-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
selinux: Docs state it works, but issue tracker does not corroborate #1161
Comments
Hello @stephen-fox and thanks for your issue. From a historical perspective, it seems that SELinux support was initially implemented only for containers running on the OS. For example, if you run a container its process will be correctly labelled:
I think that was the main purpose initially. Two things:
FWIW, with ~120 automated tests there are ~10 tests that do not run in enforcing mode. Note: Regarding the umbrella issue, it's this one: #673 |
Maybe a better description is that it doesn't properly work for k8s? |
If I am following along properly @tormath1, it sounds like executing a containerized process via certain tools (like I guess we need to define what "working" means for SELinux to be truly supported. I am concerned that the current default behavior of not enforcing and the documentation stating that SELinux is supported leads to poor assumptions being made by users. What should I say to someone who is interested in Flatcar, but has an application whose security model heavily relies on SELinux? If neither of us are SELinux experts, how would we safely assess that Flatcar fulfills the application's security model requirements? |
I think it is very important that selinux is not only working correctly, but also that the correct tools are available to both identify selinux problems and options to fix them. |
The Flatcar Linux website states that SELinux is not enforcing by default and that it can be set to enforcing if desired:
Based on discussions with @JAORMX and several open GitHub issues, it sounds like SELinux does not work properly or does not work at all. For example:
execsnoop
inenforcing
mode #509A clear answer about Flatcar's support for SELinux in its documentation would be deeply appreciated.
Impact
SELinux is an important building block for the overall security of a Linux machine. It also provides an additional meaningful layer of security for the OS by limiting the blast radius of container escapes. Users of Flatcar Linux should be provided a clear description of the operating system's support for SELinux.
Environment and steps to reproduce
N/A
Expected behavior
Either of the following:
The text was updated successfully, but these errors were encountered: