SPC stands for Super Privileged Container, which are containers that contain software used to manage the host system that the container will be running on. Since these containers could do anything on the system and we don't want SELinux blocking any access we made spc_t an unconfined domain.
If you are on an SELinux system, and run docker with SELinux separation turned off, the containers will run with the spc_t type.
You can disable SELinux container separation in docker in multiple different ways.
- You don't build docker from scratch with the BUILDTAG=selinux flag.
- You run the docker daemon without --selinux-enabled flag
- You run a container with the --security-opt label:disable flag
- You share the PID namespace or IPC namespace with the host
Note: we have to disable SELinux separation in ipc=host and pid=host because it would block access to processes or the IPC mechanisms on the host.
Why not use unconfined_t?
The question comes up is why not just run as unconfined_t? A lot of people falsely assume that unconfined_t is the only unconfined domains. But unconfined_t is a user domain. We block most confined domains from communicating with the unconfined_t domain, since this is probably the domain that the administrator is running with.
What is different about spc_t?
First off the type docker runs as (docker_t) can transition to spc_t, it is not allowed to transition to unconfined_t. It transitions to this domain, when it executes programs located under /var/lib/docker
# sesearch -T -s docker_t | grep spc_t
type_transition container_t docker_share_t : process spc_t;
type_transition container_t docker_var_lib_t : process spc_t;
type_transition container_t svirt_sandbox_file_t : process spc_t;
Secondly and most importantly confined domains are allowed to connect to unix domain sockets running as spc_t.
This means I could run as service as a container process and have it create a socket on /run on the host system and other confined domains on the host could communicate with the service.
For example if you wanted to create a container that runs sssd, and wanted to allow confined domains to be able to get passwd information from it, you could run it as spc_t and the confined login programs would be able to use it.
Some times you can create an unconfined domain that you want to allow one or more confined domains to communicate with. In this situation it is usually better to create a new domain, rather then reusing unconfined_t.