Unable to use the docker cache because of SELinux
I am trying to build a cache volume for my docker image (my host is RedHat 7.7, the image is based on ubuntu:bionic):
docker run -v /tmp/cache:/cache:z --entrypoint true --name cache image-dev
docker run --rm --volumes-from cache image-dev
Unfortunately, I cannot use the cached files.
ERROR: Could not install packages due to an EnvironmentError: [Errno 13] Permission denied: '/cache/pip/wheels/c6/8c/80/527c233e7cb169f828b7168ebeab0fc5206d09b0fa133472fb/mysqlclient-1.4.6-cp36-cp36m-linux_x86_64.whl'
Consider using the `--user` option or check the permissions.
I noticed that everything works when I disable SELinux.
I tried to investigate it with:
ausearch -m avc -ts recent | audit2allow
#============= container_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain file { ioctl read lock execute execute_no_trans } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { create relabelto } ((h1 dom h2 -Fail-) and (l2 eq h2) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { relabelfrom } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0:c46,c613) and target level (s0:c241,c588) are different.
allow container_t container_file_t:file { ioctl read };
I created a custom SELinux policy container_cache.te and loaded it into the system:
policy_module(container_cache, 1.0)
require {
    type container_t;
    type container_file_t;
}
allow container_t container_file_t:file { ioctl read lock execute execute_no_trans write setattr append unlink link rename create relabelto relabelfrom };
Unfortunately, it did not help.
Does anyone know how to fix this without disabling SELinux?
The answer to this problem is the different MCS/MLS label per container. This label can be set with a flag, i.e.:
--security-opt label=level:s0:c100,c200
More information: https://docs.docker.com/engine/reference/run/#security-configuration
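Added example (not code from the question or the answer): a small Python checker that parses `ausearch -m avc` records and separates MCS category mismatches, which no allow rule such as container_cache.te can satisfy, from ordinary type-enforcement denials that a label fix like `:z` addresses. The AVC records are constructed samples built from the levels quoted in the question; the second record's user_home_t target is an assumption.

```python
import re

# Constructed sample records in the format `ausearch -m avc` prints. The
# levels mirror those in the question (source s0:c46,c613, target
# s0:c241,c588); pids, inodes and the second record are made up.
SAMPLE_AVC = """\
type=AVC msg=audit(1581000000.123:456): avc:  denied  { read } for  pid=1234 comm="pip" name="mysqlclient-1.4.6-cp36-cp36m-linux_x86_64.whl" dev="dm-0" ino=5678 scontext=system_u:system_r:container_t:s0:c46,c613 tcontext=system_u:object_r:container_file_t:s0:c241,c588 tclass=file permissive=0
type=AVC msg=audit(1581000000.124:457): avc:  denied  { write } for  pid=1234 comm="pip" name="cache" dev="dm-0" ino=5679 scontext=system_u:system_r:container_t:s0:c100,c200 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?scontext=(?P<scontext>\S+)"
                    r" tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")


def categories(context):
    """MCS category set of 'user:role:type:s0:c46,c613'; plain 's0' gives the empty set."""
    parts = context.split(":", 3)
    level = parts[3] if len(parts) > 3 else ""       # 's0:c46,c613' or 's0'
    if ":" not in level:
        return frozenset()
    cats = set()
    for item in level.split(":", 1)[1].split(","):
        if "." in item:                               # range form, e.g. c0.c1023
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return frozenset(cats)


def mcs_dominates(scontext, tcontext):
    """The constraint's 'h1 dom h2': every target category is held by the source."""
    return categories(tcontext) <= categories(scontext)


def classify(record):
    """Parse one AVC line; a category mismatch is a constraint denial that no
    allow rule (such as the container_cache.te module) can satisfy."""
    m = AVC_RE.search(record)
    if not m:
        return None
    mismatch = not mcs_dominates(m.group("scontext"), m.group("tcontext"))
    return {
        "perms": m.group("perms").split(),
        "tclass": m.group("tclass"),
        "mcs_mismatch": mismatch,
        # the answer's fix: give every container sharing the volume one fixed level
        "hint": ("run all containers with --security-opt label=level:s0:c100,c200" if mismatch
                 else "type-enforcement denial: check the volume's file type / :z label"),
    }


def analyse(text):
    return [r for r in map(classify, text.splitlines()) if r]
```

Run it over the real `ausearch -m avc -ts recent` output instead of SAMPLE_AVC; any record flagged mcs_mismatch explains why the custom module had no effect.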