Access to docker.socket using SELinux in FCOS


Intro

Greetings,

For a week I've been trying to set up FCOS (Fedora CoreOS) and run a Docker Swarm along with SELinux (this is my first experience with SELinux).

Containers are running great, but when I'm trying to use /var/run/docker.socket I always get permission denied:

portainer_agent.0.k9c6uqifwohk@localhost    | 2020/03/14 13:24:11 [ERROR] [main,docker] [message: Unable to retrieve information from Docker] [error: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info: dial unix /var/run/docker.sock: connect: permission denied]

I've already tried disabling SELinux (setenforce 0) to ensure the problem comes from SELinux.

Info

docker.socket

srw-rw----. 1 root docker system_u:object_r:container_var_run_t:s0 0 Mar 14 13:14 /var/run/docker.sock

Here is the docker-compose.yaml I'm using for my tests:

version: '3.2'

services:
  agent:
    image: portainer/agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:z
      - /var/lib/docker/volumes:/var/lib/docker/volumes:z
    networks:
      - agent_network
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

networks:
  agent_network:
    driver: overlay
    attachable: true

Thanks for your help!


Dymerz On BEST ANSWER

I've finally succeeded, using dockersock.te from this GitHub repository.

Here is the function I use in my installation script:

function fix_socket_permission()
{
    echo "Installing SELinux policy tools (checkmodule, semodule_package)"
    sudo rpm-ostree install policycoreutils-python-utils
    echo "Need reboot"
    # rpm-ostree layers the package into a new deployment; the tools are only
    # available after rebooting into it, so the steps below run after the reboot.

    echo "Downloading docker socket policy"
    curl -fsSL https://raw.githubusercontent.com/dpw/selinux-dockersock/master/dockersock.te -o /tmp/dockersock.te

    echo "Applying policy to system"
    # compile the type-enforcement source into a module, package it, and load it
    checkmodule -M -m -o /tmp/dockersock.mod /tmp/dockersock.te
    semodule_package -o /tmp/dockersock.pp -m /tmp/dockersock.mod
    sudo semodule -i /tmp/dockersock.pp
    rm -f /tmp/dockersock.te /tmp/dockersock.mod /tmp/dockersock.pp
}
Bogdan On

Unlike CL (Container Linux), FCOS (Fedora CoreOS) comes with SELinux "targeted" policy set to "enforced". If you are expecting the same behavior as in CL you should set "SELINUX=permissive" in /etc/selinux/config.

Here is CL /etc/selinux/config:

# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these four values:
#   targeted - Only targeted network daemons are protected.
#   strict   - Full SELinux protection.
#   mls      - Full SELinux protection with Multi-Level Security
#   mcs      - Full SELinux protection with Multi-Category Security
#              (mls, but only one sensitivity level)
SELINUXTYPE=mcs

Here is FCOS /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
lawrencegripper On

You can now allow a single container to opt out of the SELinux enforcement by adding --security-opt label=disable to the docker command. This passes a seccomp profile to the container. See details

This is an improvement from a security perspective vs the answer which changes SELinux policy to allow all containers to mount the socket. With this approach only the single container with the flag can do it and others remain restricted.

For example:

docker run -d --name watchtower --security-opt label=disable -v /var/run/docker.sock:/var/run/docker.sock:z --restart=always containrrr/watchtower

Note that the :z on the end of the mount is potentially required to have Docker set up the permissions correctly for mounting files and folders under SELinux. See details
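The two answers above give a host-wide fix (loading a policy module that lets every container_t process write to the socket) and a per-container one (`--security-opt label=disable`). Either way, a container that can reach /var/run/docker.sock has root-equivalent control of the host, so it is worth knowing exactly which containers have it and by which route. The following script is an added example, not code from the question or any answer: it reads the JSON that `docker inspect` prints, lists every container that bind-mounts the Docker socket, and reports whether that container opted out of SELinux labeling itself or is relying on host policy (such as the dockersock module). The inspect data embedded below is constructed to mirror the real `Mounts` and `HostConfig.SecurityOpt` fields; the helper that parses the `ls -Z` context line from the question is included so the socket's label can be checked from the same place.

```python
"""Audit `docker inspect` output for containers that reach the Docker socket.

Added example (not from the original question or answers). Feed it the output
of `docker inspect $(docker ps -q)`; it reports which containers bind-mount
/var/run/docker.sock and whether each one uses a per-container
`--security-opt label=disable` or depends on a host-wide policy module.
"""
import json

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample resembling the relevant fields of real `docker inspect` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/watchtower",
     "HostConfig": {"SecurityOpt": ["label=disable"]},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK,
                 "Mode": "z", "RW": True}]},
    {"Name": "/portainer_agent",
     "HostConfig": {"SecurityOpt": None},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK,
                 "Mode": "z", "RW": True},
                {"Type": "bind", "Source": "/var/lib/docker/volumes",
                 "Destination": "/var/lib/docker/volumes", "Mode": "z", "RW": True}]},
    {"Name": "/web",
     "HostConfig": {"SecurityOpt": None},
     "Mounts": []},
])


def parse_selinux_context(ls_z_line):
    """Split the context column of an `ls -Z` line into user/role/type/level.

    The context is the whitespace-separated field with exactly four ':'-separated
    parts whose second part is an SELinux role (ends in "_r"), which avoids
    matching the "13:14" timestamp column.
    """
    for field in ls_z_line.split():
        parts = field.split(":")
        if len(parts) == 4 and parts[1].endswith("_r"):
            return {"user": parts[0], "role": parts[1], "type": parts[2], "level": parts[3]}
    raise ValueError("no SELinux context found in line")


def socket_mount(container):
    """Return the Mounts entry that bind-mounts the Docker socket, or None."""
    for mount in container.get("Mounts", []):
        if mount.get("Type") == "bind" and mount.get("Source") == DOCKER_SOCK:
            return mount
    return None


def selinux_label_disabled(container):
    """True when the container was started with --security-opt label=disable."""
    opts = container.get("HostConfig", {}).get("SecurityOpt") or []
    return "label=disable" in opts


def audit_socket_access(inspect_json):
    """Return one finding per container that mounts the Docker socket."""
    findings = []
    for c in json.loads(inspect_json):
        mount = socket_mount(c)
        if mount is None:
            continue
        mode_flags = (mount.get("Mode") or "").split(",")
        findings.append({
            "name": c["Name"].lstrip("/"),
            "label_disabled": selinux_label_disabled(c),
            # ':z' / ':Z' on the -v spec asks Docker to relabel the source path
            "relabel": any(flag in ("z", "Z") for flag in mode_flags),
            "read_only": not mount.get("RW", True),
        })
    return findings


def describe(finding):
    """One-line human summary of how a container is able to use the socket."""
    route = ("per-container label=disable" if finding["label_disabled"]
             else "no label opt-out: needs host policy (e.g. dockersock module) or is denied")
    return "%s: mounts %s (%s; relabel=%s; read_only=%s)" % (
        finding["name"], DOCKER_SOCK, route, finding["relabel"], finding["read_only"])


if __name__ == "__main__":
    # Socket line copied from the question; in practice read it from `ls -Z`.
    ctx = parse_selinux_context(
        "srw-rw----. 1 root docker system_u:object_r:container_var_run_t:s0 0 Mar 14 13:14 /var/run/docker.sock")
    print("socket type:", ctx["type"])
    for f in audit_socket_access(SAMPLE_INSPECT):
        print(describe(f))
```

Run it as `docker inspect $(docker ps -q) | python3 audit_socket.py` after replacing `SAMPLE_INSPECT` with `sys.stdin.read()`. A container in the second category that is working fine under `SELINUX=enforcing` tells you a host-wide allow rule is in effect, which is the broader grant the answer above argues against.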
