Running Cassandra through Docker, but I couldn't solve the problem of it failing to find csql...
No time and can't be bothered right now, so I did setenforce 0 and will come back to it another time..
[링크 : https://github.com/instaclustr/cassandra-docker]
+
2019.03.22
Looking into it, this is the error that shows up:
type=AVC msg=audit(1553061777.728:1930): avc: denied { open } for pid=23358 comm="python" path="/cql/create-keyspace.cql" dev="dm-0" ino=35212277 scontext=system_u:system_r:container_t:s0:c203,c1009 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
How am I supposed to fix this....
For now, checking the context with ll -alZ gives the following,
which is identical to the tcontext in the denial.
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 cql/create-keyspace.cql
Checking on CentOS 7, I don't see anything called container_t; do I have to label it with a different name..
# cat /etc/selinux/targeted/contexts/lxc_contexts
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
[링크 : https://prefetch.net/blog/2017/09/30/using-docker-volumes-on-selinux-enabled-servers/]
While searching I think I came across something like this..
# chcon -Rt svirt_sandbox_file_t /var/db
[링크 : https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/]
+
2019.04.29
If a file is labeled svirt_sandbox_file_t, then by default all containers can read it. But if the containers write into a directory that has svirt_sandbox_file_t ownership, they write using their own category (which in this case is "c186,c641"). If you start the same container twice, it will get a new category the second time (a different category than it had the first time). The category system isolates containers from one another.
[링크 : https://access.redhat.com/.../docker_selinux_security_policy]
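As an added example (my own, not code from this post or from the linked projects), a small POSIX sh script that picks apart an AVC denial line in the format quoted above and prints the container's type and MCS categories (the per-container categories the Red Hat quote describes), the denied permission, and the label of the file it was denied on. The sample line is constructed after the one in the post, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): pick apart an SELinux AVC denial
# so the pieces that decide the fix are visible at a glance: the denied
# permission, the container's type and MCS categories, the target file and
# its label, and whether the denial was enforced or only logged (permissive=1).

# Constructed sample, modelled on the audit.log line quoted in the post.
SAMPLE='type=AVC msg=audit(1553061777.728:1930): avc: denied { open } for pid=23358 comm="python" path="/cql/create-keyspace.cql" dev="dm-0" ino=35212277 scontext=system_u:system_r:container_t:s0:c203,c1009 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission set listed inside { ... }
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# se_type CONTEXT -> the type (third field) of a context such as
# system_u:system_r:container_t:s0:c203,c1009
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# se_categories CONTEXT -> the MCS categories (fifth field), empty if none
se_categories() {
    printf '%s\n' "$1" | cut -d: -f5
}

# avc_explain LINE -> one-line summary of who was denied what on which file
avc_explain() {
    _perms=$(avc_perms "$1")
    _src=$(avc_field "$1" scontext)
    _tgt=$(avc_field "$1" tcontext)
    _path=$(avc_field "$1" path)
    _cls=$(avc_field "$1" tclass)
    if [ "$(avc_field "$1" permissive)" = 1 ]; then _mode=logged-only; else _mode=enforced; fi
    printf '%s (categories %s) denied %s on %s %s labelled %s [%s]\n' \
        "$(se_type "$_src")" "$(se_categories "$_src")" "$_perms" \
        "$_cls" "$_path" "$(se_type "$_tgt")" "$_mode"
}

avc_explain "$SAMPLE"
```

For the sample line this prints that container_t (categories c203,c1009) was denied open on a file labelled admin_home_t, which is exactly the label ll -alZ showed above and the reason a relabel such as the chcon line is needed.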