I have seen lots of SELinux bugs being reported where users are running a container that volume mounts the docker.sock into a container. The container then uses a docker client to do something with docker. While I appreciate that a lot of these containers probbaly need this access, I am not sure people realize that this is equivalent to giving the container full root outside of the contaienr on the host system. I just execute the following command and I have full root access on the host.
docker run -ti --privileged -v /:/host fedora chroot /host
SELinux definitely shows its power in this case by blocking the access. From a security point of view, we definitely want to block all confined containers from talking to the docker.sock. Sadly the other security mechanisms on by default in containers, do NOT block this access. If a process somehow breaks out of a container and get write to the docker.sock, your system is pwned on an SELinux disabled system. (User Namespace, if it is enabled, will also block this access also going forward).
If you have a run a container that talks to the docker.sock you need to turn off the SELinux protection. There are two ways to do this.
You can turn off all container security separation by using the --privileged flag. Since you are giving the container full access to your system from a security point of view, you probably should just do this.
docker run --privileged -v /run/docker.sock:/run/docker.sock POWERFULLCONTAINER
If you want to just disable SELinux you can do this by using the --security-opt label:disable flag.
docker run --security-opt label:disable -v /run/docker.sock:/run/docker.sock POWERFULLCONTAINER
Note in the future if you are using User Namespace and have this problem, a new flag --userns=host flag is being
developed, which will turn off user namespace within the container.
Dan Walsh's Blog
- Its a good thing SELinux blocks access to the docker socket.