I have a program running inside a Docker container that loads an .so file which alters the behaviour of the program through hooking and memory manipulation. This behaviour is blocked by SELinux with the following message in the audit log:
type=AVC msg=audit(1548166862.066:2419): avc: denied { execheap } for pid=11171 comm="myProgram" scontext=system_u:system_r:container_t:s0:c426,c629 tcontext=system_u:system_r:container_t:s0:c426,c629 tclass=process permissive=0
I am extremely hesitant to just run this through audit2allow, as I do not want to allow this specific behaviour anywhere else (as that would be quite risky).
- How can I tell SELinux to allow this specific behaviour in the safest manner possible?
- Can I do this in a way that allows me to spawn more Docker containers running the same program in the future?
Best Answer
audit2allow likely generates a rule to allow execheap for the container_t type process. You can always first generate the module and inspect it before you load it. A possible problem is that now any process with the container_t type is allowed the same operation. To avoid this, you possibly need to create your own custom type (using container_t as a template) and only allow execheap for this special type.

This blog post by Dan Walsh explains how to write such a custom policy. You can also combine this with audit2allow to generate the actual rules. The essential steps are:

- Create a basic container policy, for example container_execheap. The virt_sandbox_domain_template macro creates the new type container_execheap_t and creates the necessary rules for Docker operation so that the new type can be used as a container domain.
- Compile and load the policy module (the necessary development files, including the makefile, should be provided by the selinux-policy-devel package).
- The new type can be configured to be a permissive domain. For permissive domains, AVC denials are logged but rules are not enforced. This way it is easy to generate the missing rules later using audit2allow.
- Run your container in this new context, something like docker run ... --security-opt label:type:container_execheap_t ...
- Generate the expected errors. Then run audit2allow to generate rules allowing those operations for container_execheap_t. You can update the same module .te file (remember to bump up the version number) with the new rules. Compile and install the updated module.
- When no more errors are generated, put the custom container type back into enforcing mode with semanage permissive -d container_execheap_t.
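The steps above, gathered into one script as an added example (not the answer's own files): it writes the policy source for the container_execheap module, builds and installs it, starts the new domain permissive, and turns it back to enforcing. The module and type names follow the answer; the Makefile path is the standard one shipped by selinux-policy-devel, and the comm value myProgram comes from the audit line in the question.

```shell
#!/bin/sh
# Constructed example: custom container domain that permits execheap only for
# itself, leaving the stock container_t type unchanged.
MODULE=container_execheap

# Step 1: policy source. virt_sandbox_domain_template() derives a new container
# domain with the rules Docker needs; the single extra rule is execheap on self,
# matching the denial (tclass=process, scontext == tcontext).
write_policy() {
    cat > "${1:-$MODULE.te}" <<'EOF'
policy_module(container_execheap, 1.0)

# New domain container_execheap_t, built from the same template as container_t.
virt_sandbox_domain_template(container_execheap)

# The only addition over container_t: allow an executable heap.
allow container_execheap_t self:process execheap;
EOF
}

# Steps 2 and 3: compile, install, and make the domain permissive so that any
# further denials are logged but not enforced.
build_and_install() {
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    semanage permissive -a "${MODULE}_t"
}

# Step 4: start a container in the new domain (remaining docker args passed through).
run_container() {
    docker run --security-opt label:type:"${MODULE}_t" "$@"
}

# Step 5: turn denials logged for the program into candidate allow rules to merge
# into the .te file (bump the version before rebuilding).
suggest_rules() {
    ausearch -m avc -c myProgram | audit2allow
}

# Step 6: once no new denials appear, enforce the domain again.
enforce() {
    semanage permissive -d "${MODULE}_t"
}

case "${1:-}" in
    apply)   write_policy && build_and_install ;;
    rules)   suggest_rules ;;
    enforce) enforce ;;
esac
```

Run it as `sh build.sh apply` on the Docker host, start the container with `run_container`, then `sh build.sh rules` and finally `sh build.sh enforce` once the denials stop.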