Add --security-opts options to allow user to customize container labels and apparmor profile #8299
Conversation
…guration security-opts will allow you to customise the security subsystem. For example the labeling system like SELinux will run on a container.

--security-opt="label:user:USER" : Set the label user for the container
--security-opt="label:role:ROLE" : Set the label role for the container
--security-opt="label:type:TYPE" : Set the label type for the container
--security-opt="label:level:LEVEL" : Set the label level for the container
--security-opt="label:disabled" : Turn off label confinement for the container

Since we are passing a list of string options instead of a space separated string of options, I will change function calls to use InitLabels instead of GenLabels. GenLabels interface is deprecated.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Signed-off-by: Victor Vieux <vieux@docker.com>
ping @rhatdan tell me how to fix the tests, they aren't working right now.
## Using alternative security labeling

If you want to use the same label for multiple containers, you can override use
the security-opt flag to select an MCS level. This is a common practive for MLS
s/practive/practice?
fixed
@vieux I just figured this out. Basically since the tests are running docker in docker, SELinux thinks it is disabled, so the plabel returns "" and the tests are never run. I did change the tests to use cat /proc/self/attr/current rather than ps -eZ. But the tests will never run. The only way to get the processes within a docker container to think SELinux is enabled would be to volume mount the /sys/fs/selinux into the container. Not really a good way to do this, so maybe I should drop the tests. Or just document the fact that if selinux was enabled in the test container these tests would run.
@rhatdan I think we should drop the tests, @crosbymichael ?
Signed-off-by: Victor Vieux <vieux@docker.com>
I would say drop the integration tests and write unit tests for the parsing of these settings
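A unit test target of the kind suggested here, parsing the label:user/role/type/level and label:disabled forms listed in the PR description, as an added Go example that is not Docker's own code (LabelOpts, ParseSecurityOpts, Context and the sample default context values are constructed for illustration):

```go
package main
import (
	"fmt"
	"strings"
)
// LabelOpts holds the SELinux label fields --security-opt may override; an empty
// field means "keep the generated default", Disabled turns labeling off entirely.
type LabelOpts struct {
	User, Role, Type, Level string
	Disabled                bool
}
// ParseSecurityOpts parses the "label:" options from the PR description. Anything
// else is rejected so a typo fails the run instead of silently leaving a default label.
func ParseSecurityOpts(opts []string) (LabelOpts, error) {
	var out LabelOpts
	for _, opt := range opts {
		// SplitN(…, 3) keeps colons inside the value, as an MCS/MLS level like "s0:c100,c200" needs.
		parts := strings.SplitN(opt, ":", 3)
		if parts[0] != "label" {
			return LabelOpts{}, fmt.Errorf("unknown security option %q", opt)
		}
		if len(parts) == 2 && parts[1] == "disabled" {
			out.Disabled = true
			continue
		}
		if len(parts) != 3 || parts[2] == "" {
			return LabelOpts{}, fmt.Errorf("malformed label option %q", opt)
		}
		switch parts[1] {
		case "user": out.User = parts[2]
		case "role": out.Role = parts[2]
		case "type": out.Type = parts[2]
		case "level": out.Level = parts[2]
		default:
			return LabelOpts{}, fmt.Errorf("unknown label field %q in %q", parts[1], opt)
		}
	}
	// Disabling confinement and asking for specific fields at once is contradictory.
	if out.Disabled && out != (LabelOpts{Disabled: true}) {
		return LabelOpts{}, fmt.Errorf("label:disabled conflicts with other label options")
	}
	return out, nil
}
// Context fills unset fields from def (a constructed sample default context) and
// renders the user:role:type:level string that /proc/self/attr/current would show.
func (l LabelOpts) Context(def LabelOpts) string {
	pick := func(v, d string) string { if v != "" { return v }; return d }
	return strings.Join([]string{pick(l.User, def.User), pick(l.Role, def.Role),
		pick(l.Type, def.Type), pick(l.Level, def.Level)}, ":")
}
```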
ok, @rhatdan I'll take care of it
Signed-off-by: Victor Vieux <vieux@docker.com>
ping @jfrazelle @erikh @aluzzardi please review
LGTM
LGTM
We need docs review. Ping @jamtur01 @fredlf @SvenDowideit @ostezer
Docs were reviewed in the previous PR
Add --security-opts options to allow user to customize container labels and apparmor profile
I rewrote some of the description of the --security-opt options.

Using alternative security labeling

You can override the default labeling scheme for each container by specifying
An MLS example might be.
If you want to disable the security labeling but do not want to disable all
If you decide you would like to work with a tighter policy on your container,
Note: You would have to write policy defining a svirt_apache_t type.
@rhatdan can you make a PR ?
I did. |
Thank you @rhatdan
Replace #7425