Add some SELinux info I've pieced together #11396
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -528,9 +528,9 @@ colon: | |
# docker run -v /var/db:/data1 -i -t fedora bash | ||
When using SELinux, be aware that the host has no knowledge of container SELinux | ||
When using SELinux, be aware that the container has no knowledge of host SELinux | ||
policy. Therefore, in the above example, if SELinux policy is enforced, the | ||
`/var/db` directory is not writable to the container. A "Permission Denied" | ||
`/var/db` directory is not writeable by the container. A "Permission Denied" | ||
message will occur and an avc: message in the host's syslog. | ||
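Review bot: the second `+` line regresses the spelling from `writable` (the original) to `writeable`; keep `writable`, which is what the rest of the docs use. The first `+` line's inversion (the container has no knowledge of host policy, not the other way round) is the right fix, but the paragraph still never says why the write is refused. The other file in this PR shows `/var/db` labelled `var_t` while the container's own files carry `svirt_sandbox_file_t`, so a clause such as "because `/var/db` carries a label (`var_t` here) that the container's process label is not allowed to access" would make the "Permission denied" sentence actionable. The last sentence is also a broken parallel ("A message will occur and an avc: message"); suggest: the container sees "Permission denied" and the host logs an `avc:` denial.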
@@ -557,8 +557,8 @@ An MLS example might be: | |
# docker run --security-opt label:level:TopSecret -i -t rhel7 bash | ||
To disable the security labeling for this container versus running with the | ||
`--permissive` flag, use the following command: | ||
To disable the security labeling for this container instead of running with the | ||
Is this also under SELinux? Not clear. "for this container" unclear antecedent for Not sure why you are mentioning "instead of running with the
`--privileged` flag, use the following command: | ||
# docker run --security-opt label:disable -i -t fedora bash | ||
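Review bot: `--privileged` is the right flag name (`docker run` has no `--permissive` option), but the rewritten sentence still only frames `label:disable` as an alternative to `--privileged` without saying what it does, which is the reviewer's complaint above. State the effect directly, e.g. "To run this container with no SELinux label at all, without granting the other privileges that `--privileged` implies, use:". Since this is the first SELinux mention in the section, spell the acronym out once.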
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -382,8 +382,8 @@ An MLS example might be: | |
# docker run --security-opt label:level:TopSecret -i -t rhel7 bash | ||
To disable the security labeling for this container versus running with the | ||
`--permissive` flag, use the following command: | ||
To disable the security labeling for this container instead of running with the | ||
Ibid previous comment re this text.
`--privileged` flag, use the following command: | ||
# docker run --security-opt label:disable -i -t fedora bash | ||
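Review bot: this is the same sentence as in the previous file; whatever rewording lands there (saying what `label:disable` does rather than only contrasting it with `--privileged`) should be applied to both copies so the two references do not drift apart.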
@@ -394,9 +394,47 @@ command: | |
# docker run --security-opt label:type:svirt_apache_t -i -t centos bash | ||
Note: | ||
You would have to write policy defining a `svirt_apache_t` type. | ||
> **Note**: You would have to write policy defining a `svirt_apache_t` type. | ||
## Volume mounts and SELinux | ||
If your host is using SELinux (Security-Enhanced Linux), you can mount volumes
[root@RHEL71 sven]# docker run -v /var/db:/data1 -i -t fedora ls -laZ /data1
This happens because the container has no knowledge of the host's SELinux
Considering the previous example above, you can give the container write access in
Any of these methods allow the container to write to the
When using SELinux, be aware that the container has no knowledge of host SELinux | ||
policy. Therefore when SELinux policy is enforced, the | ||
host directory is not accessible by the container. A "Permission Denied" | ||
message will occur and an avc: message in the host's syslog. | ||
[root@RHEL71 sven]# docker run -v /var/db:/data1 -i -t fedora ls -laZ /data1 | ||
ls: cannot access /data1/Makefile: Permission denied | ||
drwxr-xr-x. root root system_u:object_r:var_t:s0 . | ||
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c602,c707 .. | ||
?--------- ? ? Makefile | ||
drwx------. root root system_u:object_r:sudo_db_t:s0 sudo | ||
[root@RHEL71 sven]# ls -laZ /var/db | ||
drwxr-xr-x. root root system_u:object_r:var_t:s0 . | ||
drwxr-xr-x. root root system_u:object_r:var_t:s0 .. | ||
-rw-r--r--. root root system_u:object_r:var_t:s0 Makefile | ||
drwx------. root root system_u:object_r:sudo_db_t:s0 sudo | ||
[root@RHEL71 sven]# docker run -v /var/db:/data1 -i -t fedora bash | ||
bash-4.3# echo "test" > /data1/test.txt | ||
bash: /data1/test.txt: Permission denied | ||
bash-4.3# exit | ||
You can give the container access to the `/var/db` directory in several ways: | ||
- Disable SELinux for the enture host: `setenforce 0` | ||
- Set the directory SELinux policy to allow any container access: | ||
`chcon -Rt svirt_sandbox_file_t /var/db` | ||
- Make this container `--privileged`, disabling not only SELinux constraints, but | ||
also the default cgroups restrictions: | ||
`docker run --privileged -v /var/db:/data1 -i -t fedora` | ||
- Disable SELinux policy constraints for this container: | ||
`docker run --security-opt label:disable -v /var/db:/data1 -i -t fedora` | ||
- Run the container processes as SELinux process type `unconfined_t`: | ||
`docker run --security-opt label:type:unconfined_t -v /var/db:/data1 -i -t fedora` | ||
Now, writing to the /data1 volume in the container will be allowed and the | ||
changes will also be reflected on the host in /var/db. | ||
## Runtime constraints on CPU and memory | ||
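Review bot: typo `enture` for `entire` in the first bullet. The workaround list leads with the broadest change and ends with the narrowest; reverse it so the per-directory `chcon` comes first and `setenforce 0` last, and say that `chcon` is run on the host before the container is started. `setenforce 0` switches the whole host to permissive mode rather than disabling SELinux, so "Disable SELinux for the entire host" overstates it. The `--privileged` bullet claims it also lifts "the default cgroups restrictions", which nothing in the hunk shows; either back that up or drop it. The `--privileged`, `label:disable` and `unconfined_t` examples omit the trailing `bash` that the earlier `docker run` examples pass, so as written they run the image's default command. The prose says "Permission Denied" while the captured output reads "Permission denied"; quote the real message. Finally, the `ls -laZ` capture is the most useful part of the section: inside the container `..` carries `svirt_sandbox_file_t:s0:c602,c707` while the bind-mounted files still carry `var_t` and `sudo_db_t`, which is exactly the mismatch the text needs to explain; one sentence pointing at that contrast would replace the vague "the container has no knowledge of host SELinux policy".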
You should state the problem immediately after the example -- the example context is clear given the position of the sentence and the references. Two bits of information are important: the fact that the host is running SELinux and the container cannot write. If you state these two ideas at the first and last bit of the sentence you leverage the two "power" ends of a sentence, the beginning and the end.

You should define SELinux as it is the first occurrence on this page.

In your workaround, you don't need the "at the time of this" clause. That fact is assumed by the reader. It isn't clear when or where for running the `chcon` command. It is an SELinux command so --- run it on the host and state this clearly. Does the user need to set the context before mounting --- not clear but I assumed that the answer was yes.

If your host is using SELinux (Security-Enhanced Linux), you can mount the `/var/db` directory but the container cannot write to `/data1`. Instead, attempts to write to `/data1` result in a `Permission denied` message and an `avc:` message in the host's `syslog`. This is because the container has no knowledge of the host's SELinux policies.

To work around this, change the security context on the `/var/db` directory. This command applies an appropriate SELinux policy to the directory:

    chcon -Rt svirt_sandbox_file_t /var/db

Then, rerun the container; the `/data1` is now writable.
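The workaround discussed in this thread, as an added example that is not part of the PR or of the reviewer's comment: before bind-mounting a host directory, audit its `ls -laZ` labels for anything the container will not be allowed to touch, and only then relabel it on the host with the `chcon` line from the PR. The listing below is constructed from the PR's own capture so the audit runs offline; the `relabel_for_container` function is only exercised on a real SELinux host. The type name `svirt_sandbox_file_t` is the one the PR uses; on a host whose policy uses a different container file type, change `CONTAINER_FILE_TYPE`.

```shell
#!/bin/sh
# Added example (not from the PR or the reviewer): audit SELinux labels on a
# host directory before bind-mounting it into a container, then relabel it the
# way the PR suggests (`chcon -Rt svirt_sandbox_file_t <dir>` run on the host).

# Constructed sample: the `ls -laZ /var/db` output quoted in the PR.
SAMPLE_LISTING='drwxr-xr-x. root root system_u:object_r:var_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. root root system_u:object_r:var_t:s0 Makefile
drwx------. root root system_u:object_r:sudo_db_t:s0 sudo'

# File type that container processes may read and write under the policy the
# PR describes (assumption: matches the host's container policy).
CONTAINER_FILE_TYPE=svirt_sandbox_file_t

# Read `ls -laZ` output on stdin; print "<type> <name>" for every entry whose
# SELinux type differs from $CONTAINER_FILE_TYPE. The context field is found by
# pattern (user:role:type:level), not by position, so the short four-field
# layout in the PR and the modern layout with link count, size and date both
# work. ".." is skipped: it is the parent, not part of the mount. Names with
# embedded spaces are not handled (the last field is taken as the name).
unlabeled_entries() {
    awk -v want="$CONTAINER_FILE_TYPE" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:/) { ctx = $i; break }
            if (ctx == "") next              # e.g. the "total N" header line
            split(ctx, parts, ":")
            name = $NF
            if (name == "..") next
            if (parts[3] != want) print parts[3], name
        }'
}

# On a real SELinux host: show the enforcement mode and the offending entries,
# record the directory's current context so the change can be undone, then
# relabel recursively. Without an MCS level (-l) the new label is s0, so every
# container on the host, not just one, can use the directory afterwards.
# restorecon -R <dir> reverts to the policy default (var_t for /var/db).
relabel_for_container() {
    dir=$1
    if ! command -v chcon >/dev/null 2>&1 || ! command -v getenforce >/dev/null 2>&1; then
        echo "SELinux tools not available on this host; nothing to do" >&2
        return 2
    fi
    echo "SELinux mode: $(getenforce)"
    echo "Entries under $dir not labelled $CONTAINER_FILE_TYPE:"
    ls -laZ "$dir" | unlabeled_entries
    echo "Context before relabel: $(ls -dZ "$dir")"
    chcon -Rt "$CONTAINER_FILE_TYPE" "$dir"
    echo "Context after relabel:  $(ls -dZ "$dir")"
}

# Offline demonstration on the constructed listing: prints the three entries
# (".", "Makefile", "sudo") that the container in the PR could not access.
printf '%s\n' "$SAMPLE_LISTING" | unlabeled_entries
```

Run the audit first on its own (`ls -laZ /var/db | unlabeled_entries`); an empty result means the directory is already usable by containers and no relabel is needed. Note that `chcon` changes are not recorded in the policy's file-context database, so a later full relabel of the filesystem puts `var_t` back.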