Skip to content
This repository has been archived by the owner on Oct 16, 2020. It is now read-only.

SELinux doesn't contain Docker containers #972

Closed
tjdett opened this issue Nov 11, 2015 · 1 comment
Closed

SELinux doesn't contain Docker containers #972

tjdett opened this issue Nov 11, 2015 · 1 comment

Comments

@tjdett
Copy link

tjdett commented Nov 11, 2015

On a clean 845.0, following:

rm /etc/audit/rules.d/80-selinux.rules
rm /etc/audit/rules.d/99-default.rules
rm /var/lib/selinux; cp -a /usr/lib/selinux/policy /var/lib/selinux
rm /etc/selinux/mcs; cp -a /usr/lib/selinux/mcs /etc/selinux/
semodule -DB
systemctl restart audit-rules
setenforce 1
systemctl restart docker

Docker runs as kernel_t:

$ ps -efZ | grep docker
system_u:system_r:kernel_t:s0   root      1792     1  0 04:04 ?        00:00:00 docker daemon --host=fd://

and as a result Docker containers are unrestricted in their access to the filesystem:

$ getenforce && docker run -ti --rm -v /etc:/mnt/etc alpine:3.2 sh -c "echo foo > /mnt/etc/test" && cat /etc/test
Enforcing
foo
@crawford
Copy link
Contributor

Looks like a duplicate of #961.

@kh34 kh34 mentioned this issue May 4, 2018
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@crawford @tjdett