Understanding SELinux Labels for Container Runtimes

“I’ve just started to deal with some software that is containerized via Docker, and which is ordinarily only ever run on Ubuntu. Naturally this means nobody ever put any thought into how it will interact with SELinux.

“I know that containers get a pair of randomly chosen MCS [Multi-Category Security] labels by default, and that the files they create obviously end up with those same categories. However, when it’s time to rebuild or upgrade the container, the files are now inaccessible because the new container has a different pair of categories.

“Are we supposed to relabel these files with the new categories? Or do we have to pick the categories ourselves and then use Docker’s --security-opt option when we run the container? How do we do so without risk that some other container will end up with the same categories?”

Regarding the first question, when a container runtime like Docker, as well as some of the new ones we have been working on—podman, CRI-O, and Buildah—create a container, they pick a random MCS label to run the container. The MCS labels consist of two random numbers between 0 and 1,023 and have to be unique. They are prefixed with a c or category. SELinux also needs a sensitivity level s0.

Read more at OpenSource.com