Michael.Sun

Reputation: 397

How to audit the SELinux denial inside a Docker container

I have a Docker container. When SELinux is disabled, it works well; but when SELinux is enabled (i.e. the docker daemon is started with --selinux-enabled), it cannot start up.

So the failure should be caused by an SELinux denial, but this is not shown in the SELinux audit log. When I use "ausearch -m XXX | audit2allow ..." to generate the policy, it does not include any denial info.

I want to know how to get the SELinux denial info that occurred inside the container, so that I can use it in generating my policy file.

PS: I checked the label info of the accessed file; it seems right, but access (ls) is denied:

# ls -dlZ /usr/bin
dr-xr-xr-x. root root system_u:object_r:container_file_t:s0:c380,c857 /usr/bin
# ls /usr/bin
ls: cannot open directory /usr/bin: Permission denied

More: the selected answer answered the question, but now the problem is that the audit log shows the access is to read "unlabeled_t", but as "ls -dZ /usr/bin" shows, it is "container_file_t". I put this in a separate question: Why does SELinux deny access to container internal files and claim they are "unlabeled_t"?

Upvotes: 1

Views: 1129

Answers (1)

sebasth

Reputation: 997

The policy likely contains dontaudit rules. Dontaudit rules do not allow access, but suppress logging for the specific access.

You can disable dontaudit rules with semanage:

semanage dontaudit off

After solving the issue, you probably want to turn the dontaudit rules back on to reduce log noise.

It is also possible to search for dontaudit rules with sesearch:

sesearch --dontaudit -t container_file_t

Upvotes: 3
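As an added example (not code from the question or from sebasth's answer), the shell script below shows what the AVC records look like once dontaudit is off and how they map to allow rules, using constructed sample records rather than real audit output; it also wraps the live steps (dontaudit off, reproduce, ausearch, dontaudit back on) in a function. That function assumes root, a running auditd, the semanage/ausearch/audit2allow tools, and an image name passed as its argument; none of those come from the original page.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
#
# avc_to_allow     reads raw audit records (what "ausearch -m AVC" prints once
#                  "semanage dontaudit off" stops suppressing them) and prints
#                  the allow rule audit2allow would derive for each distinct
#                  (source type, target type, class), permissions merged.
# collect_denials  the live workflow around the failing container. Needs root
#                  and the SELinux userspace tools, so it is only defined here
#                  and does nothing unless you call it.

# Constructed sample records, not real audit output. The second AVC mimics the
# unlabeled_t target the questioner saw; pid, inode and device are made up.
SAMPLE_AVC='type=AVC msg=audit(1527000000.101:301): avc:  denied  { read } for  pid=4242 comm="ls" name="bin" dev="overlay" ino=1001 scontext=system_u:system_r:container_t:s0:c380,c857 tcontext=system_u:object_r:container_file_t:s0:c380,c857 tclass=dir permissive=0
type=AVC msg=audit(1527000000.102:302): avc:  denied  { read open } for  pid=4242 comm="ls" name="bin" dev="overlay" ino=1001 scontext=system_u:system_r:container_t:s0:c380,c857 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1527000000.102:302): arch=c000003e syscall=257 success=no exit=-13 comm="ls" subj=system_u:system_r:container_t:s0:c380,c857'

# stdin: audit records; stdout: one "allow src tgt:class { perms };" per key.
avc_to_allow() {
  awk '
    /^type=AVC / && /avc: +denied/ {
      perms = $0
      sub(/.*denied[ ]+\{[ ]*/, "", perms)   # keep the text after "{"
      sub(/[ ]*\}.*/, "", perms)             # drop the text from "}" on
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:type:level; the third field is the type
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      key = src " " tgt ":" cls
      if (!(key in perms_of)) { keys[++count] = key; perms_of[key] = "" }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (index(" " perms_of[key] " ", " " p[j] " ") == 0)
          perms_of[key] = (perms_of[key] == "" ? p[j] : perms_of[key] " " p[j])
    }
    END {
      for (k = 1; k <= count; k++)
        printf "allow %s { %s };\n", keys[k], perms_of[keys[k]]
    }'
}

# Live workflow (assumption: run as root with auditd and the SELinux tools).
# IMAGE is the failing container image, an argument rather than anything
# taken from the question. Usage: collect_denials my-image:tag
collect_denials() {
  image="$1"
  start=$(date '+%H:%M:%S')           # ausearch -ts with only a time means today
  semanage dontaudit off              # stop hiding dontaudit'ed denials
  trap 'semanage dontaudit on' EXIT   # restore the noise filter on any exit
  docker run --rm "$image" ls /usr/bin || true   # reproduce the failure
  # Raw records to stderr for inspection, derived rules to stdout. Review the
  # target types before loading anything with semodule: a denial against
  # unlabeled_t usually points at a labelling problem, not a missing rule.
  ausearch -m AVC -ts "$start" | tee /dev/stderr | audit2allow
}

# Offline demonstration on the constructed records.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Run as-is to see the two rules derived from the sample (one for container_file_t, one for unlabeled_t); source the file and call collect_denials with your image as root to do the same against the real audit log.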
