Document SELinux relabelling options and add warning#832
Conversation
Make it clear what the `z` and `Z` options do, and that they affect files on the host system. See the discussion in moby/moby#30934 for the reasons a warning is needed. Signed-off-by: Justin Cormack <justin.cormack@docker.com>
justincormack
requested review from
mdlinville,
thaJeztah and
vdemeester
as code owners
Codecov Report
@@ Coverage Diff @@
## master #832 +/- ##
=======================================
Coverage 52.96% 52.96%
=======================================
Files 244 244
Lines 15828 15828
=======================================
Hits 8383 8383
Misses 6891 6891
Partials 554 554 |
| only be used on directories that are intended for use by containers, and not the | ||
| host system itself. In most cases, such as shared access, it is better to label | ||
| in advance. If your container does require broader access to system directories, | ||
| then use of '--security-opt label:disable' with the 'docker run' command is a better |
There was a problem hiding this comment.
Is this such a good thing to encourage?
There was a problem hiding this comment.
I swear we already have something about this in the docs, let me find it. Yes, here: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label Perhaps you can just link to that instead of putting these docs here.
There was a problem hiding this comment.
oh, forgot about that; good point. @justincormack perhaps you can look at that section in the docs and see if anything is missing there? Then we can link to there
| only be used on directories that are intended for use by containers, and not the | ||
| host system itself. In most cases, such as shared access, it is better to label | ||
| in advance. If your container does require broader access to system directories, | ||
| then use of '--security-opt label:disable' with the 'docker run' command is a better |
There was a problem hiding this comment.
I swear we already have something about this in the docs, let me find it. Yes, here: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label Perhaps you can just link to that instead of putting these docs here.
|
What's current status? |
|
What's current status? cc @thaJeztah |
| The `z` option will make the files available to any container, using the `s0` label, | ||
| while the `Z` option will label the files with the same label as the container, so | ||
| that they are exclusive to that container. | ||
|
|
There was a problem hiding this comment.
These do more then just modify the MCS Portion of the SELinux label. They modify the entire label to either
system_u:object_r:container_file_t:s0 or system_u:object_r:svirt_lxc_net_t:s0 (On RHEL/Centos, Hopefully fixed in RHEL7.5)
| level system directory would result in the relabeling of those directories for use | ||
| by containers. There are some blacklisted paths, but this could cause issues such | ||
| as being unable to SSH back into a system. When using the relabel options, it should | ||
| only be used on directories that are intended for use by containers, and not the |
There was a problem hiding this comment.
sed s/intended/dedicated/g
| only be used on directories that are intended for use by containers, and not the | ||
| host system itself. In most cases, such as shared access, it is better to label | ||
| in advance. If your container does require broader access to system directories, | ||
| then use of '--security-opt label:disable' with the 'docker run' command is a better |
There was a problem hiding this comment.
If you need to give a container broad access to content in a homedirectory ar all of /var then it is better to disable SELinux protections in the container then to attempt to change the labels. Use the '--security-opt label:disable` ...
10 participants
Make it clear what the
zandZoptions do, and that theyaffect files on the host system.
See the discussion in moby/moby#30934
for the reasons a warning is needed.
Signed-off-by: Justin Cormack justin.cormack@docker.com