r/z*2mqtt: Fix device node contexts at start

Processes running in containers only have access to a limited set of devices, based on their SELinux type label. The USB serial devices exposed by the Zwave and Zigbee adapters are not labelled correctly by default to allow them to be used in containers. Using `chcon` to change the type label of the device before starting the container seems to work, but seems a bit kludgy. It would probably be better to use a SELinux file context rule and/or a udev rule to ensure the label is set correctly when the device node is created.
2021-10-10 15:51:54 -05:00 · 2021-10-10 15:51:54 -05:00 · f8e3bdade0
parent 6f9ff86788
commit f8e3bdade0
2 changed files with 2 additions and 0 deletions
--- a/roles/zigbee2mqtt/templates/zigbee2mqtt.service.j2
+++ b/roles/zigbee2mqtt/templates/zigbee2mqtt.service.j2
@ -7,6 +7,7 @@ Wants=network-online.target
 Type=notify
 NotifyAccess=all
 ExecStartPre=/usr/bin/setfacl -m zigbee2mqtt:rw {{ zigbee2mqtt_device }}
+ExecStartPre=/usr/bin/chcon -t console_device_t {{ zigbee2mqtt_device }}
 ExecStartPre=-/usr/bin/podman container rm --ignore -f zigbee2mqtt
 ExecStart=/usr/bin/podman run \
    --pull never \
--- a/roles/zwavejs2mqtt/templates/zwavejs2mqtt.service.j2
+++ b/roles/zwavejs2mqtt/templates/zwavejs2mqtt.service.j2
@ -7,6 +7,7 @@ Wants=network-online.target
 Type=notify
 NotifyAccess=all
 ExecStartPre=/usr/bin/setfacl -m zwavejs:rw {{ zwavejs_device }}
+ExecStartPre=/usr/bin/chcon -t console_device_t {{ zwavejs_device }}
 ExecStartPre=-/usr/bin/podman container rm --ignore -f zwavejs2mqtt
 ExecStart=/usr/bin/podman run \
    --pull never \