|
 |
0d5c10 |
From 9c3d35d9c3e1a884fa9e5cd0223172f1c8621b10 Mon Sep 17 00:00:00 2001
|
|
|
0d5c10 |
From: Matus Marhefka <mmarhefk@redhat.com>
|
|
|
0d5c10 |
Date: Tue, 16 Apr 2019 13:28:30 +0200
|
|
|
0d5c10 |
Subject: [PATCH] All SELinux related rules marked as not applicable to
|
|
|
0d5c10 |
containers
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* The rule docker_selinux_enabled moved from system/selinux to services/docker.
|
|
|
0d5c10 |
* SELinux is not namespaced which means that containers do not have their own
|
|
|
0d5c10 |
separate SELinux policies. SELinux will always appear to be disabled when
|
|
|
0d5c10 |
inside a container (https://danwalsh.livejournal.com/73099.html). Therefore,
|
|
|
0d5c10 |
all the rules from the system/selinux were marked with 'platform: machine'
|
|
|
0d5c10 |
which will make them not applicable when scanning container filesystems.
|
|
|
0d5c10 |
---
|
|
|
0d5c10 |
.../docker}/docker_selinux_enabled/oval/rhel7.xml | 0
|
|
|
0d5c10 |
.../selinux => services/docker}/docker_selinux_enabled/rule.yml | 0
|
|
|
0d5c10 |
linux_os/guide/system/selinux/group.yml | 2 ++
|
|
|
0d5c10 |
.../system/selinux/selinux_confinement_of_daemons/rule.yml | 2 --
|
|
|
0d5c10 |
linux_os/guide/system/selinux/selinux_policytype/rule.yml | 2 --
|
|
|
0d5c10 |
linux_os/guide/system/selinux/selinux_state/rule.yml | 2 --
|
|
|
0d5c10 |
linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml | 2 --
|
|
|
0d5c10 |
7 files changed, 2 insertions(+), 8 deletions(-)
|
|
|
0d5c10 |
rename linux_os/guide/{system/selinux => services/docker}/docker_selinux_enabled/oval/rhel7.xml (100%)
|
|
|
0d5c10 |
rename linux_os/guide/{system/selinux => services/docker}/docker_selinux_enabled/rule.yml (100%)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/selinux/docker_selinux_enabled/oval/rhel7.xml b/linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml
|
|
|
0d5c10 |
similarity index 100%
|
|
|
0d5c10 |
rename from linux_os/guide/system/selinux/docker_selinux_enabled/oval/rhel7.xml
|
|
|
0d5c10 |
rename to linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/selinux/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
|
|
|
0d5c10 |
similarity index 100%
|
|
|
0d5c10 |
rename from linux_os/guide/system/selinux/docker_selinux_enabled/rule.yml
|
|
|
0d5c10 |
rename to linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/selinux/group.yml b/linux_os/guide/system/selinux/group.yml
|
|
|
0d5c10 |
index e1863d4d03..6525cb4919 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/selinux/group.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/selinux/group.yml
|
|
|
0d5c10 |
@@ -29,3 +29,5 @@ description: |-
|
|
|
0d5c10 |
{{% elif product == "ol7" %}}
|
|
|
0d5c10 |
For more information on SELinux, see {{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-s1-syssec.html") }}}.
|
|
|
0d5c10 |
{{% endif %}}
|
|
|
0d5c10 |
+
|
|
|
0d5c10 |
+platform: machine
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
|
|
|
0d5c10 |
index 35c47fbd08..9f224c9340 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
|
|
|
0d5c10 |
@@ -42,5 +42,3 @@ warnings:
|
|
|
0d5c10 |
Automatic remediation of this control is not available. Remediation
|
|
|
0d5c10 |
can be achieved by amending SELinux policy or stopping the unconfined
|
|
|
0d5c10 |
daemons as outlined above.
|
|
|
0d5c10 |
-
|
|
|
0d5c10 |
-platform: machine
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
|
|
0d5c10 |
index 934c0dfa17..e8c82a147a 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
|
|
|
0d5c10 |
@@ -56,5 +56,3 @@ ocil_clause: 'it does not'
|
|
|
0d5c10 |
ocil: |-
|
|
|
0d5c10 |
Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears:
|
|
|
0d5c10 |
SELINUXTYPE=<sub idref="var_selinux_policy_name" />
|
|
|
0d5c10 |
-
|
|
|
0d5c10 |
-platform: machine
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
|
|
|
0d5c10 |
index df0295e043..d993398060 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/selinux/selinux_state/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
|
|
|
0d5c10 |
@@ -47,5 +47,3 @@ ocil_clause: 'SELINUX is not set to enforcing'
|
|
|
0d5c10 |
ocil: |-
|
|
|
0d5c10 |
Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears:
|
|
|
0d5c10 |
SELINUX=<sub idref="var_selinux_state" />
|
|
|
0d5c10 |
-
|
|
|
0d5c10 |
-platform: machine
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
|
|
|
0d5c10 |
index 80844cad14..fc1f87b410 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
|
|
|
0d5c10 |
@@ -54,5 +54,3 @@ ocil: |-
|
|
|
0d5c10 |
All authorized non-administrative
|
|
|
0d5c10 |
users must be mapped to the <tt>user_u</tt> role or the appropriate domain
|
|
|
0d5c10 |
(user_t).
|
|
|
0d5c10 |
-
|
|
|
0d5c10 |
-platform: machine
|