From f8e3bdade0c7c5a5795128b0fc02502a229525a1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 10 Oct 2021 15:51:54 -0500
Subject: [PATCH] r/z*2mqtt: Fix device node contexts at start

Processes running in containers only have access to a limited set of devices, based on their SELinux type label. The USB serial devices exposed by the Zwave and Zigbee adapters are not labelled correctly by default to allow them to be used in containers. Using `chcon` to change the type label of the device before starting the container seems to work, but seems a bit kludgy. It would probably be better to use a SELinux file context rule and/or a udev rule to ensure the label is set correctly when the device node is created.
---
 roles/zigbee2mqtt/templates/zigbee2mqtt.service.j2 | 1 +
 roles/zwavejs2mqtt/templates/zwavejs2mqtt.service.j2 | 1 +
 2 files changed, 2 insertions(+)

diff --git a/roles/zigbee2mqtt/templates/zigbee2mqtt.service.j2 b/roles/zigbee2mqtt/templates/zigbee2mqtt.service.j2
index d0bf699..b1ba94f 100644
--- a/roles/zigbee2mqtt/templates/zigbee2mqtt.service.j2
+++ b/roles/zigbee2mqtt/templates/zigbee2mqtt.service.j2
@@ -7,6 +7,7 @@ Wants=network-online.target
 Type=notify
 NotifyAccess=all
 ExecStartPre=/usr/bin/setfacl -m zigbee2mqtt:rw {{ zigbee2mqtt_device }}
+ExecStartPre=/usr/bin/chcon -t console_device_t {{ zigbee2mqtt_device }}
 ExecStartPre=-/usr/bin/podman container rm --ignore -f zigbee2mqtt
 ExecStart=/usr/bin/podman run \
 --pull never \
diff --git a/roles/zwavejs2mqtt/templates/zwavejs2mqtt.service.j2 b/roles/zwavejs2mqtt/templates/zwavejs2mqtt.service.j2
index 3ccf4f7..d6cee35 100644
--- a/roles/zwavejs2mqtt/templates/zwavejs2mqtt.service.j2
+++ b/roles/zwavejs2mqtt/templates/zwavejs2mqtt.service.j2
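Review bot: The added `chcon -t console_device_t` line widens access beyond this unit: the label lands on the host device node, so any domain the loaded policy lets use console devices can now reach the adapter, whereas the `setfacl` line just above scopes DAC access to the single service user. A type meant for container device passthrough (container-selinux appears to ship one) or a udev `SECLABEL{selinux}` rule on the node would keep the MAC grant as narrow as the ACL; the commit message already points toward the udev route, so this is about which type gets applied rather than whether. Separately, this `ExecStartPre=` carries no `-` prefix, so on a host where SELinux is disabled or unsupported `chcon` will likely exit non-zero and the unit never starts even though the ACL alone would suffice there; either document that the unit requires SELinux or mark the step best-effort with `ExecStartPre=-/usr/bin/chcon -t console_device_t {{ zigbee2mqtt_device }}`. The same two points apply to the zwavejs2mqtt hunk. The enclosing [Service] section of both unit templates begins outside the hunk.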
@@ -7,6 +7,7 @@ Wants=network-online.target
 Type=notify
 NotifyAccess=all
 ExecStartPre=/usr/bin/setfacl -m zwavejs:rw {{ zwavejs_device }}
+ExecStartPre=/usr/bin/chcon -t console_device_t {{ zwavejs_device }}
 ExecStartPre=-/usr/bin/podman container rm --ignore -f zwavejs2mqtt
 ExecStart=/usr/bin/podman run \
 --pull never \