Docker Community Forums

Share and learn in the Docker community.

SELinux policy same for all docker process?


(Frank) #1

I’m trying to understand what the current use and policy is WRT docker . All that seems to be distro’ed is the docker.pp file and is not readable. You need the .te and .if files I believe.

The other thing that I’m not understanding is I thought folks/Docker told me you coudl have a differnt SELinux policy per container. But looking at how process start on the host I’m not sure how that can be done as all process share the same docker_t label:
example:
$ ps -eZ | grep docker_t
system_u:system_r:docker_t:s0 1375 ? 00:32:19 docker
system_u:system_r:docker_t:s0 40175 ? 00:01:23 exe
system_u:system_r:docker_t:s0 58652 ? 00:00:00 exe

and all the containers are forked/execed from the docker daemon and are docker-proxy process. They also seem to fork/exec from the daemon if say running a webserver the webserver process.

Now I have not done SELinux in a long time but from what I can recall and look up if process have the same SELinux label and name but running multiple instances the same policy allies to all no way to differentiate.
When doing something like micro services where each service does a very different thing it would be great to make a least privileged approach but does not seem to be possible.

I’m also struggling how this would work in a cloud very well with numerous and or containers being transient. Unless SELinux is very liberal.