puppetlabs-toy-chest / lumogon

Get a complete picture of what your applications are made of *without* changing how you currently build and run containers. Just run and report.

SELinux support #35

Open jboero opened 7 years ago

jboero commented 7 years ago

No error and no output with setenforce=1 SELinux on Fedora 25. Anybody else had success with SELinux? Targeted/enforcing mode.

jboero commented 7 years ago

Note @johnmccabe has pointed out this works in enforcing SELinux with the --privileged flag.

johnmccabe commented 7 years ago

Thanks @jboero, we'll update the docs - regarding the lack of communication in the event of failure there's some work ongoing to address that at the moment (off the back of the API version mismatch updates).

johnmccabe commented 7 years ago

@jboero if you get a chance can you share the output you get with the --debug flag also set

johnmccabe commented 7 years ago

nvm, set it up here

[root@t7ad0yz0nuk83h6 ~]# docker run --rm  -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon scan --debug
[lumogon] 2017/06/07 15:03:13.716271 [Analytics] Initializing Google Analytics: scan
[lumogon] 2017/06/07 15:03:13.716319 [Docker Adapter] Creating container runtime client: Docker
[lumogon] 2017/06/07 15:03:13.717037 [Scheduler] Creating scheduler
[lumogon] 2017/06/07 15:03:13.717075 [Docker Adapter] Creating container runtime client: Docker
[lumogon] 2017/06/07 15:03:13.717081 [Scheduler] Running
[lumogon] 2017/06/07 15:03:13.717100 [Scheduler] Creating context with timeout [60]
[lumogon] 2017/06/07 15:03:13.717349 [Analytics] Submitting event to Google Analytics
[lumogon] 2017/06/07 15:03:13.718508 [Docker Adapter] Error listing running containers: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied
[lumogon] 2017/06/07 15:03:13.718537 [Targets] Unable to list containers, error: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied
Unable to normalise target containers: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.27/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied.
Exiting...
[root@t7ad0yz0nuk83h6 ~]# docker run --rm  -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon version
Client:
 Version:      20170524205424-0.2.0-27-ge10ec0d
 Git commit:   e10ec0df4c031da28e3972915ffd868731af4ce6
 Built:        2017-05-24 08:54:24 UTC

todd-a-jacobs commented 6 years ago

For whatever it's worth, SELinux bind mounts with Docker often work by appending the poorly-documented :z option to the target. However, -v /var/run/docker.sock:/var/run/docker.sock:z also doesn't work. Lumogon exits silently, and even turning on scan --debug results in a lack of useful information. In my case, on RHEL 7.4 with SELinux I don't even get a "permission denied" error.
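The thread shows two distinct symptoms: a clear "permission denied" on the daemon socket under Fedora (which --privileged papers over), and a silent exit on RHEL 7.4 where even :z on the bind mount does not help. The script below is an added example, not lumogon's own code and not something posted in this issue. It triages both cases from the --debug log and from SELinux audit records, and prints a scan command that uses Docker's documented `--security-opt label=disable` (which lifts SELinux label confinement for that one container while keeping the capability and seccomp defaults that --privileged also drops). Assumptions of mine, not confirmed by the thread: that dockerd runs in the container_runtime_t domain (docker_t on older policies) and the scanner in container_t, that the audit records come from `ausearch -m AVC -ts recent`, that the container process is named `lumogon` in those records, that `label=disable` is sufficient for the connect, and all sample log and audit lines, which are constructed to match the format of the output above.

```shell
#!/bin/sh
# Added example, not part of lumogon or of this issue thread.
# Triage a lumogon run that fails or exits silently on an SELinux-enforcing
# host, then print a scan command that relaxes only SELinux confinement.
# Assumptions: dockerd runs as container_runtime_t (docker_t on older
# policies), the scanner as container_t, and the audit records come from
# `ausearch -m AVC -ts recent` with comm="lumogon".

LUMOGON_IMAGE=puppet/lumogon
DOCKER_SOCK=/var/run/docker.sock

# Classify a lumogon --debug log read on stdin:
#   socket-denied  the scanner could not open the daemon socket (Fedora case)
#   error          some other error line was logged
#   no-diagnostic  nothing useful was logged (the RHEL 7.4 silent-exit case)
classify_lumogon_log() {
    log=$(cat)
    case "$log" in
        *"permission denied while trying to connect to the Docker daemon socket"*)
            echo socket-denied ;;
        *"Error "*|*"error:"*) echo error ;;
        *) echo no-diagnostic ;;
    esac
}

# From audit records on stdin, print the kinds of SELinux denial seen, sorted
# and space-separated:
#   sock_file   write on the socket inode; this is all a :z relabel can fix
#   connectto   connect to dockerd's unix_stream_socket; the target here is
#               the daemon's process domain, not the inode, so relabelling
#               the mount with :z does nothing for it
avc_denials() {
    awk '
        /avc: *denied/ {
            if ($0 ~ /connectto/ && $0 ~ /tclass=unix_stream_socket/) k = "connectto"
            else if ($0 ~ / write / && $0 ~ /tclass=sock_file/)       k = "sock_file"
            else next
            if (!seen[k]++) print k
        }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Build the scan command for the observed denials. Any SELinux denial gets
# label=disable (assumed sufficient; it runs only this container unconfined
# by SELinux) rather than --privileged, which also drops capability bounding,
# seccomp and device restrictions the scanner does not need.
lumogon_scan_cmd() {
    case " $1 " in
        *" connectto "*|*" sock_file "*)
            echo "docker run --rm --security-opt label=disable -v $DOCKER_SOCK:$DOCKER_SOCK $LUMOGON_IMAGE scan" ;;
        *)
            echo "docker run --rm -v $DOCKER_SOCK:$DOCKER_SOCK $LUMOGON_IMAGE scan" ;;
    esac
}

# Live triage on a real host (needs root for ausearch; not used by the tests).
diagnose_host() {
    command -v getenforce >/dev/null 2>&1 && printf 'SELinux mode: %s\n' "$(getenforce)"
    if command -v ausearch >/dev/null 2>&1; then
        denials=$(ausearch -m AVC -ts recent 2>/dev/null | grep 'comm="lumogon"' | avc_denials)
        printf 'denials: %s\n' "${denials:-none}"
        printf 'next: %s\n' "$(lumogon_scan_cmd "$denials")"
    fi
}

# Constructed samples in the format of the thread's --debug output and of
# ausearch AVC records; not captured from a real host.
SAMPLE_DEBUG_LOG='[lumogon] 2017/06/07 15:03:13.718508 [Docker Adapter] Error listing running containers: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: dial unix /var/run/docker.sock: connect: permission denied
Exiting...'
SAMPLE_AVC='type=AVC msg=audit(1496847793.718:1234): avc:  denied  { write } for  pid=4242 comm="lumogon" name="docker.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1496847793.719:1235): avc:  denied  { connectto } for  pid=4242 comm="lumogon" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0'

# Offline demonstration of the three steps.
printf 'log class: %s\n' "$(printf '%s\n' "$SAMPLE_DEBUG_LOG" | classify_lumogon_log)"
denials=$(printf '%s\n' "$SAMPLE_AVC" | avc_denials)
printf 'denials:   %s\n' "$denials"
printf 'next:      %s\n' "$(lumogon_scan_cmd "$denials")"
```

On the silent RHEL case, `classify_lumogon_log` reports `no-diagnostic`; the audit log is then the only source of information, and a `connectto` denial there is the sign that a mount relabel cannot be the fix. Run `diagnose_host` as root on the affected machine to see the live values.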