-port" "27015" "--rcon-password" "ow9Rai8eil7iboh" "--server-id" "/factorio/config/server-id.json"
   0.000 Read data path: /opt/factorio/data
   0.000 Write data path: /opt/factorio [10054/10222MB]
   0.000 Binaries path: /opt/factorio/bin
   0.032 System info: [CPU: AMD A6-3650 APU with Radeon(tm) HD Graphics, 4 cores, RAM: 15374MB]
   0.032 Running in headless mode
   0.036 Error Util.cpp:49: filesystem error: status: Permission denied [/factorio/mods/mod-list.json]
+ set -e
+ id
uid=845(factorio) gid=845(factorio)
+ SAVES=/factorio/saves
+ CONFIG=/factorio/config
+ mkdir -p /factorio/saves
+ mkdir -p /factorio/mods
+ mkdir -p /factorio/config
+ [ ! -f /factorio/config/rconpw ]
+ pwgen 15 1
+ echo imaax6aiNiex4ud
+ [ ! -f /factorio/config/server-settings.json ]
+ cp /opt/factorio/data/server-settings.example.json /factorio/config/server-settings.json
cp: can't stat '/factorio/config/server-settings.json': Permission denied
+ set -e
+ id
uid=845(factorio) gid=845(factorio)
+ SAVES=/factorio/saves
+ CONFIG=/factorio/config
+ mkdir -p /factorio/saves
+ mkdir -p /factorio/mods
+ mkdir -p /factorio/config
+ [ ! -f /factorio/config/rconpw ]
+ pwgen 15 1
+ echo rias8ieNa9Shoh3
+ [ ! -f /factorio/config/server-settings.json ]
+ cp /opt/factorio/data/server-settings.example.json /factorio/config/server-settings.json
cp: can't stat '/factorio/config/server-settings.json': Permission denied
+ set -e
+ id
+ SAVES=/factorio/saves
+ CONFIG=/factorio/config
+ mkdir -p /factorio/saves
+ mkdir -p /factorio/mods
+ mkdir -p /factorio/config
+ [ ! -f /factorio/config/rconpw ]
uid=845(factorio) gid=845(factorio)
+ pwgen 15 1
+ echo onie5Fier1Gohp6
+ [ ! -f /factorio/config/server-settings.json ]
+ cp /opt/factorio/data/server-settings.example.json /factorio/config/server-settings.json
cp: can't stat '/factorio/config/server-settings.json': Permission denied
+ set -e
+ id
+ SAVES=/factorio/saves
+ CONFIG=/factorio/config
+ mkdir -p /factorio/saves
uid=845(factorio) gid=845(factorio)
+ mkdir -p /factorio/mods
+ mkdir -p /factorio/config
+ [ ! -f /factorio/config/rconpw ]
+ pwgen 15 1
+ echo uz8aighoeQueih9
+ [ ! -f /factorio/config/server-settings.json ]
+ cp /opt/factorio/data/server-settings.example.json /factorio/config/server-settings.json
cp: can't stat '/factorio/config/server-settings.json': Permission denied
+ set -e
+ id
+ SAVES=/factorio/saves
+ CONFIG=/factorio/config
+ mkdir -p /factorio/saves
uid=845(factorio) gid=845(factorio)
+ mkdir -p /factorio/mods
+ mkdir -p /factorio/config
+ [ ! -f /factorio/config/rconpw ]
+ pwgen 15 1
+ echo uNg1eCh9rophieN
+ [ ! -f /factorio/config/server-settings.json ]
+ cp /opt/factorio/data/server-settings.example.json /factorio/config/server-settings.json
cp: can't stat '/factorio/config/server-settings.json': Permission denied

However, the files are actually present.

[root@seifer-server persistent-volumes]# ls -lah factorio/
total 0
drwxr-xr-x. 5  845  845  45 Dec 19 21:41 .
drwxr-xr-x. 3 root root  22 Dec 18 19:05 ..
drwxr-xr-x. 2  845  845 102 Dec 19 21:41 config
drwxr-xr-x. 2  845  845  27 Dec 19 21:41 mods
drwxr-xr-x. 2  845  845  28 Dec 19 21:41 saves

I'm not sure what the issue is with accessing the files after it creates them. I'm currently running an up-to-date host with Docker version 1.12.6, build ec8512b/1.12.6.

dtandersen commented 6 years ago

Unfortunately I'm not that familiar with SELinux. Did you try to mount with :Z?

https://stackoverflow.com/questions/24288616/permission-denied-on-accessing-host-directory-in-docker

seifer44 commented 6 years ago

Never mind. I had the wrong context set on the file. You want to use svirt_sandbox_file_t.

semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/docker/persistent-volumes(/.*)?'

I'd highly recommend getting familiar with using SELinux. It's a frustrating juggle to permission stuff out sometimes, but it's great for adding a strong layer of security to your stuff.

EDIT: It looks like that's in your Stack Overflow thread.

dtandersen commented 6 years ago

Sounded like :Z adds the rules automatically.
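The label check behind both fixes in this thread (the semanage fcontext rule and the :Z mount flag), as an added example that is not part of factorio-docker: it reads the SELinux type out of an `ls -dZ` line, reports whether a confined container domain may write the directory, and prints the two remedies. The writable type list (svirt_sandbox_file_t and its newer name container_file_t) and the sample `ls -Z` lines are assumptions constructed from the labels shown in the report.

```shell
#!/bin/sh
# Added example, not part of factorio-docker: check whether the SELinux type on a
# host directory lets a confined container write to it, and print the fix.
# Input is an `ls -dZ <dir>` line; the samples are constructed from this issue.

# Types that confined container domains (svirt_lxc_net_t, later container_t) may
# read and write. Any other type, e.g. container_var_lib_t (Docker's own storage),
# is denied even when owner, mode bits and the container uid all match.
WRITABLE_TYPES="svirt_sandbox_file_t container_file_t"

# selinux_type "LS_Z_LINE": print the type field of the security context
# ("system_u:object_r:container_var_lib_t:s0" -> container_var_lib_t).
selinux_type() {
    for field in $1; do
        case "$field" in
            *:*:*:*) printf '%s\n' "$field" | cut -d: -f3; return 0 ;;
        esac
    done
    return 1
}

# container_writable "TYPE": succeed if a confined container may write it.
container_writable() {
    for t in $WRITABLE_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# check_volume "DIR" "LS_Z_LINE": print OK, or the label problem plus both
# remedies: a persistent fcontext rule applied with restorecon, or the :Z mount
# flag, which relabels the path with a per-container MCS label automatically.
check_volume() {
    ctx_type=$(selinux_type "$2") || { echo "no SELinux context found on $1"; return 2; }
    if container_writable "$ctx_type"; then
        echo "OK: $1 is $ctx_type"
        return 0
    fi
    echo "DENIED: $1 is $ctx_type; confined containers cannot write it. Fix with either:"
    echo "  semanage fcontext -a -t svirt_sandbox_file_t '$1(/.*)?' && restorecon -Rv '$1'"
    echo "  or mount it with: docker run -v $1:/factorio:Z ..."
    return 1
}

# Constructed samples: the label from the report, and the directory after relabelling.
BAD="drwxr-xr-x.  845  845 system_u:object_r:container_var_lib_t:s0 ."
GOOD="drwxr-xr-x.  845  845 system_u:object_r:svirt_sandbox_file_t:s0 ."
check_volume /var/lib/docker/persistent-volumes/factorio "$BAD" || true  # expected: DENIED
check_volume /var/lib/docker/persistent-volumes/factorio "$GOOD"
```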