John Stevo

Reputation: 63

Docker Run With SELinux on ubuntu Constrain violation

On Ubuntu 14.04, I run Docker with SELinux. As I know, Docker will read $Selinux-Root-Dir/default/contexts/lxc_contexts, but I can't find this file, so I created it and put in the following contents:

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

Then I run Docker in SELinux's permissive mode, docker -dD --selinux-enabled=false and docker run -it --rm ubuntu /bin/bash.

At last, I want to use audit2allow to generate a *.te and a *.pp file. I executed cat /var/log/audit/audit.log | audit2allow -M container, but it said:

    compilation failed:
    container.te:41:ERROR 'syntax error' at token 'mlsconstrain' on line 41:
    #Constraint rule: mlsconstrain chr_file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) ); Constraint DENIED
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    /usr/bin/checkmodule: loading policy configuration from container.te

I cat'd container.te; its contents are:

    #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
    #Constraint rule: mlsconstrain chr_file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) ); Constraint DENIED
    mlsconstrain chr_file { relabelfrom } ((h1 dom h2 -Fail-) ); Constraint DENIED
    ....
    # Possible cause is the source level (s0) and target level (s0:c96,c879) are different.

I guess Docker runs with s0, but it wants to relabel Docker's rootfs file system to (s0:c96,c879), and this error happens.

So My Question:

Is the type for the container wrong? How do I disable these constraints, or how else do I solve this problem?

Upvotes: 3

Views: 2714

Answers (1)

admirableadmin

Reputation: 2759

I don't know what is on line 41 of your container.te file. In general, 'syntax error' indicates a missing SELinux type or an unknown SELinux interface, which means that the problem is somewhere else.

But there are some things that I noticed:

  • The Docker daemon has to run with --selinux-enabled=true to support SELinux.
  • To create a new SELinux policy module you need all of these files: .te, .fc and .if. See the Debian how-to for an example of a minimal SELinux policy.
  • By using cat /var/log/audit/audit.log | audit2allow -M container you work on all logged lines. Better to copy only the needed lines into a new file.
  • s0 is the level, not a label, while 'relabeling' means changing the type. See labeling files.
  • At runtime SELinux (not Docker itself) will relabel the Docker daemon type (docker_t) and running containers (svirt_lxc_net_t).
  • Docker changes the category of files by default (i.e. s0:c96,c879) to separate running containers from each other.

By default Ubuntu comes with AppArmor preinstalled; you have to remove/disable it first if you want to work with SELinux. Ubuntu and Debian do not ship a Docker policy for SELinux.

Possible solutions:

  • Use AppArmor with Ubuntu (but I don't know if there is a ready-to-use Docker profile).
  • Build your own Docker policy for SELinux on Ubuntu. See the Fedora-Cloud Docker SELinux policy, but there are a lot of dependencies, e.g. svirt_lxc_net_t comes from virt.te.
  • Use Fedora, which will work with SELinux and Docker out-of-the-box, including the mentioned file lxc_contexts.

Upvotes: 1
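As an added example that is not part of the question or the answer above: a small POSIX shell script that does the two things the answer recommends before reaching for audit2allow, namely picking out only the AVC lines that concern one SELinux type instead of feeding the whole audit.log, and checking which of those lines pair a source context with a target context at a different MLS level (the s0 versus s0:c96,c879 situation that audit2allow reported as a constraint violation rather than a plain type denial). The audit lines are constructed for the demo and the function names are the example's own; the only external tool it touches is audit2allow, and only if it is installed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Constructed auditd AVC lines (standard field layout; pids, inodes and
# timestamps are made up). Line 101 mirrors the situation in the question:
# docker_t at level s0 relabelling a chr_file to a container category set.
AUDIT_SAMPLE=$(cat <<'EOF'
type=AVC msg=audit(1420000000.001:101): avc:  denied  { relabelto } for  pid=1234 comm="docker" name="null" dev="devtmpfs" ino=1 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c96,c879 tclass=chr_file
type=AVC msg=audit(1420000000.002:102): avc:  denied  { read } for  pid=1235 comm="bash" name="hosts" dev="sda1" ino=2 scontext=system_u:system_r:svirt_lxc_net_t:s0:c96,c879 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c96,c879 tclass=file
type=SYSCALL msg=audit(1420000000.002:102): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1420000000.003:103): avc:  denied  { write } for  pid=1236 comm="sshd" name="x" dev="sda1" ino=3 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
)

# Print only the AVC records in which the given type appears as the source
# or the target type. Reads audit lines on stdin; $1 is a type such as docker_t.
# Unrelated records (other types, SYSCALL lines) are dropped so audit2allow
# never sees them.
avc_lines_for_type() {
    awk -v type="$1" '
        /type=AVC/ && ($0 ~ ("scontext=[^ ]*:" type ":") || $0 ~ ("tcontext=[^ ]*:" type ":"))
    '
}

# Return the MLS level of a context string. A context is user:role:type:level,
# and the level itself may contain colons (s0:c96,c879), so take everything
# after the third colon rather than the fourth field alone.
mls_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Report AVC records whose source and target levels differ. Such a denial is
# enforced by an mlsconstrain rule, not by a missing allow rule, so an allow
# rule generated by audit2allow cannot fix it; the level or category
# assignment on one side has to change instead.
level_mismatches() {
    awk '
        /type=AVC/ {
            s = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = substr($i, 10)
                if ($i ~ /^tcontext=/) t = substr($i, 10)
            }
            if (s == "" || t == "") next
            sl = s; sub(/^[^:]*:[^:]*:[^:]*:/, "", sl)
            tl = t; sub(/^[^:]*:[^:]*:[^:]*:/, "", tl)
            if (sl != tl) print "source level " sl " != target level " tl ": " $0
        }
    '
}

# Write the filtered records for one type to a file and, when audit2allow is
# available, build a module from that file only. $1 type, $2 output file,
# $3 module name (hypothetical helper; the audit2allow -M invocation is the
# one from the answer).
prepare_module_input() {
    avc_lines_for_type "$1" > "$2"
    if command -v audit2allow >/dev/null 2>&1; then
        audit2allow -M "$3" < "$2"
    fi
}

# Stand-alone demo output.
echo "== AVC records involving docker_t =="
printf '%s\n' "$AUDIT_SAMPLE" | avc_lines_for_type docker_t
echo "== records whose source and target levels differ =="
printf '%s\n' "$AUDIT_SAMPLE" | level_mismatches
```

Against the constructed log, the docker_t filter keeps one record and the level check flags that same record (s0 against s0:c96,c879) while leaving the sshd_t and svirt_lxc_net_t records alone; on a real host, feed /var/log/audit/audit.log to the same functions and pass the per-type file to audit2allow -M.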
