Search code examples
linuxdockerredhatselinux

Unable to use docker cache because of the SELINUX

I try to build a cache volume for my docker image (my host is RedHat 7.7, image is based on ubuntu:bionic):

docker run -v /tmp/cache:/cache:z --entrypoint true --name cache image-dev
docker run --rm --volumes-from cache image-dev

Unfortunately I'm unable to use files that were cached.

ERROR: Could not install packages due to an EnvironmentError: [Errno 13] Permission denied: '/cache/pip/wheels/c6/8c/80/527c233e7cb169f828b7168ebeab0fc5206d09b0fa133472fb/mysqlclient-1.4.6-cp36-cp36m-linux_x86_64.whl'
Consider using the `--user` option or check the permissions.

I noticed that when I disable SELINUX everything works fine.

I tried to investigate it using:

ausearch -m avc -ts recent | audit2allow

#============= container_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#   mlsconstrain file { ioctl read lock execute execute_no_trans } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { create relabelto } ((h1 dom h2 -Fail-)  and (l2 eq h2)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { relabelfrom } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED

#   Possible cause is the source level (s0:c46,c613) and target level (s0:c241,c588) are different.
allow container_t container_file_t:file { ioctl read };

And I created custom SELinux policy container_cache.te and I loaded it into the system:

policy_module(container_cache, 1.0)
require {
    type container_t;
    type container_file_t;
}
allow container_t container_file_t:file { ioctl read read lock execute execute_no_trans write setattr append unlink link rename create relabelto relabelfrom };

Unfortunately it didn't help.

Does anyone knows how to fix it without disabling SELinux?

Solution

  • The answer to this question are different MCS/MLS labels for each container. This labels can be set by flag i.e.:

    --security-opt label=level:s0:c100,c200

    More information on https://docs.docker.com/engine/reference/run/#security-configuration