Consider setting some selinux policy.

[dustymabe]

https://www.redhat.com/archives/container-tools/2016-April/msg00034.html

user is getting selinux denial when running docker inside a vagrant machine that has an sshfs shared mount. Steps to recreate:

 $ Add sshfs folder into Vagrantfile
   config.vm.synced_folder "/home/tnozicka/tmp/registry-data",
"/var/lib/registry", type: "sshfs"
 $ vagrant up
 $ vagrant ssh
 $ docker run -it --rm -v /var/lib/registry:/var/lib/registry centos:7
bash -c 'mkdir /var/lib/registry/new-dir'
(fails [and should] since /var/lib/registry does not have the right
SELinux context)

If fuse supported it we could do: sshfs -o context="system_u:object_r:svirt_sandbox_file_t:s0". This was added in: libfuse/libfuse@c52cafc but there is no fuse release yet with this commit in it.

As a workaround we could run this on client VMs to free things up for now:

setsebool -P virt_sandbox_use_fusefs 1

[tnozicka]

I reported this problem to libfuse: libfuse/libfuse#36

[hferentschik]

As a workaround we could run this on client VMs to free things up for now:
setsebool -P virt_sandbox_use_fusefs 1

So you think the plugin should do this per default? This seems wrong to me. It is needed in the specific use case of using the synced folder as Docker volumes. Being able to specify the context options as part of the folder sync creation makes sense, but I am not so sure whether the plugin should transparently set setsebool.

[dustymabe]

Being able to specify the context options as part of the folder sync creation makes sense, but I am not so sure whether the plugin should transparently set setsebool.

we can't set the context as part of the folder sync creation because that isn't supported in any released version of fuse. I don't see setting sebool as such a bad thing in a vagrant box. vagrant boxes are typically development environments where security is already lowered to a minimum. I don't think setting this as a default would make it that much less secure.

[hferentschik]

we can't set the context as part of the folder sync creation because that isn't supported in any released version of fuse.

Sure, I get that

I don't see setting sebool as such a bad thing in a vagrant box. vagrant boxes are typically development environments where security is already lowered to a minimum.

Funny, when we talked about transparently handling path conversions you argued that this is not in the "scope" of a Vagrant synced folder provider and that it should be generic etc. How does the situation differ here. Why would you consider changing SELinux setting implicitly, even though we only need it for a very specific use case? If you are using vagrant-sshfs just to mount a directory into the host, you are fine. The problem here is that we then want to further use this mount as Docker volume mount. That's very specific imo.

If you think doing it, is the best approach, no worries, but I don't think you are consistent here. Personally, I would at least expect this to be a plugin option I need to explicitly set.

I don't see setting sebool as such a bad thing in a vagrant box. vagrant boxes are typically development environments where security is already lowered to a minimum.

I am not disagreeing here.

I don't think setting this as a default would make it that much less secure.

I am not arguing around security here. For all I care we could disable SELinux altogether. I am more thinking about responsibilities of the various pieces of software acting together here. For me this is not a vagrant-sshfs issue.

[dustymabe]

If you think doing it, is the best approach, no worries, but I don't think you are consistent here. Personally, I would at least expect this to be a plugin option I need to explicitly set.

You are right. I think ultimately it would be good for the plugin to do this (including other plugins that use fuse as a backend), but doing it automatically is perhaps not the right thing to do. Would you like me to add this behavior but make it an option that must be set?

In the ADB we would probably not be able to use the option but would probably just need to blindly set it in the Vagrantfile so we could accout for whatever synced folder plugin someone decided to use.

What do you think?

[hferentschik]

but doing it automatically is perhaps not the right thing to do

+1

Would you like me to add this behavior but make it an option that must be set

It might be useful, but tbh I think the best solution for now is to either configure ADB/CDK out of the box with the right SELinux settings (my preferred choice atm) or as you say do it in the Vagrantfile.

What do you think?

For now I think there is nothing to do in the plugin. Once libfuse has the right options, it should for sure be possible via the plugin as well, but I guess it would then become just a plain additional option you can pass as any other!?

[dustymabe]

I just confirmed that if you have libfuse 2.9.7 then you can get this to work:

    config.vm.synced_folder "./", "/localdir/", type: "sshfs",                                          
        sshfs_opts_append: "-o context='system_u:object_r:svirt_sandbox_file_t:s0'"