Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides mechanisms to support access control security policies, including mandatory access control (MAC). Containers can run on SELinux-enabled hosts.

If you want to run containers under SELinux, run them on CentOS or Red Hat Enterprise Linux. These operating systems have the best support for SELinux and ship the corresponding policy modules.

I have been researching SELinux in depth recently for use in a highly regulated environment, and I am trying to explain how SELinux works with containers and how to get started.

SELinux for containers

The SELinux policy for containers is defined by the container-selinux package. Docker CE depends on this package (and its dependencies) so that the processes and files Docker creates run with limited access to the system. Containers make use of the container_t label, which is simply an alias of svirt_lxc_net_t, and of the container_file_t label with its alias svirt_sandbox_file_t.

By default, containers run with the container_t label, which allows reading and executing most of /usr and reading most of /etc. Files under /var/lib/docker and /var/lib/containers carry the label container_var_lib_t:

ls -Z /var/lib/docker
# drwx------. root root system_u:object_r:container_var_lib_t:s0 builder
# drwx--x--x. root root system_u:object_r:container_var_lib_t:s0 buildkit
# drwx------. root root system_u:object_r:container_var_lib_t:s0 containers
# drwx------. root root system_u:object_r:container_var_lib_t:s0 image
# drwx------. root root system_u:object_r:container_var_lib_t:s0 lost+found
# drwxr-x---. root root system_u:object_r:container_var_lib_t:s0 network
# drwx------. root root system_u:object_r:container_share_t:s0 overlay2
# drwx------. root root system_u:object_r:container_var_lib_t:s0 plugins
# drwx------. root root system_u:object_r:container_var_lib_t:s0 runtimes
# drwx------. root root system_u:object_r:container_var_lib_t:s0 swarm
# drwx------. root root system_u:object_r:container_var_lib_t:s0 tmp
# drwx------. root root system_u:object_r:container_var_lib_t:s0 trust
# drwx------. root root system_u:object_r:container_var_lib_t:s0 volumes
ls -Z /etc/docker
# dr--r--r--. root root unconfined_u:object_r:cert_t:s0 certs.d
# -rw-r--r--. root root system_u:object_r:container_config_t:s0 daemon.json
# -rw-------. root root system_u:object_r:container_config_t:s0 key.json

Containers are denied access to these directories, since access would let a container interfere with the container engine. By default, the SELinux policy also prevents a container from reading protected host files that are mounted into it:

docker run -it \
  -v /var/lib/docker/image/overlay2/repositories.json:/host/repositories.json \
  centos:7 cat /host/repositories.json
# cat: /host/repositories.json: Permission denied

docker run -it \
  -v /etc/passwd:/host/etc/passwd \
  centos:7 cat /host/etc/passwd
# cat: /host/etc/passwd: Permission denied

Files labeled container_file_t are the only files a container can write. If you want a volume mount to be writable, append :z or :Z to the mount specification. Their behavior differs, so be careful which one you use. Let's start with :z:

ls -Z /var/lib/misc
# -rw-r--r--. root root system_u:object_r:var_lib_t:s0 postfix.aliasesdb-stamp

docker run -it \
  -v /var/lib/misc:/host/var/lib/misc:z \
  centos:7 echo "Relabeled!"

ls -Z /var/lib/misc
# -rw-r--r--. root root system_u:object_r:container_file_t:s0 postfix.aliasesdb-stamp

If you want to mount a folder so that only this one container can access it, for example for your log daemon, use :Z instead of :z.

docker run -it \
  -v /var/log:/host/var/log:Z \
  fluentbit:latest
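The label and relabel rules described above (container_t may only write container_file_t; :z gives a shared label, :Z a per-container one) are easy to get wrong from the command line. The following POSIX sh helpers are an added example, not code from the original post: they parse SELinux context strings, classify a -v mount spec by its relabel option, and refuse to relabel host trees the container engine and system services depend on. The ls -Z lines in SAMPLE_LS_Z are constructed, and the function names and the protected-path list are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: inspect SELinux file
# contexts and Docker volume relabel options before starting a container.
# SAMPLE_LS_Z is constructed to mirror the `ls -Z` output shown above;
# the function names and the protected-path list are this example's own.

# Third field of a context string is the type, e.g. container_file_t.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Fourth field onward is the MCS level: s0 for a shared label,
# s0:cNNN,cNNN for a per-container (private) label created by :Z.
selinux_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# A container_t process may write only container_file_t (alias
# svirt_sandbox_file_t); every other type on the host is off limits.
container_writable() {
    case "$(selinux_type "$1")" in
        container_file_t|svirt_sandbox_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a `-v src:dst[:opts]` spec by its relabel option. Prints
# none    - no relabel requested, access is denied as shown above
# shared  - :z, label becomes container_file_t:s0, visible to every container
# private - :Z, label additionally gets this container's MCS categories
volume_relabel_mode() {
    opts=""
    case "$1" in
        *:*:*) opts=${1#*:*:} ;;   # everything after the second colon
    esac
    mode=none
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in
            z) mode=shared ;;
            Z) mode=private ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$mode"
}

# Relabelling changes the label on the host permanently. Refuse to request
# it for trees the host's own services and the container engine rely on.
relabel_source_ok() {
    case "$1" in
        /etc|/etc/*|/usr|/usr/*) return 1 ;;
        /var/lib/docker|/var/lib/docker/*) return 1 ;;
        /var/lib/containers|/var/lib/containers/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample in the shape of `ls -Z` output.
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:var_lib_t:s0 postfix.aliasesdb-stamp
-rw-r--r--. root root system_u:object_r:container_file_t:s0 shared.db
-rw-r--r--. root root system_u:object_r:container_file_t:s0:c104,c512 private.log'

# One line per file: name, type, level and whether container_t may write it.
# Pass real `ls -Z` output as $1, or omit it to use the sample.
report_labels() {
    printf '%s\n' "${1:-$SAMPLE_LS_Z}" | while read -r perms user group ctx name; do
        if container_writable "$ctx"; then w=yes; else w=no; fi
        printf '%s type=%s level=%s container-writable=%s\n' \
            "$name" "$(selinux_type "$ctx")" "$(selinux_level "$ctx")" "$w"
    done
}

# Usage: report_labels "$(ls -Z /var/lib/misc)"
#        volume_relabel_mode '/var/log:/host/var/log:Z'
#        relabel_source_ok /etc/passwd || echo "refusing to relabel a host tree"
```

The level field is what tells the two relabel modes apart after the fact: a :z mount leaves s0, a :Z mount adds a category pair such as s0:c104,c512 that only the container launched with those categories can use.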

How to enable SELinux for containers

Enabling SELinux for containers is only supported on CentOS and Red Hat Enterprise Linux.

  1. Enable SELinux on the host operating system
  2. Install Docker CE together with the container-selinux package
  3. Enable the container cgroup Boolean: setsebool container_manage_cgroup 1
  4. Add "selinux-enabled": true to /etc/docker/daemon.json
  5. systemctl daemon-reload && systemctl restart docker
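After working through the five steps it is worth verifying each one rather than trusting that the restart took effect. The script below is an added example, not part of the original post. Each step has a small parser that takes the text of a command's output, so the logic can be exercised offline on constructed samples; preflight_check is the only function that runs the real commands (getenforce, rpm -q, getsebool, docker info), and it assumes their usual output formats.

```shell
#!/bin/sh
# Added example, not from the original post: verify the five enablement
# steps. Parsers take command output as text so they run offline on the
# constructed samples; preflight_check runs the real commands on a host.
# Assumed output formats: getenforce, rpm -q, getsebool and `docker info`.

# Step 1: getenforce prints Enforcing, Permissive or Disabled.
selinux_enforcing() {
    [ "$1" = Enforcing ]
}

# Step 2: rpm -q container-selinux prints the package NVR when installed,
# otherwise "package container-selinux is not installed".
container_selinux_installed() {
    case "$1" in
        container-selinux-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3: getsebool container_manage_cgroup prints "<name> --> on|off".
cgroup_boolean_on() {
    [ "$1" = "container_manage_cgroup --> on" ]
}

# Step 4: /etc/docker/daemon.json must carry "selinux-enabled": true
# (whitespace around the colon is tolerated).
daemon_json_selinux_enabled() {
    printf '%s\n' "$1" | grep -Eq '"selinux-enabled"[[:space:]]*:[[:space:]]*true'
}

# Step 5: after the restart, `docker info` lists selinux as one of the
# indented entries under "Security Options:".
docker_info_selinux() {
    printf '%s\n' "$1" | awk '
        /^ *Security Options:/   { insec = 1; next }
        /^ ?[^ ]/                { insec = 0 }       # back at a top-level key
        insec && $1 == "selinux" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample in the shape of the relevant part of `docker info`.
SAMPLE_DOCKER_INFO=' Security Options:
  seccomp
   Profile: default
  selinux
 Kernel Version: 0.0.0-placeholder'

# Run the real checks on a live host: one line per step, non-zero if any fails.
preflight_check() {
    rc=0
    if command -v getenforce >/dev/null 2>&1 && selinux_enforcing "$(getenforce)"; then
        echo "ok   1: SELinux is enforcing"
    else
        echo "FAIL 1: SELinux is not enforcing (or not present)"; rc=1
    fi
    if container_selinux_installed "$(rpm -q container-selinux 2>/dev/null)"; then
        echo "ok   2: container-selinux is installed"
    else
        echo "FAIL 2: container-selinux package is missing"; rc=1
    fi
    if cgroup_boolean_on "$(getsebool container_manage_cgroup 2>/dev/null)"; then
        echo "ok   3: container_manage_cgroup is on"
    else
        echo "FAIL 3: run setsebool container_manage_cgroup 1"; rc=1
    fi
    if [ -r /etc/docker/daemon.json ] && daemon_json_selinux_enabled "$(cat /etc/docker/daemon.json)"; then
        echo "ok   4: daemon.json has selinux-enabled: true"
    else
        echo "FAIL 4: add \"selinux-enabled\": true to /etc/docker/daemon.json"; rc=1
    fi
    if docker_info_selinux "$(docker info 2>/dev/null)"; then
        echo "ok   5: docker reports selinux under Security Options"
    else
        echo "FAIL 5: restart docker and re-check docker info"; rc=1
    fi
    return $rc
}

# Usage on a host: preflight_check
```

Step 5 is the one that catches a daemon.json edit that was never picked up: the daemon only reports selinux under Security Options once it has been restarted with the new configuration.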

Container SELinux can be difficult to work with and may interfere with Kubernetes CNI drivers, CSI drivers, and some ingress controllers. Common things to check are access to privileged ports and access to files on the host.
