Running the latest openSUSE Leap Micro 6.2 and suddenly Traefik's logs are full of "Permission denied" errors? Initial searches may have you jumping through hoops with docker group changes, etc. That won't fix it: Leap Micro 6.2 ships a stricter SELinux policy, and SELinux is consulted after the ordinary user/group permission check, so no amount of user/group shenanigans will get around it (it denies root just the same). Instead, do the following:
- install an SELinux policy module that allows exactly what your containers need
- mount bind volumes with an SELinux label
That may sound daunting (and you probably should read up on the topic), but here is a straightforward step-by-step approach:
SELinux labels
Edit your docker-compose file (or docker run command) to mount the Docker socket as "/var/run/docker.sock:/var/run/docker.sock:ro,Z". The Z option tells the container runtime to relabel the host path with a private label that only this container's SELinux context may access; lowercase z gives a shared label instead, which is what you need if the same host path is mounted into more than one container. Note that ro only makes the socket node read-only; API calls over the socket still go through, which is why a socket proxy is recommended.
- This may be for the Traefik container itself or for a docker socket proxy container (recommended: the proxy is then the only container that sees the socket, and it exposes only the endpoints Traefik needs)
- For Traefik's certificate management file mount you will need to do the same (e.g. "/opt/traefik/acme.json:/acme.json:Z")
SELinux policy
1. Start a clean Leap Micro instance
2. Temporarily set SELinux to Permissive mode (denials are still written to the audit log, but nothing is blocked)
setenforce 0
3. Proceed to install the necessary packages, etc. (e.g. docker, docker-compose)
4. Copy across your deployment file (e.g. docker-compose.yml)
5. Start the container(s)
(e.g. docker compose up -d, or docker run -d ...)
6. Test that everything is running correctly. Exercise every code path you care about (certificate renewal, dashboard, each router): only the accesses that get denied and logged now end up in the policy, and anything you skip will be denied later in Enforcing mode
7. View the related audit records (if using a socket proxy, the -c parameter is the proxy's process name, not "traefik")
ausearch -c traefik --raw
8. Convert the SELinux audit records into an allow policy module:
ausearch -c traefik --raw | audit2allow -M traefik_allow
This writes traefik_allow.te (the rules, readable) and traefik_allow.pp (the compiled module). Read the .te file before installing it: audit2allow allows everything that was denied while you were permissive, including anything that was misconfigured or unwanted at the time, and where it notes that an existing boolean would allow the access, prefer setting the boolean over a custom rule.
9. Install the policy
semodule -i traefik_allow.pp
10. Re-enable Enforcing mode
setenforce 1
11. Restart your containers and verify they are working well. getenforce should print Enforcing, and any remaining denials show up with
ausearch -m AVC -ts recent
12. Reduce/automate
- copy the traefik_allow.pp file to the other servers and install it there with semodule -i traefik_allow.pp
- if the traefik_allow.pp file is no longer present, export the module from the policy store into a file that can be copied off: semodule --cil -E traefik_allow (this writes traefik_allow.cil, which semodule -i also accepts)
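The audit-to-policy steps above as one script, an added example that is not part of the original post. It previews the allow rules that ausearch --raw | audit2allow -M would compile, so you can review them before semodule -i, flags rules a reviewer should question, and wraps the post's build step in a function. The module name, the comm value, the environment variable names (SELINUX_BUILD, MODULE, COMM) and every security context in the sample records are assumptions for illustration; the sample itself is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: preview the allow rules that
# "ausearch --raw | audit2allow -M" will compile from AVC denials, flag the
# ones that deserve a second look, then build the module the way the post
# does. Module name, comm value and all contexts below are assumptions.
set -u

# Constructed sample of "ausearch -c traefik --raw" output (not captured
# from a real host; the security contexts are illustrative only).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { connectto } for  pid=2101 comm="traefik" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=2101 comm="traefik" name="acme.json" dev="vda3" ino=4242 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=2101 comm="traefik" name="acme.json" dev="vda3" ino=4242 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1'

# Render AVC records (raw audit output on stdin) as the "allow" rules
# audit2allow generates: one rule per source type, target type and object
# class, permissions merged. This is a preview for review only; the .te
# file audit2allow writes is what actually gets compiled.
avc_to_allow() {
  grep 'avc:  denied' | awk '
  {
    perms = ""; s = ""; t = ""; c = ""
    if (match($0, /\{ [^}]* \}/)) {
      perms = substr($0, RSTART + 2, RLENGTH - 4)      # e.g. "read write"
    }
    for (i = 1; i <= NF; i++) {
      # third field of a context (user:role:type:level) is the type
      if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
      if ($i ~ /^tclass=/)   { c = substr($i, 8) }
    }
    if (s == "" || t == "" || c == "" || perms == "") next
    key = s " " t ":" c
    n = split(perms, p, " ")
    for (j = 1; j <= n; j++) {
      if (index(" " seen[key] " ", " " p[j] " ") == 0) {
        seen[key] = ((seen[key] == "") ? p[j] : seen[key] " " p[j])
      }
    }
    if (!(key in order)) { order[key] = ++count; keys[count] = key }
  }
  END {
    for (k = 1; k <= count; k++) {
      key = keys[k]
      if (split(seen[key], p, " ") > 1) {
        printf "allow %s { %s };\n", key, seen[key]
      } else {
        printf "allow %s %s;\n", key, seen[key]
      }
    }
  }'
}

# Exit non-zero if the rules on stdin grant something a reviewer should
# question before "semodule -i": any capability or process-class permission,
# or executable memory. An illustrative list, not a complete policy review.
flag_risky_rules() {
  if grep -E -q -e ':(capability2?|process) ' -e ' exec(mem|mod|heap|stack)[ ;]'; then
    return 1
  fi
  return 0
}

# The post's step 8 for one comm value: collect its denials, print the
# preview, warn when the rules look broad, then let audit2allow write
# $1.te and $1.pp in the current directory.
build_policy() {
  module=$1
  comm=$2
  # ausearch exits non-zero when nothing matched (wrong -c, or not permissive)
  ausearch -c "$comm" --raw > "$module.avc" || {
    echo "no audit records for comm=$comm" >&2
    return 1
  }
  echo "rules that will be generated:" >&2
  avc_to_allow < "$module.avc" >&2
  avc_to_allow < "$module.avc" | flag_risky_rules ||
    echo "WARNING: broad permissions above, read $module.te before installing" >&2
  audit2allow -M "$module" < "$module.avc"
  # Then: semodule -i $module.pp && setenforce 1
}

# Only touch a real host when asked; sourcing the file just defines helpers.
if [ "${SELINUX_BUILD:-0}" = 1 ]; then
  build_policy "${MODULE:-traefik_allow}" "${COMM:-traefik}"
fi
```

On the permissive host, SELINUX_BUILD=1 COMM=traefik sh build-policy.sh prints the preview and leaves traefik_allow.te and traefik_allow.pp behind; for a socket proxy set COMM to the proxy's process name. The preview deliberately mirrors audit2allow's grouping but does not know about booleans, so the generated .te file remains the thing to read before semodule -i.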
With a small once-off hassle, the audit utilities shipped with SELinux make it easy to keep Enforcing mode on instead of compromising security.