libselinux is a liar!!!

    Date: 16 Sep 2015
    Category: SELinux
    Posted By: Dave Wreski

    On an SELinux enabled machine, why does getenforce in a Docker container say it is disabled? SELinux is not namespaced. This means that there is only one SELinux rules base for all containers on a system. When we attempt to confine containers we want to prevent them from writing to kernel file systems, which might be one mechanism for escape. One of those file systems would be /proc/fs/selinux, and we also want to control their access to things like the /proc/self/attr/* fields.

    By default Docker processes run as svirt_lxc_net_t and they are prevented from doing (almost) all SELinux operations. But processes within containers do not know that they are running within a container. SELinux aware applications are going to attempt to do SELinux operations, especially if they are running as root.
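    An added example (not code from the original post) of what an SELinux-aware program can do instead of trusting libselinux's "disabled" answer: read the selinuxfs enforce node and the process's own label directly and report whether the filesystem is missing, unreadable, or readable. It assumes selinuxfs is mounted at /sys/fs/selinux (the post names the older /proc/fs/selinux path); the path parameters and state names are choices made here so the logic can be exercised on a constructed directory tree.

```python
import os

# Constructed example: classify the SELinux view a process gets from the
# filesystem. libselinux reports "disabled" whenever selinuxfs is unreachable,
# which inside a confined container (svirt_lxc_net_t) is usually a lie.

def selinux_state(selinuxfs="/sys/fs/selinux"):
    """Return 'disabled-or-unmounted', 'denied', 'enforcing' or 'permissive'.
    `selinuxfs` is a parameter (assumption) so tests can point at a fake tree."""
    enforce_path = os.path.join(selinuxfs, "enforce")
    if not os.path.isfile(enforce_path):
        # No selinuxfs visible: SELinux really is off, or the runtime hid the
        # mount from us. This is the case libselinux reports as "disabled".
        return "disabled-or-unmounted"
    try:
        with open(enforce_path) as f:
            value = f.read().strip()
    except PermissionError:
        # selinuxfs is mounted but policy denies the read: the host almost
        # certainly has SELinux enabled and is confining this process.
        return "denied"
    return "enforcing" if value == "1" else "permissive"


def own_context(procfs="/proc"):
    """Return the caller's SELinux label from /proc/self/attr/current, or
    None if that node is absent or unreadable (e.g. denied by policy)."""
    try:
        with open(os.path.join(procfs, "self", "attr", "current")) as f:
            return f.read().strip("\x00\n") or None
    except OSError:
        return None


def report(selinuxfs="/sys/fs/selinux", procfs="/proc"):
    """Combine both signals into one human-readable line."""
    state = selinux_state(selinuxfs)
    label = own_context(procfs)
    if state == "disabled-or-unmounted" and label and "_t" in label:
        # A real type in our label while selinuxfs is missing means SELinux
        # is active on the host and the mount was simply hidden from us.
        state = "hidden-but-active"
    return "selinux=%s label=%s" % (state, label)


if __name__ == "__main__":
    print(report())
```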
