privileged containers running under Docker cannot write to their rootfs #1011
Comments
When a container is We can add a patch removing the injection of |
By default, Docker injects the equivalent of --security-opt label:disable for containers launched with the --privileged option with the intent of providing as much privilege as possible. This option disables both process and mount labeling for the container. Unfortunately, disabling labeling does not provide additional privileges when Bottlerocket's SELinux policy is enforced but instead reduces privileges. This change removes the injection of the label:disable option so privileged containers receive the same default labels as non-privileged containers. To launch a container with all SELinux labeling disabled, the explicit --security-opt label:disable can still be used. To launch a container with a label that provides additional privileges, --security-opt label:type:super_t can be used. Fixes: bottlerocket-os#1011
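The issue reports that the write fails with an AVC denial in the audit log, which is the signal a defender would look for when a privileged container turns out to be less privileged than expected. The following is an added example (not code from the issue, from Bottlerocket, or from Docker) that parses standard Linux audit AVC records and picks out denied write-type operations on files and directories attributed to a container process type. The audit lines and the SELinux labels in them are constructed for the example, and treating `container_t` as the container process type to watch is an assumption supplied by the caller, not something the issue states.

```python
"""Spot SELinux AVC denials for write-type operations coming from containers.

Added example for this issue; it is not Bottlerocket or Docker code.
Assumptions: audit lines use the standard Linux audit AVC format, and the
container process type to watch (``container_t`` below) is chosen by the
caller. All log lines in SAMPLE_AUDIT_LOG are constructed for the example.
"""
import re
from typing import FrozenSet, Iterable, List, NamedTuple, Optional, Set

# One AVC record: the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')

# Permissions that modify a file or directory (a subset of the SELinux file/dir classes).
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "unlink", "rename", "setattr"}
FS_CLASSES = {"file", "dir", "lnk_file"}


class AvcDenial(NamedTuple):
    perms: FrozenSet[str]
    scontext: str
    tcontext: str
    tclass: str
    comm: Optional[str]


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; return None for non-AVC records (SYSCALL, CWD, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    c = COMM_RE.search(line)
    return AvcDenial(
        perms=frozenset(m.group("perms").split()),
        scontext=m.group("scontext"),
        tcontext=m.group("tcontext"),
        tclass=m.group("tclass"),
        comm=c.group("comm") if c else None,
    )


def rootfs_write_denials(lines: Iterable[str], container_types: Set[str]) -> List[AvcDenial]:
    """Keep denials where a container process type was refused a write-type
    permission on a file-system object. Read denials and denials from other
    process types are ignored."""
    hits = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        if selinux_type(d.scontext) not in container_types:
            continue
        if d.tclass not in FS_CLASSES:
            continue
        if not (d.perms & WRITE_PERMS):
            continue
        hits.append(d)
    return hits


# Constructed audit records: one matching write denial, one read denial,
# one write denial from a non-container type, and one non-AVC record.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1600000000.100:201): avc:  denied  { write } for  pid=4242 '
    'comm="touch" name="/" dev="overlay" ino=2 '
    'scontext=system_u:system_r:container_t:s0:c12,c34 '
    'tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=dir permissive=0',
    'type=AVC msg=audit(1600000000.101:202): avc:  denied  { read } for  pid=4243 '
    'comm="cat" name="shadow" dev="overlay" ino=77 '
    'scontext=system_u:system_r:container_t:s0:c12,c34 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1600000000.102:203): avc:  denied  { write } for  pid=99 '
    'comm="sh" name="/" dev="overlay" ino=2 '
    'scontext=system_u:system_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1600000000.100:201): arch=c000003e syscall=257 success=no exit=-13',
]

if __name__ == "__main__":
    for d in rootfs_write_denials(SAMPLE_AUDIT_LOG, {"container_t"}):
        print(f"{d.comm}: {sorted(d.perms)} on {d.tclass} {d.tcontext} from {d.scontext}")
```

Run against a real `/var/log/audit/audit.log` (or `ausearch -m AVC` output) the filter narrows a noisy log to the denials that explain a container failing to write its own rootfs; the type set passed in should be whatever process label the host's policy actually assigns to container processes.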
Image I'm using:
aws-dev
What I expected to happen:
Running a privileged container under docker should add the "context=" option so that the rootfs is writable.
What actually happened:
The context option is not added and an AVC denial is logged when attempting to write to the rootfs.
How to reproduce the problem: