Reputation: 56048
I have a specific container in which I need to mount the /proc filesystem, which is normally forbidden by SELinux for understandable reasons. I would like to create a modification of the normal SELinux policy that allows this for a particular label, and then get Docker to run a particular container with a new context I create with this policy instead of the normal system_u:system_r:container_t:s0:c540,c856 context.
Is this possible? How? I can't even find the source code for the policy file that disables the mounting of /proc from the system_u:system_r:container_t:s0:c540,c856 context. How do I install that?
I have a policy file right now that re-enables the mounting of /proc for all containers, which isn't exactly what I want. But I don't know how to write what I really need. And I don't know how to get Docker to run in a different context either. Here's the policy file I do have that's too broad:
    # Module header (name assumed); the snippet as posted omitted it, and the
    # refpolicy Makefile needs it to build a .pp package.
    policy_module(container_proc, 1.0)

    gen_require(`
        type proc_t;
        type tmpfs_t;
        type container_t;
        class filesystem unmount;
        class filesystem mount;
        class filesystem remount;
        class dir mounton;
    ')

    #============= container_t ==============
    # Applies to container_t, i.e. to every default-labelled container.
    allow container_t proc_t:filesystem unmount;
    allow container_t proc_t:filesystem mount;
    allow container_t proc_t:filesystem remount;
    allow container_t tmpfs_t:filesystem unmount;
    # Mounting on top of a directory already labelled proc_t
    allow container_t proc_t:dir mounton;
A different answer with a different set of drawbacks is to do this:
    docker run --security-opt label:disable
This will disable all SELinux checks for that container. There is a section in the Docker manual that talks about the various valid arguments for --security-opt, including SELinux related ones.
So, my current choices are: disable /proc related checks for all containers, or disable all checks for a specific container. Using the label: argument, you can also set a specific SELinux context for the container, so if I knew how to create a new SELinux context that was just like some other one, except for a few things I specified, I could get what I wanted.
Also, this question is related to a different question I asked earlier on ServerFault: How do I mount a private /proc inside a namespace inside a Docker container?.
Upvotes: 0
Views: 2162
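The following is an added example, not part of the question above or of any posted answer: a script that generates a policy module defining a new container domain, builds and installs it, and prints the docker command that runs a container in that domain. The approach assumes the container-selinux package ships the container_domain_template() template in container.if (it gives the new type the baseline container rules through the container_domain attribute; the second argument is the attribute prefix in newer versions and is ignored by older one-argument versions) and that selinux-policy-devel provides /usr/share/selinux/devel/Makefile. The module name container_proc is arbitrary. Check the installed container.if before relying on the template's argument list.

```shell
#!/bin/sh
# Added example: confine one container in its own SELinux type that may mount
# /proc, instead of loosening container_t for every container or disabling
# labels. Not code from the original post. Assumptions: container.if provides
# container_domain_template(); the refpolicy devel Makefile is installed.
set -eu

# Emit a refpolicy-style .te module for a new container domain <prefix>_t.
gen_te() {
    prefix=$1
    cat <<EOF
policy_module(${prefix}, 1.0)

gen_require(\`
    type proc_t;
    class filesystem { mount remount unmount };
    class dir mounton;
')

# New confined container domain ${prefix}_t, built like container_t
# (assumed template from container.if; second argument is the attribute
# prefix in newer container-selinux and ignored by older versions).
container_domain_template(${prefix}, container)

# The only additions over the baseline: this domain may (re|un)mount proc
# and mount on top of directories already labelled proc_t.
allow ${prefix}_t proc_t:filesystem { mount remount unmount };
allow ${prefix}_t proc_t:dir mounton;
EOF
}

# Build the module with the refpolicy Makefile (it expands policy_module,
# gen_require and the template) and load it. Needs root.
build_and_install() {
    prefix=$1
    workdir=$(mktemp -d)
    gen_te "$prefix" > "$workdir/${prefix}.te"
    make -C "$workdir" -f /usr/share/selinux/devel/Makefile "${prefix}.pp"
    semodule -i "$workdir/${prefix}.pp"
}

# Show what the new domain may do to proc_t (setools' sesearch); container_t
# itself stays unchanged, which is the point of the separate type.
verify() {
    prefix=$1
    sesearch -A -s "${prefix}_t" -t proc_t -c filesystem
    sesearch -A -s container_t -t proc_t -c filesystem
}

# The docker invocation: only the type part of the label is overridden;
# Docker still assigns the per-container MCS categories.
docker_cmd() {
    prefix=$1
    shift
    printf 'docker run --security-opt label=type:%s_t %s\n' "$prefix" "$*"
}

case "${1:-}" in
    install) build_and_install "${2:-container_proc}"; verify "${2:-container_proc}" ;;
    show)    gen_te "${2:-container_proc}"; docker_cmd "${2:-container_proc}" -it fedora bash ;;
esac
```

Run `sh script.sh show` to inspect the generated module and the matching docker command, and `sudo sh script.sh install` to build and load it. The per-type allow rules are what `sesearch` should report for container_proc_t and not for container_t; if the build fails on container_domain_template, the template's name or arguments differ in the installed container.if and must be adjusted there.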