Add some SELinux info I've pieced together #11396

Closed
8 changes: 4 additions & 4 deletions docs/man/docker-run.1.md
Expand Up @@ -528,9 +528,9 @@ colon:

# docker run -v /var/db:/data1 -i -t fedora bash

When using SELinux, be aware that the host has no knowledge of container SELinux
When using SELinux, be aware that the container has no knowledge of host SELinux

You should state the problem immediately after the example -- the example context is clear given the position of the sentence and the references. Two bits of information are important: the fact that the host is running SELinux and the container cannot write. If you state these two ideas at the first and last bit of the sentence you leverage the two "power" ends of a sentence, the beginning and the end.

You should define SELinux as it is the first occurrence on this page.

In your work around, you don't need the "at the time of this" clause. That fact is assumed by the reader. It isn't clear when or where to run the chcon command. It is an SELinux command so --- run it on the host and state this clearly. Does the user need to set the context before mounting --- not clear, but I assumed that the answer was yes.


If your host is using SELinux (Security-Enhanced Linux), you can mount the /var/db directory but the container cannot write to /data1. Instead, attempts to write to /data1 result in a Permission denied message and an avc: message in the host's syslog. This is because the container has no knowledge of the host's SELinux policies.

To work around this, change the security context on the /var/db directory. This command applies an appropriate SELinux policy to the directory:

chcon -Rt svirt_sandbox_file_t /var/db

Then, rerun the container; the /data1 is now writable.

policy. Therefore, in the above example, if SELinux policy is enforced, the
`/var/db` directory is not writable to the container. A "Permission Denied"
`/var/db` directory is not writeable by the container. A "Permission Denied"
message will occur and an avc: message in the host's syslog.
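Review bot: the new line "the container has no knowledge of host SELinux policy" still misattributes the denial. Nothing inside the container is consulting or ignoring policy; the host's SELinux policy confines the container's processes to files carrying the svirt_sandbox_file_t type (the type that the `chcon -Rt svirt_sandbox_file_t /var/db` work-around elsewhere in this PR applies), while /var/db keeps the host's own var_t label, so access is denied by the host. Suggest: "The host's SELinux policy confines the container to files labeled svirt_sandbox_file_t; a host directory keeps its own label, so with SELinux enforcing the `/var/db` directory is not accessible to the container." Also the closing sentence "A "Permission Denied" message will occur and an avc: message in the host's syslog" has no verb for its second half; "and an avc: denial is logged in the host's syslog" reads cleanly. Minor: "writable" is the more common spelling than "writeable", and the man page and run.md should use the same form.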


Expand All @@ -557,8 +557,8 @@ An MLS example might be:

# docker run --security-opt label:level:TopSecret -i -t rhel7 bash

To disable the security labeling for this container versus running with the
`--permissive` flag, use the following command:
To disable the security labeling for this container instead of running with the

Is this also under SELinux? Not clear.

"for this container" unclear antecedent for this --- is this extending the prior example?

Not sure why you are mentioning "instead of running with the privileged flag". Since it takes up so much of the sentence, it might be helpful for the user to understand why this matters in this context. If you aren't willing to provide context, I'd omit the clause.

`--privileged` flag, use the following command:

# docker run --security-opt label:disable -i -t fedora bash
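Review bot: replacing `--permissive` (which is not a docker run option) with `--privileged` is the right fix, but the sentence still gives no reason for contrasting the two, which is what the inline comment is asking for. Suggest one clause: `--privileged` removes SELinux labeling together with the rest of the container's confinement (the run.md hunk in this PR notes it also lifts the default cgroups restrictions), whereas `--security-opt label:disable` turns off only the SELinux label for this one container and leaves everything else in place, so it is the narrower choice when SELinux is the only obstacle. Also make "this container" refer to the command that follows rather than the preceding MLS example, for instance "To run a container without SELinux labeling, instead of resorting to `--privileged`, use:".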

48 changes: 43 additions & 5 deletions docs/sources/reference/run.md
Expand Up @@ -382,8 +382,8 @@ An MLS example might be:

# docker run --security-opt label:level:TopSecret -i -t rhel7 bash

To disable the security labeling for this container versus running with the
`--permissive` flag, use the following command:
To disable the security labeling for this container instead of running with the

Ibid previous comment re this text.

`--privileged` flag, use the following command:

# docker run --security-opt label:disable -i -t fedora bash
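Review bot: same point as on the docker-run.1.md hunk: the contrast with `--privileged` needs a clause of justification (it drops all confinement, not just SELinux labeling, while `label:disable` affects only this container's label), and "this container" should point at the command below rather than the MLS example above. Once the wording is settled, keep the man page and run.md paragraphs identical, since they carry the same text.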

Expand All @@ -394,9 +394,47 @@ command:

# docker run --security-opt label:type:svirt_apache_t -i -t centos bash

Note:

You would have to write policy defining a `svirt_apache_t` type.
> **Note**: You would have to write policy defining a `svirt_apache_t` type.

## Volume mounts and SELinux

If your host is using SELinux (Security-Enhanced Linux), you can mount volumes
on a container but the container cannot write to them. Attempts to
write to a mounted volume result in a Permission denied message and an avc: message
in the host's syslog.

[root@RHEL71 sven]# docker run -v /var/db:/data1 -i -t fedora ls -laZ /data1
ls: cannot access /data1/Makefile: Permission denied
drwxr-xr-x. root root system_u:object_r:var_t:s0 .
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c602,c707 ..
?--------- ? ? Makefile
drwx------. root root system_u:object_r:sudo_db_t:s0 sudo
[root@RHEL71 sven]# ls -laZ /var/db
drwxr-xr-x. root root system_u:object_r:var_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. root root system_u:object_r:var_t:s0 Makefile
drwx------. root root system_u:object_r:sudo_db_t:s0 sudo
[root@RHEL71 sven]# docker run -v /var/db:/data1 -i -t fedora bash
bash-4.3# echo "test" > /data1/test.txt
bash: /data1/test.txt: Permission denied
bash-4.3# exit

This happens because the container has no knowledge of the host's SELinux
policies.

Considering the previous example above, you can give the container write access in
any one of the following ways:

  • Disable SELinux for the entire host: setenforce 0
  • Set the directory SELinux policy to allow any container access:
    chcon -Rt svirt_sandbox_file_t /var/db
  • Make the container --privileged. This disables not only SELinux constraints but
    also the default cgroups restrictions:
    docker run --privileged -v /var/db:/data1 -i -t fedora
  • Disable SELinux policy constraints for this container only:
    docker run --security-opt label:disable -v /var/db:/data1 -i -t fedora
  • Run the container processes as SELinux process type unconfined_t:
    docker run --security-opt label:type:unconfined_t -v /var/db:/data1 -i -t fedora

Any of these methods allow the container to write to the /data1 volume and
you'll see the changes reflected on the host's /var/db directory.


When using SELinux, be aware that the container has no knowledge of host SELinux
policy. Therefore when SELinux policy is enforced, the
host directory is not accessible by the container. A "Permission Denied"
message will occur and an avc: message in the host's syslog.

[root@RHEL71 sven]# docker run -v /var/db:/data1 -i -t fedora ls -laZ /data1
ls: cannot access /data1/Makefile: Permission denied
drwxr-xr-x. root root system_u:object_r:var_t:s0 .
drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c602,c707 ..
?--------- ? ? Makefile
drwx------. root root system_u:object_r:sudo_db_t:s0 sudo
[root@RHEL71 sven]# ls -laZ /var/db
drwxr-xr-x. root root system_u:object_r:var_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. root root system_u:object_r:var_t:s0 Makefile
drwx------. root root system_u:object_r:sudo_db_t:s0 sudo
[root@RHEL71 sven]# docker run -v /var/db:/data1 -i -t fedora bash
bash-4.3# echo "test" > /data1/test.txt
bash: /data1/test.txt: Permission denied
bash-4.3# exit


You can give the container access to the `/var/db` directory in several ways:

- Disable SELinux for the enture host: `setenforce 0`
- Set the directory SELinux policy to allow any container access:
`chcon -Rt svirt_sandbox_file_t /var/db`
- Make this container `--privileged`, disabling not only SELinux constraints, but
also the default cgroups restrictions:
`docker run --privileged -v /var/db:/data1 -i -t fedora`
- Disable SELinux policy constraints for this container:
`docker run --security-opt label:disable -v /var/db:/data1 -i -t fedora`
- Run the container processes as SELinux process type `unconfined_t`:
`docker run --security-opt label:type:unconfined_t -v /var/db:/data1 -i -t fedora`

Now, writing to the /data1 volume in the container will be allowed and the
changes will also be reflected on the host in /var/db.

## Runtime constraints on CPU and memory
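Review bot: the work-around list is ordered from the most sweeping option to the least, which invites readers to reach for `setenforce 0` first; reorder it from narrowest to broadest and say what each one gives up. `setenforce 0` switches enforcement off for every process on the host, not only Docker. `chcon -Rt svirt_sandbox_file_t /var/db` sets only the type and no MCS categories (compare the container's own root, labeled svirt_sandbox_file_t:s0:c602,c707 in the transcript), which is why the bullet correctly says "any container access": every container on the host can then read and write /var/db, and chcon is not recorded in the file-context database, so a later restorecon reverts it (semanage fcontext is the persistent route if that matters). `label:disable` and `label:type:unconfined_t` affect one container; `--privileged` removes far more than the label. Typo on the first bullet: "enture" should be "entire". The transcript shows a read failure too (`ls: cannot access /data1/Makefile: Permission denied`, and the `?--------- ? ? Makefile` stat failure), so the introductory sentence is right to say "not accessible" rather than "not writable"; keep that consistent with the man page hunk, which still says only "not writeable". Finally, "an avc: message in the host's syslog" lacks a verb; "an avc: denial is logged in the host's syslog" reads cleanly.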
