This repository was archived by the owner on Oct 11, 2023. It is now read-only.

[Deprecated] SELinux

niusmallnan edited this page Oct 7, 2019 · 1 revision

Enabling SELinux

Due to compatibility issues between OverlayFS and SELinux, you must use a custom kernel and version of Docker. In build.conf.amd64, modify these URLs to be the following.

COMPILED_KERNEL_URL=https://github.com/rancher/os-kernel/releases/download/SELinux-4.4.2-rancher/linux-4.4.2-rancher-x86.tar.gz
DOCKER_BINARY_URL=https://github.com/rancher/docker/releases/download/v1.10.3-ros1/docker-1.10.3_amd64

Add the --selinux-enabled flag to both System Docker and User Docker in os-config.tpl.yml.

system_docker:
  args: [daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -b, docker-sys,
    --fixed-cidr, 172.18.42.1/16, --restart=false, -g, /var/lib/system-docker, -G, root,
    -H, 'unix:///var/run/system-docker.sock', --userland-proxy=false, --selinux-enabled]
docker:
  args: [daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -G, docker, -H, 'unix:///var/run/docker.sock', --selinux-enabled]

Rebuild RancherOS. After the reboot, the system should be running the default policy in permissive mode.

Customizing Policy

By default, RancherOS comes with a policy that contains only the modules needed for Docker to run with --selinux-enabled. To make policy modifications, RancherOS comes with a tools shell that includes various SELinux userspace utilities and the RancherOS policy source. To enter this shell run ros selinux.

SELinux Shell Setup

The SELinux shell includes the source code for the RancherOS policy, but with an extended set of modules. Upon starting the shell for the first time, navigate to the RancherOS policy source and run make load to load these additional modules.

mount -t selinuxfs none /sys/fs/selinux
cd /usr/src/refpolicy
make load

Adding Additional Modules

Userspace SELinux tools, such as semodule, are now available for use. Suppose we have a module example.pp that we wish to enable. Run semodule -i example.pp, which rebuilds and reloads the policy with this module included.

Setting SELinux to Enforcing Mode

To temporarily switch to enforcing mode, run setenforce 1 inside of the SELinux shell. To permanently switch to enforcing mode, edit /etc/selinux/config and change SELINUX from permissive to enforcing.
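The state the steps above set up can be checked from the host in one place: the kernel's current mode from selinuxfs, the persistent mode from /etc/selinux/config, and whether each Docker daemon was actually started with --selinux-enabled. This is an added example, not RancherOS project code; it assumes the paths used on this page and that System Docker and User Docker appear in /proc/*/cmdline with the daemon argument from os-config.tpl.yml.

```shell
#!/bin/sh
# Added example (not RancherOS code): audit the SELinux state this page configures.
# Assumes /sys/fs/selinux and /etc/selinux/config as used on this page, and that
# the Docker daemons show up in /proc/*/cmdline with the "daemon" argument.

# Map the kernel's /sys/fs/selinux/enforce value (0 or 1) to a mode name.
runtime_mode() {
  case "$1" in
    0) echo permissive ;;
    1) echo enforcing ;;
    *) echo unknown ;;
  esac
}

# Read the persistent SELINUX= setting from /etc/selinux/config text on stdin,
# skipping comments and tolerating spaces around "=".
config_mode() {
  sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# Succeed when a daemon command line carries the --selinux-enabled flag.
args_have_selinux_flag() {
  case "$1" in
    *--selinux-enabled*) return 0 ;;
    *) return 1 ;;
  esac
}

audit() {
  if [ -r /sys/fs/selinux/enforce ]; then
    echo "runtime mode: $(runtime_mode "$(cat /sys/fs/selinux/enforce)")"
  else
    echo "runtime mode: selinuxfs not mounted (mount -t selinuxfs none /sys/fs/selinux)"
  fi
  [ -r /etc/selinux/config ] && echo "config mode:  $(config_mode < /etc/selinux/config)"
  # Walk the process table and report every Docker daemon found.
  for f in /proc/[0-9]*/cmdline; do
    cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
    case "$cmd" in
      *docker*daemon*)
        if args_have_selinux_flag "$cmd"; then state="selinux enabled"; else state="SELINUX NOT ENABLED"; fi
        echo "daemon: ${cmd%% *} -> $state"
        ;;
    esac
  done
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it with --audit on the RancherOS host (inside the ros selinux shell or the console) after each step to confirm the mode and daemon flags match what you configured.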
