Foreword

This post covers how to configure Docker securely in an environment where SELinux is enabled, together with fixes for the common errors that come up. The approach is not a blind chmod -R 777, --privileged=true or setenforce 0, but a deliberate use of the SELinux security policy.

Error

When a host directory is bind-mounted into the container, a call made inside the container fails with a permission error.

Read/write mount snippet

docker run -d --rm --cap-add=SYS_PTRACE -v $SHELL_FOLDER/../builds/webserver-straced/output_h:/output_c:rw elephdev/web-straced:1.0
ENTRYPOINT ["strace", "-ff", "-o", "/output_c/webserver-strace-out","/docker-entrypoint.sh"]

Error

xxx: Can't Open xxxx Permission denied

Solution

For many people who have not worked with the SELinux mechanism in depth, turning SELinux off or starting the container in privileged mode will sidestep this problem.

I will not go into the SELinux security context itself here.

The Docker-style solution: change the SELinux security context of the directory that needs to be mounted into the container

chcon -Rt svirt_sandbox_file_t $SHELL_FOLDER/../builds/webserver-straced/output_h

SELinux extends the libvirt sVirt model to Docker: the Docker SELinux role and the Docker SELinux type are derived from libvirt's. For example, by default Docker can access /usr/var/ and some other locations, but it has full access only to content labelled svirt_sandbox_file_t.
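As an added example (not from the original post), the following shell functions check a directory's existing SELinux label before relabelling it with the chcon command above, so the relabel only happens when it is actually needed and the decision is logged; the function names are my own, it relies on GNU stat's %C format, and it accepts container_file_t as well as svirt_sandbox_file_t because current container-selinux keeps the latter as an alias of the former.

```shell
#!/bin/sh
# Added example: preflight check for a bind-mount directory before chcon.
# Function names are hypothetical (not part of the original post).

# Extract the SELinux type (third colon-separated field) from a full
# security context such as "unconfined_u:object_r:admin_home_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 (true) when the context's type is one a confined container may
# read and write: container_file_t is the current name, svirt_sandbox_file_t
# the legacy alias used by the post's chcon command.
label_allows_container() {
    case "$(context_type "$1")" in
        svirt_sandbox_file_t|container_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a directory's context with GNU stat; prints "?" on hosts without
# SELinux and nothing at all where stat lacks -c (errors are silenced).
dir_context() {
    stat -c %C "$1" 2>/dev/null
}

# Relabel only when the directory is not already container-accessible.
# Returns 0 when the label is fine (or was fixed), 2 when no SELinux
# context could be read, or chcon's own status on failure.
relabel_for_container() {
    dir="$1"
    ctx="$(dir_context "$dir")"
    if [ -z "$ctx" ] || [ "$ctx" = "?" ]; then
        echo "no SELinux context for $dir (SELinux disabled or unsupported)"
        return 2
    fi
    if label_allows_container "$ctx"; then
        echo "$dir already labelled $(context_type "$ctx"), nothing to do"
        return 0
    fi
    echo "relabelling $dir: $(context_type "$ctx") -> svirt_sandbox_file_t"
    chcon -Rt svirt_sandbox_file_t "$dir"
}

# Usage with the post's own mount directory:
# relabel_for_container "$SHELL_FOLDER/../builds/webserver-straced/output_h"
```

Docker's `:z` / `:Z` volume options apply this relabel automatically at mount time; the check above is for the post's approach of labelling the host directory ahead of time.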
