SELinux create custom role

Question

I have a folder shared out via Samba, and a Docker container which I would like to give access to said folder by adding it as a volume to the Docker container (yes, I know that's not portable).

SELinux blocks the container from accessing the folder since the folder and its contents are labeled as samba_share_t, not svirt_sandbox_file_t

I know that the smbd_t domain has access to a number of SELinux labels (e.g. httpd_sys_content_t, though sesearch -s smbd_t --allow provides a full list), but svirt_sandbox_file_t is not one of them.

I see a few ways around this problem:

• Access the samba share from the container over the network (not desirable as that requires samba to be installed in the container, and there's network overhead)

• Relabel the folder and its contents as svirt_sandbox_file_t (which prevents Samba from accessing the folder)

• Relabel the folder and its contents as public_content_rw_t (but that also gives access to a number of other services which I don't want to have access to this folder)

• Create a policy to give svirt_lxc_net_t access to the samba_share_t label (generated by audit2allow, but that gives any container access to any file/folder labeled as samba_share_t)

The other option I can think of is to create my own SELinux role with its own label that gives access only to Samba and svirt (which I haven't done before, but am willing to try).

Am I missing something here? Is there an easier way to do this?

Answer 1

I would go the route of adding the rule to allow samba to write to svirt_sandbox_file_t. Since you want samba to be allowed to upload content to the container. Is samba only needs to read the content, then just add the allow rules to make this happen.

Answer 2

You should be able to set the appropriate SELinux boolean, virt_sandbox_use_samba.

setsebool -P virt_sandbox_use_samba 1

Answer 3

In case someone runs into the same issue, I opted for an alternative solution, ie to allow smbd_t to access stuff labeled svirt_sandbox_file_t. This is a 1:1 copy from the samba_share_t in a CentOS 7 system.

# cat >samba_docker_policy.te<<EOF
module samba_docker_policy 1.0;
require {
    type smbd_t;
        type svirt_sandbox_file_t;
        class dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open };
        class lnk_file { ioctl read write create getattr setattr lock append unlink link rename };
        class file { ioctl read write create getattr setattr lock append unlink link rename open };
        class filesystem { getattr quotaget };
        class fifo_file { ioctl read write create getattr setattr lock append unlink link rename open };
        class sock_file { ioctl read write create getattr setattr lock append unlink link rename open };
}

#============= svirt_sandbox_file_t ==============

allow smbd_t svirt_sandbox_file_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow smbd_t svirt_sandbox_file_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
allow smbd_t svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow smbd_t svirt_sandbox_file_t : filesystem { getattr quotaget } ;
allow smbd_t svirt_sandbox_file_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow smbd_t svirt_sandbox_file_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
EOF
# checkmodule -M -m -o samba_docker_policy.mod samba_docker_policy.te
# semodule_package -o samba_docker_policy.pp -m samba_docker_policy.mod
# semodule -i samba_docker_policy.pp