SELinux docker run --permissive or --privileged?


So does the –permissive reference by docker run refer to SELinux or to the --privileged option?

The documentation for docker run mentions a –permissive option when discussing SELinux support. Since this option was mentioned within the context of docker run, without additional background explaining its usage, I thought it might be an option for either docker run or perhaps Docker Engine. However, specifying this option for either process in version 1.12 causes both to issue a message indicating the lack of its support.

I then thought –permissive might refer to an SELinux command line parameter to either globally or at a domain level disable strict enforcement of SELinux policies which allows and records their violation. However, none of the SELinux utilities like setenforce or semanage accepts –permissive, although setenforce and semanage do respectively accept ‘Permissive’ or ‘permissive’ .

Given the observations above, it seems that –permissive refers:

  • to the ‘Permissive’ or ‘permissive’ options of setenforce or semanage
  • perhaps the –privileged option of docker run. Since this option disables? (haven’t confirmed) SELinux for the running container while disabling other Docker applied security strategies like seccomp/apparmor it, behaves like an analog for SELunix permissive mode, which allows violations to occur and whose effects are also broadly applied, in this situation, beyond the scope of a given container. After introducing this permissive notion, the docker run documentation implicitly contrasts this extended/broad behavior to the focused behavior of –security-opt label=disable, that limits its effect to the specific container’s SELinux security settings recommending this approach instead of the one denoted by –permissive.

Update: 8/29/2016:

The documentation for docker run has been changed by replacing –permissive with –privileged.