SELinux on Flatcar Container Linux
SELinux is a fine-grained access control mechanism integrated into Flatcar Container Linux and rkt. Each container runs in its own independent SELinux context, increasing isolation between containers and providing another layer of protection should a container be compromised.
Flatcar Container Linux implements SELinux, but currently does not enforce SELinux protections by default. This allows deployers to verify container operation before enabling SELinux enforcement. This document covers the process of checking containers for SELinux policy compatibility, and switching SELinux into
Check a container’s compatibility with SELinux policy
To verify whether the current SELinux policy would inhibit your containers, enable SELinux logging. In the following set of commands, we delete the rules that suppress this logging by default, and copy the policy store from Flatcar Container Linux’s read-only
/usr to a writable file system location.
cp -a /usr/lib/selinux/mcs /etc/selinux
cp -a /usr/lib/selinux/policy /var/lib/selinux
systemctl restart audit-rules
Now run your container. Check the system logs for any messages containing
avc: denied. Such messages indicate that an
enforcing SELinux would prevent the container from performing the logged operation. Please open an issue on
, including the full avc log message.
Enable SELinux enforcement
Once satisfied that your container workload is compatible with the SELinux policy, you can temporarily enable enforcement by running the following command as root:
$ setenforce 1
A reboot will reset SELinux to
Make SELinux enforcement permanent
To enable SELinux enforcement across reboots, replace the symbolic link
/etc/selinux/config with the file it targets, so that the file can be written. You can use the
readlink command to dereference the link, as shown in the following one-liner:
$ cp --remove-destination $(readlink -f /etc/selinux/config) /etc/selinux/config
/etc/selinux/config to replace
- SELinux enforcement is currently incompatible with Btrfs volumes and volumes that are shared between multiple containers.
- Starting from Flannel-0.15 installed via
kube-flannel.yml, SELinux enforcement will prevent the CNI installation on the host. (See: flatcar-linux/Flatcar#635 )