spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

selinux issues on RHEL/Centos 7 #316

Open pgera opened 4 years ago

pgera commented 4 years ago

I made some progress in getting this to run, but ran into some selinux issues. Most of them are related to volume mounts in docker. For files under /matrix, they can be worked around by adding "Z" to the mount options. For example,

-                       -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \
+                       -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro,Z \
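Review bot: `Z` gives `{{ matrix_mxisd_config_path }}` a private MCS label tied to this one container, so if the same host directory is also bind-mounted into another container or read by a host process, that other reader is locked out after the relabel; for a config directory mounted `:ro` the shared `z` option is the safer default, with `Z` reserved for data only this container touches. Either option rewrites the SELinux context of the host path itself, which is why the same trick is not an option for system files such as `/etc/passwd`.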

I had to make similar changes in other places. However, the postgres case is more problematic since it mounts /etc/passwd in the container. There doesn't seem to be a way to resolve that cleanly as adding "Z" there is not recommended and would break other stuff.

Other selinux issues stem from choice of port numbers if you use an external nginx server. 8448 is fine as it is unclaimed; so it can be worked around with semanage port -a -t http_port_t -p tcp 8448. 8765 is used for something else. So I changed that to 8766 followed by semanage.

Is this expected, or are others using this with selinux disabled/permissive?
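The port problem above (8448 free, 8765 already claimed by another type) can be checked before touching policy. The following is an added example, not part of the playbook or of this thread: a small POSIX sh helper that parses a listing in `semanage port -l` format and decides whether `semanage port -a` is needed, nothing is needed, or the port is already owned by another type (in which case choosing a different port, as was done with 8766, is safer than `-m`). The `example_svc_port_t` type and the listing are constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Decide what SELinux port change a service port needs, using a listing in
# 'semanage port -l' format. Prints one of: "add", "ok", "conflict <type>".
# Catch-all types (unreserved_port_t and friends) are treated as free, since
# 'semanage port -a' succeeds for ports that only fall into those ranges.
selinux_port_plan() {
  port=$1 proto=$2 want=$3
  listing=${4:-$(semanage port -l)}   # pass a listing as $4 to stay offline
  printf '%s\n' "$listing" | awk -v port="$port" -v proto="$proto" -v want="$want" '
    $2 == proto && $1 !~ /^(hi_reserved|reserved|unreserved|ephemeral)_port_t$/ {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)                               # "80," -> "80"
        lo = p; hi = p
        if (split(p, r, "-") == 2) { lo = r[1]; hi = r[2] }   # "1024-32767"
        if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { found = $1; exit }
      }
    }
    END {
      if (found == "")        print "add"
      else if (found == want) print "ok"
      else                    print "conflict " found
    }'
}

# Turn the plan into the command an admin would run, or a warning.
# Relabelling a port another type already owns (-m) changes what that other
# service may bind, so the conflict case suggests picking a different port.
semanage_port_cmd() {
  plan=$(selinux_port_plan "$1" "$2" "$3" "$4")
  case "$plan" in
    add)       echo "semanage port -a -t $3 -p $2 $1" ;;
    ok)        echo "# $1/$2 is already labelled $3" ;;
    conflict*) echo "# WARNING: $1/$2 is labelled ${plan#conflict } by policy;" \
                    "choose another port or, knowingly, run: semanage port -m -t $3 -p $2 $1" ;;
  esac
}

# Constructed sample in 'semanage port -l' format; not output from a real host.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
example_svc_port_t             tcp      8765
unreserved_port_t              tcp      1024-32767, 61001-65535'

semanage_port_cmd 8448 tcp http_port_t "$SAMPLE_PORT_LIST"
semanage_port_cmd 8765 tcp http_port_t "$SAMPLE_PORT_LIST"
```

Run on a real host, omit the fourth argument so the function reads the live `semanage port -l` output.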

spantaleev commented 4 years ago

Thanks for your research! We don't target running under SELinux, because it's rather complicated, as you've found out.

Still, if someone is willing to do the work of figuring out these issues and fixing them (either in the playbook or upstream), I would be happy to merge such changes!

pgera commented 4 years ago

Is there an alternative to mounting /etc/passwd? I think that is the only blocking thing in a basic setup.

spantaleev commented 4 years ago

Perhaps running Postgres as root and letting it drop privileges by itself, instead of trying to force it to run as a regular user?

That's not ideal though... I wonder if there's a better way

pgera commented 4 years ago

The other approach is to write a policy that allows the container to read /etc/passwd. Dan Walsh (Red Hat) has this post which has some background and context: https://danwalsh.livejournal.com/79597.html