Documentation Suggestions for Podman SElinux Cockpit

My son and I are hoping to learn more about running and managing our own Linux server. Currently, we set up a test box (not exposed to the internet) where we have installed Fedora Server 32beta (since 32 is soon to be released).
We have Cockpit installed. We would like to use this server to learn more about managing and using containers on a Linux server. We installed a Syncthing container, and by reading the log messages in Cockpit, we discovered that we are having issues with SElinux refusing permissions to the Syncthing container. We noticed that we can get the Syncthing container to work if we shut off SElinux, but clearly we would like to learn how to manage a Linux server in the safest and most secure way, so shutting off SElinux is not ideal.
Since this is an educational exercise, we are looking for additional documentation that explains well how Fedora Server, SElinux, Podman, and such things interact. There doesn’t seem to be a lot of documentation for Fedora Server specific use cases from what we have found so far. Just wondering if others have found some good resources for learning and using these technologies.

3 Likes

Podman is still evolving from what I see, so the man page of the version installed on your system is the best source. In the various podman man pages, --security-opt should tell you what your version of podman allows/does.

On the web, this is probably worth reading:

Dan Walsh works with SELinux and is recently working on the Podman ecosystem, so it’s good to follow their posts on these subjects. Here’s a fun website: https://stopdisablingselinux.com/

I have no experience setting this up but I read about a tool that can help you define a SELinux policy for your container.
See:

Hope that helps.

Generally, there is plenty of container documentation here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/building_running_and_managing_containers/index

1 Like

Some more things:

In general I would not start with a complex container like Syncthing if you want to learn. Maybe first try to launch a simple web server, and go from there. According to the documentation, Syncthing might require access to host network, and with podman you need to know what you are doing there.

(*) Just to be totally transparent, I work for Red Hat, though not in the RHEL team.

2 Likes
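As an added example (not code from the thread, nor from the Podman project), this sketches what the two replies above suggest: start with a simple web server container, and give it its bind-mounted directory by relabelling that directory for SELinux rather than turning SELinux off. The image name, the host paths and the nginx document root are assumptions; it runs only when invoked as `sh selinux-web.sh run [dir]`.

```shell
#!/bin/sh
# Added example; assumes podman on an SELinux-enforcing Fedora host and the
# image docker.io/library/nginx. Paths are constructed for illustration.

# Build the -v argument. ":Z" tells podman to relabel the host directory with a
# private container label (container_file_t plus a per-container MCS category);
# ":z" uses a shared label so several containers may use the directory. With
# neither, the directory keeps its host label (e.g. user_home_t) and SELinux
# denies the container's access, which is the usual source of the AVC messages.
volume_flag() {
    host_dir=$1; ctr_dir=$2; mode=${3:-private}
    case $mode in
        private) printf '%s:%s:Z' "$host_dir" "$ctr_dir" ;;
        shared)  printf '%s:%s:z' "$host_dir" "$ctr_dir" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Compose the 'podman run' arguments for a static web server on port 8080.
# SELinux stays enforcing: no --security-opt label=disable is used.
web_server_args() {
    printf 'run -d --name learn-web -p 8080:80 -v %s docker.io/library/nginx' \
        "$(volume_flag "$1" /usr/share/nginx/html private)"
}

# Show recent SELinux denials for the container's nginx processes
# (ausearch needs auditd and root; falls back to setroubleshoot's journal entries).
show_container_denials() {
    ausearch -m AVC -ts recent -c nginx 2>/dev/null \
        || journalctl -t setroubleshoot -n 20
}

main() {
    site=${1:-$HOME/learn-web}
    mkdir -p "$site"
    echo '<h1>SELinux is still enforcing</h1>' > "$site/index.html"
    # shellcheck disable=SC2046   # word-splitting of the argument list is intended
    podman $(web_server_args "$site")
    curl -s http://localhost:8080/ || show_container_denials
}

# Only the explicit "run" subcommand starts a container; sourcing or running
# without arguments just defines the functions above.
case ${1:-} in
    run) main "$2" ;;
esac
```

Check the label afterwards with `ls -Zd "$HOME/learn-web"`; it should show container_file_t, and the denials should be gone from the Cockpit log.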

SELinux coloring book is nice:

Thanks everyone for the suggestions. These are some great suggestions to get us started in our learning.

@liquidat you raised a good point that Syncthing may not be the best first choice for a container. We started there because we have a Debian Freedom box running on our network, and that is probably its main use case on our home network at this time, so we thought if we got our Fedora server running Syncthing then we could decommission the Freedom Box and just run the Fedora server.

Freedom Box is a wonderful project for running your own home server, but we felt limited because we would like to try some of the server based apps that are not supported by Freedom box. I kind of looked at this Fedora server build as an educational experience that would open up new possibilities of server applications.

1 Like

I totally get the rationale. It is just that Syncthing might require quite some network configuration since it is using non-standard ports and, for example, UDP discovery broadcasts. So that way you not only have to learn about containers, and maybe some simple port forwarding or proxying, but directly about how to manage non-standard ports with SELinux and so on. It is certainly possible, and I am sure you will find enough help here in the forum if you post the errors and trouble you run into.

I just wanted to highlight that you are in for a steep learning curve with that approach 🙂

1 Like