I'm trying to get ccn-lite running in docker containers in order to make it easier to spin up, manage, and orchestrate ccn-lite networks for testing. I noticed that relays will create temporary sockets in /tmp so to get ccn-lite-ctrl working I had to also share the host's /tmp with the container. However, access to this socket is blocked by SELinux. Disabling SELinux with setenforce 0 makes the problem go away, but that's obviously not ideal. Adding a policy for sockets created in /tmp also does not sound great.
Is there a simpler way around this? Is there a good reason for creating these temporary sockets? Why is the one socket created by the relay not enough?
Wojtek242 changed the title from "Temporary sockets created in /tmp cause issues with relays run in containers on systems with SELinux" to "Sockets created in /tmp cause issues with relays run in containers on systems with SELinux" on Mar 17, 2018
I think there is only one reason for that: the Unix socket is not only used for mgmt, but can also be used for communication when having multiple nodes on the same machine.
To be able to accept requests from multiple clients at the same time, each request is handled by a temporary face/socket.
I see your point that this does not work well for Docker. I think we have that implementation to be able to handle all kinds of interfaces the same way.
If we just use UDP sockets for communication it would be possible to send all replies using the same socket. But I do not think this is possible for Unix or maybe future TCP sockets, is it?
Hmm, wouldn't opening a UDP listening port not work? In that case you just communicate via the IP/UDP stack. Admittedly this does confine you to the UDP/IP implementation.
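The question raised in this thread, whether a single Unix socket can send all replies, can be checked against the socket API itself. The following is an added example, not part of the thread and not ccn-lite code; it assumes datagram-type AF_UNIX sockets on Linux, and the directory and socket file names are constructed.

```python
import os
import socket
import tempfile


def demo_single_socket_replies(n_clients=3):
    """One relay-side datagram socket answers several clients.

    Returns (replies, unbound_addr): the reply each bound client received,
    and the source address the relay saw for a client that never bound.
    """
    # Constructed layout: a private directory (mkdtemp creates it 0700)
    # instead of bare /tmp, so only it would need sharing with a container.
    sock_dir = tempfile.mkdtemp(prefix="relay-demo-")
    relay_path = os.path.join(sock_dir, "relay.sock")  # hypothetical name

    relay = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    relay.bind(relay_path)
    clients, replies = [], {}
    try:
        # Each client binds its own path; that path is its return address.
        for i in range(n_clients):
            c = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
            c.bind(os.path.join(sock_dir, f"client-{i}.sock"))
            c.sendto(f"request-{i}".encode(), relay_path)
            clients.append(c)

        # The relay serves every request from its single socket.
        for _ in range(n_clients):
            data, addr = relay.recvfrom(4096)
            relay.sendto(b"reply-to-" + data, addr)

        for i, c in enumerate(clients):
            c.settimeout(2)
            replies[i] = c.recv(4096).decode()

        # A client that never binds gives the relay no address to answer.
        anon = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        clients.append(anon)
        anon.sendto(b"request-anon", relay_path)
        _, unbound_addr = relay.recvfrom(4096)
    finally:
        for s in clients + [relay]:
            s.close()
        for name in os.listdir(sock_dir):
            os.unlink(os.path.join(sock_dir, name))
        os.rmdir(sock_dir)
    return replies, unbound_addr
```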