Docker run with SELinux on Ubuntu: constraint violation

On Ubuntu 14.04, I run Docker with SELinux. As I know, Docker will read $Selinux-Root-Dir/default/contexts/lxc_contexts, but I can't find this file, so I created it and put in the following contents:

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

Then I run Docker in SELinux's permissive mode:
docker -dD --selinux-enabled=false
and docker run -it --rm ubuntu /bin/bash

At last I want to use audit2allow to generate a *.te and *.pp file. I executed cat /var/log/audit/audit.log | audit2allow -M container, but it said:

compilation failed:
container.te:41:ERROR 'syntax error' at token 'mlsconstrain' on line 41:
#Constraint rule:
mlsconstrain chr_file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from container.te

I cat the container.te; its contents are:

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain chr_file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) ); Constraint DENIED
mlsconstrain chr_file { relabelfrom } ((h1 dom h2 -Fail-) ); Constraint DENIED
....
# Possible cause is the source level (s0) and target level (s0:c96,c879) are different.

I guess Docker runs with s0, but it wants to relabel Docker's rootfs file system to (s0:c96,c879) and this error happens.

So my question:

Is the type for the container wrong? How to close these constraints, or how to solve this problem?

Answer:

I don't know line 41 of your container.te file. In general 'syntax error' indicates a missing SELinux type or an unknown SELinux interface, which means that the problem is at a different place.

But there are some things that I noticed:

• The Docker daemon has to run with --selinux-enabled=true to support SELinux.
• To create a new SELinux policy module you need all these files: .te, .fc and .if. See the Debian how-to for an example of a minimal SELinux policy.
• By using cat /var/log/audit/audit.log | audit2allow -M container you work on all logged lines. Better to copy only the needed lines into a new file.
• s0 is the level, not a label, while 'relabeling' means to change the type. See labeling files.
• At runtime SELinux (not Docker itself) will relabel the Docker daemon type (docker_t) and running containers (svirt_lxc_net_t).
• Docker changes the category of files by default (i.e. s0:c96,c879) to separate running containers from each other.

By default Ubuntu comes preinstalled with AppArmor; you have to remove/disable it first if you want to work with SELinux. Ubuntu and Debian do not ship a Docker policy for SELinux.

Possible solutions:

• Use AppArmor with Ubuntu (but I don't know if there is a ready-to-use Docker profile).
• Build your own Docker policy for SELinux on Ubuntu. See the Fedora-Cloud Docker SELinux policy, but there are a lot of dependencies, i.e. svirt_lxc_net_t is from virt.te.
• Use Fedora, which will work with SELinux and Docker out of the box, including the mentioned file lxc_contexts.
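The answer's advice to feed audit2allow only the relevant lines, and the s0 vs s0:c96,c879 mismatch in the question, as an added example that is not code from the original post or from Docker/SELinux: a small parser over constructed audit.log lines that keeps one program's AVC records and tells an MLS level mismatch (which audit2allow can only report as the 'mlsconstrain ... Constraint DENIED' comment) apart from an ordinary type-enforcement denial that an allow rule would address. The log lines and contexts are constructed samples, not taken from a real host.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample lines in the style of /var/log/audit/audit.log (not from the original
# post); the first two mirror the s0 vs s0:c96,c879 mismatch the question describes.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1450000000.101:201): avc:  denied  { relabelto } for  pid=4321 comm="docker" name="console" dev="devpts" ino=3 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c96,c879 tclass=chr_file permissive=1
type=AVC msg=audit(1450000000.102:202): avc:  denied  { create } for  pid=4321 comm="docker" name="null" dev="tmpfs" ino=9 scontext=system_u:system_r:docker_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c96,c879 tclass=chr_file permissive=1
type=AVC msg=audit(1450000000.103:203): avc:  denied  { read } for  pid=777 comm="cron" name="shadow" dev="sda1" ino=12 scontext=system_u:system_r:cron_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1450000000.101:201): arch=c000003e syscall=188 success=yes exit=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
                    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def split_context(ctx: str) -> Tuple[str, str, str, Optional[str]]:
    """Split user:role:type[:level]; the level itself may contain ':' (s0:c96,c879)."""
    parts = ctx.split(':', 3)
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)

@dataclass
class Denial:
    comm: str
    perms: Tuple[str, ...]
    tclass: str
    stype: str
    slevel: Optional[str]
    ttype: str
    tlevel: Optional[str]

    def kind(self) -> str:
        # Levels differ -> MLS constraint violation: no allow rule can fix it, which is why
        # audit2allow only emits the 'Constraint DENIED' comment. Same level -> type denial.
        return 'mls' if self.slevel != self.tlevel else 'type'

def parse_denials(log_text: str, comm: Optional[str] = None) -> list:
    """Parse AVC records, skipping SYSCALL etc.; with comm set, keep only one program's
    denials (the 'copy only the needed lines' step before running audit2allow -M)."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m['comm'] != comm):
            continue
        _, _, stype, slevel = split_context(m['scon'])
        _, _, ttype, tlevel = split_context(m['tcon'])
        found.append(Denial(m['comm'], tuple(m['perms'].split()), m['tclass'],
                            stype, slevel, ttype, tlevel))
    return found
```

Running parse_denials(SAMPLE_AUDIT_LOG, comm='docker') yields two denials classified as 'mls', matching the "source level (s0) and target level (s0:c96,c879) are different" comment in the question's container.te.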