SELinux prevents access to edge-hub-server-cert.pfx

Question

SELinux prevents access to edge-hub-server-cert.pfx

ralarcon opened this issue 7 years ago · 4 comments

V2 issue
OS version and architecture used: RHEL 7 / x86_64
Version used: iotedgectl 1.0.0_rc22
V2 Docker version and container type Docker 1.13.1 on linux (Package version: docker-1.13.1-63.git94f4240.el7.x86_64)

Description of the issue:

Edge Hub is not able to copy the certificate due to insufficient permissions. This happens due to the selinux do not allow to share the volume among the containers.

Edge Hub Server Certificate File: /mnt/edgehub/edge-hub-server.cert.pfx
Edge Hub CA Server Certificate File: /mnt/edgehub/edge-chain-ca.cert.pem
SSL_CERTIFICATE_PATH=/mnt/edgehub
SSL_CERTIFICATE_NAME=edge-hub-server.cert.pfx
Executing: cp /mnt/edgehub/edge-chain-ca.cert.pem /usr/local/share/ca-certificates/edge-chain-ca.crt
cp: cannot stat '/mnt/edgehub/edge-chain-ca.cert.pem': Permission denied
Failed to Copy Edge Chain CA Certificate

We have a workaround for this by modifying the file lib/python2.7/site-packages/edgectl/deployment/deploymentdocker.py

Line 134 volume_dict[self._EDGE_HUB_VOL_NAME] = {'bind': hub_vol_path, 'mode': 'rw'}
Replace by volume_dict[self._EDGE_HUB_VOL_NAME] = {'bind': hub_vol_path, 'mode': 'z'}

Line 137 volume_dict[self._EDGE_MODULE_VOL_NAME] = {'bind': module_vol_path, 'mode': 'rw'}
Replace by volume_dict[self._EDGE_MODULE_VOL_NAME] = {'bind': module_vol_path, 'mode': 'z'}

We are trying to use IoT Edge in a corporate environment and to modify this file for each deployment is unmanageable.

Answer 1 · 2018-06-21T15:16:49.000Z

Another workaround through selinux labels:
chcon -R -t svirt_sandbox_file_t /var/lib/docker/volumes/edgemodule
chcon -R -t svirt_sandbox_file_t /var/lib/docker/volumes/edgehub

Answer 2 · 2018-06-21T16:53:47.000Z

@roicostas looks like that approach is stale and that configuration will be lost after a machine restart.

Answer 3 · 2018-06-21T16:57:11.000Z

In the upcoming GA release this issue should become moot because the way Edge Hub acquires its server cert is being changed. There will be a daemon running on the host that the Edge Hub communicates with to fetch its TLS server cert.

Answer 4 · 2018-07-11T00:23:51.000Z

Please reopen if this is still an issue with the GA bits (using IoT Edge Security Daemon, aka iotedged, rather than the preview-only iotedgectl). Note RHEL is not officially supported at this time, but certainly we're interested in knowing about issues with IoT Edge and SELinux...