Docker Run With SELinux on ubuntu Constrain violation

On Ubuntu 14.04, I run Docker with SELinux,As I Known,Docker will Read $Selinux-Root-Dir/default/contexts/lxc_contexts。but I can’t find this file,so I create this file and puts some contents.following:

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

then I Run Docker with Selinux’s Permissive Mode,
docker -dD --selinux-enabled=false
and docker run -it --rm ubuntu /bin/bash

  • Published k8s service is not available
  • Spin off another container on host machine from an existing container
  • Environment variables with double asterisks in Dockerfile
  • How to load and run a container at run time from a running pod
  • Error the docker engine version is less than the minimum
  • running iptables with rhel7.2 image with in docker
  • At last I want to use audit2allow to generate a *.te and *.pp file,
    I execute cat /var/log/audit/audit.log | audit2allow -M container,but it said

    compilation failed:
    container.te:41:ERROR 'syntax error' at token 'mlsconstrain' on line 41:
    #Constraint rule:
    mlsconstrain chr_file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) ); Constraint DENIED
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    /usr/bin/checkmodule: loading policy configuration from container.te

    I cat the container.te,its contents is:

    #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
    #Constraint rule:
    mlsconstrain chr_file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) ); Constraint DENIED
    mlsconstrain chr_file { relabelfrom } ((h1 dom h2 -Fail-) ); Constraint DENIED
    ....
    # Possible cause is the source level (s0) and target level (s0:c96,c879) are different.

    I guess the docker run with s0,but it want to relabel the docker’s rootfs file system to (s0:c96,c879) and this error happen.

    So My Question:

    Is the Type for the container error?how to close this constrains or how to solve this problem ?

  • Task on marathon never ends
  • Set values on image build for a Docker container
  • Redis Exited While Run With Persistent Data In Boot2Docker
  • How to restrict access to path in Docker container?
  • Mounting (possibly corrupt) docker partitions with devicemapper
  • how to share folder between host os and docker container
  • One Solution collect form web for “Docker Run With SELinux on ubuntu Constrain violation”

    I don’t know line 41 of your container.te file. In general ‘syntax error’ indicates a missing selinux-type or an unknown selinux-interface, which means that the problem is at a different place.

    But there are some things that I noticed:

    • The Docker Daemon have to run with--selinux-enabled=true to support SELinux
    • To create a new selinux policy module you need all these files: .te, .fc and .if. See the Debian how-to for an example of a minimal SELinux policy.
    • By using cat /var/log/audit/audit.log | audit2allow -M container you work on all logged linies. Better you copy only needed lines into a new file.
    • s0 is the level not a label. While ‘relabeling’ means to change the type. See labeling files.
    • At runtime SELinux (not docker itself) will relabel the docker daemon type (docker_t) and running containers (svirt_lxc_net_t).
    • Docker change the category of file by default (i.e. s0:c96,c879) to separate running containers from each other.

    By default Ubuntu is preinstalled with AppArmor, you have remove/disable it first if you want to work with SELinux. Ubuntu and Debian do not ship a Docker policy for SELinux.

    Possible solutions:

    • Use AppArmor with Ubuntu (but i don’t known if there is a ready-to-use Docker profile).
    • Build your own Docker policy for SELinux on Ubuntu. See Fedora-Cloud Docker SELinux policy, but there are a lot of dependencies, i.e. svirt_lxc_net_t is from virt.te
    • Use Fedora, which will work with SELinux and Docker out-of-the-box, including the mentioned file lxc_contexts.
    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.