CodexBloom - Programming Q&A Platform

CentOS 7 - SELinux Blocking Docker Container from Accessing Host Network Resources

👀 Views: 29 💬 Answers: 1 📅 Created: 2025-06-08
docker centos selinux bash

I'm collaborating on a project where I'm stuck on something that should probably be simple. I'm sure I'm missing something obvious here, but I'm running Docker containers on CentOS 7, and I've encountered a scenario with SELinux that seems to block my containers from accessing certain host network resources. Specifically, I'm trying to access a local Redis instance from within a container, but I keep getting a `Connection refused` behavior. I've confirmed that the Redis server is running on the host and listening on `127.0.0.1:6379`. The Docker container is running with `--network host`, so it should theoretically have access to the host's network stack. However, when I check the SELinux logs using `audit2allow`, I see entries like:

```
audit: type=AVC msg=audit(1661234567.890:123): avc: denied { connectto } for pid=1234 comm="redis-cli" path="socket:[123456]" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:system_r:default_t:s0 tclass=unix_stream_socket
```

To troubleshoot, I've tried temporarily setting SELinux to permissive mode with `setenforce 0`, and the connection works fine. However, I want to keep SELinux enforcing for security reasons. I've also looked into modifying the SELinux policies but I'm unsure how to proceed. I've attempted to create a custom policy using `audit2allow` but it hasn't resolved the scenario. Here's what I ran:

```
audit2allow -M mypol
semodule -i mypol.pp
```

But the scenario continues. Can anyone provide insights into how I can modify SELinux policies to allow my Docker container to access the host Redis server without switching SELinux to permissive? Is there a specific boolean I should be enabling or a policy adjustment that could fix this? I'm working on a web app that needs to handle this. Thanks in advance! This is part of a larger mobile app I'm building. Any examples would be super helpful.
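The AVC line quoted in the question names a `unix_stream_socket` target labelled `default_t`, not a TCP socket, so it is worth pulling the source type, target type, class and permission out of the denial before generating any policy. The script below is an added example, not part of the question: it parses that one line, flags a `default_t` target as a labelling problem to check first, and builds the `ausearch | audit2allow -M` pipeline that feeds only `redis-cli`'s recorded denials to the module (the `SAMPLE_AVC` value is constructed from the question's own line, and the module name `mypol` is taken from the question).

```shell
#!/usr/bin/env bash
# Pull the fields that matter out of an AVC denial line and build the
# audit2allow pipeline for just that command. SAMPLE_AVC is constructed
# from the denial quoted in the question; it is not live audit data.
set -e

SAMPLE_AVC='type=AVC msg=audit(1661234567.890:123): avc: denied { connectto } for pid=1234 comm="redis-cli" path="socket:[123456]" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:system_r:default_t:s0 tclass=unix_stream_socket'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# avc_type CONTEXT -> the type (third field) of an SELinux context string
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type target_type class permission"
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# avc_is_mislabeled LINE -> true when the target carries default_t, the
# catch-all type for files matching no file context; a relabel (restorecon /
# semanage fcontext) is then the thing to check before adding an allow rule.
avc_is_mislabeled() {
    [ "$(avc_type "$(avc_field "$1" tcontext)")" = default_t ]
}

# build_module_cmd COMM MODULE -> the command that feeds only COMM's recorded
# denials to audit2allow; audit2allow -M with no input just reads stdin.
build_module_cmd() {
    printf "ausearch -m AVC -c '%s' --raw | audit2allow -M %s && semodule -i %s.pp\n" "$1" "$2" "$2"
}

# Demo on the constructed line (prints only; does not touch the running policy).
avc_summary "$SAMPLE_AVC"
avc_is_mislabeled "$SAMPLE_AVC" && echo "target is default_t: check labels with ls -Z first"
build_module_cmd redis-cli mypol
```

Run the printed pipeline as root on the host only after confirming the target's label is what you expect; an allow rule written for a `default_t` target just bakes the mislabel into policy.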