From dd02df34040418ebfb13b7df915dc2cc2775b4b6 Mon Sep 17 00:00:00 2001
From: Josh Curl
Date: Mon, 22 Feb 2016 15:27:34 -0800
Subject: [PATCH] Created SELinux (markdown)
---
 SELinux.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 SELinux.md
diff --git a/SELinux.md b/SELinux.md
new file mode 100644
index 0000000..7ac3992
--- /dev/null
+++ b/SELinux.md
@@ -0,0 +1,43 @@
+# Enabling SELinux
+
+Due to compatibility issues between OverlayFS and SELinux, you must use a custom kernel and version of Docker. In `build.conf.amd64`, modify these URLs to be the following.
+
+```
+COMPILED_KERNEL_URL=https://github.com/rancher/os-kernel/releases/download/SELinux-4.4.2-rancher/linux-4.4.2-rancher-x86.tar.gz
+DOCKER_BINARY_URL=https://github.com/rancher/docker/releases/download/v1.10.1-selinux/docker-1.10.1
+```
+
+Add the `--selinux-enabled` flag to both System Docker and User Docker in `os-config.yml`.
+
+```
+system_docker:
+ args: [daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -b, docker-sys,
+ --fixed-cidr, 172.18.42.1/16, --restart=false, -g, /var/lib/system-docker, -G, root,
+ -H, 'unix:///var/run/system-docker.sock', --userland-proxy=false, --selinux-enabled]
+```
+```
+docker:
+ args: [daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -G, docker, -H, 'unix:///var/run/docker.sock', --selinux-enabled]
+```
+
+Rebuild RancherOS and then upon reboot it should be making use of the default policy in permissive mode.
+
+# Customizing Policy
+
+By default, RancherOS comes with a policy that contains only the modules needed for Docker to run with `--selinux-enabled`. To make policy modifications, RancherOS comes with a tools shell that includes various SELinux userspace utilities and the RancherOS policy source. To enter this shell run `ros selinux`.
+
+## SELinux Shell Setup
+
+The SELinux shell includes the source code for the RancherOS policy, but with an extended set of modules. Upon starting the shell for the first time, navigate to the RancherOS policy source and run `make load` to load these additional modules.
+
+```
+cd /usr/src/refpolicy
+make load
+```
+
+## Adding Additional Modules
+
+Userspace SELinux tools, such as `semodule`, are now available for use. Suppose we have a module `example.pp` that we wish to enable. To enable it you can run `semodule -i example.pp` which will rebuild and reload the policy with this module included.
+
+# Setting SELinux to Enforcing Mode
+To temporarily switch to enforcing mode, run `setenforce 1` inside of the SELinux shell. To permanently switch to enforcing mode, edit `/etc/selinux/config` and change `SELINUX` from `permissive` to `enforcing`.
\ No newline at end of file