What is SELinux and how its SELinux used in Docker?

  • A+
所属分类:系统文档
What is SELinux and how its SELinux used in Docker?

What is SELinux and how its SELinux used in Docker?

SELinux, or Security-Enhanced Linux, is a part of the Linux security kernel that acts as a protective agent on servers. In the Linux kernel, SELinux relies on mandatory access controls (MAC) that restrict users to rules and policies set by the system administrator. SELinux acts under the least-privilege model.

There are three popular solutions for implementing access control in Linux:

  1. SELinux
  2. AppArmor
  3. GrSecurity
What is SELinux and how its SELinux used in Docker?
What is SELinux and how its SELinux used in Docker?

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. It is a security feature of the Linux kernel. It is designed to protect the server against misconfigurations and/or compromised daemons. It put limits and instructs server daemons or programs what files they can access and what actions they can take by defining a security policy.

What is SELinux and how its SELinux used in Docker?

SELinux is an implementation of a MAC security mechanism. MAC is an acronym for Mandatory Access Control (MAC). It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux allows server admin to define various permissions for all process. It defines how all processes can interact with other parts of the server such as:

  • Pipes
  • Files
  • Network ports
  • Sockets
  • Directories
  • Other process

SELinux puts restrictions on each of the above object according to a policy. For example, an apache user with full permission can only access /var/www/html directory, but can not touch other parts of the system such as /etc directory without policy modification. If an attacker managed to gain access to sendmail mail or bind dns or apache web server, would only have access to exploited server and the files normally has access as defined in the policy for the server. An attacker can not access the other parts of the system or internal LAN. In other words, damage can be now restricted to the particular server and files. The cracker will not able to get a shell on your server via common daemons such as Apache / BIND / Sendmail as SELinux offers the following security features:

  • Protect users’ data from unauthorized access.
  • Protect other daemons or programs from unauthorized access.
  • Protect network ports / sockets / files from unauthorized access.
  • Protect server against exploits.
  • Avoid privilege escalation and much more.

Please note that SELinux is not a silver bullet for protecting the server. You must follow other security practices such as

  • Implementing firewalls policy.
  • Server monitoring.
  • Patching the system on time.
  • Writing and securing cgi/php/python/perl scripts.

The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux operates in permissive mode or enforc-ing mode.

SETTING OF SELINUX
SELinux is set in three modes.

  • Enforcing – SELinux security policy is enforced. IF this is set SELinux is enabled and will try to enforce the SELinux policies strictly
  • Permissive – SELinux prints warnings instead of enforcing. This setting will just give warning when any SELinux policy setting is breached
  • Disabled – No SELinux policy is loaded. This will totally disable SELinux policies.

SELinux policies
SELinux allows for multiple policies to be installed on the system, but only one policy may be active at any given time. At present, two kinds of SELinux policy exist:

  • Targeted – The targeted policy is designed as a policy where most processes operate without restrictions, and only specific ser-vices are placed into distinct security domains that are confined by the policy.
  • 严格– 严格策略被设计为一种策略,其中所有进程都被划分
    为细粒度的安全域并受策略限制。

What is SELinux and how its SELinux used in Docker?

要将 SELinux 置于强制模式:

$ sudo setenforce 1

查询 SELinux 状态:

$ getenforce

要以简化的方式查看 SELinux 状态,您可以使用 sestatus

$ sestatus

要获取有关 SELinux 在不同服务上的不同状态的详细信息,请使用 sestatus 中的 -b 选项

$ sestatus -b

如何禁用 SElinux?

我们可以通过两种方式做到这一点
1) 永久方式:编辑 /etc/selinux/config
将 SELINUX 的状态从 enforcing 更改为 disabled
SELINUX=enforcing

SELINUX=disabled
保存文件并退出。

2) 临时方法:在命令
echo 0 > /selinux/enforce

setenforce 0下执行

启用 SELinux 怎么样?

Permanent way : edit /etc/selinux/config
change the status of SELINUX from disabled to enforcing
SELINUX=disabled
to
SELINUX=enforcing
Save the file and exit.

Temporary way : Execute below command
echo 1 > /selinux/enforce
or
setenforce 1

Now lets understand Docker with SELinux?

The interaction between SELinux policy and Docker is focused on two concerns: protection of the host, and protection of containers from one another.

SELinux labels consist of 4 parts:

User:Role:Type:level.

SELinux controls access to processes by Type and Level. Docker offers two forms of SELinux protection: type enforcement and multi-category security (MCS) separation.

Docker has the –selinux-enabled flag by default in CentOS 7.4.1708. However, in case your image or your configuration management tool is disabling it, as was the case for our puppet module verify this, you verify by running the following comman

$ docker info | grep 'Security Options'

# more /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are pro
tected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Refernece
– https://www.cyberciti.biz/faq/what-is-selinux/
– https://en.wikipedia.org/wiki/Security-Enhanced_Linux
– http://jaormx.github.io/2018/selinux-and-docker-notes/

Docker Introduction with Basic Demo in 2020
Docker Advance Tutorial by Rajesh Kumar in 2020 Part-1
Docker Advance Tutorial by Rajesh Kumar in 2020 Part-2
S-1 Docker Advance Tutorial for Beginners with Demo 2020 by Rajesh Kumar
S-3 Docker Advance Tutorial for Beginners with Demo 2020 by Rajesh Kumar
S-2 Docker Advance Tutorial for Beginners with Demo 2020 by Rajesh Kumar
S-4 Docker Advance Tutorial for Beginners with Demo 2020 by Rajesh Kumar
S-5 Docker Advance Tutorial for Beginners with Demo 2020 by Rajesh Kumar
Docker Advance Tutorial for Beginners with Demo [[2020]] — By DevOpsSchool
Step by Step Process of dockerizing Node, Spring Boot and Angular app Tutorials By DevOpsSchool
Step by Step Process of dockerizing Node, Spring Boot and Angular app Tutorials By DevOpsSchool
Step by Step Process of dockerizing Node, Spring Boot and Angular app Tutorials By DevOpsSchool
Step by Step Process of dockerizing Node, Spring Boot and Angular app Tutorials By DevOpsSchool
Docker Advance Tutorial | Part 1 out 16 | — By DevOpsSchool
Docker Advance Tutorial | Part 2 out 16 | — By DevOpsSchool
  • Author
  • Recent Posts

  • 我的微信
  • 这是我的微信扫一扫
  • weinxin
  • 我的微信公众号
  • 我的微信公众号扫一扫
  • weinxin