5.2 Verify SELinux security options, if applicable

Information

SELinux is an effective and easy-to-use Linux application security system. It is available on quite a few Linux distributions by default such asRed Hat and Fedora.SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model.You can thus add an extra layer of safety by enabling SELinux on your Linux host, if applicable.

Solution

If SELinuxis applicable for your Linux OS, use it. You may have to follow below set of steps-
1. Set the SELinux State.
2. Set the SELinux Policy.
3. Create or import a SELinux policy template for Docker containers.
4. Start Docker in daemon mode with SELinux enabled. For example,
docker daemon --selinux-enabled
5. Start your Docker container using the security options. For example,
docker run --interactive --tty --security-opt label=level-TopSecret centos /bin/bash
Impact-
The container (process) would have set of restrictions as defined in SELinux policy. If your SELinux policy is mis-configured, then the container may not entirely work as expected.Default Value-
By default, no SELinux security options are applied on containers.

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(3)

Plugin: Unix

Control ID: e5700482ade8733768b4a3ffc76f4c964899c771a22c6a65d7c68994b71dea10