Cannot use the Docker cache because of SELinux

Tags: linux, docker, redhat, selinux

I tried to build a cache volume for my Docker image (my host is RedHat 7.7, the image is based on ubuntu:bionic):

Unfortunately, I cannot use the cached files:

ERROR: Could not install packages due to an EnvironmentError: [Errno 13] Permission denied: '/cache/pip/wheels/c6/8c/80/527c233e7cb169f828b7168ebeab0fc5206d09b0fa133472fb/mysqlclient-1.4.6-cp36-cp36m-linux_x86_64.whl'
Consider using the `--user` option or check the permissions.
I noticed that when I disable SELinux, everything works.

I tried to investigate it with:

ausearch -m avc -ts recent | audit2allow

#============= container_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#   mlsconstrain file { ioctl read lock execute execute_no_trans } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { create relabelto } ((h1 dom h2 -Fail-)  and (l2 eq h2)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { relabelfrom } ((h1 dom h2 -Fail-)  or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED

#   Possible cause is the source level (s0:c46,c613) and target level (s0:c241,c588) are different.
allow container_t container_file_t:file { ioctl read };
I created a custom SELinux policy, container_cache.te, and loaded it into the system:

policy_module(container_cache, 1.0)

require {
    type container_t;
    type container_file_t;
}

# Type-enforcement rule built from the audit2allow suggestion, widened to every
# file permission named in the mlsconstrain lines above. It cannot lift this
# denial: TE allow rules and mlsconstrain rules are evaluated separately, and an
# access rejected by a constraint stays rejected whatever allow rules exist.
allow container_t container_file_t:file { ioctl read lock execute execute_no_trans write setattr append unlink link rename create relabelto relabelfrom };
Unfortunately, this did not help.


Does anyone know how to fix this without disabling SELinux?

The answer to this is that every container gets a different MCS/MLS label. That label can be set with a flag, i.e.:

--security-opt label=level:s0:c100,c200
More about
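As an added example (not code from the original question or answer), the POSIX shell script below implements the "h1 dom h2" check that the mlsconstrain lines in audit2allow's output refer to, so you can compare a container's process level against the level on a cached file yourself, and it builds the docker run command that pins every run of the cache container to one fixed level as the answer suggests. The host directory pip-cache, the level s0:c100,c200, the image and pip command, and all function names are assumptions chosen for illustration; `--security-opt label=level:`, the `:z` mount option, `docker inspect --format '{{.ProcessLabel}}'` and `ls -Z` are the real interfaces.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It assumes a
# RHEL-style host with SELinux enforcing, Docker installed, a host directory
# $CACHE_DIR bind-mounted at /cache inside the container, and a fixed MCS level
# (s0:c100,c200 by default) chosen here purely for illustration.
set -eu

MCS_LEVEL=${MCS_LEVEL:-s0:c100,c200}
CACHE_DIR=${CACHE_DIR:-$PWD/pip-cache}

# Return the MLS/MCS level of a full SELinux context, e.g.
# system_u:system_r:container_t:s0:c46,c613 -> s0:c46,c613
level_of() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Print one MCS category per line for a level such as s0:c241,c588 or
# s0:c0.c1023 (a dotted pair is a range). A bare "s0" yields nothing.
categories_of() {
    lvl=$1
    cats=${lvl#*:}
    if [ "$cats" = "$lvl" ]; then
        return 0
    fi
    printf '%s\n' "$cats" | tr ',' '\n' | while IFS= read -r c; do
        case $c in
            *.*)
                lo=${c%.*}; hi=${c#*.}
                lo=${lo#c}; hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    printf 'c%s\n' "$i"
                    i=$((i + 1))
                done ;;
            *)
                printf '%s\n' "$c" ;;
        esac
    done | sort -u
}

# The "h1 dom h2" test from the mlsconstrain lines in the question: a process
# at level $1 may touch a file at level $2 only if it holds every category the
# file carries. On a stock container host every level is s0, so the
# sensitivity part is not compared here.
mcs_dominates() {
    pcats=$(categories_of "$1")
    for c in $(categories_of "$2"); do
        printf '%s\n' "$pcats" | grep -qx "$c" || return 1
    done
    return 0
}

# Build the docker run command that pins the container to MCS_LEVEL and mounts
# the cache with :z (shared label: container_file_t at level s0). Files the
# container creates under /cache carry MCS_LEVEL, so any later container
# started with the same level can read and overwrite them.
cache_run_cmd() {
    image=$1; shift
    printf 'docker run --rm --security-opt label=level:%s -v %s:/cache:z %s %s' \
        "$MCS_LEVEL" "$CACHE_DIR" "$image" "$*"
}

# Diagnose a denial without audit2allow: compare the level of a running
# container's process (docker inspect's ProcessLabel) with a cached file.
# Needs docker on the host; $1 is a container name or id, $2 a host path.
check_cache_access() {
    proc_ctx=$(docker inspect --format '{{.ProcessLabel}}' "$1")
    file_ctx=$(ls -Zd "$2" | awk '{print $1}')
    if mcs_dominates "$(level_of "$proc_ctx")" "$(level_of "$file_ctx")"; then
        echo "ok: $1 ($proc_ctx) can access $2 ($file_ctx)"
    else
        echo "denied by MCS: $1 ($proc_ctx) vs $2 ($file_ctx)" >&2
        return 1
    fi
}

# Constructed demonstration using the two levels from the AVC in the question.
if ! mcs_dominates s0:c46,c613 s0:c241,c588; then
    echo "s0:c46,c613 does not dominate s0:c241,c588: this is the EACCES from the question"
fi
echo "Command that keeps every run of the cache container at the same level:"
cache_run_cmd ubuntu:bionic pip3 install --cache-dir /cache mysqlclient
echo
```

Without the flag each `docker run` draws a fresh random pair of categories, the wheels written by one run are labelled with that pair, and the next run fails the dominance check exactly as the AVC shows. Pinning the level makes every run use the same pair; a container started without the flag still cannot read those files, which is the intended isolation. The allow rule from the question cannot help because a constraint denial is not granted by type-enforcement rules at all.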

Hi! If you have more questions about Docker, I suggest you follow this page: