Container Domains (Types)
One of the things people have always had a hard time understanding about SELinux is the role of its different types. In this blog post I am going to discuss container domains.
Recently someone asked me about specifying types to run containers inside of Kubernetes. Basically he wanted to run a locked-down container that could read and write content inside of /var/log. He saw that the content in /var/log was labeled var_log_t, and assumed that if he ran the container as var_log_t it would be able to manage content with that label.
This is not a crazy assumption: after all, in DAC, if a file is owned by the user dwalsh, processes owned by dwalsh are usually able to read and write it (if the permission flags allow it). But SELinux type enforcement works differently. CRI-O failed to execute the container process for Kubernetes, and an AVC was generated that looked like:
type=AVC msg=audit(1558135492.958:247182): avc: denied { transition } for pid=22423 comm="runc:[2:INIT]" path="/usr/bin/pod" dev="sda1" ino=570425443 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=process permissive=0
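To see why that denial says what it says, here is a small added example (not code from the post) that parses AVC records like the one above and flags the specific mistake: a denied process transition into a type whose context carries the object_r role, which is the role SELinux assigns to files and other objects rather than to process domains. The second sample record is constructed for contrast; the role check is a heuristic, and the authoritative answer for a given policy comes from listing its domain attribute with seinfo.

```python
import re

# Constructed samples: the first is the AVC record quoted in the post, the second is
# a made-up ordinary file-write denial that should NOT trigger the domain diagnostic.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1558135492.958:247182): avc: denied { transition } for pid=22423 '
    'comm="runc:[2:INIT]" path="/usr/bin/pod" dev="sda1" ino=570425443 '
    'scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:var_log_t:s0 '
    'tclass=process permissive=0',
    'type=AVC msg=audit(1558135500.100:247190): avc: denied { write } for pid=22500 '
    'comm="sh" name="messages" dev="sda1" ino=12345 '
    'scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_log_t:s0 '
    'tclass=file permissive=0',
]

# Pull out the result, the permission set, and the three fields that decide a policy check.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict with result, perms (list), scontext, tcontext, tclass, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain colons."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) > 3 else ""}


def diagnose(line):
    """Explain a denial; call out a transition into an object type, which can never succeed."""
    rec = parse_avc(line)
    if rec is None:
        return None
    src, tgt = split_context(rec["scontext"]), split_context(rec["tcontext"])
    if rec["tclass"] == "process" and "transition" in rec["perms"] and tgt["role"] == "object_r":
        return (f"{tgt['type']} is an object (file) type, not a process domain: "
                f"{src['type']} cannot transition a process into it")
    return (f"{rec['result']} {' '.join(rec['perms'])} from {src['type']} "
            f"to {tgt['type']} (class {rec['tclass']})")


if __name__ == "__main__":
    for avc in SAMPLE_AVCS:
        print(diagnose(avc))
```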