
Created SELinux (markdown)

Josh Curl 2016-02-22 15:27:34 -08:00
parent a1381879f0
commit dd02df3404

SELinux.md Normal file

@ -0,0 +1,43 @@
# Enabling SELinux
Due to compatibility issues between OverlayFS and SELinux, you must use a custom kernel and version of Docker. In `build.conf.amd64`, modify these URLs to be the following.
```
COMPILED_KERNEL_URL=https://github.com/rancher/os-kernel/releases/download/SELinux-4.4.2-rancher/linux-4.4.2-rancher-x86.tar.gz
DOCKER_BINARY_URL=https://github.com/rancher/docker/releases/download/v1.10.1-selinux/docker-1.10.1
```
Add the `--selinux-enabled` flag to both System Docker and User Docker in `os-config.yml`.
```
system_docker:
args: [daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -b, docker-sys,
--fixed-cidr, 172.18.42.1/16, --restart=false, -g, /var/lib/system-docker, -G, root,
-H, 'unix:///var/run/system-docker.sock', --userland-proxy=false, --selinux-enabled]
```
```
docker:
args: [daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -G, docker, -H, 'unix:///var/run/docker.sock', --selinux-enabled]
```
Rebuild RancherOS and then upon reboot it should be making use of the default policy in permissive mode.
# Customizing Policy
By default, RancherOS comes with a policy that contains only the modules needed for Docker to run with `--selinux-enabled`. To make policy modifications, RancherOS comes with a tools shell that includes various SELinux userspace utilities and the RancherOS policy source. To enter this shell run `ros selinux`.
## SELinux Shell Setup
The SELinux shell includes the source code for the RancherOS policy, but with an extended set of modules. Upon starting the shell for the first time, navigate to the RancherOS policy source and run `make load` to load these additional modules.
```
cd /usr/src/refpolicy
make load
```
## Adding Additional Modules
Userspace SELinux tools, such as `semodule`, are now available for use. Suppose we have a module `example.pp` that we wish to enable. To enable it you can run `semodule -i example.pp` which will rebuild and reload the policy with this module included.
# Setting SELinux to Enforcing Mode
To temporarily switch to enforcing mode, run `setenforce 1` inside of the SELinux shell. To permanently switch to enforcing mode, edit `/etc/selinux/config` and change `SELINUX` from `permissive` to `enforcing`.
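Review bot: the "Rebuild RancherOS" step gives the reader no way to confirm that the policy is actually loaded; after the `--selinux-enabled` instructions, add a verification step such as running `getenforce` (expected `Permissive`) or `sestatus` from the `ros selinux` shell before moving on to policy customization. The enforcing-mode section should also state explicitly that `setenforce 1` does not survive a reboot, so the `/etc/selinux/config` edit is the only durable change, and it should say whether a file edited inside the tools shell persists across reboots given that RancherOS runs its services in System Docker and User Docker containers; if it does not, document where the setting has to be persisted. Minor: the three fenced blocks have no language tag (`yaml` for the `os-config.yml` snippets, `sh` for the shell commands), which would improve rendering on the wiki.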