
Using the Docker socket (docker.sock) with SELinux on FCOS

Stack Overflow user
Asked on 2020-03-14 14:15:09
2 answers, 2.4K views, 0 followers, 6 votes

Introduction

Hi everyone,

For a week now I have been trying to set up FCOS (Fedora CoreOS) and run a Docker swarm on it with SELinux enabled (this is my first experience with SELinux).

The containers run fine, but when I try to use /var/run/docker.socket I always get permission denied:

```
portainer_agent.0.k9c6uqifwohk@localhost    | 2020/03/14 13:24:11 [ERROR] [main,docker] [message: Unable to retrieve information from Docker] [error: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: dial unix /var/run/docker.sock: connect: permission denied]
```

I have already tried disabling SELinux (setenforce 0) to confirm that the problem comes from SELinux.

Information

docker.socket

```
srw-rw----. 1 root docker system_u:object_r:container_var_run_t:s0 0 Mar 14 13:14 /var/run/docker.sock
```

This is the stack file I used for the test:

```yaml
version: '3.2'

services:
  agent:
    image: portainer/agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:z
      - /var/lib/docker/volumes:/var/lib/docker/volumes:z
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

networks:
  agent_network:
    driver: overlay
    attachable: true
```

Thanks for your help!


2 answers

Stack Overflow user

Accepted answer

Posted on 2020-10-14 13:36:22

I finally got it working, using the dockersock.te from this GitHub repository.

Here is the function I use in my installation script:

```bash
function fix_socket_permission()
{
    echo "Downloading docker socket policy"
    # rpm-ostree layers the package into a new deployment; it is only usable
    # after a reboot, so the steps below have to run on the next boot.
    # (On Fedora, checkmodule itself is provided by the checkpolicy package.)
    sudo rpm-ostree install policycoreutils-python-utils
    echo "Need reboot"
    # need to reboot

    # -f makes curl fail on an HTTP error instead of saving an error page as the policy
    curl -fsSL https://raw.githubusercontent.com/dpw/selinux-dockersock/master/dockersock.te -o /tmp/dockersock.te

    echo "Applying policy to system"
    # compile the type-enforcement source into a module, package it, then load it
    checkmodule -M -m -o /tmp/dockersock.mod /tmp/dockersock.te
    semodule_package -o /tmp/dockersock.pp -m /tmp/dockersock.mod
    sudo semodule -i /tmp/dockersock.pp
    rm -f /tmp/dockersock.te /tmp/dockersock.mod /tmp/dockersock.pp
}
```
Votes: 5
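As an added example (not code from the post above or from the selinux-dockersock repository), the following Python turns AVC denial records from the audit log into the kind of minimal .te module the accepted answer compiles with checkmodule, so the allow rules can be read and reviewed before they are loaded with semodule. It reproduces what `ausearch -m AVC | audit2allow -M dockersock` automates. The audit records in it are constructed to match the symptom in the question (a container_t process writing to a container_var_run_t socket and connecting to dockerd), the helper names are assumptions, and the generated rules are only as good as the denials fed in.

```python
"""Turn SELinux AVC denials into a minimal type-enforcement (.te) module.

Added example: this is neither the Stack Overflow poster's code nor the
selinux-dockersock project's. The audit lines below are constructed, not
captured from a real system.
"""
import re
from collections import defaultdict

# Two constructed AVC records of the kind a container hitting /var/run/docker.sock
# under enforcing mode produces, plus an unrelated SYSCALL record that must be ignored.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1584192251.123:456): avc:  denied  { write } for  pid=2345 '
    'comm="agent" name="docker.sock" dev="tmpfs" ino=1234 '
    'scontext=system_u:system_r:container_t:s0:c12,c34 '
    'tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1584192251.124:457): avc:  denied  { connectto } for  pid=2345 '
    'comm="agent" path="/run/docker.sock" '
    'scontext=system_u:system_r:container_t:s0:c12,c34 '
    'tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0',
    'type=SYSCALL msg=audit(1584192251.124:457): arch=c000003e syscall=42 success=no exit=-13',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, class, perms) for a denial, else None.

    Only the type field (third component) of each context matters for a TE rule;
    the MCS categories (c12,c34) that separate containers from each other are dropped.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    perms = tuple(sorted(m.group("perms").split()))
    return stype, ttype, m.group("tclass"), perms


def collect_rules(lines):
    """Merge all denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def build_te(rules, module="dockersock", version="1.0"):
    """Render the rules as loadable module source (input for `checkmodule -M -m`)."""
    types = sorted({t for (stype, ttype, _) in rules for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def broad_grants(rules):
    """Flag rules whose source is the shared container domain.

    A TE allow rule carries no MCS categories, so `allow container_t ...` applies to
    every container on the node, not only the one that triggered the denial.
    """
    return [
        f"{stype} -> {ttype}:{tclass} {sorted(perms)} applies to all containers"
        for (stype, ttype, tclass), perms in sorted(rules.items())
        if stype == "container_t"
    ]


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LINES)
    print(build_te(rules))
    for warning in broad_grants(rules):
        print("#", warning)
```

Feed real records in with `ausearch -m AVC -ts recent` and push the output through the same checkmodule / semodule_package / semodule steps as the function above. Both generated rules have container_t as their source, which is the domain every container on the node runs in, so the module lets any container on the node talk to dockerd; whatever can drive the Docker API can start a privileged container, so treat this as handing host-root-equivalent access to every container, not just the agent.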

Stack Overflow user

Posted on 2020-03-29 16:02:27

Unlike CL (Container Linux), FCOS (Fedora CoreOS) ships with the SELinux "targeted" policy set to "enforcing". If you expect the same behaviour as on CL, you should set "SELINUX=permissive" in /etc/selinux/config.

Here is the CL /etc/selinux/config:

```
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these four values:
#   targeted - Only targeted network daemons are protected.
#   strict   - Full SELinux protection.
#   mls      - Full SELinux protection with Multi-Level Security
#   mcs      - Full SELinux protection with Multi-Category Security
#              (mls, but only one sensitivity level)
SELINUXTYPE=mcs
```

Here is the FCOS /etc/selinux/config:

```
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
Votes: 2

Original content provided by Stack Overflow.
Original link:

https://stackoverflow.com/questions/60683674
