TIP: Users must consult their system administrator before running Swarm on a system with SELinux enabled, or before making any security-related changes to the system.
When SELinux is enabled, it restricts access to various system resources. Before starting Swarm, the user must apply the appropriate security context labels to the workspace. For more information, see the Platform specific SELinux guide.
To grant access to the required system resources, the user needs to apply the svirt_sandbox_file_t security context label to workspace_path using the chcon command:
chcon -Rt svirt_sandbox_file_t <workspace_path>
For more information, see docker_selinux_security_policy.
In an SELinux environment, the workspace labels set by chcon are sufficient.
SWOP needs access to the host podman socket, which is restricted by default. To grant that access, the user needs to pass the following parameters to the run-swop script:
--docker-socket-file="<podman socket path>"
--security-opt=label=type:container_runtime_t
The docker-socket-file parameter exposes podman.socket to the SWOP container, and the container_runtime_t label allows the container to interact with the container runtime and access the socket.
NOTE: Paths in the SWOP profile need to be labeled with the svirt_sandbox_file_t security context using the chcon command.
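The following pre-flight check is an added example, not part of the Swarm/SWOP documentation or scripts: it verifies that the workspace and SWOP profile paths already carry the required SELinux type before run-swop is launched, so a missing chcon step is caught up front instead of as a permission error inside the container. It assumes GNU stat (the %C format prints the file's SELinux context) and that the path names passed to it are the user's own; on systems with the container-selinux policy, svirt_sandbox_file_t is an alias of container_file_t and stat reports the latter, so both spellings are accepted.

```shell
#!/bin/sh
# Added example (not SWOP's own code): check that paths are labeled for
# container access before running run-swop. Assumes GNU stat with the
# %C (SELinux context) format specifier.

# svirt_sandbox_file_t is the type the guide asks for; on newer policies
# it is an alias of container_file_t, which is what stat actually prints.
ACCEPTED_TYPES="svirt_sandbox_file_t container_file_t"

# selinux_type_of CONTEXT: print the type field of an SELinux context
# string such as "unconfined_u:object_r:svirt_sandbox_file_t:s0".
# The context has the form user:role:type:level, so the type is field 3.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# context_ok CONTEXT: succeed (0) if the context's type is one of the
# accepted container-access types, fail (1) otherwise.
context_ok() {
    t=$(selinux_type_of "$1")
    for accepted in $ACCEPTED_TYPES; do
        [ "$t" = "$accepted" ] && return 0
    done
    return 1
}

# check_paths PATH...: read each path's live context with stat and report
# whether it still needs relabeling. Returns non-zero if any path does,
# so it can gate the run-swop invocation in a wrapper script.
check_paths() {
    rc=0
    for p in "$@"; do
        ctx=$(stat -c '%C' -- "$p" 2>/dev/null) || {
            echo "missing or unreadable: $p"; rc=1; continue; }
        if context_ok "$ctx"; then
            echo "ok ($ctx): $p"
        else
            echo "needs relabel, run: chcon -Rt svirt_sandbox_file_t '$p'  [$ctx]"
            rc=1
        fi
    done
    return $rc
}

# Usage (paths are constructed placeholders):
#   check_paths /srv/swop/workspace /srv/swop/profile && ./run-swop ...
```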