
docker - How to get Promtail to read audit.log on Fedora workstation 41 with SELinux enabled? - Stack Overflow


I've been trying to get Promtail, running in a container using podman, to read my audit log files so that I can forward them to Loki and visualize them in Grafana. The issue I am stuck with is that while the directory is mounted and showing in the container environment, I cannot get access to it. Trying to cat out the contents will return access denied.

I suspect that the issue has to do with SELinux (my poor understanding of it).

When running the podman container I've been using the following command:

podman run --security-opt label=type:container_t \
 --name promtail --network loki-network \
 -d -v $(pwd):/mnt/config:z  \
 -v /var/log:/mnt/log:ro \
 grafana/promtail:3.3.2 -config.file=/mnt/config/promtail-config.yaml

And this gets the container up and running with the config and with the log file directory mounted in the container.

I then try to run podman exec promtail ls /mnt/log/audit/ and I get cannot open directory, permission denied error.

I've also tried to run the container as root, just to see, both by specifying the user flag with the value root and 0. Same result as previously.

The next steps I have tried have involved attempting to create a new SELinux policy that will grant container_t access to read the contents of the directory and the contents of the files within the directory.

In an attempt to get the SELinux labels that are set on the directory and the files I ran an ls command: sudo ls -Z /var/log/audit/audit.log. The output of this command was as expected: system_u:object_r:auditd_log_t:s0 /var/log/audit/audit.log.

And I also verified that the container ran under the default container_t value both as a process and as part of the podman information using these two commands:

ps -eZ | grep promtail
podman inspect --format '{{ .ProcessLabel }}' promtail

The output of these commands was also as expected:

system_u:system_r:container_t:s0:c10,c73 380953 ? 00:00:00 promtail
system_u:system_r:container_t:s0:c10,c73

The latest iteration of that policy is as follows:

module promtail_audit_log_reader 1.0;

require {
    type auditd_log_t;
    type container_t;
    class dir { getattr search open };
    class file { getattr read open };
}

# Allow Promtail container access to /var/log/audit/
allow container_t auditd_log_t:dir { getattr search open };
allow container_t auditd_log_t:file { getattr read open };

And this has been compiled and applied using the following set of commands:

checkmodule -M -m -o promtail_audit_log_reader.mod promtail_audit_log_reader.te
semodule_package -o promtail_audit_log_reader.pp -m promtail_audit_log_reader.mod
sudo semodule -i promtail_audit_log_reader.pp 

Stopping and removing the container before running it again yielded no different result than the first time. I was expecting it to be able to cat out the contents of the log files.

How can I give access to the Promtail container so that it can read the log files?
