SELinux and Containers

Next week at the Red Hat summit, I have a short session to talk about SELinux and Containers.  I am constantly reminded in bugzilla about how great the combination is.  

It truly is like Peanut Butter and Jelly.  

Sadly, people are still surprised when it blocks access.  For example I got a bugzilla recently that talked about containers not working on Fedora.  The avc was

type=AVC msg=audit(1524873307.948:1814): avc:  denied  { connectto } for  pid=28746 comm="boinc" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:container_t:s0:c420,c759 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

This AVC shows SELinux blocking the container process from connecting to the Xserver. We definitely do not want to allow containers to connect to the Xserver.  SELinux is doing precisely what it is designed to do.

Allowing a process to connect to the XServer would allow it to screen scrape all of you data on the desktop, it would also allow it to fool humans into typing passwords.  It would also allow it to grab all data in the cut and paste buffer. Especially things like passwords.

I can imagine that this works fine on other platforms with SELinux disabled. 

I often say SELinux is the best tool for protecting the file system from container break out, and in this case it prevents a container that has broken out from communicating with other services on the system via unix domain sockets.  SELinux examines both ends of communications on fifos and domain sockets and will prevent it from fooling privileged services.  No other security prevents this communication.

But what if I want to allow this communication?

If you want to run trusted applications to connect to the desktop then you need to disable SELinux.

The way you do this with podman is

podman run --security-opt label=disable ...

Or with Docker

docker run --security-opt label=disable ...


Error

Anonymous comments are disabled in this journal

default userpic

Your reply will be screened