Add some SELinux info I've pieced together #11396
Conversation
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
| @@ -528,9 +528,9 @@ colon: | |||
|
|
|||
| # docker run -v /var/db:/data1 -i -t fedora bash | |||
|
|
|||
| When using SELinux, be aware that the host has no knowledge of container SELinux | |||
| When using SELinux, be aware that the container has no knowledge of host SELinux | |||
There was a problem hiding this comment.
You should state the problem immediately after the example -- the example context is clear given the position of the sentence and the references. Two bits of information are important the fact that the host is runing SELinux and the container cannot write. If you state these two ideas at the first and last bit of the sentence you leverage the two "power" ends of a sentence the beginning and the end.
You should define SELInux as it is the first occurence on this page.
In your work around, you don't need the "at the time of this" clause. That fact is assumed by the reader. It isn't clear when or where for running the chcon command. It is an SELinux command so --- run it on the host and state this clearly. Does the user need to set the context before mounting --- not clear but I assumed that the answer was yes.
If your host is using SELinux (Security-Enhanced Linux), you can mount the /var/db directory but the container cannot write to /data1. Instead, attempts to write to /data1 result in a Permission denied message and an avc: message in the host's syslog. This is because the container has no knowledge of the host's SELinux policies.
To work around this, change the security context on the /var/db directory. This command applies an appropriate SELINUX policy to the directory:
chcon -Rt svirt_sandbox_file_t /var/db
Then, rerun the container; the /data1 is now writable.
|
Perhaps @rhatdan (being "Mr SELinux") can give this a quick read as well? |
|
Well merge in the -v /src:/dest:Z But if you are going to put out this document, I would rewrite it from most secure to least secure. The chcon command is documented in the docker-run man page. |
|
I also cover some of these subjects in these articles. http://opensource.com/business/14/7/docker-security-selinux Bottom line SELinux is a labeling system. If you are going to volume mount an object into the container, you need to make sure it is labeled correctly for the container. chcon -t svirt_sandbox_file_t PATHTOVOL Will do this. Anything else is lowering the security of the container. |
|
Ping back to @SvenDowideit |
|
@rhatdan I'm struggling to put an order of 'goodness' on these (and really, its not an ordered list, its a list with different tradeoffs). take If I understand SELinux labeling right, this means that When I made this PR, I was looking for the info that you wrote up in your latest blog post - as I really wanted to show how to create a set of custom process labels - I've hit a number of other snags in the mean time, so that's a WIP. @moxiegirl merci - I'll get to re-writing stuff later when I've groked enough of the technical details. |
|
chcon -R -t svirt_sandbox_file_t PATHTOVOL Will make the volume read/write by all containers if the containers can some how access the volume. It will most likely not make the path available to other CONFINED processes on the system. Basically by executing this command, you identify the data as "Container Data". Rules in SELinux say that the "Container Processes" can read/write "Container Data" Since the data's MCS Label is s0 (The default) it is read/write by all container processes. If lxc or libvirt-lxc launch containers with the same "Container Process Label" they will be allowed to also Read/Write the Container Data. The problem with most people writing data is that they think about adding ALLOW rules rather then changing the label on the content. For example if I bind mount in /var/lib/foobar into a container, SELinux will complain about the "container process label" read/writing var_lib_t which is the default label of content in /var/lib. If I write a policy rule to allow this, I have now setup a rule where the container can read any content in /var/lib if it is labeled var_lib_t. If on the other hand I set the label to svirt_sandbox_file_t, then I have identified the content as COntainer Data and the container processes will ONLY be allowed to read/write content in /var/lib/foobar. My order of preference would be |
|
Thanks for kicking in @rhatdan and adding your input! |
|
@rhatdan yup (and merci!) - that confirms my general thinking. I think we need to add mentioning 3 and 3(a) alone make this PR worth working on |
|
ping @SvenDowideit |
|
sorry, been on PTO, and now working to catch back up. |
|
@SvenDowideit Catch up already. :) |
|
@SvenDowideit @moxiegirl what's status here? Can we merge it? |
|
@LK4D4 I haven't seen any commits in response to the various comments. So, I'm gonna say no. |
|
then ping @SvenDowideit again |
|
I'm going to shelve this - I havn't had time to work on RHEL stuff. I'll reopen when I find time to ⚫ |
Signed-off-by: Sven Dowideit SvenDowideit@home.org.au