Containers fail to start when using podman + SELinux #26

Closed
ftoppi opened this issue Mar 12, 2024 · 6 comments
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers

Comments

@ftoppi
Contributor

ftoppi commented Mar 12, 2024

Hello,

containers fail to start because SELinux prevents the process inside the container from changing files, and the following kind of message is present in audit.log:

type=AVC msg=audit(1710253700.452:2073): avc:  denied  { write } for  pid=28867 comm="supervisord" name="logs" dev="sda1" ino=3114063 scontext=system_u:system_r:container_t:s0:c664,c930 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0

The solution is to add the option "z" or "Z" to the mounts:

  • z: SELinux option indicating that the bind mount host content is shared among multiple containers.
  • Z: SELinux option indicating that the bind mount host content is private and unshared for other containers.

Source: https://docs.docker.com/compose/compose-file/05-services/#volumes

Patch:

diff --git a/docker-compose.yml b/docker-compose.yml
index 96cdde7..2367ed5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -24,7 +24,7 @@ services:
       - "MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-password}"
       - "MYSQL_DATABASE=${MYSQL_DATABASE:-misp}"
     volumes:
-      - mysql_data:/var/lib/mysql
+      - mysql_data:/var/lib/mysql:Z
     cap_add:
       - SYS_NICE  # CAP_SYS_NICE Prevent runaway mysql log
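Review bot: the `:Z` suffix on `mysql_data:/var/lib/mysql` is applied to a named volume, while the z/Z semantics quoted above from the compose documentation are described for bind-mounted host content; please confirm the relabel is actually needed for a volume Podman creates and manages itself (the AVC in the report is about a host directory, not this volume), or drop it from this hunk and keep the change to the bind mounts.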

@@ -52,11 +52,11 @@ services:
       - "80:80"
       - "443:443"
     volumes:
-      - "./configs/:/var/www/MISP/app/Config/"
-      - "./logs/:/var/www/MISP/app/tmp/logs/"
-      - "./files/:/var/www/MISP/app/files/"
-      - "./ssl/:/etc/nginx/certs/"
-      - "./gnupg/:/var/www/MISP/.gnupg/"
+      - "./configs/:/var/www/MISP/app/Config/:Z"
+      - "./logs/:/var/www/MISP/app/tmp/logs/:Z"
+      - "./files/:/var/www/MISP/app/files/:Z"
+      - "./ssl/:/etc/nginx/certs/:Z"
+      - "./gnupg/:/var/www/MISP/.gnupg/:Z"
       # customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
       # - "${CUSTOM_PATH}/:/custom/"
       # mount custom ca root certificates
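Review bot: `Z` marks each of these five host directories as private to a single container, so this hunk is only correct if no other service in docker-compose.yml bind-mounts the same host path (for example `./files/` or `./logs/` shared with a helper container); any directory that is shared should get the lowercase `z` from the option list above instead, otherwise the second container is denied with the same kind of AVC. The commented-out `${CUSTOM_PATH}/:/custom/` mount a few lines below is left without a suffix, so it would fail the same way once uncommented on an enforcing host; consider adding `:Z` there too so the template stays consistent.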
@ostefano
Collaborator

Thanks!

What happens if we use a docker-compose file with the Z option, and SELinux is not used?
In other words, would it make sense to merge this patch?

@ftoppi
Contributor Author

ftoppi commented Mar 12, 2024

To my knowledge, adding Z to mounts makes podman/docker add labels to the files. If SELinux is off, then those labels are ignored and it should not impact anything.

I tested the following scenarios (Rocky Linux 8.9) and the containers started well as a normal user.

  • SELinux OFF
  • SELinux OFF + option Z to mounts
  • SELinux ON + option Z to mounts

The only combination that fails is SELinux ON and no option Z to mounts.

Steps to reproduce:

  • install OS
  • yum install podman python3.11-pip
  • pip3 install podman-compose
  • git clone && edit .env
  • podman-compose up
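An added check that follows from the scenarios and the AVC quoted at the top of the issue (example code, not from the issue or the misp-docker project): it flags compose bind mounts that carry no `:z`/`:Z` option, the combination reported to fail on an enforcing host, and reduces an AVC denial line to the permission, source type and target type involved. The compose excerpt is constructed inline; the AVC line is a copy of the one in the report.

```shell
#!/bin/sh
# Added example, not from the issue or the misp-docker project: two shell checks
# for the SELinux failure discussed above. Sample inputs are constructed inline.

# Constructed compose excerpt covering the mount shapes seen in the patch:
# a named volume, an unlabeled bind mount, a relabeled one, and one with
# only a non-SELinux option.
COMPOSE_VOLUMES='      - mysql_data:/var/lib/mysql
      - "./configs/:/var/www/MISP/app/Config/"
      - "./logs/:/var/www/MISP/app/tmp/logs/:Z"
      - "./files/:/var/www/MISP/app/files/:ro"'

# Print the host path of every bind mount (./ or absolute) that carries no
# z/Z option. Named volumes are skipped: Podman labels those itself.
unlabeled_bind_mounts() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*-[[:space:]]*//' -e 's/"//g' |
    while IFS= read -r spec; do
        case "$spec" in
            ./*|/*) ;;          # host-path bind mount
            *) continue ;;      # named volume or blank line
        esac
        # Options are the third colon-separated field (possibly absent).
        opts=$(printf '%s' "$spec" | awk -F: '{ print (NF > 2 ? $3 : "") }')
        case ",$opts," in
            *,z,*|*,Z,*) ;;                     # already relabeled
            *) printf '%s\n' "${spec%%:*}" ;;   # needs :z or :Z
        esac
    done
}

# Copy of the denial quoted in the issue (only the fields below are used).
AVC_LINE='type=AVC msg=audit(1710253700.452:2073): avc:  denied  { write } for  pid=28867 comm="supervisord" name="logs" dev="sda1" ino=3114063 scontext=system_u:system_r:container_t:s0:c664,c930 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0'

# Reduce an AVC line to "<perm> <source type> -> <target type> (<class>)".
# A container_t source writing to a non-container type such as user_home_t
# is exactly the case the :z/:Z relabel fixes.
avc_summary() {
    perm=$(printf '%s' "$1" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p')
    stype=$(printf '%s' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    printf '%s %s -> %s (%s)\n' "$perm" "$stype" "$ttype" "$tclass"
}

unlabeled_bind_mounts "$COMPOSE_VOLUMES"
avc_summary "$AVC_LINE"
```

On a real host, feed it the `volumes:` entries of the compose file and lines from `ausearch -m AVC`; the checks only matter when SELinux is enforcing, which matches the one failing combination listed above.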

@ftoppi
Contributor Author

ftoppi commented Mar 12, 2024

Note that misp-core also fails to start as it cannot listen on ports 80 and 443 because I'm a normal user, but that's another issue :)
There are basically 2 ways to fix it: listen on other ports or allow non-root users to bind ports < 1024. This could be mentioned in the README.

@ostefano
Collaborator

I see. Feel free to open a PR including the "Z" options for the docker-compose file and a note in the readme mentioning this.

A few questions:

  • How are other projects dealing with this? Would we be the only ones adding the Z option by default?
  • What is the minimum version of Docker-compose needed for that option to be silently dropped when not used?

@ostefano ostefano added documentation Improvements or additions to documentation good first issue Good for newcomers labels Mar 24, 2024
@derfel1989

@ftoppi, would you mind sharing your deployment steps using Podman?

It would be good to have this documented, as MISP is focused on security, and Podman is safer than Docker.

Thank you in advance.

@ostefano
Collaborator

See here for a working setup #124

dgujarathi pushed a commit to dgujarathi/misp-docker that referenced this issue Oct 6, 2024
Changes:
* misp-modules targets py3.11, so use that base, + ninja + wheels groundwork
* slightly optimise local builder layer cache size
* pin libfaup to specific commit
* remove comment
* move libfaup_commit to template, get apios from pypi and let it decide validators version