Commit a7fb7f5

Support Selinux enabled platforms (#282)
* Support Selinux enabled platforms
* Add SELinux paragraph to document use of :Z tags, add :Z tag to commented files
1 parent cbb53c5 commit a7fb7f5

2 files changed

+21
-13
lines changed

README.md

Lines changed: 7 additions & 0 deletions
@@ -138,6 +138,13 @@ Using a slow disk as the mounted volume or a volume with high latency like NFS,
138138
- `./attachments`: `/var/www/MISP/app/attachments`
139139
- Set the environment variable `ATTACHMENTS_DIR` to the above folder location (it is important that it doesn't replace the `/var/www/MISP/app/files/` folder).
140140

141+
### SELinux
142+
143+
On systems using SELinux, volume binds are not given write permissions by default. Using the tag `:Z` or `:z` at the end of a volume bind files grants write permission through SELinux.
144+
145+
- The `Z` option tells Docker to label the content with a private unshared label.
146+
- The `z` option tells Docker that two containers share the volume content.
147+
141148
## Installing custom root CA certificates
142149

143150
Custom root CA certificates can be mounted under `/usr/local/share/ca-certificates` and will be installed during the `misp-core` container start.
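
Review bot: The paragraph added at line 143 says `:Z`/`:z` "grants write permission" but leaves out that Docker does this by changing the SELinux label of the files on the host, which is what an operator needs to know before enabling it. Suggest adding a sentence that the relabel is applied to the host directory itself, so the option belongs only on directories dedicated to MISP and never on a system path such as `/home` or `/usr`, and that content labeled with `:Z` becomes inaccessible to any other container binding the same path. The wording "at the end of a volume bind files grants" also has a stray word; "at the end of a volume bind grants" reads correctly.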

docker-compose.yml

Lines changed: 14 additions & 13 deletions
@@ -40,7 +40,7 @@ services:
4040
--innodb-stats-persistent=${INNODB_STATS_PERSISTENT:-ON} \
4141
--innodb-write-io-threads=${INNODB_WRITE_IO_THREADS:-4}"
4242
volumes:
43-
- mysql_data:/var/lib/mysql
43+
- mysql_data:/var/lib/mysql:Z
4444
cap_add:
4545
- SYS_NICE # CAP_SYS_NICE Prevent runaway mysql log
4646
healthcheck:
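
Review bot: `mysql_data` at line 43 is a named volume, not a host bind, while the README paragraph added in this commit only talks about volume binds. Either confirm that the relabel is actually required for named volumes on the SELinux hosts this was tested on and say so in the README, or drop `:Z` here so the change stays limited to the bind mounts it documents.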
@@ -92,15 +92,15 @@ services:
9292
- "80:80"
9393
- "443:443"
9494
volumes:
95-
- "./configs/:/var/www/MISP/app/Config/"
96-
- "./logs/:/var/www/MISP/app/tmp/logs/"
97-
- "./files/:/var/www/MISP/app/files/"
98-
- "./ssl/:/etc/nginx/certs/"
99-
- "./gnupg/:/var/www/MISP/.gnupg/"
100-
# customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
101-
# - "${CUSTOM_PATH}/:/custom/"
95+
- "./configs/:/var/www/MISP/app/Config/:Z"
96+
- "./logs/:/var/www/MISP/app/tmp/logs/:Z"
97+
- "./files/:/var/www/MISP/app/files/:Z"
98+
- "./ssl/:/etc/nginx/certs/:Z"
99+
- "./gnupg/:/var/www/MISP/.gnupg/:Z"
100+
# customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
101+
# - "${CUSTOM_PATH}/:/custom/:Z"
102102
# mount custom ca root certificates
103-
# - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
103+
# - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt:Z"
104104
environment:
105105
- "BASE_URL=${BASE_URL}"
106106
- "CRON_USER_ID=${CRON_USER_ID}"
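
Review bot: Line 101 appends `:Z` to `${CUSTOM_PATH}/`, a host path chosen by the user, so uncommenting it makes Docker relabel whatever directory that variable points to, recursively. The comment on line 100 should be extended to say the path must be a directory dedicated to MISP customization, not a shared or system location. The same caution applies to the commented `rootca.pem` bind at line 103, where a single host file receives a private container label. For the five active binds at lines 95-99, `:Z` is only correct as long as no other service mounts the same host directories; if one does, that bind needs `:z` instead.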
@@ -269,10 +269,11 @@ services:
269269
start_interval: 5s
270270
volumes:
271271
# custom MISP modules are loaded at startup time
272-
- "./custom/action_mod/:/custom/action_mod/"
273-
- "./custom/expansion/:/custom/expansion/"
274-
- "./custom/export_mod/:/custom/export_mod/"
275-
- "./custom/import_mod/:/custom/import_mod/"
272+
- "./custom/action_mod/:/custom/action_mod/:Z"
273+
- "./custom/expansion/:/custom/expansion/:Z"
274+
- "./custom/export_mod/:/custom/export_mod/:Z"
275+
- "./custom/import_mod/:/custom/import_mod/:Z"
276276

277277
volumes:
278278
mysql_data:
279+
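
Review bot: The four `./custom/*` binds at lines 272-275 get the private `:Z` label, yet they live under `./custom/`, which is an obvious value for `${CUSTOM_PATH}` in the commented `/custom/` bind of the previous hunk. If both are active on overlapping paths, each container relabels the tree for itself on start and the other service loses access; per the README text added in this commit, `:z` is the option for content shared by two containers. Consider `:z` here, or a comment warning against pointing `CUSTOM_PATH` at `./custom`. The empty line added at 279 is unrelated whitespace and can be dropped.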
