Currently SELinux and User Namespace cannot be enabled with Docker/runc at the same time.

Runc mounts tmpfs directories with --context="system_u:object_r:container_file_t:s0:c1,c2" type labels, but the following patch blocks the use of context mounts when using user namespaces.

http://kernel.suse.com/cgit/kernel/commit/?id=aad82892af261b9903cc11c55be3ecf5f0b0b4f8

User Namespace has to be established before tmpfs are mounted, so we are unable to mount a tmpfs with a context= flag and User Namespace enabled.

Controlling the ability to change the label of a mounted file system should be a MAC decision, not a DAC or User Namespace one. Setting the SELinux labels on an object like a file system mount point should be controlled by SELinux. SELinux should check if the label of the process doing the mount is able to relabel from the label of the mount point, and relabel to the specified label.

SELinux does this for privileged processes (running with SYS_ADMIN), so user namespaces should not be any different. Also, the process doing the mount would be allowed by DAC to set the label of the tmpfs after it is mounted (as long as SELinux allowed).

There is no security difference between:

    mount -t tmpfs -o context="foobar" none /dev

and

    mount -t tmpfs none /dev
    chcon -R foobar /dev


The second would not be blocked by user namespaces.
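The MAC check the post calls for, written out as an illustrative SELinux policy fragment (added here; it is not part of the original post or of any shipped policy). The domain name container_runtime_t and the tmpfs default type tmpfs_t are assumptions; container_file_t is the type from the context= option above. The first pair of rules is what the kernel consults for a context= mount (filesystem class), the second group is what it consults for the chcon path (file classes plus the associate permission on the filesystem).

```selinux
# Illustrative policy fragment (added example, not from the post or from a shipped policy).
# Assumed types: container_runtime_t (the mounting process), tmpfs_t (the default
# label of a freshly mounted tmpfs), container_file_t (the type in the post's context= option).

# Path 1: mount -t tmpfs -o context="..." none /dev
# The mounting process is checked against the filesystem's default label
# (relabelfrom) and against the requested context (relabelto).
allow container_runtime_t tmpfs_t:filesystem relabelfrom;
allow container_runtime_t container_file_t:filesystem relabelto;

# Path 2: mount -t tmpfs none /dev ; chcon -R ... /dev
# Each file is relabeled individually: relabelfrom on its old label, relabelto on
# the new one, and the new label must be allowed on that filesystem (associate).
allow container_runtime_t tmpfs_t:{ dir file lnk_file chr_file blk_file } relabelfrom;
allow container_runtime_t container_file_t:{ dir file lnk_file chr_file blk_file } relabelto;
allow container_file_t tmpfs_t:filesystem associate;

# On both paths the decision is derived from the process label, not from whether
# the caller is in the init user namespace; a domain lacking these rules is denied
# either way, which is the equivalence the post argues for.
```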

Bottom line: this patch should be reverted so container runtimes like Docker can use both User Namespace and SELinux at the same time.

_______________________________________________
Selinux mailing list