SELinux on Flatcar Container Linux
SELinux is a fine-grained access control mechanism integrated into Flatcar Container Linux and rkt. Each container runs in its own independent SELinux context, increasing isolation between containers and providing another layer of protection should a container be compromised.
Flatcar Container Linux implements SELinux, but currently does not enforce SELinux protections by default. This allows deployers to verify container operation before enabling SELinux enforcement. This document covers the process of checking containers for SELinux policy compatibility, and switching SELinux into enforcing mode.
Check a container’s compatibility with SELinux policy
To verify whether the current SELinux policy would inhibit your containers, enable SELinux logging. In the following set of commands, we delete the rules that suppress this logging by default, and copy the policy store from Flatcar Container Linux's read-only /usr to a writable file system location.
rm /etc/audit/rules.d/80-selinux.rules
rm /etc/audit/rules.d/99-default.rules
rm /etc/selinux/mcs
cp -a /usr/lib/selinux/mcs /etc/selinux
rm /var/lib/selinux
cp -a /usr/lib/selinux/policy /var/lib/selinux
semodule -DB
systemctl restart audit-rules
Now run your container. Check the system logs for any messages containing avc: denied. Such messages indicate that an enforcing SELinux would prevent the container from performing the logged operation. Please open an issue on GitHub, including the full avc log message.
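As an added illustration of the log check above (not part of the Flatcar documentation), the following POSIX shell function filters audit output down to the avc: denied records and prints the fields a policy report needs: the denied permission, the process, the source and target contexts, and the object class. The audit lines it runs on are constructed samples with made-up contexts and PIDs; on a real host you would pipe journalctl -k or the audit log into the same function.

```shell
#!/bin/sh
# Constructed sample audit output (not captured from a real host). The field
# layout mirrors the kernel's AVC records; the contexts and PIDs are invented.
# A "granted" record and a SYSCALL record are included to show they are ignored.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1600000000.123:42): avc:  denied  { write } for  pid=1234 comm="nginx" name="data" dev="sda9" ino=99 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1600000000.124:43): avc:  granted  { read } for  pid=1234 comm="nginx" name="index.html" dev="sda9" ino=100 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:svirt_lxc_file_t:s0 tclass=file
type=SYSCALL msg=audit(1600000000.124:43): arch=c000003e syscall=257 success=yes exit=4 pid=1234 comm="nginx"
type=AVC msg=audit(1600000000.200:44): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=5432 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1'

# Read audit records on stdin and emit one line per AVC denial:
#   <permission(s)> <comm> <scontext> <tcontext> <tclass>
# Records that are not denials, or lack one of those fields, are dropped.
# permissive=1 in the record means the operation was logged but still
# allowed; with SELINUX=enforcing the same operation would be refused.
summarize_avc_denials() {
  sed -En 's/.*avc: +denied +\{ *([^}]*[^ }]) *\}.*comm="([^"]*)".*scontext=([^ ]*) tcontext=([^ ]*) tclass=([^ ]*).*/\1 \2 \3 \4 \5/p'
}

# Number of denials in the audit records on stdin (0 means the policy
# is compatible with what the container did during the test run).
count_avc_denials() {
  summarize_avc_denials | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a host, use e.g.
#   journalctl -k | summarize_avc_denials
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc_denials
```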
Enable SELinux enforcement
Once satisfied that your container workload is compatible with the SELinux policy, you can temporarily enable enforcement by running the following command as root:
$ setenforce 1
A reboot will reset SELinux to permissive mode.
Make SELinux enforcement permanent
To enable SELinux enforcement across reboots, replace the symbolic link /etc/selinux/config with the file it targets, so that the file can be written. You can use the readlink command to dereference the link, as shown in the following one-liner:
$ cp --remove-destination $(readlink -f /etc/selinux/config) /etc/selinux/config
Now, edit /etc/selinux/config to replace SELINUX=permissive with SELINUX=enforcing.
Limitations
- SELinux enforcement is currently incompatible with Btrfs volumes and volumes that are shared between multiple containers.
- Starting from Flannel-0.15 installed via kube-flannel.yml, SELinux enforcement will prevent the CNI installation on the host. (See: flatcar-linux/Flatcar#635)