How to allow access to a particular X unix socket for a particular docker container with SELinux enabled?
I prefer a solution with a setup of docker run --security-opt
.
On fedora 25, I found the docker daemon running with--selinux-enabled
per default.
Access to shared files from host with --volume
is denied. Access can be allowed setting the flag z
. Example: --volume $HOME:$HOME:rw,z
. This works for regular files so far.
Compare atomic blog: Using Volumes with Docker can Cause Problems with SELinux
The z
flag is not enough to allow connections to an X unix socket.
Solutions found so far:
- disabling SELinux restrictions for the particular container with docker run option
--security-opt label=disable
. Pro: This is easy, works fine, and I don't need to change SELinux policies on host. Contra: SELinux protections for this one container are disabled at all. (So far, the best solution) - Setting docker run option
--ipc=host
. Pro: simple, works, SELinux stays enabled, no policy changes needed. Contra: Disables IPC namespacing, thus opening another security issue and reducing container isolation. - Creating a SELinux policy with suggested
ausearch -c 'xfce4-about' --raw | audit2allow -M my-xfce4about
. The created module is cited below. Pro: It works. Contra: All containers have access to all X unix sockets forever, and I have to change SELinux policies. (So far, the worst solution).
I am searching for a solution fulfilling this criteria:
- Allow one particular container access to one particular X unix socket. (Multiple applications in same container are possible).
- Do not change SELinux policy on host.
Acceptable minor solutions I can imagine:
- changing file attributes of particular X unix socket to allow arbitrary container access.
- allowing arbitrary X sockets, but only to one particular container.
I hope for a solution that can be done with docker run --security-opt
.
Module suggested by SELinux:
module my-xfce4about 1.0;
require {
type container_t;
type xserver_t;
class unix_stream_socket connectto;
}
#============= container_t ==============
#!!!! The file '/tmp/.X11-unix/X0' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /tmp/.X11-unix/X0
allow container_t xserver_t:unix_stream_socket connectto;
AVC example:
A container application (here: xfce4-about
) tries to access an X unix socket /tmp/.X11-unix/X100
. The socket file is shared with --volume=/tmp/.X11-unix/X100:/tmp/.X11-unix/X100:rw,z
. I get this SELinux warning:
SELinux is preventing xfce4-about from connectto access on
the unix_stream_socket /tmp/.X11-unix/X100.
***** Plugin catchall (100. confidence) suggests **************************
If sie denken, dass es xfce4-about standardmäßig erlaubt sein sollte,
connectto Zugriff auf X100 unix_stream_socket zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do allow this access for now by executing:
# ausearch -c 'xfce4-about' --raw | audit2allow -M my-xfce4about
# semodule -X 300 -i my-xfce4about.pp
Additional Information:
Source Context system_u:system_r:container_t:s0:c231,c522
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023
Target Objects /tmp/.X11-unix/X100 [ unix_stream_socket ]
Source xfce4-about
Source Path xfce4-about
Port <Unbekannt>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.19.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
4.11.12-200.fc25.x86_64 #1 SMP Fri Jul 21 16:41:43
UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-08-17 20:08:13 CEST
Last Seen 2017-08-17 20:08:13 CEST
Local ID b73182b3-ce4f-4507-a821-ad12ae2bc690
Raw Audit Messages
type=AVC msg=audit(1502993293.76:374): avc: denied { connectto } for pid=5435
comm="xfce4-about" path="/tmp/.X11-unix/X100"
scontext=system_u:system_r:container_t:s0:c231,c522
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket permissive=0
Hash: xfce4-about,container_t,unconfined_t,unix_stream_socket,connectto
Best Answer
I found a partial solution: docker run option
--security-opt label=type:container_runtime_t
allows access to X unix sockets. It is not needed to disable SELinux in container at all.From what I understand in the docker policy source, label
container_runtime_t
allows a lot of privileges, much more than intended.I still hope for a more restrictive solution.