
Question:

Can somebody explain to me why SELinux rules are applied when running a container in daemon mode but not in interactive mode?

Use case:

I am running a Docker container with NVIDIA GPU support.

When I try to run it in interactive mode, everything works fine:

docker run -ti --runtime=nvidia --user jovyan -p 81:8888 hub-nbk-gpu:stable nvidia-smi
Thu Aug 30 14:07:53 2018
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 396.26                 Driver Version: 396.26                    |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|===============================+======================+======================|
|   0  Tesla P100-PCIE...  Off  | 00000000:00:1F.0 Off |                    0 |
| N/A   32C    P0    28W / 250W |      0MiB / 16280MiB |      0%      Default |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                       GPU Memory |
|  GPU       PID   Type   Process name                             Usage      |
|=============================================================================|
|  No running processes found                                                 |
+-----------------------------------------------------------------------------+

But when I want to run it in daemon mode, SELinux seems to block it:

docker run -d --runtime=nvidia --user jovyan -p 81:8888 hub-nbk-gpu:stable
4ad334909bb963aa29d63c0929f79a3beb0ce015685d1a5835dda4137cbff367
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "permission denied": unknown.

Of course, if I disable SELinux everything works fine:

getenforce
Enforcing

sudo setenforce 0

getenforce
Permissive

docker run -d --runtime=nvidia --user jovyan -p 81:8888 hub-nbk-gpu:stable
83fd5ca737523c8757005ce80999c52081c23360b3deb9603e8d86eb357aa64a
talonmies
Minux
  • Are there relevant AVC log entries in audit log (`/var/log/audit/audit.log`)? – sebasth Sep 14 '18 at 07:42
  • Are you quite familiar with SELinux? If not, I suggest you not enable it. If you do, I think you may figure it out all by yourself. I have been doomed by SELinux once, badly. Too hard... – Light.G Oct 24 '18 at 12:48
  • Yes, I am a little bit familiar with SELinux, but I agree with you. Unfortunately I cannot disable it in my company for security reasons :-( – minux Oct 24 '18 at 21:52
  • Nope @sebasth, nothing interesting in the logs :-( – minux Oct 24 '18 at 21:53
  • @minux there is possibly *dontaudit* rules which suppress some of the error messages. Logging can be enabled by rebuilding the policy without *dontaudit* rules using `semodule -DB`. It is also possible to set only docker in permissive mode by `semanage permissive -a docker_t`. – sebasth Oct 25 '18 at 06:09
  • My question is more around "why can I run my Docker container in interactive mode **with** SELinux enabled"? SELinux blocking daemon mode execution is normal, but why doesn't it block interactive execution too? – Minux Oct 29 '18 at 13:21
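Following sebasth's suggestion to look for AVC records, here is an added triage helper that is not part of the original question or comments: it pulls container-domain denials out of an audit.log excerpt and summarises each one. The log lines are constructed for illustration, and the set of container domain names is an assumption taken from the container-selinux policy; a denial suppressed by a dontaudit rule never reaches the log at all, which is what the `semodule -DB` step in the comment addresses.

```python
import re

# Constructed sample audit.log excerpt (not from the original post). Line 1
# imitates a denied GPU device access from a container domain, line 2 is an
# unrelated denial from httpd_t, line 3 is not an AVC record at all.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1535637000.123:4567): avc:  denied  { read write } for  pid=12345 comm="nvidia-smi" path="/dev/nvidia0" dev="devtmpfs" ino=1234 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1535637001.456:4568): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1535637000.123:4567): arch=c000003e syscall=2 success=no exit=-13 comm="nvidia-smi"
"""

# Assumed container source domains (container-selinux policy names).
CONTAINER_TYPES = {"container_t", "svirt_lxc_net_t", "spc_t"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Reduce full contexts (user:role:type:level) to the type component.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    # permissive=1 means the access was logged but allowed (setenforce 0).
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def container_denials(log_text):
    """Return parsed AVC denials whose source domain is a container domain."""
    return [rec for rec in map(parse_avc, log_text.splitlines())
            if rec and rec["verdict"] == "denied" and rec["stype"] in CONTAINER_TYPES]


def describe(rec):
    """One-line summary for triage: who was denied what on which object."""
    target = rec.get("path") or rec.get("dest") or rec.get("name", "?")
    return (f'{rec["comm"]} ({rec["stype"]}) denied {{ {" ".join(rec["perms"])} }} '
            f'on {rec["tclass"]} {target} ({rec["ttype"]})'
            + (" [permissive]" if rec["permissive"] else ""))


if __name__ == "__main__":
    for rec in container_denials(SAMPLE_AUDIT_LOG):
        print(describe(rec))
```

On a real host, feed it `ausearch -m avc -ts recent` output instead of the sample; the `ttype` and `tclass` fields are what you would compare against the policy when deciding whether a boolean, a device label, or a custom module is the right fix.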

0 Answers