My son and I are hoping to learn more about running and managing our own Linux server. Currently, we set up a test box (not exposed to the internet) where we have installed Fedora Server 32beta (since 32 is soon to be released).
We have Cockpit installed. We would like to use this server to learn more about managing and using containers on a Linux server. We installed a Syncthing container, and by reading the log messages in Cockpit, we discovered that we are having issues with SElinux refusing permissions to the Syncthing container. We noticed that we can get the Syncthing container to work if we shut off SElinux, but clearly we would like to learn how to manage a Linux server in the safest and most secure way, so shutting off SElinux is not ideal.
Since this is an educational exercise, we are looking for additional documentation that explains well how Fedora Server, SElinux, Podman, and such things interact. There doesn't seem to be a lot of documentation for Fedora Server specific use cases from what we have found so far. Just wondering if others have found some good resources for learning and using these technologies.
Podman is still evolving from what I see, so the man page of the version installed on your system is the best source. In the various podman man pages, --security-opt should tell you what your version of podman allows/does.
On the web, this is probably worth reading:
Dan Walsh works with SELinux and is recently working on the Podman ecosystem, so it's good to follow their posts on these subjects. Here's a fun website: https://stopdisablingselinux.com/
I have no experience setting this up but I read about a tool that can help you define a SELinux policy for your container.
See:
- Chapter 9. Creating SELinux policies for containers Red Hat Enterprise Linux 8 | Red Hat Customer Portal, which also links to
- https://www.redhat.com/en/blog/generate-selinux-policies-containers-with-udica, and
- GitHub - containers/udica: This repository contains a tool for generating SELinux security profiles for containers
Hope that helps.
Generally, there is plenty of container documentation here: Building, running, and managing containers Red Hat Enterprise Linux 8 | Red Hat Customer Portal
Some more things:
- Understanding SELinux labels for container runtimes
- regarding the RHEL 8 documentation mentioned by @florian: it's always a great source to understand how these things work, since it also comes along with Podman and uses SELinux - and the quality of the documentation is awesome (*)
- SELinux blocks podman container from talking to libvirt - goes into a lot of details why SELinux does what; different use case and somewhat outdated, but a good source for further understanding
In general I would not start with a complex container like Syncthing if you want to learn. Maybe first try to launch a simple web server, and go from there. According to the documentation, Syncthing might require access to host network, and with podman you need to know what you are doing there.
(*) Just to be totally transparent, I work for Red Hat, though not in the RHEL team.
SELinux coloring book is nice:
Thanks everyone for the suggestions. These are some great suggestions to get us started in our learning.
@liquidat you raised a good point that Syncthing may not be the best first choice for a container. We started there because we have a Debian Freedom box running on our network, and that is probably its main use case on our home network at this time, so we thought if we got our Fedora server running Syncthing then we could decommission the Freedom Box and just run the Fedora server.
Freedom Box is a wonderful project for running your own home server, but we felt limited because we would like to try some of the server based apps that are not supported by Freedom box. I kind of looked at this Fedora server build as an educational experience that would open up new possibilities of server applications.
I totally get the rationale. It is just that Syncthing might require quite some network configuration since it is using non-standard ports and for example UDP discovery broadcasts. That way you would not only have to learn about containers, and maybe some simple port forwarding or proxying, but directly about how to manage non-standard ports with SELinux and so on. It is certainly possible, and I am sure you will find enough help here in the forum if you post the errors and trouble you run into.
I just wanted to highlight that you are in for a steep learning curve with that approach.
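An added example, not code from this thread or from the Podman, SELinux or udica projects, tying together the --security-opt remark, the "SELinux labels for container runtimes" link and the point about non-standard ports above. It takes SELinux AVC denial lines of the kind Cockpit shows from the audit log (or `ausearch -m AVC -ts recent` prints on the host) and maps each to the fix a practitioner would try before reaching for `setenforce 0`: a volume relabel (`:Z`/`:z`), a port label or boolean, or a tailored policy generated with udica and applied via `--security-opt label=type:...`. The three AVC lines are constructed for illustration; the types in them (container_t, user_home_t, httpd_t, unreserved_port_t) are real policy types, while the pids, inodes, file names and port are made up.

```shell
#!/bin/sh
# Added example: classify SELinux AVC denials seen around Podman containers
# and print the usual remediation. Not part of the original thread.

# Constructed sample denials (field layout follows real audit.log AVC records).
AVC_FILE='type=AVC msg=audit(1587000000.101:301): avc:  denied  { write } for  pid=2311 comm="syncthing" name="config.xml" dev="dm-0" ino=40312 scontext=system_u:system_r:container_t:s0:c12,c480 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
AVC_PORT='type=AVC msg=audit(1587000000.102:302): avc:  denied  { name_connect } for  pid=1188 comm="nginx" dest=8384 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'
AVC_OTHER='type=AVC msg=audit(1587000000.103:303): avc:  denied  { net_raw } for  pid=2311 comm="syncthing" capability=13 scontext=system_u:system_r:container_t:s0:c12,c480 tcontext=system_u:system_r:container_t:s0:c12,c480 tclass=capability permissive=0'

# avc_field LINE NAME: print the value of "NAME=value" from one AVC line.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: the type field of an SELinux context (user:role:TYPE:...).
avc_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# classify LINE: print exactly one keyword: relabel | port | policy
classify() {
  stype=$(avc_type "$(avc_field "$1" scontext)")
  ttype=$(avc_type "$(avc_field "$1" tcontext)")
  tclass=$(avc_field "$1" tclass)
  case "$tclass" in
    file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)
      # A container domain touching host content: the bind mount was not
      # relabelled for this container (missing :Z/:z), so the target type
      # or MCS categories do not match.
      case "$stype" in
        container_t|container_init_t) echo relabel ;;
        *) echo policy ;;
      esac ;;
    tcp_socket|udp_socket)
      # Port-type mismatch: the domain may not bind to / connect to that port.
      case "$ttype" in
        *_port_t) echo port ;;
        *) echo policy ;;
      esac ;;
    *)
      # Not a labelling problem (capabilities, process operations, ...):
      # needs a tailored policy or a changed container configuration.
      echo policy ;;
  esac
}

# suggest_fix LINE: print the remediation to try first, never "setenforce 0".
suggest_fix() {
  comm=$(avc_field "$1" comm | tr -d '"')
  perm=$(printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
  case "$(classify "$1")" in
    relabel)
      echo "$comm: '$perm' denied on host file -> mount the volume with :Z (private to this container) or :z (shared between containers), e.g. podman run -v /srv/syncthing:/var/syncthing:Z ..." ;;
    port)
      port=$(avc_field "$1" dest)
      echo "$comm: '$perm' denied on port ${port:-?} -> label the port with a type this domain may use (semanage port -a -t <type> -p tcp ${port:-<port>}) or enable the domain's boolean (e.g. setsebool -P httpd_can_network_connect 1 for a reverse proxy)" ;;
    policy)
      echo "$comm: '$perm' denied on $(avc_field "$1" tclass) -> no label fix; generate a container policy with udica from 'podman inspect' and run with --security-opt label=type:<name>.process, or remove the need for that access" ;;
  esac
}

# Usage: run over the constructed samples, or pipe real ausearch output line by line.
for line in "$AVC_FILE" "$AVC_PORT" "$AVC_OTHER"; do
  suggest_fix "$line"
done
```

Note that `--security-opt label=disable` exists too; it is the per-container equivalent of turning SELinux off and is the option to reach for last, once the denial has been read. The `relabel` hint is the one that resolves most first-time Syncthing-in-Podman errors, because the data directory on the host still carries a host label such as user_home_t.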