r/z*2mqtt: Fix device node contexts at start
Processes running in containers only have access to a limited set of devices, based on their SELinux type label. The USB serial devices exposed by the Zwave and Zigbee adapters are not labelled correctly by default to allow them to be used in containers. Using `chcon` to change the type label of the device before starting the container seems to work, but seems a bit kludgy. It would probably be better to use a SELinux file context rule and/or a udev rule to ensure the label is set correctly when the device node is created.
ntfy
parent
6f9ff86788
commit
f8e3bdade0
|
@ -7,6 +7,7 @@ Wants=network-online.target
|
||||||
Type=notify
|
Type=notify
|
||||||
NotifyAccess=all
|
NotifyAccess=all
|
||||||
ExecStartPre=/usr/bin/setfacl -m zigbee2mqtt:rw {{ zigbee2mqtt_device }}
|
ExecStartPre=/usr/bin/setfacl -m zigbee2mqtt:rw {{ zigbee2mqtt_device }}
|
||||||
|
ExecStartPre=/usr/bin/chcon -t console_device_t {{ zigbee2mqtt_device }}
|
||||||
ExecStartPre=-/usr/bin/podman container rm --ignore -f zigbee2mqtt
|
ExecStartPre=-/usr/bin/podman container rm --ignore -f zigbee2mqtt
|
||||||
ExecStart=/usr/bin/podman run \
|
ExecStart=/usr/bin/podman run \
|
||||||
--pull never \
|
--pull never \
|
||||||
|
|
|
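Review bot: The added `ExecStartPre=/usr/bin/chcon -t console_device_t {{ zigbee2mqtt_device }}` line gives no reason for choosing `console_device_t`, and nothing else in the unit explains it. A short comment above the line naming the type and why the container needs it would help the next reader decide whether the label is still appropriate. Note also that, like the `setfacl` line above it and unlike the `podman container rm` line below it, this command has no `-` prefix, so a `chcon` failure stops the unit from starting; if that is intended, say so in the same comment.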
@ -7,6 +7,7 @@ Wants=network-online.target
|
||||||
Type=notify
|
Type=notify
|
||||||
NotifyAccess=all
|
NotifyAccess=all
|
||||||
ExecStartPre=/usr/bin/setfacl -m zwavejs:rw {{ zwavejs_device }}
|
ExecStartPre=/usr/bin/setfacl -m zwavejs:rw {{ zwavejs_device }}
|
||||||
|
ExecStartPre=/usr/bin/chcon -t console_device_t {{ zwavejs_device }}
|
||||||
ExecStartPre=-/usr/bin/podman container rm --ignore -f zwavejs2mqtt
|
ExecStartPre=-/usr/bin/podman container rm --ignore -f zwavejs2mqtt
|
||||||
ExecStart=/usr/bin/podman run \
|
ExecStart=/usr/bin/podman run \
|
||||||
--pull never \
|
--pull never \
|
||||||
|
|
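Review bot: The relabel in `ExecStartPre=/usr/bin/chcon -t console_device_t {{ zwavejs_device }}` is applied only when the unit starts, so a device node created after that point keeps its default label until the service is restarted. The same line with the same type is now duplicated in the zigbee2mqtt unit as well. A file context rule or udev rule, as the commit message suggests, would set the label when the node is created and could replace both `ExecStartPre` lines; until then, a comment marking this line as a stopgap would make that follow-up easier to find.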