How to Enable and Configure SELinux in a CentOS Docker Container


When an application inside a Docker container depends on SELinux, it helps to be precise about what SELinux is: a Linux Security Module inside the kernel. A container has no kernel of its own; it shares the host's. SELinux therefore cannot be switched on per container, and a container is confined exactly when the host kernel is enforcing a policy that assigns the container a label. The default CentOS images also ship without the SELinux userspace, so the tools are missing as well.

Installing the userspace inside a container shows both halves of the problem: the tools are absent until installed, and even afterwards sestatus reports disabled:


# Inside a CentOS container:
$ docker run -it centos:latest /bin/bash
[root@container-id /]# yum install -y policycoreutils selinux-policy-targeted
[root@container-id /]# sestatus
SELinux status:                 disabled

That "disabled" is the container's view, not necessarily the kernel's. libselinux decides whether SELinux is enabled by looking for a selinuxfs mount, and Docker does not expose /sys/fs/selinux inside containers by default, so sestatus says disabled even on a host that is enforcing. The usual fix of setting SELINUX=enforcing in /etc/selinux/config and rebooting does not apply either: that file is read by the host's init at boot, and a container has neither its own kernel nor a boot.

What can be done inside the image is to install the SELinux userspace, so that sestatus, semodule and the policy build tools are available to the application. The /etc/selinux/config edit and the /.autorelabel marker that often appear in such recipes are left out: both are instructions for a booting system (the config file is read by init, the marker by the boot-time relabel) and do nothing in a container.

FROM centos:7

RUN yum install -y policycoreutils selinux-policy-targeted

# Create custom entrypoint script
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

The entrypoint.sh should verify the confinement rather than try to create it. The original version called load_policy -i and setenforce 1. Both fail in an ordinary container, which has no selinuxfs mount and no permission to write to one, and if they did succeed (a privileged container with /sys/fs/selinux bind-mounted in), they would replace the host kernel's loaded policy and change the host's enforcing mode, which is exactly what must never happen from inside a container. The script below reads the container's own label instead and then hands over to the application:

#!/bin/bash

# Show the SELinux label the host assigned to this container.
# /proc/self/attr/current works without any selinuxfs mount; an empty
# result means the host kernel is not labelling us at all.
label=$(cat /proc/self/attr/current 2>/dev/null || true)
echo "container SELinux context: ${label:-none}"

# Execute main command
exec "$@"

When running your container on a host with SELinux enforcing, Docker labels it automatically; making the label explicit documents the intent:

docker run --security-opt label=type:container_t -it your-image

container_t is the type Docker assigns by default with current container-selinux policies (older releases named it svirt_lxc_net_t), so on such hosts the option changes nothing. It does not keep Docker's SELinux policy from "interfering": that policy is the confinement. Two related options matter more in practice. --security-opt label=disable runs the container unconfined, and --privileged has the same effect, so neither belongs in a command whose purpose is SELinux enforcement. Host directories mounted with -v need the :z (shared between containers) or :Z (private to this container) suffix so they are relabelled container_file_t; without it the container is denied access to them.

After starting your container, verify the confinement. Inside the container, sestatus only produces the output below if selinuxfs has been made visible there (a bind mount of /sys/fs/selinux, which is unusual and should be read-only); what it then reports is the host kernel's state, because there is no other kernel:

[root@container-id /]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing

Without that mount, read the process label from /proc/self/attr/current, which every container can do; it should show the container_t type with two MCS categories. From the host, ps -eZ shows the same label on the container's processes.
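As an added example (not part of the original page), the script below runs the image confined by the host's policy and verifies the confinement from both sides. It assumes Docker with SELinux support on the host, an image named centos-selinux built from the Dockerfile above, and a host directory /srv/appdata to share with the container; all three are assumptions, and the helper names selinux_mode and confined_run_opts are mine. The docker invocation only runs when SELINUX_DEMO=1 is set, so the helpers can be exercised on a machine without Docker.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes Docker with SELinux
# support on the host, an image "centos-selinux" and a host directory /srv/appdata.
set -eu

# Report the kernel's SELinux mode by reading selinuxfs directly.
# $1 = selinuxfs mount point (default /sys/fs/selinux). No readable "enforce"
# node means SELinux is disabled, or simply not visible, which is what a
# container sees by default and why sestatus says "disabled" inside one.
selinux_mode() {
    fs="${1:-/sys/fs/selinux}"
    if [ ! -r "$fs/enforce" ]; then
        echo disabled
    elif [ "$(cat "$fs/enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Docker options for a confined container sharing one host directory.
# $1 = host directory, $2 = mount point inside the container.
# label=type:container_t is the default confined type, made explicit;
# ":Z" relabels the directory with this container's private MCS categories.
# Deliberately no --privileged and no label=disable: either would unconfine it.
confined_run_opts() {
    printf '%s' "--security-opt label=type:container_t -v $1:$2:Z"
}

# What to run inside the container to see the confinement from the inside:
# the process label the host assigned and the label of the shared directory.
# Neither needs selinuxfs to be mounted in the container.
verify_cmds='echo "process: $(cat /proc/self/attr/current)"; ls -dZ /data'

if [ "${SELINUX_DEMO:-0}" = 1 ]; then
    mode=$(selinux_mode)
    if [ "$mode" != enforcing ]; then
        echo "host SELinux is $mode; the container would not be confined" >&2
        exit 1
    fi
    # Word-splitting of the option string is intended here.
    # shellcheck disable=SC2046
    docker run --rm $(confined_run_opts /srv/appdata /data) centos-selinux \
        /bin/sh -c "$verify_cmds"
    # Look for a process label of the form system_u:system_r:container_t:s0:cA,cB
    # and /data labelled container_file_t with the same two categories.
fi
```

Run it on the host as SELINUX_DEMO=1 sh confine.sh. A process label of spc_t means the container was started privileged and is not confined; a /data label other than container_file_t means the :Z suffix was lost and the application will be denied access to the volume.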

For applications that need their own policy module, the module must end up in the host's policy, because that is the only policy the kernel loads. The image is a convenient place to build it (selinux-policy-devel supplies the Makefile and interface headers), but semodule -i inside the container only updates the container's own policy store, which nothing ever loads. Build in the image from a your_policy.te source, then copy the .pp out and install it on the host:

# In the Dockerfile: compile your_policy.te into your_policy.pp
COPY your_policy.te /policy/
WORKDIR /policy
RUN yum install -y selinux-policy-devel \
    && make -f /usr/share/selinux/devel/Makefile your_policy.pp

Then on the host, whose policy version must be compatible with the headers the module was built against:

docker cp <container-id>:/policy/your_policy.pp . && semodule -i your_policy.pp

To restate the root cause before the second variant of the setup: CentOS images do not ship the SELinux userspace, and even once it is installed, the container cannot turn SELinux on, because the kernel that would enforce it is the host's.

When you first try to check SELinux status in a fresh CentOS container:

$ docker run -it centos:latest /bin/bash
[root@38ae5a98273d /]# sestatus
bash: sestatus: command not found

Even after installing the necessary packages:

[root@38ae5a98273d /]# yum install -y policycoreutils selinux-policy-targeted
[root@38ae5a98273d /]# sestatus
SELinux status:                 disabled

The reason is not a missing reboot. Enabling SELinux on a normal system needs a reboot because the policy is loaded early in boot by the kernel and init; a container has no boot and no kernel of its own, it shares the host's, so the only SELinux that can apply to it is the host's. The "disabled" above is what libselinux reports when it finds no selinuxfs mount, and Docker does not provide one inside containers.

Here's how to set up a CentOS image with the SELinux userspace and run it confined by the host's policy. The SELINUX=enforcing line and the /.autorelabel marker from the original recipe are dropped because a container never boots and so never reads them:

# Create a Dockerfile with the following content
FROM centos:latest

RUN yum install -y policycoreutils selinux-policy-targeted

Build the image:

docker build -t centos-selinux .

Run the container confined by the host policy. The original command combined --privileged with --security-opt label=type:svirt_lxc_net_t; --privileged makes Docker drop the SELinux label entirely (the container runs unconfined as spc_t), which cancels the label option, and svirt_lxc_net_t is the old name for what current container-selinux calls container_t:

docker run --security-opt label=type:container_t -it centos-selinux /bin/bash

Once inside the container, sestatus reports the host kernel's state, and only when selinuxfs is visible in the container, which it is not by default. Where it is, the output looks like this; note that "Current mode" and "Mode from config file" describe the host:

[root@container /]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

There is no per-container SELinux to choose over the host's: the host's policy is the one that applies, and the command below, with the default type made explicit, is the normal way to run a confined container:

docker run --security-opt label=type:container_t -it centos:latest /bin/bash

Points to keep in mind:
  • --privileged (and --security-opt label=disable) removes SELinux confinement from the container; use neither when the goal is enforcement
  • The host's container policy may need a custom module for your application, installed on the host with semodule
  • Host directories mounted with -v need the :z or :Z suffix so their files are labelled container_file_t; otherwise the container is denied access to them
  • Test thoroughly, because SELinux blocks whatever the container policy does not allow, and the denials surface only on the host

If you encounter permission issues, check the audit log on the host; containers have no auditd and cannot see the host's audit records:

ausearch -m avc -ts recent
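Denials for a confined container are the most common thing to triage. As an added example (not part of the original page), the shell functions below summarise AVC records in the form ausearch prints them, grouped by source type, target type, object class and permission, and attach the volume-labelling hint a practitioner reaches for first. The audit lines are constructed for the example, and the function names avc_summary and volume_hint are mine.

```shell
#!/bin/sh
# Added example, not code from the original page. The audit records below are
# constructed; real ones come from `ausearch -m avc -ts recent` on the host.
set -eu

# Constructed sample: a container (categories c12,c34) denied on a volume whose
# files were never relabelled (default_t), denied on a file that belongs to a
# different container (container_file_t with other categories), plus one
# unrelated denial for a host daemon.
SAMPLE_AVCS='type=AVC msg=audit(1700000000.100:201): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.101:202): avc:  denied  { read } for  pid=4242 comm="httpd" name="style.css" dev="dm-0" ino=1235 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:203): avc:  denied  { open } for  pid=4242 comm="httpd" path="/data/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:204): avc:  denied  { read } for  pid=4243 comm="httpd" name="secret.db" dev="dm-0" ino=5678 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_file_t:s0:c56,c78 tclass=file permissive=0
type=AVC msg=audit(1700000000.300:205): avc:  denied  { write } for  pid=900 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Read AVC records on stdin and print "count source_type target_type class perm"
# for denials whose source type matches the regex in $1 (e.g. container_t).
# The target keeps its MCS categories when it has any, because a category
# mismatch is a distinct problem from a wrong type.
avc_summary() {
    awk -v want="$1" '
    /avc: +denied/ {
        a = index($0, "{ "); b = index($0, " }")
        if (a == 0 || b <= a) next
        perms = substr($0, a + 2, b - a - 2)
        if (!match($0, /scontext=[^ ]+/)) next
        split(substr($0, RSTART + 9, RLENGTH - 9), sp, ":")
        if (!match($0, /tcontext=[^ ]+/)) next
        nt = split(substr($0, RSTART + 9, RLENGTH - 9), tp, ":")
        if (!match($0, /tclass=[^ ]+/)) next
        cls = substr($0, RSTART + 7, RLENGTH - 7)
        if (sp[3] !~ want) next
        tgt = tp[3]; if (nt > 4) tgt = tgt ":" tp[5]
        n = split(perms, pl, " ")
        for (i = 1; i <= n; i++) count[sp[3] " " tgt " " cls " " pl[i]]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k2
}

# Annotate summary lines (stdin) with the fix for the two classic volume
# mistakes: default_t means the host path was never relabelled; a
# container_file_t with foreign categories belongs to another container.
volume_hint() {
    awk '{
        hint = ""
        if ($3 == "default_t") hint = "host path never relabelled: mount with :z/:Z"
        else if ($3 ~ /^container_file_t:/) hint = "owned by another container: share with :z or a common --security-opt label=level"
        print $0 (hint == "" ? "" : "  # " hint)
    }'
}

# Demo on the constructed records.
printf '%s\n' "$SAMPLE_AVCS" | avc_summary container_t | volume_hint
```

On a real host, feed it with ausearch -m avc -ts recent | avc_summary container_t | volume_hint. The summary is also the right input for deciding whether a denial is a labelling mistake (fix the mount) or a genuine policy gap (write a module); audit2allow on the same records drafts the latter, but review what it proposes before installing it.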

To temporarily put SELinux in permissive mode for debugging, run this on the host. It switches the entire host to permissive, not just the container, so it is usually better to limit the change to the container domain (semanage permissive -a container_t, reverted with semanage permissive -d container_t) or, for a single container, to start it with --security-opt label=disable:

setenforce 0