Hi,
I recently deployed 2 CoreOS servers, one for Bitwarden and one for Harbor; both require docker-compose to run. What I did was add one disk to each VM and mount it under /var/lib/bitwarden_data and /var/lib/harbor_data respectively. After that I set the context equivalent to /var/lib/containers and relabelled with restorecon like this:
semanage fcontext -a -e /var/lib/containers /var/lib/bitwarden_data
restorecon -Rv /var/lib/bitwarden_data
The label works, all fine, but when I start the containers with docker-compose I get AVCs:
From the Bitwarden box:
Jan 11 10:38:28 bitwarden.c.rock-data-109319.internal audit[3403]: AVC avc: denied { write } for pid=3403 comm="certbot" name="letsencrypt" dev="sdb1" ino=263 scontext=system_u:system_r:container_t:s0:c188,c1008 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3690]: AVC avc: denied { write } for pid=3690 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3691]: AVC avc: denied { write } for pid=3691 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3693]: AVC avc: denied { write } for pid=3693 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3694]: AVC avc: denied { write } for pid=3694 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3695]: AVC avc: denied { write } for pid=3695 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:41:20 bitwarden.c.rock-data-109319.internal kernel: audit: type=2313 audit(1641897680.261:407): pid=876 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jan 11 10:41:20 bitwarden.c.rock-data-109319.internal audit[876]: USER_MAC_STATUS pid=876 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { write } for pid=3851 comm="certbot" name="letsencrypt" dev="sdb1" ino=263 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { add_name } for pid=3851 comm="certbot" name="logs" scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { create } for pid=3851 comm="certbot" name="logs" scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { write } for pid=3851 comm="certbot" name="logs" dev="sdb1" ino=264 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { add_name } for pid=3851 comm="certbot" name=".certbot.lock" scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { create } for pid=3851 comm="certbot" name=".certbot.lock" scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { write open } for pid=3851 comm="certbot" path="/etc/letsencrypt/logs/.certbot.lock" dev="sdb1" ino=265 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { lock } for pid=3851 comm="certbot" path="/etc/letsencrypt/logs/.certbot.lock" dev="sdb1" ino=265 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { append } for pid=3851 comm="certbot" path="/etc/letsencrypt/logs/letsencrypt.log" dev="sdb1" ino=266 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { ioctl } for pid=3851 comm="certbot" path="/etc/letsencrypt/logs/letsencrypt.log" dev="sdb1" ino=266 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { remove_name } for pid=3851 comm="certbot" name="letsencrypt.log" dev="sdb1" ino=266 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { rename } for pid=3851 comm="certbot" name="letsencrypt.log" dev="sdb1" ino=266 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { read } for pid=3851 comm="certbot" name="directory" dev="sdb1" ino=275 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:27 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc: denied { read } for pid=3851 comm="certbot" path="/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/9a04c837519b8fe4e6d1c3356c7dd113/private_key.json" dev="sdb1" ino=277 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
From the Harbor box:
Jan 17 04:21:51 harbor-internal.c.rock-data-109319.internal audit[101404]: AVC avc: denied { read } for pid=101404 comm="harbor_registry" name="config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:51 harbor-internal.c.rock-data-109319.internal audit[101404]: AVC avc: denied { open } for pid=101404 comm="harbor_registry" path="/etc/registryctl/config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:57 harbor-internal.c.rock-data-109319.internal audit[101446]: AVC avc: denied { read } for pid=101446 comm="harbor_core" name="app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:57 harbor-internal.c.rock-data-109319.internal audit[101446]: AVC avc: denied { open } for pid=101446 comm="harbor_core" path="/etc/core/app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:58 harbor-internal.c.rock-data-109319.internal audit[101629]: AVC avc: denied { read } for pid=101629 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:58 harbor-internal.c.rock-data-109319.internal audit[101629]: AVC avc: denied { open } for pid=101629 comm="harbor_jobservi" path="/etc/jobservice/config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:22:20 harbor-internal.c.rock-data-109319.internal audit[101950]: AVC avc: denied { write } for pid=101950 comm="traefik" name="docker.sock" dev="tmpfs" ino=1094 scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=1
Jan 17 04:22:20 harbor-internal.c.rock-data-109319.internal audit[101950]: AVC avc: denied { connectto } for pid=101950 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal audit[119240]: AVC avc: denied { read } for pid=119240 comm="logrotate" name="logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642395662.233:10172): avc: denied { read } for pid=119240 comm="logrotate" name="logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642395662.233:10172): avc: denied { open } for pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642395662.233:10173): avc: denied { lock } for pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal audit[119240]: AVC avc: denied { open } for pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal audit[119240]: AVC avc: denied { lock } for pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal audit[119240]: AVC avc: denied { map } for pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal audit[150532]: AVC avc: denied { read } for pid=150532 comm="logrotate" name="logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal audit[150532]: AVC avc: denied { open } for pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal audit[150532]: AVC avc: denied { lock } for pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal audit[150532]: AVC avc: denied { map } for pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399261.353:10369): avc: denied { read } for pid=150532 comm="logrotate" name="logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399261.353:10369): avc: denied { open } for pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399261.353:10370): avc: denied { lock } for pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:08:47 harbor-internal.c.rock-data-109319.internal audit[101950]: AVC avc: denied { write } for pid=101950 comm="traefik" name="docker.sock" dev="tmpfs" ino=1094 scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=1
Jan 17 06:11:48 harbor-internal.c.rock-data-109319.internal audit[4318]: AVC avc: denied { read } for pid=4318 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:11:55 harbor-internal.c.rock-data-109319.internal audit[4706]: AVC avc: denied { read } for pid=4706 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:11:56 harbor-internal.c.rock-data-109319.internal audit[5042]: AVC avc: denied { read } for pid=5042 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:11:57 harbor-internal.c.rock-data-109319.internal audit[5303]: AVC avc: denied { read } for pid=5303 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:11:59 harbor-internal.c.rock-data-109319.internal audit[5595]: AVC avc: denied { read } for pid=5595 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:12:11 harbor-internal.c.rock-data-109319.internal audit[854]: USER_MAC_STATUS pid=854 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jan 17 06:12:11 harbor-internal.c.rock-data-109319.internal kernel: audit: type=2313 audit(1642399931.029:864): pid=854 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jan 17 06:12:11 harbor-internal.c.rock-data-109319.internal audit[6213]: AVC avc: denied { read } for pid=6213 comm="rsyslogd" name="rsyslog_docker.conf" dev="sdb1" ino=109186 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:11 harbor-internal.c.rock-data-109319.internal audit[6213]: AVC avc: denied { open } for pid=6213 comm="rsyslogd" path="/etc/rsyslog.d/rsyslog_docker.conf" dev="sdb1" ino=109186 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:18 harbor-internal.c.rock-data-109319.internal audit[6380]: AVC avc: denied { read } for pid=6380 comm="nginx" name="nginx.conf" dev="sdb1" ino=109184 scontext=system_u:system_r:container_t:s0:c741,c946 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:18 harbor-internal.c.rock-data-109319.internal audit[6380]: AVC avc: denied { open } for pid=6380 comm="nginx" path="/etc/nginx/nginx.conf" dev="sdb1" ino=109184 scontext=system_u:system_r:container_t:s0:c741,c946 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:23 harbor-internal.c.rock-data-109319.internal audit[6672]: AVC avc: denied { read } for pid=6672 comm="harbor_registry" name="config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:23 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399943.154:968): avc: denied { read } for pid=6672 comm="harbor_registry" name="config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:23 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399943.154:968): avc: denied { open } for pid=6672 comm="harbor_registry" path="/etc/registryctl/config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:23 harbor-internal.c.rock-data-109319.internal audit[6672]: AVC avc: denied { open } for pid=6672 comm="harbor_registry" path="/etc/registryctl/config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:26 harbor-internal.c.rock-data-109319.internal audit[6872]: AVC avc: denied { read } for pid=6872 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:26 harbor-internal.c.rock-data-109319.internal audit[6872]: AVC avc: denied { open } for pid=6872 comm="harbor_jobservi" path="/etc/jobservice/config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:27 harbor-internal.c.rock-data-109319.internal audit[6724]: AVC avc: denied { read } for pid=6724 comm="harbor_core" name="app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:27 harbor-internal.c.rock-data-109319.internal audit[6724]: AVC avc: denied { open } for pid=6724 comm="harbor_core" path="/etc/core/app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:38 harbor-internal.c.rock-data-109319.internal audit[7147]: AVC avc: denied { write } for pid=7147 comm="traefik" name="docker.sock" dev="tmpfs" ino=1063 scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=1
Jan 17 06:12:38 harbor-internal.c.rock-data-109319.internal audit[7147]: AVC avc: denied { connectto } for pid=7147 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
As I need these boxes to work, I have temporarily set SELinux to permissive. docker-compose was installed with rpm-ostree from the official repos. Any ideas?
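As an added example (not part of the original post, and not Bitwarden's or Harbor's code), the script below parses journal lines in the AVC format shown above and maps each group of denials to the usual container-SELinux fix. The point it encodes: an equivalence rule to /var/lib/containers gives the mount the labels the container runtime uses for its own storage (container_var_lib_t), which a confined container (container_t) is not allowed to read, and the other labels the disk picked up (var_lib_t, cert_t) are no better; data handed to containers needs container_file_t, which is what the :z / :Z volume options apply. The traefik denials are a different case: nothing in the container_t policy allows connecting to the Docker socket, so that one service has to run with label=disable (and then effectively has root on the host). The sample journal lines are constructed, and <HOST_MOUNT> is a placeholder for the real host path.

```python
"""Triage SELinux AVC denials from containers started by docker-compose.

Added example, not from the original post. Nothing here runs semanage for
you; it only groups the denials and prints the matching remediation.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the post's journal output (not copied from a live box).
SAMPLE_JOURNAL = """\
Jan 11 10:39:08 bw audit[3690]: AVC avc: denied { write } for pid=3690 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:41:27 bw audit[3851]: AVC avc: denied { read } for pid=3851 comm="certbot" path="/etc/letsencrypt/accounts/private_key.json" dev="sdb1" ino=277 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 17 06:12:23 hb audit[6672]: AVC avc: denied { read } for pid=6672 comm="harbor_registry" path="/etc/registryctl/config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:27 hb audit[6724]: AVC avc: denied { read open } for pid=6724 comm="harbor_core" path="/etc/core/app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:38 hb audit[7147]: AVC avc: denied { connectto } for pid=7147 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
Jan 17 06:12:11 hb audit[854]: USER_MAC_STATUS pid=854 uid=81 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}
# Host labels a confined container (container_t) may use by default.
CONTAINER_LABELS = {"container_file_t", "container_ro_file_t"}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other journal line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw in KV_RE.findall(m.group("rest")):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    sctx = fields["scontext"].split(":")
    tctx = fields["tcontext"].split(":")
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "target": fields.get("path") or fields.get("name", "?"),
        "stype": sctx[2],
        "categories": ":".join(sctx[3:]),  # e.g. "s0:c143,c671": one random pair per container
        "ttype": tctx[2],
        "tclass": fields["tclass"],
        "enforcing": fields.get("permissive") == "0",
    }


def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "targets": set(), "categories": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["targets"].add(rec["target"])
        g["categories"].add(rec["categories"])
    return dict(groups)


def recommend(groups):
    """Map each group to the standard container-SELinux fix as (group, kind, fix)."""
    out = []
    for key, g in sorted(groups.items()):
        stype, ttype, tclass = key
        if stype == "container_t" and tclass in FILE_CLASSES and ttype not in CONTAINER_LABELS:
            # The bind mount carries a host label (var_lib_t, cert_t, container_var_lib_t, ...)
            # the container_t policy never grants. :Z relabels with this container's MCS
            # categories; if more than one category set touched the data, it is shared
            # between containers and :Z would lock the others out, so prefer :z.
            opt = ":z" if len(g["categories"]) > 1 else ":Z"
            fix = (f"relabel the host path behind {sorted(g['targets'])} container_file_t: "
                   f"add {opt} to that volume in docker-compose.yml, or persistently "
                   'semanage fcontext -a -t container_file_t "<HOST_MOUNT>(/.*)?" '
                   "&& restorecon -Rv <HOST_MOUNT>")
            kind = "relabel"
        elif stype == "container_t" and tclass == "unix_stream_socket" and ttype == "container_runtime_t":
            # Talking to docker.sock is never allowed for container_t; that service must run
            # unconfined, and anything holding the socket is root on the host in practice.
            fix = (f"{sorted(g['comms'])} needs the Docker socket: set "
                   'security_opt: ["label=disable"] on that service only')
            kind = "docker_socket"
        else:
            fix = "no canned fix; run the lines through audit2why"
            kind = "unknown"
        out.append((key, kind, fix))
    return out


if __name__ == "__main__":
    for key, kind, fix in recommend(summarize(SAMPLE_JOURNAL.splitlines())):
        print(f"{key[0]} -> {key[1]} ({key[2]}): [{kind}] {fix}")
```

Feed it `journalctl -k -o cat | grep 'avc: denied'` (or the ausearch output) instead of the constructed sample. Two practical notes: a `chcon -t container_file_t` on the mount is undone by the next `restorecon`, which is why the persistent form is a `semanage fcontext` rule; and the equivalence rule added earlier should be dropped first (`semanage fcontext -d -e /var/lib/containers /var/lib/bitwarden_data`), otherwise the two rules compete for the same path.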