Re: Selinux Docker issues

On 05/05/2016 02:32 AM, Naina Emmanuel wrote:
Good Morning,
I am working on docker and its security through SELinux. I am facing some problems and have some questions to ask...

Q1: If for the containers we have the MLS policy configured (SelinuxType=mls in /etc/selinux/config), while on the host for other modules we have the targeted policy, how can I use these two different types simultaneously?

The HOST'S SELinux policy affects the container. Inside of the containers, the system thinks that SELinux is disabled. We don't allow you to run two different SELinux policies with the same kernel. You would need kvm/virtualization for this and to have a separate VM from the host.
Q2: Docker is running on my CentOS 7, but it is still giving the unconfined_t label on the docker process (policy is configured as selinuxtype=mls and selinux=permissive).

If you are running unconfined_t then you are running on a targeted host. The configuration of content inside of the container does not matter. See above.

Docker should be running as docker_t, if you have docker-selinux package installed and everything labeled properly.
Q3: In the targeted rpm package I have found namespace.te and cgroup.te. If docker works on mls, then why are these policy modules given in the targeted rpm?

I have never heard of these. The docker-selinux policy ships with docker.te; it also uses types defined in the virt.te files.

Q4: Where is the mls policy located? As we have .te policy for targeted.

MLS policy and targeted are shared. MLS should be able to work with docker-selinux, with a few tweaks to make sure that docker_t runs ranged. May need some mls overrides. You might also need to add virt.pp if that is not in the default mls package.

I would suggest that you set up the host to run in MLS mode and then modify the docker-selinux package to run in an MLS environment. docker will pick out random MCS labels for running containers, so you would need to override this behaviour if you want a container to run at a particular level.

Something like

docker run -ti --security-opt label=level:s15:c1,c2 rhel7 /bin/sh

Please guide me in this regard.

Thanks in advance

Engr. Naina Emmanuel
Linux Essential Certified (LEPDC)
Cisco Certified Network Associate (CCNA)
Computer Engineering Department, UET Taxila
Information Security, CS Department, CIIT Islamabad
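As an added example (not from the thread or the docker-selinux project), a POSIX shell script that checks the two things the reply asks for against constructed `ps -eZ` style listings: whether the daemon runs as docker_t rather than unconfined_t, and whether a container process ended up at the level passed with `--security-opt label=level:s15:c1,c2`. The daemon command name `dockerd` and the container type `svirt_lxc_net_t` in the sample lines are assumptions.

```shell
#!/bin/sh
# Constructed lines in the shape of `ps -eZ` output (LABEL PID TTY TIME CMD);
# made up for this example, not captured from a real host. The daemon name
# dockerd and the container type svirt_lxc_net_t are assumptions.
CONFINED_HOST='system_u:system_r:docker_t:s0 1234 ? 00:00:03 dockerd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1300 pts/0 00:00:00 bash
system_u:system_r:svirt_lxc_net_t:s15:c1,c2 1401 ? 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c417,c902 1502 ? 00:00:00 sleep'
# The symptom from Q2: the daemon itself runs unconfined_t.
UNCONFINED_HOST='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 ? 00:00:03 dockerd
system_u:system_r:svirt_lxc_net_t:s0:c1,c2 1401 ? 00:00:00 sh'

# Print the SELinux type (third context field) of the first process on
# stdin whose command name is $1.
ctx_type_of() {
    awk -v cmd="$1" '$NF == cmd { split($1, f, ":"); print f[3]; exit }'
}
# Print that process's MLS/MCS level: everything after the third colon
# (a range like s0-s0:c0.c1023 contains a colon itself, so rejoin it).
ctx_level_of() {
    awk -v cmd="$1" '$NF == cmd {
        n = split($1, f, ":"); lvl = f[4]
        for (i = 5; i <= n; i++) lvl = lvl ":" f[i]
        print lvl; exit }'
}
# Succeed only when the docker daemon in the listing on stdin is docker_t.
docker_daemon_confined() {
    [ "$(ctx_type_of dockerd)" = "docker_t" ]
}
# Succeed only when process $1 runs at exactly level $2 (for example
# s15:c1,c2 after --security-opt label=level:s15:c1,c2).
process_level_is() {
    [ "$(ctx_level_of "$1")" = "$2" ]
}
# Report on one listing read from stdin; $1 names it in the output.
report() {
    listing=$(cat)
    if printf '%s\n' "$listing" | docker_daemon_confined; then
        echo "$1: daemon is docker_t"
    else
        echo "$1: daemon is NOT docker_t, check docker-selinux and labels"
    fi
    echo "$1: container shell level: $(printf '%s\n' "$listing" | ctx_level_of sh)"
}

printf '%s\n' "$CONFINED_HOST" | report confined
printf '%s\n' "$UNCONFINED_HOST" | report unconfined
```

On a real host, replace the constructed variables with the output of `ps -eZ` and match on the container's actual command name.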


_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
