So when I run my AlmaLinux container (where I disabled SELinux inside the container), it causes my Fedora host to set SELinux to permissive. This behavior seems odd to me. Has anyone faced similar issues and found a workaround? So far I haven't seen any negative effects, besides needing to reset SELinux to enforcing.
I don’t think you should configure anything related to SELinux inside a container. A container usually runs only one process in an environment isolated by kernel namespaces. SELinux is a kernel security module and containers are not virtual machines, so you have only one kernel, the kernel of the host.
So when I disabled SELinux inside the Alma init system, it changed it for my host too?
The only reason is that if I keep it enabled, the container can't find the policy.33 file (which is my Fedora policy) and systemd-gpt-auto-generator fails with exit status 1. This occurs since SELinux stops it. UBI 8 and CentOS 7 systemd had no issues; I don't understand why Alma is trying to mess with my host. Is there a way to stop the container from doing this, or can I create an SELinux exception for this container?
Also, a side question: CentOS 7 has no issues, but both Alma and UBI 8 fail to connect to the display on anything that's not the host network (i.e. --net=host). I'm using the container with the host network right now; is that insecure? I already passed XAUTHORITY, DISPLAY, XDG_RUNTIME_DIR and the X11 socket in the tmp folder as well (CentOS 7 works fine in this regard).
Basically, I'm using Docker to have access to RHEL libraries for certain applications, and I am using the NVIDIA runtime for CUDA support and hardware acceleration. I am using the Docker CE version, not moby-engine.
Unfortunately I mostly work with Debian-based systems, so I have less experience with CentOS and Fedora. As I mentioned, I would not do anything in a container that tries to change any kernel parameter or module for the container only, since you have only one kernel. You can use a container to run a script that can change the parameters for the host.
I don't know why only some distributions break your SELinux on the host. Maybe because different distributions have different libraries sending different syscalls to the kernel.
For example, you can run systemd in a container, but running systemd inside a container can break the GUI on your host if that containerized systemd is not configured properly for containers. Systemd is also very close to the kernel, as it is the first process on top of it.
If you need help to configure SELinux properly, I am afraid you need to wait for someone else.
Is running any process on your host insecure? If you just share the network namespace between the host and the container, that allows the process to listen on the host's IP addresses. If you know what ports the app is listening on, you can configure a firewall if you need to. It depends on what the application is, what it is for and what your infrastructure is.
I guess X11 can be configured differently on different distributions, but I rarely need to configure it in containers, although I have done it, but I don't remember what I have done exactly. If you need help with that, I think it would be better to open a new topic and leave a link here, so that the conversation would not be lost in an SELinux-related topic and someone may notice the title of the topic and help you faster.
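As an added example (not code from either participant in this thread), here is a host-side check for the two points raised above: the "one kernel" point, where a container that is not confined can alter the host's SELinux mode, and the host-network question. It reads the host's enforcement state from /sys/fs/selinux/enforce and flags containers whose `docker inspect` HostConfig is privileged, carries `label=disable`, or shares the host network. The inspect output embedded below is constructed, and the assumption that the affected container was started with elevated privileges is mine; the thread does not say how it was run.

```python
import json

# Constructed sample of `docker inspect <container>...` output (not captured
# from the poster's host); only the fields the check reads are included.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/alma-gui",
     "HostConfig": {"Privileged": True, "SecurityOpt": None, "NetworkMode": "host"}},
    {"Name": "/centos7-gui",
     "HostConfig": {"Privileged": False, "SecurityOpt": ["label=disable"], "NetworkMode": "bridge"}},
    {"Name": "/quiet",
     "HostConfig": {"Privileged": False, "SecurityOpt": None, "NetworkMode": "bridge"}},
])


def selinux_mode(enforce_text):
    """Map the content of /sys/fs/selinux/enforce ('1' or '0') to a mode name."""
    value = enforce_text.strip()
    if value == "1":
        return "enforcing"
    if value == "0":
        return "permissive"
    raise ValueError(f"unexpected enforce value: {value!r}")


def read_host_mode(path="/sys/fs/selinux/enforce"):
    """Read the live enforcement mode on the host (raises if SELinux is absent)."""
    with open(path) as f:
        return selinux_mode(f.read())


def risky_containers(inspect_json):
    """Return {name: [reasons]} for containers whose HostConfig lets their
    processes reach past their own namespaces into the shared host kernel."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged: kernel interfaces such as selinuxfs are reachable")
        if "label=disable" in (hc.get("SecurityOpt") or []):
            reasons.append("label=disable: process runs without SELinux confinement")
        if hc.get("NetworkMode") == "host":
            reasons.append("host network: services bind on the host's IP addresses")
        if reasons:
            findings[c["Name"].lstrip("/")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in risky_containers(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(reasons))
```

On a real host, feed it `docker inspect $(docker ps -q)` and compare `read_host_mode()` before and after starting the container to confirm whether the mode drift coincides with that container.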