Re: Docker Container files MCS labelling not being implemented in Fedora 32

Hello Aswad,

First of all, Fedora 32 reached End Of Life on 2021-05-25 (https://docs.fedoraproject.org/en-US/releases/eol/), which means that it has not been receiving any updates for a few months already and any problems are unlikely to be fixed.

Recent versions of Fedora provide Moby Engine instead of Docker (I can't recall which version made the switch), but that package provides the `docker` executable now.

$ sudo dnf provides $(which docker)
...
moby-engine-20.10.20-1.fc37.x86_64 : The open-source application container engine
Repo        : updates
Matched from:
Filename    : /usr/bin/docker

$ rpm -q moby-engine
moby-engine-20.10.20-1.fc37.x86_64

That said, I can see that new files get the right label:

$ docker run --security-opt label=level:s0:c100,c200 -i -t fedora bash
Unable to find image 'fedora:latest' locally
latest: Pulling from library/fedora
e437052d4f94: Pull complete
Digest: sha256:d2c7dadebf6d8eb44ae87955cd02e1bc89fa6f9afb7452467a5524a8c72c208e
Status: Downloaded newer image for fedora:latest
[root@e8c7aed274ee /]# exit
exit

$ sudo ls -lrtZ /var/lib/docker/containers/e8c7aed274eec207959d26fa5b617ebc7b830fa4e49cddfe5d686c2fcdb9b14c
total 24
drwx------. 1 root root system_u:object_r:container_var_lib_t:s0           0 Nov 15 21:39 checkpoints
-rw-r--r--. 1 root root system_u:object_r:container_var_lib_t:s0          71 Nov 15 21:39 resolv.conf.hash
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0:c100,c200  853 Nov 15 21:39 resolv.conf
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0:c100,c200  174 Nov 15 21:39 hosts
drwx--x---. 1 root root system_u:object_r:container_var_lib_t:s0           0 Nov 15 21:39 mounts
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0:c100,c200   13 Nov 15 21:39 hostname
-rw-r--r--. 1 root root system_u:object_r:container_var_lib_t:s0        1497 Nov 15 21:39 hostconfig.json
-rw-------. 1 root root system_u:object_r:container_var_lib_t:s0        2489 Nov 15 21:39 config.v2.json

and so do volumes:

$ docker run --security-opt label=level:s0:c100,c200 -i -t -v /mnt fedora bash
[root@911a3dbaf2f0 /]# exit
exit

$ docker volume ls
DRIVER    VOLUME NAME
local     1540d47a79e2443cd0398f9da1b09cd7120647f1f200b55718d945a899d6b845

$ sudo ls -lrtZ /var/lib/docker/volumes/1540d47a79e2443cd0398f9da1b09cd7120647f1f200b55718d945a899d6b845
total 0
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c100,c200 0 Aug  9 15:57 _data

Can you paste an example of what you see?

In any case, most probably the problem does not exist in current versions.

Hope that helps.


On Tue, Nov 15, 2022 at 1:24 PM Aswad Tariq <aswadtariq05@xxxxxxxxx> wrote:
In Docker version 20.10.7, build f0df350, with SELinux enabled and set to enforcing mode with the targeted policy, the MCS labels should be applied to containers and their files by default. I should see user:role:type:s0:c1,c34, for example, but instead the category labels are not applied and I see user:role:type:s0 for files inside the container when running ls -lZ or in audit records.

The version of Fedora is 32 with kernel version 5.6.6-300.fc32.x86_64. This would be simpler if the labels were not being applied to podman containers either, but when making files in podman containers the category labels are being set and working fine. Any idea as to what could be the issue?

Thanks!
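The check the reply performs by eye (look at `ls -lZ` output and confirm that the container's own files carry the `c100,c200` categories while the engine's metadata stays at plain `s0`) can be scripted. The following is an added example, not code from the thread or from Moby/Docker; it assumes the GNU coreutils `ls -lZ` column layout (mode, links, user, group, context, size, date, name), and the sample lines are constructed to imitate the reply's output, with one file deliberately lacking categories (the symptom Aswad reports) and one carrying the wrong ones.

```python
"""Audit `ls -lZ` output for MCS category labels on container files.

Added example (not from the mailing-list thread). SAMPLE_LS_OUTPUT is
constructed: it imitates the `ls -lrtZ` layout shown in the reply, with
made-up entries for the two failure cases.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Files the container itself writes (or that the engine mounts into it) get
# container_file_t and should carry the container's categories. Engine
# metadata (config.v2.json, hostconfig.json, ...) stays container_var_lib_t
# at plain s0, as the reply's listing shows, so it is not audited here.
CONFINED_TYPE = "container_file_t"


def level_categories(level: str) -> List[str]:
    """Return MCS categories from a level such as 's0:c100,c200'; [] for bare 's0'."""
    if ":" not in level:
        return []
    return [c for c in level.split(":", 1)[1].split(",") if c]


@dataclass
class Entry:
    name: str
    user: str
    role: str
    type_: str
    level: str  # e.g. "s0" or "s0:c100,c200"

    @property
    def categories(self) -> List[str]:
        return level_categories(self.level)


def parse_ls_z_line(line: str) -> Optional[Entry]:
    """Parse one `ls -lZ` line; returns None for the 'total' line or malformed input."""
    fields = line.split(None, 9)
    if len(fields) < 10 or fields[0].startswith("total"):
        return None
    # The context is user:role:type:level; the level itself may contain ':'
    # (sensitivity followed by categories), so split at most three times.
    parts = fields[4].split(":", 3)
    if len(parts) != 4:
        return None
    user, role, type_, level = parts
    return Entry(name=fields[9], user=user, role=role, type_=type_, level=level)


def audit_container_files(lines: List[str], expected_level: str) -> Dict[str, List[str]]:
    """Classify container_file_t entries as ok / missing_categories / wrong_categories.

    expected_level is the level passed via --security-opt label=level:..., e.g. 's0:c100,c200'.
    """
    want = set(level_categories(expected_level))
    report: Dict[str, List[str]] = {"ok": [], "missing_categories": [], "wrong_categories": []}
    for line in lines:
        entry = parse_ls_z_line(line)
        if entry is None or entry.type_ != CONFINED_TYPE:
            continue
        got = set(entry.categories)
        if not got:
            report["missing_categories"].append(entry.name)
        elif got != want:
            report["wrong_categories"].append(entry.name)
        else:
            report["ok"].append(entry.name)
    return report


# Constructed sample: resolv.conf lacks categories, stray.conf has the wrong ones.
SAMPLE_LS_OUTPUT = """\
total 16
drwx------. 1 root root system_u:object_r:container_var_lib_t:s0           0 Nov 15 21:39 checkpoints
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0:c100,c200  174 Nov 15 21:39 hosts
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0:c100,c200   13 Nov 15 21:39 hostname
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0            853 Nov 15 21:39 resolv.conf
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0:c7,c9      853 Nov 15 21:39 stray.conf
-rw-------. 1 root root system_u:object_r:container_var_lib_t:s0        2489 Nov 15 21:39 config.v2.json
""".splitlines()


if __name__ == "__main__":
    import sys

    # Pipe real output in (`sudo ls -lZ /var/lib/docker/containers/<id> | python3 audit.py s0:c100,c200`)
    # or run without input to audit the constructed sample.
    level = sys.argv[1] if len(sys.argv) > 1 else "s0:c100,c200"
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LS_OUTPUT
    for bucket, names in audit_container_files(source, level).items():
        print(f"{bucket}: {names}")
```

On a correctly labelled container both failure buckets come back empty; anything in `missing_categories` is exactly the situation described in the original report, and `wrong_categories` catches a file that was labelled for a different container, which is the case MCS separation exists to prevent.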

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue