Description

I installed docker 1.11 on a hardened rhel7.2 system with selinux in enforcing mode. When I add the option `selinux-enabled=true` to the docker daemon and run a container I can't get access to `/dev` (and probably other problems).
How to reproduce:

- install as mentioned
- change docker daemon options to include `--selinux-enabled=true`
- run a container: `docker run -it alpine /bin/sh`
- run `ls /dev` in the container - result is a `permission denied` message
After analysis it looks like the difference is due to the process label that is added to the runc process. With `selinux-enabled=true` the label is `svirt_lxc_net_t`; with `selinux-enabled=false` the label is `spc_t`.

As a consequence I get a `denied` message in `/var/log/audit/audit.log`:

```
type=AVC msg=audit(1461154725.310:2115): avc: denied { read } for pid=11869 comm="ls" name="/" dev="tmpfs" ino=1160672 scontext=system_u:system_r:svirt_lxc_net_t:s0:c187,c658 tcontext=system_u:object_r:docker_tmpfs_t:s0 tclass=dir
```
Using `ps -efZ` on the correct process (the `sh` process in the alpine container and its parent) shows:

```
system_u:system_r:docker_t:s0 root 11798 11690 0 13:57 ? 00:00:00 docker-containerd-shim d54269abe4604e71bebc552422f2f4728b1b818b471b27470de940f7882bf12e /var/run/docker/libcontainerd/d54269abe4604e71bebc552422f2f4728b1b818b471b27470de940f7882bf12e docker-runc
system_u:system_r:svirt_lxc_net_t:s0:c187,c658 root 11812 11798 0 13:57 pts/1 00:00:00 /bin/sh
```

The same action done without `selinux-enabled=true` shows the following using `ps -efZ`:

```
system_u:system_r:docker_t:s0 root 12044 11933 0 14:26 ? 00:00:00 docker-containerd-shim ab1b150c15b92677abf0462ebcd29a759da168446a41d0749c927cd725ae3941 /var/run/docker/libcontainerd/ab1b150c15b92677abf0462ebcd29a759da168446a41d0749c927cd725ae3941 docker-runc
system_u:system_r:spc_t:s0 root 12057 12044 0 14:26 pts/1 00:00:00 /bin/sh
```

The selinux policy file in the docker repo has rules for `spc_t` but not for `svirt_lxc_net_t`.
I created this issue on the containerd repository because containerd is the parent process of the container itself. As I understand selinux (after digging for half a day :-( ) and finding this link, this would mean that the context is changed in containerd?

To me it seems that either the `docker-engine-selinux` policy file should be changed or the transitioning to `svirt_lxc_net_t` should not be done?

regards,
Rick
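The diagnosis above hinges on reading the `scontext`/`tcontext` pair out of an AVC record and noticing that the source domain is the confined container domain rather than `spc_t`. The following is an added example (not code from the issue, from docker or from containerd) that parses `type=AVC` lines from `audit.log` into structured records and filters for denials raised by a container domain, so the same check can be run over a whole log instead of by eye. The first sample line is the record quoted in the issue; the other two lines are constructed for the example. The set of container domain names is an assumption: `svirt_lxc_net_t` is the domain seen in this issue, and `container_t` is the name later container-selinux policy gives that same domain.

```python
import re

# Constructed sample input. Line 1 is the AVC record quoted in the issue above;
# lines 2 and 3 are made up for this example (a SYSCALL record that should be
# skipped, and a denial from a non-container domain that should be filtered out).
SAMPLE_LOG = """\
type=AVC msg=audit(1461154725.310:2115): avc: denied { read } for pid=11869 comm="ls" name="/" dev="tmpfs" ino=1160672 scontext=system_u:system_r:svirt_lxc_net_t:s0:c187,c658 tcontext=system_u:object_r:docker_tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1461154725.310:2115): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1461154800.000:2200): avc:  denied  { write } for  pid=4242 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Header of an AVC record: audit timestamp/serial, result, permission set, then
# the free-form key=value tail. \s+ tolerates the double spaces auditd writes.
AVC_HEAD = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space chars
# (SELinux contexts contain ':' and ',' but never spaces).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed names of the confined container domain (svirt_lxc_net_t in this issue,
# container_t in later container-selinux policy). spc_t is deliberately absent:
# it is the unconfined "super privileged container" domain.
CONTAINER_DOMAINS = {"svirt_lxc_net_t", "container_t"}


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, None otherwise."""
    if "type=AVC" not in line:
        return None
    m = AVC_HEAD.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group("rest"))}
    scontext = fields.get("scontext", "")
    tcontext = fields.get("tcontext", "")
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "tclass": fields.get("tclass", ""),
        "scontext": scontext,
        "tcontext": tcontext,
        "stype": context_type(scontext),
        "ttype": context_type(tcontext),
    }


def parse_log(text):
    """Parse every AVC record in a block of audit.log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def container_denials(records):
    """Keep only denials whose source domain is a confined container domain."""
    return [r for r in records
            if r["result"] == "denied" and r["stype"] in CONTAINER_DOMAINS]


def summarize(rec):
    """One-line human-readable form: source type -> target type, class, perms."""
    return (f"{rec['stype']} -> {rec['ttype']} ({rec['tclass']}): "
            f"{','.join(rec['perms'])} {rec['result']} "
            f"[comm={rec['comm']} pid={rec['pid']}]")


if __name__ == "__main__":
    for rec in container_denials(parse_log(SAMPLE_LOG)):
        print(summarize(rec))
```

Run against a real `/var/log/audit/audit.log` (for example `parse_log(open("/var/log/audit/audit.log").read())`), the summary for the issue's record reads `svirt_lxc_net_t -> docker_tmpfs_t (dir): read denied [comm=ls pid=11869]`, which is exactly the source-type/target-type pair a policy rule would have to allow. Grouping the output by `(stype, ttype, tclass)` is a quick way to see whether a set of denials comes from one missing rule or from many.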