SELinux & RancherOS & EC2

Hi,

I need to activate SELinux on RancherOS on an EC2 instance.

I have my EC2 instance running RancherOS; when I test SELinux I get "getenforcing: command not found".
I followed this tutorial: https://github.com/rancher/os/wiki/SELinux
But when I go to fetch the "build.conf.amd64" file, I can't find it.
When using https://github.com/rancher/os/wiki/Build-time-customization to customise my OS version, I didn't find build.conf.amd64 in github.com/rancher/os.

Any idea, please?

A custom kernel isn't needed anymore, so those tests can be skipped. You'll have to use Docker 1.13 though.

SELinux is nearly done, but it hasn't been tested in a while. If you run into any issues with it, please report them in the GitHub issue!

Thank you for replying,

This is my Docker and OS version:
[rancher@ip-xxxxxxxxx ~]$ sudo docker version
Client:
Version: 1.12.3
API version: 1.24
Go version: go1.6.3
Git commit: 6b644ec
Built: Wed Oct 26 23:26:11 2016
OS/Arch: linux/amd64

Server:
Version: 1.12.3
API version: 1.24
Go version: go1.6.3
Git commit: 6b644ec
Built: Wed Oct 26 23:26:11 2016
OS/Arch: linux/amd64
[rancher@ip-xxxxxxxxx ~]$ sudo ros os version
v0.7.1

What exactly do I need to do, please?
Upgrade versions? Do I need to install SELinux, or was it installed by default?
Any tutorial, video, document…?

If you run ros os upgrade, it should upgrade your system to boot with v0.8.1 (and in a few days v0.9.0), which comes with a 4.9.12 kernel with SELinux built in.

ros engine switch docker-1.13.0 will change your Docker engine to 1.13.1. In both cases, there's a ros <component> list command that will give you a list of options.

Thank you,

I updated my OS to v0.8.1 and Docker to 1.13.1
and rebooted the system.
sudo ros selinux to activate SELinux,
and sudo system-docker ps to be sure it started.

[root@ip-xxxxxxx /]# getenforce
Disabled
Now it responds.
I will test some things; if I get blocked, I'll come back to you.

Hi,

I am back. I have a concern: when I run SELinux with system-docker ros selinux, the Docker instance starts and I find myself in a special root shell session (getenforce works – disabled).
When I exit this special session, the selinux container stops.
When I start a new shell session and execute getenforce (or sudo getenforce), the result is: command not found (the selinux container is still running).


Help please.

Hi SvenDowideit,

I created a script to start SELinux automatically (a script under /opt/rancher/bin to start the selinux container at boot).
But getenforce and setenforce don't work.

I missed something!!

ros selinux isn’t necessary to turn on SELinux and isn’t useful except for very specific use cases.

There are only two things needed to turn on SELinux.

  1. Modify /etc/selinux/config to make SELINUX=enforcing.
  2. Turn on the selinux-enabled flag for User Docker (https://docs.rancher.com/os/configuration/docker/)
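As an added example (not code from this thread or from the RancherOS project), the following POSIX shell checker looks at the three places the result of those two steps shows up on a host: the mode requested in /etc/selinux/config, what the running kernel actually reports in /sys/fs/selinux/enforce (useful on a console image that has no getenforce binary), and whether the user Docker engine lists selinux under "Security Options" in docker info. All three inputs are passed as file paths, and the config file and docker info outputs used below are constructed samples, so it runs without a RancherOS host.

```shell
#!/bin/sh
# Added example, not from the thread or RancherOS. Checks the three places
# SELinux state is visible after setting SELINUX=enforcing and
# rancher.docker.selinux_enabled=true:
#   1. the selinux config file         (mode requested at boot)
#   2. /sys/fs/selinux/enforce          (what the running kernel does)
#   3. captured `docker info` output    (engine started selinux-enabled?)
# Every input is a file path so the functions can be run on constructed
# samples; on a real host pass /etc/selinux/config, /sys/fs/selinux/enforce
# and a file holding the output of `docker info`.

# Mode requested in the config: enforcing, permissive or disabled.
# Comment lines are ignored; prints "unset" when no SELINUX= line exists.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# State of the running kernel. A missing file means selinuxfs is not
# mounted, i.e. the kernel booted with SELinux disabled regardless of
# what the config file asks for (getenforce would print "Disabled").
kernel_selinux_state() {
    if [ ! -r "$1" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Returns 0 if the captured `docker info` output lists selinux under
# "Security Options". Docker 1.13 prints one indented option per line;
# older engines print them on the same line as the header. Both handled.
docker_selinux_enabled() {
    awk '
        /^Security Options:/ { insec = 1; if ($0 ~ /selinux/) found = 1; next }
        insec && /^[[:space:]]/ { if ($0 ~ /selinux/) found = 1; next }
        { insec = 0 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_selinux_stack <config> <enforce file> <docker info file>
# Prints one summary line; exit status 0 only when the config asks for
# enforcing, the kernel is enforcing AND the engine is selinux-enabled.
# Anything less and user-docker containers are not confined.
check_selinux_stack() {
    cfg=$(selinux_config_mode "$1")
    krn=$(kernel_selinux_state "$2")
    if docker_selinux_enabled "$3"; then eng=enabled; else eng=disabled; fi
    printf 'config=%s kernel=%s docker=%s\n' "$cfg" "$krn" "$eng"
    [ "$cfg" = enforcing ] && [ "$krn" = enforcing ] && [ "$eng" = enabled ]
}

# ---- constructed sample inputs (not captured from a real host) ----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'SELINUX=enforcing\nSELINUXTYPE=ros\n' > "$tmp/config"
printf '# SELINUX=enforcing\nSELINUX=permissive\n' > "$tmp/config-commented"
printf 'SELINUXTYPE=ros\n' > "$tmp/config-unset"
printf '1\n' > "$tmp/enforce-on"
# "$tmp/enforce-missing" is deliberately never created: selinuxfs absent.
printf 'Containers: 1\nSecurity Options:\n seccomp\n  Profile: default\nKernel Version: 4.9.12\n' \
    > "$tmp/info-without-selinux"
printf 'Containers: 1\nSecurity Options:\n seccomp\n selinux\nKernel Version: 4.9.12\n' \
    > "$tmp/info-with-selinux"

# The situation in the thread: config says enforcing, kernel has no selinuxfs.
if check_selinux_stack "$tmp/config" "$tmp/enforce-missing" "$tmp/info-without-selinux"; then
    echo "user-docker containers are confined"
else
    echo "SELinux is NOT confining user-docker containers"
fi
# The target state.
if check_selinux_stack "$tmp/config" "$tmp/enforce-on" "$tmp/info-with-selinux"; then
    echo "user-docker containers are confined"
else
    echo "SELinux is NOT confining user-docker containers"
fi
```

On a real host, save docker info to a file first (`sudo docker info > /tmp/info`) and call `check_selinux_stack /etc/selinux/config /sys/fs/selinux/enforce /tmp/info`; a summary of `config=enforcing kernel=disabled` is the kernel ignoring the config, which is a boot-time problem rather than a Docker flag problem.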

Hi,
I did all of this, but no luck:
[rancher@rancher ~]$ cat /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=ros

and
sudo ros config set rancher.docker.selinux_enabled true

reboot

When I test
[rancher@rancher ~]$ sudo system-docker ps
CONTAINER ID   IMAGE                       COMMAND                  CREATED       STATUS       PORTS   NAMES
5bf99b61d068   rancher/os-console:v0.8.1   "/usr/bin/ros entrypo"   4 hours ago   Up 4 hours           console
3d693d5ed798   rancher/os-docker:1.12.6    "ros user-docker"        8 hours ago   Up 4 hours           docker
4f50f0c0fae2   rancher/os-base:v0.8.1      "/usr/bin/ros entrypo"   8 hours ago   Up 4 hours           ntp
5a6e85bfeeec   rancher/os-base:v0.8.1      "/usr/bin/ros entrypo"   8 hours ago   Up 4 hours           network
cd2755f0d9a4   rancher/os-base:v0.8.1      "/usr/bin/ros entrypo"   8 hours ago   Up 4 hours           udev
70c1f051c981   rancher/os-acpid:v0.8.1     "/usr/bin/ros entrypo"   8 hours ago   Up 4 hours           acpid
5ac254b678bb   rancher/os-base:v0.8.1      "/usr/bin/ros entrypo"   8 hours ago   Up 4 hours           syslog

and the enforcing mode didn't work.

I missed something!!
Thank you for helping.

SELinux is only available for User Docker at the moment.

Thanks,

What I need is to test some security features on RancherOS.
E.g.: userA runs one or more Docker containers and userB makes some changes.
When userB mounts the same volume (used by userA's containers), userB can always change files however he wants. With SELinux I can prevent this.
But now, do you have any idea?
Thank you for helping.
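As an added example (not code from this thread or from RancherOS), the POSIX shell model below shows the MCS (multi-category) rule that Docker leans on for exactly the userA/userB volume case: a container process labelled with category set P may touch a file labelled with set F only if F is a subset of P. Docker starts each container with a random category pair, `-v /data:/data:Z` relabels the volume with that container's pair (private), and `-v /data:/data:z` labels it with plain s0, which every container dominates (shared). The labels are constructed, the type names are the Fedora/CentOS container policy ones, and it is an assumption that the ros policy type on RancherOS separates containers the same way; type enforcement (container process type to sandbox file type) is taken as already satisfied.

```shell
#!/bin/sh
# Added example, not from the thread or RancherOS. Models the MCS check
# behind Docker's volume isolation: file categories must be a subset of
# the process categories. Labels below are constructed; on a real host the
# random pair of a container is shown by
#   docker inspect -f '{{.ProcessLabel}}' <container>
# ASSUMPTIONS: Fedora/CentOS container policy type names; whether the
# "ros" policy type uses the same ones is not stated in the thread.

# Print the categories of a label one per line, expanding ranges such as
# c0.c3 into c0 c1 c2 c3. Label fields: user:role:type:sensitivity[:categories].
label_categories() {
    cats=$(printf '%s' "$1" | cut -d: -f5)
    for item in $(printf '%s' "$cats" | tr ',' ' '); do
        case "$item" in
            c*.c*)
                lo=${item%%.*}; lo=${lo#c}
                hi=${item##*.}; hi=${hi#c}
                i=$lo
                while [ "$i" -le "$hi" ]; do
                    printf 'c%s\n' "$i"
                    i=$((i + 1))
                done
                ;;
            c*) printf '%s\n' "$item" ;;
        esac
    done
}

# mcs_allows <process label> <file label>: exit 0 if every category of the
# file label is also carried by the process label. MCS policy has a single
# sensitivity (s0), so only the category sets decide the outcome.
mcs_allows() {
    proc_cats=" $(label_categories "$1" | tr '\n' ' ') "
    for c in $(label_categories "$2"); do
        case "$proc_cats" in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed labels for the scenario in the thread.
A_PROC='system_u:system_r:svirt_lxc_net_t:s0:c12,c345'            # userA's container
B_PROC='system_u:system_r:svirt_lxc_net_t:s0:c77,c901'            # userB's container
VOL_PRIVATE='system_u:object_r:svirt_sandbox_file_t:s0:c12,c345'  # mounted by userA with :Z
VOL_SHARED='system_u:object_r:svirt_sandbox_file_t:s0'            # mounted with :z

# show <description> <process label> <file label>
show() {
    if mcs_allows "$2" "$3"; then echo "$1: allowed"; else echo "$1: denied"; fi
}
show "userA on the :Z volume" "$A_PROC" "$VOL_PRIVATE"
show "userB on the :Z volume" "$B_PROC" "$VOL_PRIVATE"
show "userB on the :z volume" "$B_PROC" "$VOL_SHARED"
```

In practice this means starting userA's containers with the volume mounted `:Z` (or pinning one pair for all of them with `--security-opt label=level:s0:c12,c345`) and letting userB's containers get their own random pair; userB's writes are then refused by the kernel and show up as AVC denials in the audit log, while a `:z` mount or a container run with `--security-opt label=disable` opts out of that protection.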