Tuesday, December 2, 2025

OpenSUSE LeapMicro 6.2 and Traefik: Permission denied

Running the latest openSUSE LeapMicro 6.2 and suddenly seeing a lot of "Permission denied" errors in the Traefik logs? Initial searches may have you jumping through hoops with docker group changes and the like, but that won't fix it. LeapMicro 6.2 ships a stricter SELinux policy that no amount of user/group shenanigans will get around. Instead, do the following:

  • install a suitable SELinux policy
  • mount bind volumes with an SELinux label

That may sound daunting (and you probably should read up on the topic), but here is a straightforward step-by-step approach:

SELinux labels

Edit your docker-compose file (or docker run command) to mount /var/docker/docker.sock as "/var/docker/docker.sock:/var/docker/docker.sock:ro,Z". The trailing Z option makes the container runtime relabel the host path with the container's private SELinux context (use a lowercase z instead when several containers share the same mount).

  1. This may be for the Traefik container itself or for a docker socket proxy container (recommended)
  2. For Traefik's certificate management file mount you will need to do the same (e.g. "/opt/traefik/acme.json:/acme.json:Z")
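The mount syntax above, turned into a check you can run over a compose file. This is an added example, not code from the original post: it assumes a POSIX shell with awk, and the compose text embedded in it is constructed for the example (the socket-proxy service name and image are placeholders). It goes a little beyond the post by flagging and relabelling every unlabelled bind mount, not only the socket and acme.json.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a docker-compose file
# for bind mounts that lack the SELinux relabel option (z or Z) and add it.
# Under Leap Micro's enforcing policy an unlabelled bind mount is exactly
# what produces the "Permission denied" errors in the Traefik logs.
# The compose content below is constructed for this example; the
# socket-proxy service name and image are assumptions.

SAMPLE_COMPOSE='services:
  traefik:
    image: traefik:v3.0
    volumes:
      - "/var/docker/docker.sock:/var/docker/docker.sock:ro,Z"
      - "/opt/traefik/acme.json:/acme.json:Z"
      - "/opt/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
  socket-proxy:
    image: example/socket-proxy
    volumes:
      - /var/docker/docker.sock:/var/docker/docker.sock:ro
      - proxy-data:/data
volumes:
  proxy-data:'

# Read compose text on stdin and print each bind mount (host path starting
# with / or ./) whose option list carries neither z nor Z, one per line.
# Named volumes are skipped: they are not the mounts SELinux blocks here.
unlabelled_bind_mounts() {
  awk '
    {
      line = $0
      if (line !~ /^[[:space:]]*-[[:space:]]/) next        # not a list item
      sub(/^[[:space:]]*-[[:space:]]*/, "", line)
      gsub(/"/, "", line)
      if (line !~ /^\// && line !~ /^\.\//) next           # named volume
      n = split(line, part, ":")
      opts = (n >= 3) ? part[3] : ""
      if (opts !~ /(^|,)[zZ](,|$)/) print line
    }'
}

# Read compose text on stdin and write it back with ",Z" (or ":Z" when the
# entry had no options at all) appended to every unlabelled bind mount.
label_bind_mounts() {
  awk '
    {
      raw = $0; line = raw
      if (line ~ /^[[:space:]]*-[[:space:]]/) {
        sub(/^[[:space:]]*-[[:space:]]*/, "", line)
        gsub(/"/, "", line)
        if (line ~ /^\// || line ~ /^\.\//) {
          n = split(line, part, ":")
          opts = (n >= 3) ? part[3] : ""
          if (opts !~ /(^|,)[zZ](,|$)/) {
            suffix = (opts == "") ? ":Z" : ",Z"
            if (raw ~ /"[[:space:]]*$/) sub(/"[[:space:]]*$/, suffix "\"", raw)
            else sub(/[[:space:]]*$/, suffix, raw)
          }
        }
      }
      print raw
    }'
}

# Return 0 when every bind mount in the given compose text is labelled,
# 1 otherwise (the offending entries go to stderr).
check_compose() {
  bad=$(printf '%s\n' "$1" | unlabelled_bind_mounts)
  [ -z "$bad" ] && return 0
  printf 'bind mounts without z/Z label:\n%s\n' "$bad" >&2
  return 1
}

if check_compose "$SAMPLE_COMPOSE"; then
  echo "all bind mounts labelled"
else
  echo "--- relabelled compose ---"
  printf '%s\n' "$SAMPLE_COMPOSE" | label_bind_mounts
fi
```

To use it on a real deployment, feed the file instead of the sample: `unlabelled_bind_mounts < docker-compose.yml` lists what still needs a label, and `label_bind_mounts < docker-compose.yml > fixed.yml` writes the relabelled copy. The checker only looks at the host-path side of each entry, so a bind mount written in the long `type: bind` form is not detected by it.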

SELinux policy

1. Start a clean LeapMicro instance

2. Temporarily set SELinux to Permissive mode (this will cause audit logs to be created, but no blocking will take place)

setenforce 0

3. Proceed to install the necessary packages, etc. (e.g. docker, docker-compose)

4. Copy across your deployment file (e.g. docker-compose.yml)

5. Start the container(s) (e.g. docker compose up -d, or docker run -d ...)

6. Test everything is running correctly

7. View the related audit logs that were generated (if using a socket proxy, the -c parameter might not be "traefik")

ausearch -c traefik --raw

8. Convert the SELinux audit logs to an allow policy:

ausearch -c traefik --raw | audit2allow -M traefik_allow

9. Install the policy

semodule -i traefik_allow.pp

10. Re-enable Enforcing mode

setenforce 1

11. Restart your containers and verify they are working well.

12. Reduce/automate

  • copy the traefik_allow.pp file to import the policy on other servers
  • if the traefik_allow.pp file is no longer present, export the module into a file that can be copied off: semodule --cil -E traefik_allow
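The audit-to-policy steps above as shell helpers, added here as an example and not code from the original post. The audit lines embedded in it are constructed to look like `ausearch --raw` output; the PIDs, timestamps, SELinux contexts and the "socket-proxy" process name are assumptions, not real captures. The two parsing functions run offline on that sample and answer the question step 7 raises (which -c value to use); the two policy functions wrap steps 8 and 9 with the tool checks a script needs and are meant to run on the Leap Micro host as root.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the
# audit-to-policy workflow. The audit lines below are constructed to look
# like `ausearch --raw` output; PIDs, timestamps, SELinux contexts and the
# "socket-proxy" process name are assumptions, not real captures.

SAMPLE_AUDIT='type=AVC msg=audit(1764600000.101:301): avc:  denied  { connectto } for  pid=4242 comm="traefik" path="/var/docker/docker.sock" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1764600000.205:302): avc:  denied  { write } for  pid=4242 comm="traefik" name="acme.json" dev="vda3" ino=262144 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:container_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1764600000.205:302): arch=c000003e syscall=257 success=yes exit=9 ppid=4200 pid=4242 comm="traefik" exe="/usr/local/bin/traefik"
type=AVC msg=audit(1764600001.010:303): avc:  denied  { connectto } for  pid=4310 comm="socket-proxy" path="/var/docker/docker.sock" scontext=system_u:system_r:container_t:s0:c56,c78 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=1'

# Print each distinct process name (comm=) that produced an AVC denial.
# This is the value to hand to `ausearch -c`; with a socket proxy in front
# of the Docker socket it is often not "traefik".
denied_comm_names() {
  sed -n 's/.*avc: *denied .*comm="\([^"]*\)".*/\1/p' | sort -u
}

# Print "comm tclass permission" for every denial, deduplicated, so the
# rules audit2allow is about to generate can be eyeballed first.
denied_summary() {
  awk '/avc: +denied/ {
      perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
      comm = $0; sub(/.*comm="/, "", comm);        sub(/".*/, "", comm)
      cls  = $0; sub(/.*tclass=/, "", cls);        sub(/ .*/, "", cls)
      print comm, cls, perm
    }' | sort -u
}

# Steps 8 and 9 of the post with tool checks. Runs on the Leap Micro host as
# root; writes <module>.te and <module>.pp into the current directory and
# prints the .te so it can be reviewed before anything is installed.
build_policy_module() {   # $1 = comm name, $2 = module name
  for tool in ausearch audit2allow semodule; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 2; }
  done
  ausearch -c "$1" --raw | audit2allow -M "$2" || return 1
  echo "generated $2.te (review before installing):"
  cat "$2.te"
}

install_policy_module() {  # $1 = module name
  semodule -i "$1.pp" && semodule -l | grep -q "^$1"
}

# Offline demonstration on the constructed sample:
echo "processes with denials:"
printf '%s\n' "$SAMPLE_AUDIT" | denied_comm_names
echo "denials (comm tclass permission):"
printf '%s\n' "$SAMPLE_AUDIT" | denied_summary
# On the host the same helpers drive the real workflow:
#   setenforce 0; start and exercise the containers
#   ausearch --raw | denied_comm_names
#   build_policy_module traefik traefik_allow && install_policy_module traefik_allow
#   setenforce 1
```

audit2allow turns every denial it is given into an allow rule, so the generated .te file is worth reading before `semodule -i`: if an unrelated process was logged while Permissive mode was on, its denials end up in the same module unless the `-c` filter (or the output of `denied_summary`) is used to narrow the input first.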

With a small once-off hassle, the audit utilities that ship with SELinux make it easy to get things working without compromising security.