SELinux create custom role

Toasty asked:

I have a folder shared out via Samba, and a Docker container which I would like to give access to said folder by adding it as a volume to the Docker container (yes, I know that’s not portable).

SELinux blocks the container from accessing the folder since the folder and its contents are labeled as samba_share_t, not svirt_sandbox_file_t.

I know that the smbd_t domain has access to a number of SELinux labels (e.g. httpd_sys_content_t, though sesearch -s smbd_t --allow provides a full list), but svirt_sandbox_file_t is not one of them.

I see a few ways around this problem:

  • Access the Samba share from the container over the network (not desirable as that requires Samba to be installed in the container, and there’s network overhead)

  • Relabel the folder and its contents as svirt_sandbox_file_t (which prevents Samba from accessing the folder)

  • Relabel the folder and its contents as public_content_rw_t (but that also gives access to a number of other services which I don’t want to have access to this folder)

  • Create a policy to give svirt_lxc_net_t access to the samba_share_t label (generated by audit2allow, but that gives any container access to any file/folder labeled as samba_share_t)

The other option I can think of is to create my own SELinux role with its own label that gives access only to Samba and svirt (which I haven’t done before, but am willing to try).

Am I missing something here? Is there an easier way to do this?

My answer:

You should be able to set the appropriate SELinux boolean, virt_use_samba.

setsebool -P virt_use_samba 1

I’m not 100% certain of this, though; it applies to regular virtual machines, but I’m not completely sure about its applicability to containers.
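As an added triage example (not part of the question or answer above, and not a tool either author provides): a small Python script that parses AVC denial records of the kind this setup produces, extracts the source domain and target type, and looks up the boolean suggested in the answer before falling back to audit2allow. The audit lines are constructed samples, and the remedy table is my own mapping built from what this page discusses.

```python
import re

# Constructed sample audit records modelled on the denial in the question:
# a container domain (svirt_lxc_net_t) blocked from a samba_share_t directory. Not real logs.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1500000000.123:456): avc:  denied  { read } for  pid=1234 comm="python" name="share" dev="sda1" ino=98765 scontext=system_u:system_r:svirt_lxc_net_t:s0:c123,c456 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1500000000.124:457): avc:  denied  { write } for  pid=1234 comm="python" name="data.txt" dev="sda1" ino=98766 scontext=system_u:system_r:svirt_lxc_net_t:s0:c123,c456 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1500000000.124:457): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# (source domain, target type) pairs from this page and the least invasive fix to try first.
KNOWN_REMEDIES = {
    ("svirt_lxc_net_t", "samba_share_t"):
        "check the boolean first: getsebool virt_use_samba; enable with setsebool -P virt_use_samba 1",
}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Extract permissions, source type, target type and object class from each AVC line."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if m:
            denials.append({
                "perms": m.group("perms").split(),
                "source": context_type(m.group("scontext")),
                "target": context_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
            })
    return denials


def summarize(log_text):
    """Group denials by (source, target) and attach the remedy to try before writing a custom module."""
    summary = {}
    for d in parse_avc_denials(log_text):
        key = (d["source"], d["target"])
        entry = summary.setdefault(key, {"perms": set(), "remedy": KNOWN_REMEDIES.get(key)})
        entry["perms"].update(d["perms"])
    return summary


if __name__ == "__main__":
    for (src, tgt), info in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt}: {sorted(info['perms'])}; {info['remedy'] or 'no boolean known; review with audit2allow'}")
```

On a live host, feed it the output of `ausearch -m avc` instead of the constructed sample; a pair with no known boolean is the case where the question's narrower custom-policy option becomes relevant.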

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.