SELinux Overview

This guide describes how to enable SELinux in the Kubernetes environment provided by Chef 360 Platform (k0s) on CentOS and Red Hat Enterprise Linux (RHEL).

SELinux enforces mandatory access control policies that confine user programs and system services, as well as access to files and network resources. Limiting privileges to the minimum required to work reduces or eliminates the ability of these programs and daemons to cause harm if faulty or compromised.

Warning

This is an experimental setting.

Requirements

  • SELinux is enabled on the host OS of the worker nodes.
  • SELinux has the container-selinux policy installed.
  • SELinux labels are correctly set for the k0s installation files on the worker nodes.
  • SELinux is enabled in the container runtime (such as containerd) on the worker nodes.

Check whether SELinux is enabled on host OS

SELinux is enabled on CentOS and RHEL by default. Use the following command to verify that SELinux is enabled:

getenforce

It should return the following:

Enforcing

Install container-selinux

You must install container-selinux. In most Fedora-based distributions—including Fedora 37; Red Hat Enterprise Linux 7, 8, and 9; CentOS 7 and 8; and Rocky Linux 9—you can achieve this by installing the container-selinux package.

In Red Hat Enterprise Linux 7 and CentOS 7, run:

yum install -y container-selinux

On the other distributions listed above, run:

dnf install -y container-selinux

Set SELinux labels for k0s install files

Run the following commands on the host OS of the worker nodes:

DATA_DIR="/var/lib/k0s"
sudo semanage fcontext -a -t container_runtime_exec_t "${DATA_DIR}/bin/containerd.*"
sudo semanage fcontext -a -t container_runtime_exec_t "${DATA_DIR}/bin/runc"
sudo restorecon -R -v "${DATA_DIR}/bin"
sudo semanage fcontext -a -t container_var_lib_t "${DATA_DIR}/containerd(/.*)?"
sudo semanage fcontext -a -t container_ro_file_t "${DATA_DIR}/containerd/io.containerd.snapshotter.*/snapshots(/.*)?"
sudo restorecon -R -v "${DATA_DIR}/containerd"

Enable SELinux in containerd of k0s

Add the following lines to /etc/k0s/containerd.toml on the worker nodes.

[plugins."io.containerd.grpc.v1.cri"]
  enable_selinux = true

Restart the k0s service on the node to make the change take effect.
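The following preflight script checks the four requirements above on a worker node. It is an added example and not part of the k0s or Chef 360 documentation; it assumes the k0s default data directory, the binary names /var/lib/k0s/bin/runc and /var/lib/k0s/bin/containerd, and GNU stat (stat -c %C prints the SELinux context).

```shell
#!/bin/sh
# Preflight check for the SELinux setup described above (added example).
# The helpers take captured command output or a file path, so they can be
# run against samples offline; preflight() performs the live checks on a node.

DATA_DIR="${DATA_DIR:-/var/lib/k0s}"                        # same default as the labelling step
CONTAINERD_TOML="${CONTAINERD_TOML:-/etc/k0s/containerd.toml}"

# SELinux type of a context string such as "system_u:object_r:container_runtime_exec_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only if the context carries the expected type:  label_is <context> <type>
label_is() {
    [ "$(context_type "$1")" = "$2" ]
}

# Succeed only if enable_selinux = true sits inside the CRI plugin table of the
# given containerd.toml; the same key under any other table does not count.
cri_selinux_enabled() {
    awk '
        /^[[:space:]]*\[/ { in_cri = ($0 ~ /^[[:space:]]*\[plugins\."io\.containerd\.grpc\.v1\.cri"\][[:space:]]*$/); next }
        in_cri && /^[[:space:]]*enable_selinux[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Live checks for one worker node: one line per requirement, non-zero exit on any failure.
preflight() {
    rc=0
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ] && echo "ok   SELinux is enforcing" \
        || { echo "FAIL SELinux is not enforcing"; rc=1; }
    rpm -q container-selinux >/dev/null 2>&1 && echo "ok   container-selinux installed" \
        || { echo "FAIL container-selinux is not installed"; rc=1; }
    for f in "$DATA_DIR/bin/runc" "$DATA_DIR/bin/containerd"; do   # assumed binary paths
        label_is "$(stat -c %C "$f" 2>/dev/null)" container_runtime_exec_t \
            && echo "ok   $f is container_runtime_exec_t" \
            || { echo "FAIL $f is not container_runtime_exec_t (run restorecon)"; rc=1; }
    done
    cri_selinux_enabled "$CONTAINERD_TOML" && echo "ok   enable_selinux = true in CRI plugin" \
        || { echo "FAIL enable_selinux not set in CRI plugin table of $CONTAINERD_TOML"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then preflight; fi
```

Run it as `sh preflight.sh --live` on each worker node after the restart; a FAIL line for the labels usually means restorecon was not run after semanage, and a FAIL for the TOML usually means the key landed under a nested table instead of [plugins."io.containerd.grpc.v1.cri"].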
