How to add "ProcessLabel" in a docker container
For my Docker container SELinux is enabled and set to "Enforcing" mode. We have 2 containers running in our system. But for one container both "MountLabel" and "ProcessLabel" are configured, as shown below:
docker inspect <container1_ID> | grep "Label"
"MountLabel": "USER_u:ROLE_r:svirt_lxc_file_t:s0:c204,c558",
"ProcessLabel": "USER_u:ROLE_r:svirt_lxc_net_t:s0:c204,c558",
And for the other container, the "ProcessLabel" configuration is missing:
docker inspect <container2_ID> | grep "Label"
"MountLabel": "USER_u:ROLE_r:svirt_lxc_file_t:s0:c212,c227",
"ProcessLabel": "",
Could you please help me understand how I can configure the process label for a docker container, and what the category numbers (c204,c558) signify?
Solution 1:[1]
You can use the following docker run option: --security-opt label=...

For example: --security-opt label=level:s0:c100,c200

See: https://docs.docker.com/engine/reference/run/#security-configuration
Solution 2:[2]
When a container starts, the processes comprising that container will be labeled with an SELinux context. You can run ‘ps -eZ’ or ‘docker inspect …’ to view the context of a container. In order for the process to be able to write to a volume, the volume needs to be labeled with an SELinux context that the process context has access to. This is the purpose of the ‘[zZ]’ flags. If you start a container without the z flag you will receive a permission denied error because the SELinux volume level and the process level don’t match.
The syntax will go something like docker run --name yourcontainername --rm -it -v /foo:/foo:Z
You can find a more detailed explanation here: https://prefetch.net/blog/2017/09/30/using-docker-volumes-on-selinux-enabled-servers/
If you want to know more about the category numbers you can read the following document https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-selinux_contexts
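As an added example that is not part of either answer above, the POSIX shell helpers below pull the type, level and MCS category fields out of container contexts of the form shown in the question, and check whether a container's ProcessLabel carries the same MCS level as a mount or volume label. This is the mismatch Solution 2 describes (process level versus volume level), and the category pair Solution 1 sets with `--security-opt label=level:...` is what the helpers extract. The two contexts are constructed inputs copied from the question; the `container_labels` function at the end assumes a docker CLI is installed and is not needed for the offline checks.

```shell
#!/bin/sh
# Added example (not code from the original answers).
# SELinux contexts have the form user:role:type:level; for containers the
# level is "s0" plus two MCS categories (c0..c1023) that Docker picks per
# container, e.g. "s0:c204,c558". A mount carrying a different pair of
# categories is not accessible to the container's processes.

# Level field(s) of a context: "USER_u:ROLE_r:svirt_lxc_net_t:s0:c204,c558" -> "s0:c204,c558"
selinux_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Type field of a context: -> "svirt_lxc_net_t"
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# MCS categories of a context, space separated: -> "c204 c558"
# (-s suppresses output for a level such as "s0" that has no categories)
mcs_categories() {
    printf '%s\n' "$1" | cut -d: -f4- | cut -s -d: -f2 | tr ',' ' '
}

# Returns 0 when the process label and the mount/volume label share the same
# level (and therefore the same categories); 1 otherwise. An empty
# ProcessLabel, as in the question's second container, never matches.
mcs_levels_match() {
    proc_level=$(selinux_level "$1")
    mount_level=$(selinux_level "$2")
    [ -n "$proc_level" ] && [ "$proc_level" = "$mount_level" ]
}

# Read both labels from a running container (requires docker; assumption:
# the CLI is present; not used by the offline checks below).
container_labels() {
    docker inspect --format '{{.ProcessLabel}} {{.MountLabel}}' "$1"
}

# Constructed inputs taken from the question.
C1_PROC='USER_u:ROLE_r:svirt_lxc_net_t:s0:c204,c558'
C1_MOUNT='USER_u:ROLE_r:svirt_lxc_file_t:s0:c204,c558'
C2_PROC=''
C2_MOUNT='USER_u:ROLE_r:svirt_lxc_file_t:s0:c212,c227'

for pair in "container1 $C1_PROC $C1_MOUNT" "container2 $C2_PROC $C2_MOUNT"; do
    set -- $pair
    name=$1
    if [ $# -eq 3 ]; then proc=$2; mount=$3; else proc=''; mount=$2; fi
    if mcs_levels_match "$proc" "$mount"; then
        echo "$name: process categories [$(mcs_categories "$proc")] match mount label"
    else
        echo "$name: process label '$proc' does not match mount level $(selinux_level "$mount")"
    fi
done
# To pin the level yourself (Solution 1):  docker run --security-opt label=level:s0:c100,c200 ...
# To relabel a volume to the container's level (Solution 2):  docker run -v /foo:/foo:Z ...
```

Two containers with different category pairs (c204,c558 versus c212,c227) cannot read each other's files even though both run with the same type, which is why Docker assigns a fresh pair per container rather than a fixed level.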
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | glicht |
| Solution 2 | Colin Moreno Burgess |