make SELinux enforcing status configurable #47

Open
MrBatschner opened this issue Aug 4, 2021 · 1 comment
Labels:
area/os (Operation system related)
kind/enhancement (Enhancement, improvement, extension)
lifecycle/rotten (Nobody worked on this for 12 months, final aging stage)
os/garden-linux (Related to Garden Linux OS)
priority/4 (Priority; lower number equals higher priority)

Comments

@MrBatschner (Contributor)

How to categorize this issue?

/area os
/kind enhancement
/priority 4
/os garden-linux

What would you like to be added:
Future releases of GardenLinux will come with SELinux tools and policies (packages selinux-basics and selinux-policy-default). Having these packages in Garden Linux will make the system capable of enforcing SELinux policies but by default, SELinux will be in permissive mode.
It should be possible to enable SELinux (i.e. set it to enforcing) individually for shoots or worker pools through this OS extension.

Why is this needed:
Some workloads might require SELinux and some workloads might fail on worker nodes that have SELinux enabled. For those, it should be possible to enable/disable SELinux for individual shoots or even for worker pools.

@MrBatschner MrBatschner added the kind/enhancement Enhancement, improvement, extension label Aug 4, 2021
@gardener-robot gardener-robot added area/os Operation system related os/garden-linux Related to Garden Linux OS priority/4 Priority (lower number equals higher priority) labels Aug 4, 2021
@marwinski

The problem is a bit bigger, unfortunately. Today you can either enable AppArmor or SELinux but not both together. This includes SELinux only running in non-enforcing mode.

This means that if we would enable SELinux in non-enforcing mode today we would have to disable AppArmor. This will most likely break configurations of users.

This is why the AppArmor / SELinux configuration should be part of the OS extension. AppArmor should probably remain the default as this would be backwards compatible.
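The two posts above both turn on what a node actually reports: whether the kernel loaded AppArmor or SELinux as its major LSM, and, if SELinux, whether it is enforcing or permissive. The script below is an added example written for this thread; it is not code from the issue, from Garden Linux or from the gardener OS extension. It reads the kernel's own status files, /sys/kernel/security/lsm (the comma-separated list of active LSMs) and /sys/fs/selinux/enforce (1 for enforcing, 0 for permissive). The file paths are passed as parameters so the function can also be run against constructed sample files for verification; the output format ("apparmor", "selinux:enforcing", and so on) is the example's own choice.

```shell
#!/bin/sh
# Added example: report the active major LSM and the SELinux mode of a node.
# Both paths are parameters so the function can be exercised on sample files;
# on a real node use /sys/kernel/security/lsm and /sys/fs/selinux/enforce.

lsm_status() {
    lsm_file="$1"      # normally /sys/kernel/security/lsm (needs securityfs mounted)
    enforce_file="$2"  # normally /sys/fs/selinux/enforce (needs selinuxfs mounted)

    active="$(cat "$lsm_file" 2>/dev/null)"   # e.g. lockdown,capability,yama,apparmor
    has_selinux=no
    has_apparmor=no
    case ",$active," in *,selinux,*)  has_selinux=yes ;; esac
    case ",$active," in *,apparmor,*) has_apparmor=yes ;; esac

    if [ "$has_selinux" = yes ] && [ "$has_apparmor" = yes ]; then
        # Not expected on current kernels: AppArmor and SELinux are exclusive major LSMs.
        echo "selinux+apparmor"
    elif [ "$has_selinux" = yes ]; then
        if [ ! -r "$enforce_file" ]; then
            # SELinux compiled in and listed, but selinuxfs not mounted (or disabled).
            echo "selinux:not-mounted"
        elif [ "$(cat "$enforce_file")" = "1" ]; then
            echo "selinux:enforcing"
        else
            echo "selinux:permissive"
        fi
    elif [ "$has_apparmor" = yes ]; then
        echo "apparmor"
    else
        echo "none"
    fi
}

# Usage on a running node (output is one of the strings above):
#   lsm_status /sys/kernel/security/lsm /sys/fs/selinux/enforce
```

Running this on a Garden Linux node before and after a proposed extension setting makes the trade-off in the comment concrete: a node reporting "apparmor" will report "selinux:permissive" or "selinux:enforcing" only after the kernel boots with SELinux as the major LSM, at which point AppArmor profiles are no longer applied, which is the user-facing breakage the comment warns about.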

@gardener-robot gardener-robot added the lifecycle/stale Nobody worked on this for 6 months (will further age) label Apr 18, 2022
@gardener-robot gardener-robot added lifecycle/rotten Nobody worked on this for 12 months (final aging stage) and removed lifecycle/stale Nobody worked on this for 6 months (will further age) labels Oct 15, 2022
LucaBernstein pushed a commit to LucaBernstein/gardener-extension-os-gardenlinux that referenced this issue Jun 5, 2024