Traefik Podman Quadlet Setup with SELinux Configuration
#!/bin/bash
# Traefik Podman Quadlet Setup with SELinux Configuration
# This script sets up Traefik as a systemd service using Podman quadlets
# with proper SELinux configuration to access the Podman socket
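set -euo pipefail
# ANSI colour constants for log output. Marked readonly: nothing below should
# rebind them, and an accidental reassignment now fails loudly.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color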
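#######################################
# Print an informational message to stdout, prefixed with a green [INFO] tag.
# Globals:   GREEN, NC (read)
# Arguments: $1 - message text
# Outputs:   the formatted line on stdout
#######################################
log_info() {
  # %b expands the escape sequences in the colour constants; the message itself
  # goes through %s so backslashes in caller-supplied text are printed verbatim
  # (echo -e would have interpreted them).
  printf '%b[INFO]%b %s\n' "${GREEN}" "${NC}" "$1"
}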
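#######################################
# Print a warning to stderr, prefixed with a yellow [WARN] tag.
# Globals:   YELLOW, NC (read)
# Arguments: $1 - message text
# Outputs:   the formatted line on stderr (diagnostics stay out of stdout so
#            the script can be piped without warnings being swallowed)
#######################################
log_warn() {
  # %s for the message: caller text is never escape-interpreted.
  printf '%b[WARN]%b %s\n' "${YELLOW}" "${NC}" "$1" >&2
}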
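#######################################
# Print an error to stderr, prefixed with a red [ERROR] tag.
# Globals:   RED, NC (read)
# Arguments: $1 - message text
# Outputs:   the formatted line on stderr
#######################################
log_error() {
  # %s for the message: caller text is never escape-interpreted.
  printf '%b[ERROR]%b %s\n' "${RED}" "${NC}" "$1" >&2
}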
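# Check if running as root: the script writes under /etc and /srv and loads
# SELinux policy, none of which works unprivileged.
if [[ $EUID -ne 0 ]]; then
  log_error "This script must be run as root"
  exit 1
fi
# Check if SELinux is enabled
if ! command -v getenforce >/dev/null 2>&1 || [[ "$(getenforce)" == "Disabled" ]]; then
  log_error "SELinux is not enabled or not installed"
  exit 1
fi
# In Permissive mode the policy changes below are loaded but not enforced, so a
# clean AVC check at the end of this script proves nothing about Enforcing.
if [[ "$(getenforce)" == "Permissive" ]]; then
  log_warn "SELinux is Permissive - denials are logged but not enforced; re-test after 'setenforce 1'"
fi
# Fail before touching the host if a required tool is missing. Under set -e a
# later 'command not found' would otherwise abort mid-way and leave a
# half-configured system (config written, policy not loaded, or vice versa).
for tool in podman systemctl setsebool getsebool checkmodule semodule_package semodule; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    log_error "Required command '$tool' not found (policycoreutils / checkpolicy / podman)"
    exit 1
  fi
done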
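log_info "Setting up Traefik with Podman quadlets and SELinux configuration..."
# Create Traefik configuration directory
log_info "Creating Traefik configuration directory..."
mkdir -p /srv/traefik
# World-readable is acceptable only while this tree holds no secrets; tighten to
# 750 before placing TLS keys, ACME storage or provider credentials here.
chmod 755 /srv/traefik
# Create basic Traefik configuration - on first run only. A re-run must not
# clobber a traefik.yml the operator has since customised.
if [[ -e /srv/traefik/traefik.yml ]]; then
  log_warn "/srv/traefik/traefik.yml already exists - leaving it untouched"
else
  log_info "Creating basic Traefik configuration..."
  cat > /srv/traefik/traefik.yml << 'EOF'
api:
  dashboard: true
  # SECURITY: insecure=true serves the dashboard and API with no authentication
  # on port 8080 inside the container. It is reachable from outside only if that
  # port is published; before publishing it, set insecure: false and expose the
  # dashboard through a router with an auth middleware instead.
  insecure: true
entryPoints:
  web:
    address: ":80"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers must opt in with traefik.enable=true; nothing is routed by
    # accident just because it runs on this host.
    exposedByDefault: false
log:
  level: INFO
EOF
fi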
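# Create the Traefik quadlet configuration
log_info "Creating Traefik quadlet configuration..."
# The quadlet directory is not guaranteed to exist on a fresh host.
mkdir -p /etc/containers/systemd
cat > /etc/containers/systemd/traefik.container << 'EOF'
[Container]
# SUPPLY CHAIN: AutoUpdate=registry combined with the floating ':latest' tag
# means any new push to docker.io is pulled and started unattended - into a
# container that holds the Podman API socket (root-equivalent on this host).
# Pin Image= to a specific version tag or an @sha256 digest and roll updates
# deliberately.
AutoUpdate=registry
ContainerName=traefik
Image=docker.io/library/traefik:latest
PublishPort=80:80/tcp
Volume=/srv/traefik:/etc/traefik:Z
# Podman API socket: whoever controls this socket controls every container and,
# through it, the host. Mounting it read-only would not restrict API calls; the
# usual mitigation is a socket proxy that only forwards the read-only Docker
# API endpoints Traefik needs.
# NOTE(review): ':Z' relabels the socket inode itself (not a private directory)
# - confirm nothing else on the host depends on its original label.
Volume=/run/podman/podman.sock:/var/run/docker.sock:Z
# Least privilege: Traefik needs no setuid escalation and no capability beyond
# binding :80 inside the container.
NoNewPrivileges=true
DropCapability=ALL
AddCapability=NET_BIND_SERVICE
[Service]
Restart=always
[Install]
# Enablement for quadlet-generated units comes from this section at
# daemon-reload time; 'systemctl enable' is not used for generated units.
WantedBy=default.target
EOF
log_info "Quadlet configuration created at /etc/containers/systemd/traefik.container"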
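# Configure SELinux
log_info "Configuring SELinux for container socket access..."
# Enable container_connect_any boolean.
# NOTE(review): this boolean is host-wide - it relaxes policy for every
# container_t process, not just Traefik - and it appears to govern connections
# to host TCP ports rather than the unix socket this script actually needs
# (that access is granted by the traefik_socket module further down). Verify
# with 'sesearch -A -s container_t -b container_connect_any' and drop it if it
# is not required.
log_info "Enabling container_connect_any SELinux boolean..."
setsebool -P container_connect_any on
# Verify the boolean is set. getsebool prints "container_connect_any --> on";
# match the state at the end of the line. Grepping for a bare 'on' also hits
# the "on" inside the boolean's own name, so that check reported failure even
# when the boolean was set.
if [[ "$(getsebool container_connect_any)" == *"--> on" ]]; then
  log_info "container_connect_any boolean successfully enabled"
else
  log_warn "Failed to enable container_connect_any boolean"
fi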
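# Create custom SELinux policy module
log_info "Creating custom SELinux policy module..."
# Build in a private directory. Compiling from fixed names under the shared,
# world-writable /tmp as root is a symlink / pre-created-file race; mktemp -d
# gives an unpredictable, owner-only directory and the trap removes it on any
# exit path (including the error exits below).
build_dir=$(mktemp -d) || { log_error "mktemp -d failed"; exit 1; }
trap 'rm -rf -- "${build_dir:?}"' EXIT
cat > "${build_dir}/traefik_socket.te" << 'EOF'
module traefik_socket 1.0;
require {
    type container_t;
    type container_runtime_t;
    class unix_stream_socket connectto;
}
# Allow containers to connect to the container runtime socket.
# NOTE: this rule is not scoped to Traefik - it applies to every process
# running as container_t on this host. To limit the grant to one container,
# give Traefik its own domain (for example a udica-generated type selected
# with SecurityLabelType= in the quadlet) and allow connectto from that type.
allow container_t container_runtime_t:unix_stream_socket connectto;
EOF
# Compile and install SELinux module. Absolute paths throughout: no 'cd', so the
# script's working directory is left unchanged for everything that follows.
log_info "Compiling and installing SELinux policy module..."
checkmodule -M -m -o "${build_dir}/traefik_socket.mod" "${build_dir}/traefik_socket.te"
semodule_package -o "${build_dir}/traefik_socket.pp" -m "${build_dir}/traefik_socket.mod"
semodule -i "${build_dir}/traefik_socket.pp"
# Verify module installation. Anchor on the module name at line start: older
# semodule prints "name<TAB>version", newer prints just the name; -w keeps a
# hypothetical "traefik_socket_extra" from matching.
if semodule -l | grep -qw '^traefik_socket'; then
  log_info "SELinux policy module 'traefik_socket' successfully installed"
else
  log_error "Failed to install SELinux policy module"
  exit 1
fi
# Temporary files are removed by the EXIT trap above.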
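# Reload systemd so the quadlet generator turns traefik.container into
# traefik.service
log_info "Reloading systemd daemon..."
systemctl daemon-reload
# Start the service. There is deliberately no 'systemctl enable' here: systemd
# refuses to enable generated units ("is transient or generated"), which under
# set -e aborted the script right after a successful start. Enablement comes
# from the [Install] WantedBy= in traefik.container at generation time.
log_info "Starting Traefik service..."
systemctl start traefik.service
# Give the container a few seconds to settle so a crash right after start is
# caught; stop waiting early if systemd already reports the unit failed.
for ((i = 0; i < 10; i++)); do
  if systemctl is-failed --quiet traefik.service; then
    break
  fi
  sleep 1
done
# Check service status
if systemctl is-active --quiet traefik.service; then
  log_info "Traefik service is running successfully"
else
  log_error "Traefik service failed to start"
  systemctl status traefik.service
  exit 1
fi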
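# Test connectivity
log_info "Testing Traefik connectivity..."
# curl without -f exits 0 on any HTTP response, including the 404 Traefik
# returns when no routers exist yet - which is exactly the "is it up" signal
# wanted here. --max-time keeps a black-holed port from hanging the script.
if curl -s --max-time 5 http://localhost >/dev/null 2>&1; then
  log_info "Traefik is responding to HTTP requests"
  # The dashboard/API listens on 8080 *inside* the container and the quadlet
  # publishes only :80, so this probe normally finds nothing. It is served with
  # api.insecure=true (no authentication): do not publish 8080 just to make
  # this check pass - expose the dashboard via an authenticated router instead.
  if curl -s --max-time 5 http://localhost:8080 >/dev/null 2>&1; then
    log_info "Traefik dashboard is accessible at http://localhost:8080"
    log_warn "The dashboard/API on 8080 is served without authentication (api.insecure=true)"
  fi
else
  log_warn "Traefik is not responding to HTTP requests yet (this may be normal if no routes are configured)"
fi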
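# Check for SELinux denials
log_info "Checking for recent SELinux denials..."
# grep -c always prints a count and merely exits 1 when that count is 0, so the
# fallback must be '|| true'. The previous '|| echo 0' appended a second "0",
# producing "0\n0" and breaking the numeric comparison below.
denial_count=0
if command -v ausearch >/dev/null 2>&1; then
  denial_count=$(ausearch -m AVC -ts recent 2>/dev/null | grep -c traefik || true)
else
  log_warn "ausearch not found (auditd not installed?) - skipping AVC denial check"
fi
# A denial is a policy gap or something probing the socket - inspect it with
# 'ausearch -m AVC -ts recent | audit2allow' rather than widening policy blindly.
if [[ "${denial_count:-0}" -gt 0 ]]; then
  log_warn "Found $denial_count SELinux denials for Traefik - this may be normal during startup"
else
  log_info "No recent SELinux denials found for Traefik"
fi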
# Final summary for the operator: where things were written and how to manage
# the service. Kept as a list so the text is easy to scan and extend.
summary_lines=(
  "Setup complete! Traefik is now running with proper SELinux configuration."
  ""
  "Configuration files created:"
  " - Quadlet: /etc/containers/systemd/traefik.container"
  " - Config: /srv/traefik/traefik.yml"
  ""
  "Service management:"
  " - Status: systemctl status traefik.service"
  " - Logs: podman logs traefik"
  " - Restart: systemctl restart traefik.service"
  ""
  "SELinux configuration:"
  " - Boolean: container_connect_any=on"
  " - Module: traefik_socket (allows container_t -> container_runtime_t socket access)"
)
for summary_line in "${summary_lines[@]}"; do
  log_info "$summary_line"
done