Why does SELinux deny access to container internal files and claim them as "unlabeled_t"?

Submitted by 孤街浪徒 on 2019-12-11 13:05:08

Question


This is related to this question: How to audit the selinux denial inside a docker container

I have a container that does not work after enforcing SELinux; the "ls /app" command fails with an access denial:

# docker exec -it XXX ls -lZ /app
ls: cannot open directory /app: Permission denied

The first problem is that SELinux denial messages were not logged for accesses inside my container. After turning off "dontaudit", the SELinux denial info appears, but it shows the container is trying to "read" an "unlabeled_t":

type=AVC msg=audit(1537323105.938:115360): avc:  denied  { read } for  
pid=11891 comm="ls" path="/app" dev="vdb" ino=917696
scontext=system_u:system_r:container_t:s0:c136,c536
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

but per the info below, it is "container_file_t":

# docker exec -it XXX ls -dZ /app
drwxr-xr-x. root root system_u:object_r:container_file_t:s0:c136,c536 /app

I don't think it is proper that I add a rule to allow (container_t read "unlabeled_t" dir), though it does work.

So I want to know why the "/app" dir (and many others) inside the container is deemed "unlabeled_t" by SELinux, and how can I fix the problem?
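An added diagnostic, not from the question or its source thread, that parses the AVC record quoted above and contrasts the label the kernel actually enforced on (tcontext) with the label `ls -Z` printed; it assumes the AVC record is on a single line and that the `ls -dZ` output is the one shown:

```python
import re

# Constructed sample: the AVC record from the question, joined onto one line.
AVC_LINE = ('type=AVC msg=audit(1537323105.938:115360): avc:  denied  { read } for  '
            'pid=11891 comm="ls" path="/app" dev="vdb" ino=917696 '
            'scontext=system_u:system_r:container_t:s0:c136,c536 '
            'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir')

# What `ls -dZ /app` printed inside the container (also from the question).
LS_CONTEXT = 'system_u:object_r:container_file_t:s0:c136,c536'

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERM_RE = re.compile(r'\{ ([^}]*) \}')         # the "{ read write ... }" permission set

def parse_avc(line):
    """Split one AVC record into its key=value fields plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PERM_RE.search(line)
    fields['perms'] = m.group(1).split() if m else []
    return fields

def split_context(ctx):
    """user:role:type:level[:categories] -> dict, with MCS categories as a set."""
    user, role, typ, *rest = ctx.split(':')
    level = rest[0] if rest else ''
    cats = set(rest[1].split(',')) if len(rest) > 1 else set()
    return {'user': user, 'role': role, 'type': typ, 'level': level, 'cats': cats}

def diagnose(avc_line, ls_context):
    """Report whether the kernel enforced a different label than ls -Z displays."""
    avc = parse_avc(avc_line)
    kernel = split_context(avc['tcontext'])   # label the policy decision was made on
    shown = split_context(ls_context)         # label userspace tooling reports
    src = split_context(avc['scontext'])      # the container process's own label
    return {
        'denied': avc['perms'],
        'tclass': avc['tclass'],
        'device': avc['dev'],                 # which backing device holds the inode
        'kernel_type': kernel['type'],
        'ls_type': shown['type'],
        'type_mismatch': kernel['type'] != shown['type'],
        'kernel_unlabeled': kernel['type'] == 'unlabeled_t',
        # container_file_t access also needs the MCS categories to agree
        'mcs_match': src['cats'] == shown['cats'],
    }

if __name__ == '__main__':
    print(diagnose(AVC_LINE, LS_CONTEXT))
```

A `type_mismatch` with `kernel_unlabeled` true, while the MCS categories shown by `ls -Z` match the process, means an allow rule for `unlabeled_t` would paper over a labeling problem on the named device rather than fix it.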

Source: https://stackoverflow.com/questions/52397387/why-selinux-denies-access-to-container-internal-files-and-claims-them-as-unlabl
