Enable SELinux on Centos7 LXC container with Ubuntu 14.04 host
I'm trying to setup an LXC container for testing which is running CentOS 7 with SELinux enabled to meet the requirements for a test I'm trying to run.
Despite all my efforts, I'm still unable to get the output of getenforce to return anything except "Disabled".
The container was initially created using the following lxc command:
sudo lxc-create -n <name> -t download -- -d centos -r 7 -a amd64
I've set the container config file to use the fedora.common.conf to resolve issues with a slow startup and performed some other bits of bootstrapping, but nothing that I can think of that would effect SELinux.
I have tried/checked the following to try and get it enabled (and probably some more stuff I've forgotten!)
- Setting SELINUX=enforcing in /etc/selinux/config
- Removing the symlink to /bin/false that the template pointed /usr/sbin/selinuxenabled to and reinstated the original file
- Set /selinux/enforce to 1
- Installed the selinux-policy-targeted package that was previously missing
- Checked my kernel supports SELinux
- Created /.autorelabel to attempt to re-label the filesystem, which doesn't appear to have been picked up on a restart of the container (the file is still there)
- Tried to use fixfiles to relabel to fs manually, which results in an error stating that SELinux isn't enabled.
I've not yet gone so far as to enable SELinux on the host as I am pretty sure I have seen docker containers running CentOS7 which manage to run it without the host needing SELinux installed or running.
I've googled everything I can think of and had a search around here and can't find any other suggestions as to why I can't get SELinux to enable inside this LXC container, can anyone help?
I'm just about ready to give up and create a CentOS7 host for running my CentOS7 containers on, but I'm really hoping that won't be necessary.
Selinux
needs to be running in your physical host, because Selinux
runs in the kernel side and your container share the kernel with physical host.
Container is a normal process that run in other namespace
SELinux is not namespaced, so individual containers cannot have their own separate SELinux policies. SELinux will always appear to be "disabled" in a container, though it is running on the host.
For more information, see Introduction to Linux Containers.
If it is SELinux policies that you are testing, use a full virtual machine.