
How does SELinux control processes inside a Docker container?

asked 2015-12-12 04:59:13 +0000

hackingNerd

updated 2015-12-12 05:12:16 +0000

I am running 50 containers on Docker Engine on a CentOS 7 host. I am wondering whether I could control the processes running inside the containers with my SELinux policies. I understand this is possible, and I would be grateful if anyone here could help me with the implementation or shed some light on the direction to take.


Comments

Can you provide an example of what you are trying to do? SELinux and Docker are generally used to separate containers from each other with the built-in policies, not to apply "standard" policies to processes. Container security generally relies on that plus namespaces currently.

nzwulfin ( 2015-12-14 17:43:21 +0000 )

@nzwulfin SELinux secures and isolates containers, which means SELinux monitors all processes in containers, am I right? If yes, then I want to get audit logs of containers. SELinux generates audit logs of the docker daemon by default, but I am looking for audit logs of processes running inside a container. Possible?

hackingNerd ( 2015-12-14 18:52:22 +0000 )

1 answer


answered 2015-12-16 15:49:34 +0000

SELinux support for Docker containers is different from that for typical processes. For example, if you were using the Apache policy for SELinux to secure a web server, you would see:

system_u:system_r:httpd_t:s0

and all of the files on the system would have some sort of httpd-related label to allow for interactions. Any child process spawned by httpd would keep that same label and share the same SELinux context.

Since Docker is a daemon with its own label and spawns containers as child processes, this would mean that any container would get the following label:

system_u:system_r:docker_t:s0

This means that processes in containers would be in the same context and would be able to read each other's files, ports, etc. So the --selinux-enabled option adds a new label to child processes and a second set of labels to each container and related objects. These come from the Multi Category Security support and are modelled after the sVirt project. These labels look something like:

system_u:system_r:svirt_lxc_net_t:s0:c581,c913

where c581 and c913 are the extra labels that would differentiate containers with the same svirt_lxc_net_t label into separate contexts.

So we aren't securing the process in the container as much as we are securing the process as a container.

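The labels in the answer above can be exercised without a Docker host. What follows is an added example, not code from the original answer nor from the Docker or SELinux projects: it parses contexts of the form shown above (including the daemon's ranged form s0-s0:c0.c1023), expands category ranges, and applies the MCS rule that keeps two containers apart, namely that the subject's category set must be a superset of the object's. The TE_ALLOW table is a constructed, deliberately tiny stand-in for the real type-enforcement rules, the sample contexts are constructed, and new_container_level mirrors the two-random-category scheme Docker uses for container labels but is not Docker's code.

```python
"""Added example: SELinux context parsing and the MCS dominance check used to
separate containers. Not code from the original post, Docker or SELinux."""
import random
import re
from dataclasses import dataclass
from typing import FrozenSet

# Constructed stand-in for type-enforcement allow rules as (subject type, object type).
# The real policy has thousands of rules; these two are only what this example needs.
TE_ALLOW = {
    ("svirt_lxc_net_t", "svirt_sandbox_file_t"),  # container process -> container files
    ("docker_t", "svirt_sandbox_file_t"),          # daemon manages all container files
}

_CAT = re.compile(r"^c(\d+)$")


@dataclass(frozen=True)
class Context:
    """One SELinux context, e.g. system_u:system_r:svirt_lxc_net_t:s0:c581,c913."""
    user: str
    role: str
    type: str
    sensitivity: str            # 's0' on a targeted-policy host
    categories: FrozenSet[int]  # {581, 913}; empty for a plain ':s0'


def _cat_num(tok: str) -> int:
    m = _CAT.match(tok)
    if not m:
        raise ValueError(f"bad category token {tok!r}")
    return int(m.group(1))


def parse_categories(spec: str) -> FrozenSet[int]:
    """Expand 'c581,c913' and the range syntax 'c0.c1023' into a set of category numbers."""
    if spec == "":
        return frozenset()
    cats = set()
    for part in spec.split(","):
        if "." in part:                      # 'c0.c1023' is an inclusive range
            lo, hi = part.split(".", 1)
            cats.update(range(_cat_num(lo), _cat_num(hi) + 1))
        else:
            cats.add(_cat_num(part))
    return frozenset(cats)


def parse_context(ctx: str) -> Context:
    """Parse 'user:role:type:level'. A ranged level 'low-high' (the daemon's
    s0-s0:c0.c1023) is reduced to its high end, a simplification of MLS clearance."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected user:role:type:level, got {ctx!r}")
    user, role, typ, mls = parts
    level = mls.split("-", 1)[-1]
    sens, _, cats = level.partition(":")
    return Context(user, role, typ, sens, parse_categories(cats))


def mcs_dominates(subject: Context, obj: Context) -> bool:
    """MCS constraint: same sensitivity and the subject's categories contain the object's.
    Two containers with different category pairs fail this in both directions."""
    return subject.sensitivity == obj.sensitivity and subject.categories >= obj.categories


def allowed(subject: Context, obj: Context) -> bool:
    """Access needs both checks: a type-enforcement rule and the MCS constraint."""
    return (subject.type, obj.type) in TE_ALLOW and mcs_dominates(subject, obj)


def new_container_level(rng: random.Random) -> str:
    """Pick two distinct random categories from c0..c1023, lowest first, giving a
    per-container level like 's0:c581,c913' (the scheme Docker's SELinux support uses)."""
    while True:
        c1, c2 = rng.randrange(1024), rng.randrange(1024)
        if c1 == c2:
            continue
        lo, hi = sorted((c1, c2))
        return f"s0:c{lo},c{hi}"


if __name__ == "__main__":
    # Constructed sample contexts in the shape shown in the answer above.
    a_proc = parse_context("system_u:system_r:svirt_lxc_net_t:s0:c581,c913")
    a_file = parse_context("system_u:object_r:svirt_sandbox_file_t:s0:c581,c913")
    b_file = parse_context("system_u:object_r:svirt_sandbox_file_t:s0:c12,c34")
    daemon = parse_context("system_u:system_r:docker_t:s0-s0:c0.c1023")
    print("container A -> its own files:", allowed(a_proc, a_file))
    print("container A -> container B files:", allowed(a_proc, b_file))
    print("docker daemon -> container B files:", allowed(daemon, b_file))
    print("fresh container level:", new_container_level(random.Random()))
```

The point the answer makes shows up directly: a_proc and b_file share the type pair that type enforcement permits, so only the category mismatch denies the access, while the daemon's c0.c1023 range dominates every container's pair.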


Stats

Asked: 2015-12-12 04:59:13 +0000

Seen: 329 times

Last updated: Dec 16 '15