What is the default boot2docker selinux configuration?

I’m having some difficult-to-pin-down permissions issues, and I want to rule out selinux as the problem.

I’m using the latest docker client/boot2docker images with centos:centos7 base image, along with selenium, firefox, and wildfly.

I’ve found documentation here: https://access.redhat.com/articles/1353593 and here: http://www.projectatomic.io/docs/docker-and-selinux/ that suggests that selinux is present in some form, in RHEL flavors or maybe all flavors. Not sure.

This snippet from the first link pointed me down this road:

“You might notice that SELinux appears to be disabled inside the container even though it is running in enforcing mode on host system – you can verify this by executing the getenforce command on host and in the container. This is to prevent utilities that have SELinux awareness, such as setenforce, to perform any SELinux activity inside the container. Note that if SELinux is disabled or running in permissive mode on the host machine, containers are not separated securely enough.”

I see no evidence that selinux is enabled or even installed in boot2docker, and I don’t know how busybox relates to selinux.

For example, on the boot2docker VM (i.e. after boot2docker ssh), ps -eZ returns no labels at all. None of the standard selinux utilities are installed. No /selinux is mounted.

What is the intended/actual selinux configuration in boot2docker?

@tianon could you comment? I don’t think SELinux is enabled in the boot2docker ISO.

We definitely don’t have SELinux enabled in boot2docker. 🙂


OK, excellent – thank you.

Does that imply in all cases that selinux will not function inside a running container in the boot2docker VM, even with --selinux-enabled=true?
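As an added example (not part of the thread or of boot2docker itself), the following POSIX shell script performs the host-side checks discussed above: it reports whether selinuxfs is present and in which mode, so the answer does not depend on what a container shows, and it parses a `docker info` dump for the daemon's security options, which is where `--selinux-enabled` becomes visible. The `docker info` text at the bottom is constructed sample input, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: rule SELinux in or out from the host.

# Report SELinux state from a root filesystem (default: the running host).
# selinuxfs lives at /sys/fs/selinux on current kernels and at /selinux on
# older ones (the mount the question looked for). Reading enforce from the
# host matters because, as the Red Hat note says, a container reports
# "disabled" even when the host is enforcing.
selinux_host_state() {
    root="${1:-}"
    for dir in "$root/sys/fs/selinux" "$root/selinux"; do
        if [ -r "$dir/enforce" ]; then
            case "$(cat "$dir/enforce")" in
                1) echo enforcing ;;
                0) echo permissive ;;
                *) echo unknown ;;
            esac
            return 0
        fi
    done
    # No selinuxfs: distinguish a policy-configured "disabled" from a system
    # (such as the boot2docker ISO) that ships no SELinux at all.
    if [ -r "$root/etc/selinux/config" ] && grep -q '^SELINUX=' "$root/etc/selinux/config"; then
        echo disabled
    else
        echo not-present
    fi
}

# Parse captured `docker info` output for the "Security Options" entry.
# Both layouts are handled: items on the same line, or one indented item per
# following line. Prints "selinux" if the daemon lists it, otherwise "none".
daemon_selinux_option() {
    awk '
        /^ *Security Options:/ { inopts = 1; if ($0 ~ /selinux/) found = 1; next }
        inopts && /^ +[a-z]/   { if ($0 ~ /selinux/) found = 1; next }
        inopts                 { inopts = 0 }
        END { print (found ? "selinux" : "none") }
    ' "$1"
}

# Constructed `docker info` excerpt standing in for a boot2docker daemon
# started without --selinux-enabled; replace with `docker info > file`.
sample="$(mktemp)"
printf ' Security Options: seccomp\n Operating System: (constructed sample)\n' > "$sample"
echo "host: $(selinux_host_state)   daemon: $(daemon_selinux_option "$sample")"
rm -f "$sample"
```

Run it on the Docker host, not inside a container; the daemon check needs the real `docker info` output written to a file.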