Docker run with SELinux on Ubuntu: constraint violation

On Ubuntu 14.04, I run Docker with SELinux. As I know, Docker will read $Selinux-Root-Dir/default/contexts/lxc_contexts, but I can't find this file, so I created it and put some contents in it, as follows:

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

Then I run Docker in SELinux's permissive mode:
docker -dD --selinux-enabled=false
and docker run -it --rm ubuntu /bin/bash

Finally, I want to use audit2allow to generate *.te and *.pp files.
I execute cat /var/log/audit/audit.log | audit2allow -M container, but it said:

compilation failed:
container.te:41:ERROR 'syntax error' at token 'mlsconstrain' on line 41:
#Constraint rule:
mlsconstrain chr_file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from container.te

I cat the container.te; its contents are:

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain chr_file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) ); Constraint DENIED
mlsconstrain chr_file { relabelfrom } ((h1 dom h2 -Fail-) ); Constraint DENIED
....
# Possible cause is the source level (s0) and target level (s0:c96,c879) are different.

I guess Docker runs with s0, but it wants to relabel Docker's rootfs file system to (s0:c96,c879), and this error happens.

So my question:

Is the type for the container wrong? How do I disable these constraints, or how else do I solve this problem?


Source: ubuntu
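The failure above comes from audit2allow turning level mismatches into mlsconstrain comments that checkmodule cannot compile: a denial where the source level (s0) does not dominate the target level (s0:c96,c879) cannot be fixed by an allow rule at all. The following script, an added example that is not part of the original post and not Docker's or audit2allow's own code, parses AVC lines from audit.log, splits each context into type and MLS/MCS level, and separates the denials that are level mismatches (the "h1 dom h2 -Fail-" case the post shows) from ordinary type-enforcement denials that audit2allow can compile. The sample log lines are constructed for the example, reusing the types, class, permissions and levels from the post; the function names are the example's own, and the dominance check covers only the single-level dominance test the post's constraint fails on, not every mlsconstrain in the policy.

```python
import re

# Constructed sample audit.log excerpt (not from the original post). The contexts,
# class, permissions and levels reuse what the post shows: the daemon runs at plain
# s0 while the container's files carry s0:c96,c879.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1417000000.101:201): avc:  denied  { create } for  pid=2001 comm="docker" name="ptmx" scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c96,c879 tclass=chr_file permissive=1
type=AVC msg=audit(1417000000.102:202): avc:  denied  { relabelto } for  pid=2001 comm="docker" name="console" scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c96,c879 tclass=chr_file permissive=1
type=AVC msg=audit(1417000000.103:203): avc:  denied  { read } for  pid=2002 comm="bash" name="resolv.conf" scontext=system_u:system_r:svirt_lxc_net_t:s0:c96,c879 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c96,c879 tclass=file permissive=1
type=SYSCALL msg=audit(1417000000.103:203): arch=c000003e syscall=2 success=yes exit=3
"""

# Matches the parts of an AVC denial that matter for triage: permissions, both contexts, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split 'user:role:type:level' into four fields; the level itself may contain ':'."""
    user, role, stype, level = ctx.split(":", 3)
    return user, role, stype, level


def parse_level(level):
    """Parse 's0' or 's0:c96,c879' into (sensitivity_number, category_set).
    For a range 'low-high' the high level is used, matching h1/h2 in the constraint."""
    high = level.split("-")[-1]
    sens, _, cats = high.partition(":")
    categories = set(cats.split(",")) if cats else set()
    return int(sens.lstrip("s")), categories


def dominates(a, b):
    """MLS 'dom': a dominates b when a's sensitivity is >= b's and a's categories contain all of b's."""
    return a[0] >= b[0] and a[1] >= b[1]  # set >= is the superset test


def parse_avc_denials(audit_text):
    """Extract AVC denials from audit.log text and flag level mismatches."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        _, _, stype, slevel = split_context(m["scontext"])
        _, _, ttype, tlevel = split_context(m["tcontext"])
        denials.append({
            "line": line,
            "perms": m["perms"].split(),
            "tclass": m["tclass"],
            "stype": stype, "slevel": slevel,
            "ttype": ttype, "tlevel": tlevel,
            # No allow rule can fix a denial where the source's high level does not
            # dominate the target's; that is the 'h1 dom h2 -Fail-' audit2allow reports.
            "mls_constraint": not dominates(parse_level(slevel), parse_level(tlevel)),
        })
    return denials


def triage(denials):
    """Split denials into those audit2allow can turn into allow rules and those it cannot
    (level mismatches that only a relabel or a different process level resolves)."""
    fixable = [d for d in denials if not d["mls_constraint"]]
    constraint = [d for d in denials if d["mls_constraint"]]
    return fixable, constraint


def lines_for_audit2allow(audit_text):
    """Return only the AVC lines that are not level mismatches, so that piping them into
    'audit2allow -M container' compiles instead of failing on an mlsconstrain comment."""
    return "\n".join(d["line"] for d in parse_avc_denials(audit_text) if not d["mls_constraint"])


def summarize(denials):
    """Human-readable triage summary, one line per denial."""
    out = []
    for d in denials:
        kind = ("LEVEL MISMATCH (constraint; no allow rule can fix it)"
                if d["mls_constraint"] else "type enforcement (allow rule possible)")
        perms = " ".join(d["perms"])
        out.append(f"{d['stype']}:{d['slevel']} -> {d['ttype']}:{d['tlevel']} "
                   f"{d['tclass']} {{ {perms} }}: {kind}")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(summarize(found))
    print("\nLines safe to feed to audit2allow:")
    print(lines_for_audit2allow(SAMPLE_AUDIT_LOG))
```

On the constructed input the two chr_file denials (create, relabelto) are reported as level mismatches, because s0 does not dominate s0:c96,c879, while the read denial, where both sides carry the same categories, is an ordinary type-enforcement denial. Running only the output of lines_for_audit2allow through audit2allow avoids the mlsconstrain syntax error; the mismatched denials point at the labelling problem itself (which level the process runs at versus which level its files were given) rather than at a missing allow rule.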
