Add --security-opts options to allow user to customize container labels and apparmor profile #8299
Conversation
…guration
security-opts will allow you to customise the security subsystem.
For example the labeling system like SELinux will run on a container.
--security-opt="label:user:USER" : Set the label user for the container
--security-opt="label:role:ROLE" : Set the label role for the container
--security-opt="label:type:TYPE" : Set the label type for the container
--security-opt="label:level:LEVEL" : Set the label level for the container
--security-opt="label:disabled" : Turn off label confinement for the container
Since we are passing a list of string options instead of a space separated
string of options, I will change function calls to use InitLabels instead of
GenLabels. Genlabels interface is Depracated.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Signed-off-by: Victor Vieux <vieux@docker.com>
|
ping @rhatdan tell me how to fix the tests, they aren't working right now. |
| ## Using alternative security labeling | ||
|
|
||
| If you want to use the same label for multiple containers, you can override use | ||
| the security-opt flag to select an MCS level. This is a common practive for MLS |
|
@vieux I just figured this out. Basically since the tests are running docker in docker, SELinux thinks it is disabled, so the plabel returns "" and the tests are never run. I did change the tests to use cat /proc/self/attr/current rather then ps -eZ. But the tests will never run. The only way to get the processes within a docker container to think SELinux is enabled would be to volume mount the /sys/fs/selinux into the container. Not really a good way to do this, So maybe I should drop the tests. Or just document the fact that if selinux was enabled in the test container these tests would run. |
|
@rhatdan I think we should drop the tests, @crosbymichael ? |
Signed-off-by: Victor Vieux <vieux@docker.com>
|
I would say drop the integration tests and write unit tests for the parsing of these settings |
|
ok, @rhatdan I'll take care of it |
Signed-off-by: Victor Vieux <vieux@docker.com>
|
ping @jfrazelle @erikh @aluzzardi please review |
|
LGTM |
1 similar comment
|
LGTM |
|
We need docs review. Ping @jamtur01 @fredlf @SvenDowideit @ostezer |
|
Docs were reviewed in the previous PR |
Add --security-opts options to allow user to customize container labels and apparmor profile
|
I rewrote some of the description of the --security-opt options. Using alternative security labelingYou can override the default labeling scheme for each container by specifying An MLS example might be. If you want to disable the security labeling but do not want to disable all If you decide you would like to work with a tighter policy on your container, Note: You would have to write policy defining a svirt_apache_t type. |
|
@rhatdan can you make a PR ? |
|
I did. |
|
Thank you @rhatdan |
Replace #7425