Docker-compose containers get AVC on FCOS

adathor · January 17, 2022, 8:50am

Hi,

Recently deployed 2 CoreOS servers for Bitwarden and Harbor., both requires docker-compose to run. What I did is that I added 1-1 disk to each VM, mount the disk under /var/lib/bitwarden_dataand /var/lib/harbor_data. Following that I set the context from /var/lib/containers and relabel with restorecon like this:

semanage fcontext -a -e /var/lib/containers /var/lib/bitwarden_data 
restorecon -Rv /var/lib/bitwarden_data

The label works, all fine, but when I start the containers with docker-compose I get AVCs:
From the Bitwarden box:

Jan 11 10:38:28 bitwarden.c.rock-data-109319.internal audit[3403]: AVC avc:  denied  { write } for  pid=3403 comm="certbot" name="letsencrypt" dev="sdb1" ino=263 scontext=system_u:system_r:container_t:s0:c188,c1008 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3690]: AVC avc:  denied  { write } for  pid=3690 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3691]: AVC avc:  denied  { write } for  pid=3691 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3693]: AVC avc:  denied  { write } for  pid=3693 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3694]: AVC avc:  denied  { write } for  pid=3694 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:39:08 bitwarden.c.rock-data-109319.internal audit[3695]: AVC avc:  denied  { write } for  pid=3695 comm="mkdir" name="bwdata" dev="sdb1" ino=258 scontext=system_u:system_r:container_t:s0:c143,c671 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Jan 11 10:41:20 bitwarden.c.rock-data-109319.internal kernel: audit: type=2313 audit(1641897680.261:407): pid=876 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jan 11 10:41:20 bitwarden.c.rock-data-109319.internal audit[876]: USER_MAC_STATUS pid=876 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { write } for  pid=3851 comm="certbot" name="letsencrypt" dev="sdb1" ino=263 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { add_name } for  pid=3851 comm="certbot" name="logs" scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { create } for  pid=3851 comm="certbot" name="logs" scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { write } for  pid=3851 comm="certbot" name="logs" dev="sdb1" ino=264 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { add_name } for  pid=3851 comm="certbot" name=".certbot.lock" scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { create } for  pid=3851 comm="certbot" name=".certbot.lock" scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { write open } for  pid=3851 comm="certbot" path="/etc/letsencrypt/logs/.certbot.lock" dev="sdb1" ino=265 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { lock } for  pid=3851 comm="certbot" path="/etc/letsencrypt/logs/.certbot.lock" dev="sdb1" ino=265 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { append } for  pid=3851 comm="certbot" path="/etc/letsencrypt/logs/letsencrypt.log" dev="sdb1" ino=266 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { ioctl } for  pid=3851 comm="certbot" path="/etc/letsencrypt/logs/letsencrypt.log" dev="sdb1" ino=266 ioctlcmd=0x5413 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { remove_name } for  pid=3851 comm="certbot" name="letsencrypt.log" dev="sdb1" ino=266 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { rename } for  pid=3851 comm="certbot" name="letsencrypt.log" dev="sdb1" ino=266 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Jan 11 10:41:26 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { read } for  pid=3851 comm="certbot" name="directory" dev="sdb1" ino=275 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Jan 11 10:41:27 bitwarden.c.rock-data-109319.internal audit[3851]: AVC avc:  denied  { read } for  pid=3851 comm="certbot" path="/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/9a04c837519b8fe4e6d1c3356c7dd113/private_key.json" dev="sdb1" ino=277 scontext=system_u:system_r:container_t:s0:c615,c889 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

From the Harbor box:

Jan 17 04:21:51 harbor-internal.c.rock-data-109319.internal audit[101404]: AVC avc:  denied  { read } for  pid=101404 comm="harbor_registry" name="config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:51 harbor-internal.c.rock-data-109319.internal audit[101404]: AVC avc:  denied  { open } for  pid=101404 comm="harbor_registry" path="/etc/registryctl/config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:57 harbor-internal.c.rock-data-109319.internal audit[101446]: AVC avc:  denied  { read } for  pid=101446 comm="harbor_core" name="app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:57 harbor-internal.c.rock-data-109319.internal audit[101446]: AVC avc:  denied  { open } for  pid=101446 comm="harbor_core" path="/etc/core/app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:58 harbor-internal.c.rock-data-109319.internal audit[101629]: AVC avc:  denied  { read } for  pid=101629 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:21:58 harbor-internal.c.rock-data-109319.internal audit[101629]: AVC avc:  denied  { open } for  pid=101629 comm="harbor_jobservi" path="/etc/jobservice/config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 04:22:20 harbor-internal.c.rock-data-109319.internal audit[101950]: AVC avc:  denied  { write } for  pid=101950 comm="traefik" name="docker.sock" dev="tmpfs" ino=1094 scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=1
Jan 17 04:22:20 harbor-internal.c.rock-data-109319.internal audit[101950]: AVC avc:  denied  { connectto } for  pid=101950 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal audit[119240]: AVC avc:  denied  { read } for  pid=119240 comm="logrotate" name="logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642395662.233:10172): avc:  denied  { read } for  pid=119240 comm="logrotate" name="logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642395662.233:10172): avc:  denied  { open } for  pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642395662.233:10173): avc:  denied  { lock } for  pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal audit[119240]: AVC avc:  denied  { open } for  pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal audit[119240]: AVC avc:  denied  { lock } for  pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 05:01:02 harbor-internal.c.rock-data-109319.internal audit[119240]: AVC avc:  denied  { map } for  pid=119240 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal audit[150532]: AVC avc:  denied  { read } for  pid=150532 comm="logrotate" name="logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal audit[150532]: AVC avc:  denied  { open } for  pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal audit[150532]: AVC avc:  denied  { lock } for  pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal audit[150532]: AVC avc:  denied  { map } for  pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399261.353:10369): avc:  denied  { read } for  pid=150532 comm="logrotate" name="logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399261.353:10369): avc:  denied  { open } for  pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:01:01 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399261.353:10370): avc:  denied  { lock } for  pid=150532 comm="logrotate" path="/etc/logrotate.d/logrotate.conf" dev="sdb1" ino=109185 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:08:47 harbor-internal.c.rock-data-109319.internal audit[101950]: AVC avc:  denied  { write } for  pid=101950 comm="traefik" name="docker.sock" dev="tmpfs" ino=1094 scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=1
Jan 17 06:11:48 harbor-internal.c.rock-data-109319.internal audit[4318]: AVC avc:  denied  { read } for  pid=4318 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:11:55 harbor-internal.c.rock-data-109319.internal audit[4706]: AVC avc:  denied  { read } for  pid=4706 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:11:56 harbor-internal.c.rock-data-109319.internal audit[5042]: AVC avc:  denied  { read } for  pid=5042 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:11:57 harbor-internal.c.rock-data-109319.internal audit[5303]: AVC avc:  denied  { read } for  pid=5303 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:11:59 harbor-internal.c.rock-data-109319.internal audit[5595]: AVC avc:  denied  { read } for  pid=5595 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Jan 17 06:12:11 harbor-internal.c.rock-data-109319.internal audit[854]: USER_MAC_STATUS pid=854 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jan 17 06:12:11 harbor-internal.c.rock-data-109319.internal kernel: audit: type=2313 audit(1642399931.029:864): pid=854 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Jan 17 06:12:11 harbor-internal.c.rock-data-109319.internal audit[6213]: AVC avc:  denied  { read } for  pid=6213 comm="rsyslogd" name="rsyslog_docker.conf" dev="sdb1" ino=109186 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:11 harbor-internal.c.rock-data-109319.internal audit[6213]: AVC avc:  denied  { open } for  pid=6213 comm="rsyslogd" path="/etc/rsyslog.d/rsyslog_docker.conf" dev="sdb1" ino=109186 scontext=system_u:system_r:container_t:s0:c405,c474 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:18 harbor-internal.c.rock-data-109319.internal audit[6380]: AVC avc:  denied  { read } for  pid=6380 comm="nginx" name="nginx.conf" dev="sdb1" ino=109184 scontext=system_u:system_r:container_t:s0:c741,c946 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:18 harbor-internal.c.rock-data-109319.internal audit[6380]: AVC avc:  denied  { open } for  pid=6380 comm="nginx" path="/etc/nginx/nginx.conf" dev="sdb1" ino=109184 scontext=system_u:system_r:container_t:s0:c741,c946 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:23 harbor-internal.c.rock-data-109319.internal audit[6672]: AVC avc:  denied  { read } for  pid=6672 comm="harbor_registry" name="config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:23 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399943.154:968): avc:  denied  { read } for  pid=6672 comm="harbor_registry" name="config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:23 harbor-internal.c.rock-data-109319.internal kernel: audit: type=1400 audit(1642399943.154:968): avc:  denied  { open } for  pid=6672 comm="harbor_registry" path="/etc/registryctl/config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:23 harbor-internal.c.rock-data-109319.internal audit[6672]: AVC avc:  denied  { open } for  pid=6672 comm="harbor_registry" path="/etc/registryctl/config.yml" dev="sdb1" ino=109193 scontext=system_u:system_r:container_t:s0:c308,c572 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:26 harbor-internal.c.rock-data-109319.internal audit[6872]: AVC avc:  denied  { read } for  pid=6872 comm="harbor_jobservi" name="config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:26 harbor-internal.c.rock-data-109319.internal audit[6872]: AVC avc:  denied  { open } for  pid=6872 comm="harbor_jobservi" path="/etc/jobservice/config.yml" dev="sdb1" ino=109196 scontext=system_u:system_r:container_t:s0:c329,c954 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:27 harbor-internal.c.rock-data-109319.internal audit[6724]: AVC avc:  denied  { read } for  pid=6724 comm="harbor_core" name="app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:27 harbor-internal.c.rock-data-109319.internal audit[6724]: AVC avc:  denied  { open } for  pid=6724 comm="harbor_core" path="/etc/core/app.conf" dev="sdb1" ino=109189 scontext=system_u:system_r:container_t:s0:c228,c650 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
Jan 17 06:12:38 harbor-internal.c.rock-data-109319.internal audit[7147]: AVC avc:  denied  { write } for  pid=7147 comm="traefik" name="docker.sock" dev="tmpfs" ino=1063 scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=1
Jan 17 06:12:38 harbor-internal.c.rock-data-109319.internal audit[7147]: AVC avc:  denied  { connectto } for  pid=7147 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c13,c191 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1

As I need these boxes to work temporarily I set SELinux to permissive. Installed docker-compose with rpm-ostree from official repos. Any ideas?

adathor · January 17, 2022, 9:30am

Meh… solved by configuring the SELinux label in docker-compose for the volumes… for example:

services:
  mssql:
    image: bitwarden/mssql:1.45.2
    container_name: bitwarden-mssql
    restart: always
    stop_grace_period: 60s
    volumes:
      - ../mssql/data:/var/opt/mssql/data:z
      - ../logs/mssql:/var/opt/mssql/log:z
      - ../mssql/backups:/etc/bitwarden/mssql/backups:z
    env_file:
      - mssql.env
      - ../env/uid.env
      - ../env/mssql.override.env

And with that I continue to hate docker…