Open pgera opened 5 years ago
Thanks for your research! We don't target running under SELinux, because it's rather complicated, as you've found out.
Still, if someone is willing to do the work of figuring out these issues and fixing them (either in the playbook or upstream), I would be happy to merge such changes!
Is there an alternative to mounting /etc/passwd ? I think that is the only blocking thing in a basic setup.
Perhaps running Postgres as root and letting it drop privileges by itself, instead of trying to force it to run as a regular user?
That's not ideal though... I wonder if there's a better way.
The other approach is to write a policy that allows the container to read /etc/passwd. Dan Walsh (Red Hat) has this post which has some background and context: https://danwalsh.livejournal.com/79597.html
I made some progress in getting this to run, but ran into some SELinux issues. Most of them are related to volume mounts in Docker. For files under /matrix, they can be worked around by adding "Z" to the mount options. For example,
I had to make similar changes in other places. However, the Postgres case is more problematic since it mounts /etc/passwd in the container. There doesn't seem to be a way to resolve that cleanly, as adding "Z" there is not recommended and would break other stuff.
Other SELinux issues stem from the choice of port numbers if you use an external nginx server. 8448 is fine as it is unclaimed, so it can be worked around with semanage port -a -t http_port_t -p tcp 8448. 8765 is used for something else, so I changed that to 8766 followed by semanage.
Is this expected, or are others using this with SELinux disabled/permissive?
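As an added example (not code from the issue or from the playbook), a small POSIX shell audit of the bind-mount pattern discussed above: it reports mounts under /matrix that lack the z/Z relabel option, and separately reports a z/Z placed on a host system path such as /etc/passwd, which is the relabelling the thread warns against. The verdict names and the list of protected host paths are assumptions made for this example.

```shell
#!/bin/sh
# Constructed example: classify Docker bind-mount specs for SELinux relabelling.
# A spec is HOST_PATH:CONTAINER_PATH[:opts]; opts may contain z or Z, which tells
# Docker to rewrite the SELinux label of the *host* path.

# Host paths whose labels must never be rewritten by a container mount (assumed list).
SYSTEM_PATHS="/etc /usr /var/lib /proc /sys"

is_system_path() {
  for p in $SYSTEM_PATHS; do
    case "$1" in
      "$p"|"$p"/*) return 0 ;;
    esac
  done
  return 1
}

# classify_mount SPEC -> named-volume | ok | missing-relabel | unsafe-relabel | needs-policy
classify_mount() {
  host=${1%%:*}
  case "$host" in
    /*) ;;
    *) echo named-volume; return 0 ;;   # Docker labels named volumes itself
  esac
  rest=${1#*:}
  opts=""
  case "$rest" in *:*) opts=${rest#*:} ;; esac
  has_relabel=0
  for o in $(printf '%s' "$opts" | tr ',' ' '); do   # options are comma separated
    case "$o" in z|Z) has_relabel=1 ;; esac
  done
  if is_system_path "$host"; then
    # A relabel here breaks the host; without one, SELinux denies access unless a policy allows it.
    if [ "$has_relabel" -eq 1 ]; then echo unsafe-relabel; else echo needs-policy; fi
  elif [ "$has_relabel" -eq 1 ]; then
    echo ok
  else
    echo missing-relabel
  fi
}

# audit_mounts: read one spec per line on stdin, print "<verdict> <spec>", exit 1 on any problem.
audit_mounts() {
  status=0
  while IFS= read -r spec; do
    [ -z "$spec" ] && continue
    v=$(classify_mount "$spec")
    printf '%s %s\n' "$v" "$spec"
    case "$v" in ok|named-volume) ;; *) status=1 ;; esac
  done
  return $status
}
```

Feed it the volume lines from a compose file or `docker run` invocation, e.g. `printf '%s\n' /matrix/synapse:/data:Z /etc/passwd:/etc/passwd:ro | audit_mounts`.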