Deployment Task

When SELinux is enabled on the host (in enforcing mode), running the Aqua Scanner fails because the scanner container is denied access to the Docker socket, with an error similar to the following:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/_ping: dial unix /var/run/docker.sock: connect: permission denied


Deployment Steps

Use one of the following options to resolve the issue. The options are listed starting with the best (least privileged) one; each later option weakens the isolation of the scanner container more than the one before it:

  1. Create an SELinux policy module that allows containers to access the socket. See the following links for additional information: https://github.com/dpw/selinux-dockersock , https://unix.stackexchange.com/questions/386767/selinux-and-docker-allow-access-to-x-unix-socket-in-tmp-x11-unix (The linked documents are not published or endorsed by Aqua Security).
  2. Disable SELinux label confinement for the scanner-cli container for the duration of its run, with the Docker run option "--security-opt label=disable" (Docker also accepts the older "label:disable" spelling). Example:
docker run --rm --security-opt label=disable -v /var/run/docker.sock:/var/run/docker.sock aquasec/scanner-cli:3.0 scan --user scanner --password <Some Password> --host http://<Server IP>:8080 --local <Image Name>:latest --html --checkonly -n

  3. Run the scanner-cli container as privileged (the "--privileged" flag). This also disables SELinux labeling, but in addition grants the container all capabilities and access to host devices, so use it only as a last resort.
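The following script is an added example (it is not Aqua Security's code and not taken from the linked documents) that walks through the three options above: it confirms from the audit log that the failure really is an SELinux denial on the Docker socket, emits and installs a minimal policy module for option 1, and builds the docker run command for whichever option you pick. The SELinux type names container_t, container_var_run_t and container_runtime_t are an assumption that holds for recent container-selinux policies; older policies use svirt_lxc_net_t, docker_var_run_t and docker_t instead, so check the scontext/tcontext of your own denial (or generate the module with "ausearch -m avc | audit2allow -M dockersock") rather than copying the type names blindly. The AVC line used to exercise avc_summary is constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not Aqua's code. Assumes container-selinux type names
# (container_t / container_var_run_t / container_runtime_t) and the
# policycoreutils tools checkmodule, semodule_package and semodule.
set -e

SOCK=/var/run/docker.sock

# Option 1: a minimal SELinux policy module letting container_t processes
# write to the socket file and connect to the daemon's stream socket.
dockersock_te() {
  cat <<'EOF'
module dockersock 1.0;

require {
    type container_t;
    type container_var_run_t;
    type container_runtime_t;
    class sock_file write;
    class unix_stream_socket connectto;
}

allow container_t container_var_run_t:sock_file write;
allow container_t container_runtime_t:unix_stream_socket connectto;
EOF
}

# Compile and load the module (must run as root on the SELinux host).
install_dockersock_policy() {
  local dir
  dir=$(mktemp -d)
  dockersock_te > "$dir/dockersock.te"
  checkmodule -M -m -o "$dir/dockersock.mod" "$dir/dockersock.te"
  semodule_package -o "$dir/dockersock.pp" -m "$dir/dockersock.mod"
  semodule -i "$dir/dockersock.pp"
  rm -rf "$dir"
}

# Reduce one AVC line (from /var/log/audit/audit.log or `ausearch -m avc`)
# to "<source type> <permission> <class>", so you can confirm the denial is
# the socket one before relaxing any labels.
avc_summary() {
  local line=$1 perm stype tclass
  perm=$(printf '%s\n' "$line"  | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
  stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
  printf '%s %s %s\n' "$stype" "$perm" "$tclass"
}

# Build the docker run line for the chosen option. $1 is one of
# policy | label | privileged; the remaining arguments are passed to `scan`.
scanner_cmd() {
  local mode=$1; shift
  local opt=""
  case $mode in
    policy)     opt="" ;;                              # rely on the loaded module
    label)      opt="--security-opt label=disable" ;;  # option 2
    privileged) opt="--privileged" ;;                  # option 3, last resort
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  printf '%s\n' "docker run --rm${opt:+ $opt} -v $SOCK:$SOCK aquasec/scanner-cli:3.0 scan $*"
}

# Typical use on the host (uncomment to run):
# install_dockersock_policy
# eval "$(scanner_cmd policy --user scanner --password "$PASS" --host http://server:8080 --local myimage:latest --html)"
```

Before installing the module, run avc_summary over the denial line from your own audit log: if the source type is not container_t (or the target class is not unix_stream_socket / sock_file), the policy above will not match and you should generate one from the real denial with audit2allow instead. Note also that the module only lets containers talk to the daemon; anything that can reach the Docker socket can still start privileged containers, so treat the scanner host as root-equivalent.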