SELinux create custom role

Toasty asked:

I have a folder shared out via Samba, and a Docker container which I would like to give access to said folder by adding it as a volume to the Docker container (yes, I know that’s not portable).

SELinux blocks the container from accessing the folder since the folder and its contents are labeled as samba_share_t, not svirt_sandbox_file_t

I know that the smbd_t domain has access to a number of SELinux labels (e.g. httpd_sys_content_t, though sesearch -s smbd_t --allow provides a full list), but svirt_sandbox_file_t is not one of them.

I see a few ways around this problem:

  • Access the samba share from the container over the network (not desirable as that requires samba to be installed in the container, and there’s network overhead)

  • Relabel the folder and its contents as svirt_sandbox_file_t (which prevents Samba from accessing the folder)

  • Relabel the folder and its contents as public_content_rw_t (but that also gives access to a number of other services which I don’t want to have access to this folder)

  • Create a policy to give svirt_lxc_net_t access to the samba_share_t label (generated by audit2allow, but that gives any container access to any file/folder labeled as samba_share_t)

The other option I can think of is to create my own SELinux role with its own label that gives access only to Samba and svirt (which I haven’t done before, but am willing to try).

Am I missing something here? Is there an easier way to do this?

My answer:

You should be able to set the appropriate SELinux boolean, virt_sandbox_use_samba.

setsebool -P virt_sandbox_use_samba 1

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.