This article explains how to audit SELinux denials in a Docker container and should be a useful reference for anyone solving this problem.

Problem description

I have a Docker container; when SELinux is disabled, it works well, but when SELinux is enabled (i.e. the docker daemon is started with --selinux-enabled), it cannot start up.

So the failure should be caused by an SELinux denial, but this is not shown in the SELinux audit log. When I use "ausearch -m XXX | audit2allow ..." to generate the policy, it does not include any denial info.

I want to know how to get the SELinux denial info that occurred inside the container, so that I can use it when generating my policy file.

PS: I checked the label info of the accessed file; it seems right, but access (ls) is denied:

# ls -dlZ /usr/bin
dr-xr-xr-x. root root system_u:object_r:container_file_t:s0:c380,c857 /usr/bin
# ls /usr/bin
ls: cannot open directory /usr/bin: Permission denied

More: the selected answer answered the question, but now the problem is that the audit log shows the access is a read of "unlabeled_t", while "ls -dZ /usr/bin" shows it is "container_file_t". I put this in a separate question: Why does SELinux deny access to container-internal files and claim they are "unlabeled_t"?

Accepted answer

The policy likely contains dontaudit rules. Dontaudit rules do not allow access, but suppress logging for the specific access.

You can disable the dontaudit rules with semanage:

semanage dontaudit off

After solving the issue, you probably want to turn the dontaudit rules back on to reduce log noise.

It is also possible to search for possible dontaudit rules with sesearch:

sesearch --dontaudit -t container_file_t
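The procedure in this answer, scripted as an added example (not code from the original answer): dontaudit is switched off only while the container failure is reproduced and restored on exit, and the AVC records ausearch returns are reduced to the sesearch checks that show whether a dontaudit rule was hiding each denial. It assumes semanage, ausearch, docker and sesearch are present on the host; the sample AVC lines are constructed, not real log data.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the answer's procedure:
# dontaudit off only while reproducing, restored afterwards, then the AVC
# records are boiled down to sesearch checks. Assumes semanage, ausearch,
# docker and sesearch exist on the host.

# Disable dontaudit, reproduce by starting the container, collect AVC records,
# and re-enable dontaudit on exit even if an earlier step fails.
collect_denials() {
    semanage dontaudit off || return 1
    trap 'semanage dontaudit on' EXIT
    docker start "$1" >/dev/null 2>&1   # reproduce the failure
    sleep 2
    ausearch -m AVC -ts recent 2>/dev/null
}
# Read ausearch output on stdin; print one row per distinct
# (source type, target type, class, permissions) plus the sesearch command
# that reveals whether a dontaudit rule was suppressing that denial.
summarize_avc() {
    awk '
    /avc: *denied/ {
        perm = ""; s = ""; t = ""; c = ""
        if (match($0, /[{][a-z_ ]+[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   { c = kv[2] }
        }
        key = s " " t " " c " " perm
        if (key in seen) next
        seen[key] = 1
        note = (t == "unlabeled_t") ? "   # target reported as unlabeled_t: label mismatch, see follow-up" : ""
        printf "%s\n  sesearch --dontaudit -s %s -t %s -c %s -p %s%s\n", key, s, t, c, perm, note
    }'
}
# Constructed sample of what ausearch -m AVC prints (not real log data).
SAMPLE_AVC='type=AVC msg=audit(1562100000.123:456): avc:  denied  { read } for  pid=1234 comm="ls" name="bin" dev="overlay" ino=2345 scontext=system_u:system_r:container_t:s0:c380,c857 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1562100000.124:457): avc:  denied  { read } for  pid=1234 comm="ls" name="bin" dev="overlay" ino=2345 scontext=system_u:system_r:container_t:s0:c380,c857 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1562100000.125:458): avc:  denied  { read open } for  pid=1235 comm="cat" path="/etc/passwd" dev="overlay" ino=99 scontext=system_u:system_r:container_t:s0:c380,c857 tcontext=system_u:object_r:container_file_t:s0:c380,c857 tclass=file permissive=0'
# Usage: ./audit-container.sh <container>   (no argument: run on the sample)
if [ $# -gt 0 ]; then
    collect_denials "$1" | summarize_avc
else
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
fi
```

The summarised rows feed straight into audit2allow or a manual sesearch check, and the trap means the dontaudit rules come back on even if the reproduction step aborts.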

That concludes this article on how to audit SELinux denials in a Docker container. We hope the answer is helpful, and thank you for your support!

07-18 05:51