如何添加“ProcessLabel”在 docker 容器中
对于我的 Docker 容器,Selinux 已启用并设置为“强制”模式。 我们的系统中有 2 个容器正在运行。但是对于一个容器,“MountLabel”和“ProcessLabel”都已配置,如下所示:
docker inspect <container1_ID> | grep "Label"
"MountLabel": "USER_u:ROLE_r:svirt_lxc_file_t:s0:c204,c558",
"ProcessLabel": "USER_u:ROLE_r:svirt_lxc_net_t:s0:c204,c558",
而对于另一个容器,缺少“ProcessLabel”配置 -
docker inspect <container2_ID> | grep "Label"
"MountLabel": "USER_u:ROLE_r:svirt_lxc_file_t:s0:c212,c227",
"ProcessLabel": "",
您能否帮助我知道,如何为 docker 容器配置进程标签以及这个类别编号(c204,c558)代表什么?
For my Docker container Selinux is enabled and set to "Enforcing" mode.
We have 2 container running in our system. But for one container both "MountLabel" and "ProcessLabel" is configured , as shown below :
docker inspect <container1_ID> | grep "Label"
"MountLabel": "USER_u:ROLE_r:svirt_lxc_file_t:s0:c204,c558",
"ProcessLabel": "USER_u:ROLE_r:svirt_lxc_net_t:s0:c204,c558",
And for another container, "ProcessLabel" configuration is missing -
docker inspect <container2_ID> | grep "Label"
"MountLabel": "USER_u:ROLE_r:svirt_lxc_file_t:s0:c212,c227",
"ProcessLabel": "",
Could you please help me to know ,how can I configure Process label for a docker container and what this category number(c204,c558) signifies ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
当容器启动时,包含该容器的进程将被标记为 SELinux 上下文。您可以运行“ps -eZ”或“docker inform …”来查看容器的上下文
为了使进程能够写入卷,需要使用进程上下文可以访问的 SELinux 上下文来标记该卷。这就是“[zZ]”标志的用途。如果启动没有 z 标志的容器,您将收到权限被拒绝错误,因为 SELinux 卷级别和进程级别不匹配。
语法类似于 docker run --name yourcontainername --rm -it -v /foo:/foo:Z
你可以在这里找到更详细的解释 https://prefetch.net/blog/2017/09/30/using-docker-volumes-on-selinux-enabled-servers/
如果您想了解有关类别编号的更多信息,您可以阅读以下文档https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts
When a container starts the processes comprising that container will be labeled with an SELinux context. You can run ‘ps -eZ’ or ‘docker inspect …’ to view the context of a container
In order for the process to be able to write to a volume, the volume needs to be labeled with a SELinux context that the process context has access to. This is the purpose of the ‘[zZ]’ flags. If you start a container without the z flag you will receive a permission denied error because the SELinux volume level and the process level don’t match.
The syntax will go something like
docker run --name yourcontainername --rm -it -v /foo:/foo:ZYo can find a more detailed explanation here https://prefetch.net/blog/2017/09/30/using-docker-volumes-on-selinux-enabled-servers/
If you want to know more about the category numbers you can read the following document https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts
您可以使用以下 docker 运行选项:
--security-opt label=...。例如:
--security-opt label=level:s0:c100,c200。请参阅: https://docs.docker.com/engine/reference/run /#安全配置
You can use the following docker run option:
--security-opt label=....For example:
--security-opt label=level:s0:c100,c200.See: https://docs.docker.com/engine/reference/run/#security-configuration