From 160dc79db095767de74deb75b8e1ae86f213593c Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 11 May 2015 18:28:36 -0400 Subject: [PATCH] Modify volume mounts SELinux labels on the fly based on :Z or :z This patch is extending the qualifiers on the -v command to allow an admin to tell the system to relabel, content. There might be a need for something similar for changing the DAC Permissions. Signed-off-by: Jessica Frazelle
---
docs/man/docker-run.1.md | 15 +++++++++++++++ docs/sources/reference/commandline/cli.md | 15 ++++++++++++++- runconfig/config_test.go | 8 ++++++++ 3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/docs/man/docker-run.1.md b/docs/man/docker-run.1.md
index eec0f1cefc..1544c35458 100644
--- a/docs/man/docker-run.1.md
+++ b/docs/man/docker-run.1.md
@@ -396,6 +396,21 @@ used in other containers using the **--volumes-from** option. read-only or read-write mode, respectively. By default, the volumes are mounted read-write. See examples.
 
+Labeling systems like SELinux require proper labels be placed on volume content
+mounted into a container, otherwise the secuirty system might prevent the
+processes running inside the container from using the content. By default,
+volumes are not relabeled.
+
+Two suffixes :z or :Z can be added to the volume mount. These suffixes tell
+Docker to relabel file objects on the shared volumes. The 'z' option tells
+Docker that the volume content will be shared between containers. Docker will
+label the content with a shared content label. Shared volumes labels allow all
+containers to read/write content. The 'Z' option tells Docker to label the
+content with a private unshared label. Private volumes can only be used by the
+current container.
+
+Note: Multiple Volume options can be added separated by a ","
+
 **--volumes-from**=[] Mount volumes from the specified container(s)
diff --git a/docs/sources/reference/commandline/cli.md b/docs/sources/reference/commandline/cli.md
index 3d92b3ed67..c5e276e3a3 100644
--- a/docs/sources/reference/commandline/cli.md
+++ b/docs/sources/reference/commandline/cli.md
@@ -2181,6 +2181,19 @@ mount the volumes in read-only or read-write mode, respectively. By default, the volumes are mounted in the same mode (read write or read only) as the reference container.
 
+Labeling systems like SELinux require proper labels be placed on volume content
+mounted into a container, otherwise the security system might prevent the
+processes running inside the container from using the content. By default,
+volumes are not relabeled.
+
+Two suffixes :z or :Z can be added to the volume mount. These suffixes tell
+Docker to relabel file objects on the shared volumes. The 'z' option tells
+Docker that the volume content will be shared between containers. Docker will
+label the content with a shared content label. Shared volumes labels allow all
+containers to read/write content. The 'Z' option tells Docker to label the
+content with a private unshared label. Private volumes can only be used by the
+current container.
+
 The `-a` flag tells `docker run` to bind to the container's `STDIN`, `STDOUT` or `STDERR`. This makes it possible to manipulate the output and input as needed.
@@ -2222,7 +2235,7 @@ flag: $ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc Command (m for help): q
- $ docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk /dev/xvdc
+ $ docker run --device=/dev/sda:/dev/xvdc:ro --rm -it ubuntu fdisk /dev/xvdc
 You will not be able to write the partition table. Command (m for help): q
diff --git a/runconfig/config_test.go b/runconfig/config_test.go
index 8b1a49f11b..27727a495e 100644
--- a/runconfig/config_test.go
+++ b/runconfig/config_test.go
@@ -114,6 +114,14 @@ func TestParseRunVolumes(t *testing.T) {
 t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp:ro -v /hostVar:/containerVar:rw` should mount-bind /hostTmp into /containeTmp and /hostVar into /hostContainer. Received %v", hostConfig.Binds)
 }
 
+ if _, hostConfig := mustParse(t, "-v /hostTmp:/containerTmp:roZ -v /hostVar:/containerVar:rwZ"); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], "/hostTmp:/containerTmp:roZ", "/hostVar:/containerVar:rwZ") != nil {
+ t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp:roZ -v /hostVar:/containerVar:rwZ` should mount-bind /hostTmp into /containeTmp and /hostVar into /hostContainer. Received %v", hostConfig.Binds)
+ }
+
+ if _, hostConfig := mustParse(t, "-v /hostTmp:/containerTmp:Z -v /hostVar:/containerVar:z"); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], "/hostTmp:/containerTmp:Z", "/hostVar:/containerVar:z") != nil {
+ t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp:Z -v /hostVar:/containerVar:z` should mount-bind /hostTmp into /containeTmp and /hostVar into /hostContainer. Received %v", hostConfig.Binds)
+ }
+
 if config, hostConfig := mustParse(t, "-v /hostTmp:/containerTmp -v /containerVar"); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != "/hostTmp:/containerTmp" {
 t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp -v /containerVar` should mount-bind only /hostTmp into /containeTmp. Received %v", hostConfig.Binds)
 } else if _, exists := config.Volumes["/containerVar"]; !exists {
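Review bot: The two new cases only assert that the bind strings come back unchanged, so they prove the `:roZ`/`:rwZ`/`:Z`/`:z` suffixes are accepted but not that the relabel option is recognised or that an unknown suffix is rejected; a negative case such as `-v /hostTmp:/containerTmp:X` expected to fail (using whatever non-fatal parse helper this file offers, since mustParse takes t) would pin the validation boundary, because a mistyped suffix that is silently accepted ends up as a mount whose label was never adjusted. The man-page hunk in this same patch says multiple options are `separated by a ","`, yet the test exercises only the concatenated `roZ`/`rwZ` form and never the comma form, so one of the two should be aligned, e.g. by adding a `-v /hostTmp:/containerTmp:ro,Z` case if that is the supported syntax. The copied Fatalf messages still read `/containeTmp` and `/hostVar into /hostContainer` although the second bind targets `/containerVar`; `should mount-bind /hostTmp into /containerTmp and /hostVar into /containerVar` would match the inputs. TestParseRunVolumes starts before and continues past this hunk.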