
what does the docker daemon option --selinux-enabled do


Short Answer

  • --selinux-enabled will enable an selinux policy which allows container processes labelled with svirt_lxc_net_t to read and write to files with the svirt_sandbox_file_t label.
  • Container labels can be checked by inspecting the container using docker inspect -f '{{ .ProcessLabel }}' <container name> and docker inspect -f '{{ .MountLabel }}' <container name>

Long Answer

The --selinux-enabled option enables the docker selinux security policy, which is described in detail here. When enabled, this policy will:

  • Label containers with the svirt_sandbox_file_t and svirt_lxc_net_t labels. This can be confirmed by running a container, and checking the labels applied to it:

    docker inspect <container id> | grep "Label"
    "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c557,c611",
    "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c557,c611",

    The svirt_sandbox_file_t is a MountLabel which restricts access to files on the host filesystem. The docker selinux docs say:

    If a file is labeled svirt_sandbox_file_t, then by default all containers can read it. But if the containers write into a directory that has svirt_sandbox_file_t ownership, they write using their own category

    The category in the example above is c557,c611.

    The svirt_lxc_net_t is used to protect processes. According to the redhat solution here, it is used to:

    ... isolate the container processes from the host, and it generates a unique Multi-Category Security label to allow SELinux to prevent one container process from attacking other container processes and content.

Your access issue is most likely occurring because the selinux labels on the host filesystem are preventing access from within the container. For example, the selinux docs say:

By default, docker gets access to everything in /usr and most things in /etc.

So your options are to either:

  1. Manually relabel the files on the hosts system with system_u:object_r:svirt_sandbox_file_t. This is often not recommended for system files and directories as it can have unintended effects on the host.

  2. Run the container as an unconfined type. This will disable isolation for this container only while still continuing to enforce selinux on the host:

    docker run -it --security-opt label:disable alpine sh
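The following is an added example, not part of the answer above: a small POSIX shell script that pulls the ProcessLabel and MountLabel out of docker inspect output, splits an SELinux context into its user, role, type and MCS category parts, and applies the access rule the answer describes (svirt_lxc_net_t may reach svirt_sandbox_file_t files; where the file carries categories they must match the container's). The inspect text is a constructed sample of the output shown in the answer, so the script runs without docker or SELinux; the access rule is a simplified model of the policy for illustration, not the policy source. On a real host you would feed it `docker inspect <container>` and the file context from `ls -Z` or `stat -c %C`.

```shell
#!/bin/sh
# Added example: parse docker inspect labels and apply the simplified
# svirt_lxc_net_t -> svirt_sandbox_file_t access rule described in the answer.

# Constructed sample of the relevant part of `docker inspect <container>`.
SAMPLE_INSPECT='{
  "MountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c557,c611",
  "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c557,c611"
}'

# Extract the value of "ProcessLabel" or "MountLabel" from inspect JSON text.
# Usage: label_from_inspect <json text> <ProcessLabel|MountLabel>
label_from_inspect() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n1
}

# Return one colon-separated field of a context user:role:type:level:categories.
# Field 3 is the type (e.g. svirt_lxc_net_t), field 5 the MCS categories
# (e.g. c557,c611); field 5 is empty when the context has no categories.
# Usage: selinux_field <context> <field number>
selinux_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Simplified model of the rule in the answer: a container process of type
# svirt_lxc_net_t may access a file of type svirt_sandbox_file_t; a file with
# no categories is readable by every container, a file with categories only by
# the container holding the same categories; any other file type is denied.
# Usage: can_access <process context> <file context>   (exit 0 = allowed)
can_access() {
    ptype=$(selinux_field "$1" 3)
    ftype=$(selinux_field "$2" 3)
    [ "$ptype" = svirt_lxc_net_t ] || return 1
    [ "$ftype" = svirt_sandbox_file_t ] || return 1
    pcat=$(selinux_field "$1" 5)
    fcat=$(selinux_field "$2" 5)
    [ -z "$fcat" ] && return 0
    [ "$pcat" = "$fcat" ]
}

# Demonstration on the constructed sample: the container's own mount label,
# a shared sandbox file without categories, another container's file, and a
# plain host file (etc_t is a standard SELinux type, used here as a constructed
# stand-in for an unlabelled host path).
proc_ctx=$(label_from_inspect "$SAMPLE_INSPECT" ProcessLabel)
mount_ctx=$(label_from_inspect "$SAMPLE_INSPECT" MountLabel)
echo "process type: $(selinux_field "$proc_ctx" 3), categories: $(selinux_field "$proc_ctx" 5)"
for file_ctx in "$mount_ctx" \
                'system_u:object_r:svirt_sandbox_file_t:s0' \
                'system_u:object_r:svirt_sandbox_file_t:s0:c1,c2' \
                'system_u:object_r:etc_t:s0'; do
    if can_access "$proc_ctx" "$file_ctx"; then
        echo "allowed: $file_ctx"
    else
        echo "denied:  $file_ctx"
    fi
done
```

The denied cases are exactly the two situations the answer's options address: a host path that was never relabelled (option 1 relabels it to svirt_sandbox_file_t) and a path owned by a different container's category (option 2, `label:disable`, removes the container's confinement so the category check no longer applies to it).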