{"id":5070,"date":"2022-03-10T17:30:03","date_gmt":"2022-03-10T17:30:03","guid":{"rendered":"http:\/\/www.scmgalaxy.com\/tutorials\/?p=5070"},"modified":"2025-07-12T05:41:40","modified_gmt":"2025-07-12T05:41:40","slug":"what-is-selinux-and-how-its-selinux-used-in-docker","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/what-is-selinux-and-how-its-selinux-used-in-docker\/","title":{"rendered":"What is SELinux and how is SELinux used in Docker?"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>What is SELinux and how is SELinux used in Docker?<\/strong><\/h2>\n\n\n\n<p>SELinux, or Security-Enhanced Linux, is\u00a0<strong>a Linux kernel security module<\/strong>\u00a0that acts as a protective layer on servers. It implements mandatory access control (MAC): every process, not only every user, is confined to the rules and policies the system administrator loads, and those rules cannot be overridden by a file's owner or by a root process the way discretionary permissions can. SELinux applies the least-privilege model: a process receives only the accesses the policy grants its domain.<\/p>\n\n\n\n<p><strong>There are three popular solutions for implementing access control in Linux:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>SELinux (label based; the default on Fedora, RHEL, CentOS and their derivatives)<\/li><li>AppArmor (path based; the default on Ubuntu, Debian and SUSE)<\/li><li>grsecurity (a kernel hardening patch set that ships its own RBAC system)<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/slideplayer.com\/slide\/11865646\/66\/images\/8\/What+is+SELinux+SELinux+is+a+label+based+security+system.jpg\" alt=\"Demystifying SELinux Part II: Who's Policy Is It Anyway - ppt download\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/docs.rockylinux.org\/guides\/images\/selinux_001.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. It is designed to protect the server against misconfigurations and compromised daemons: the security policy states which files each daemon or program may access and which actions it may take, and the kernel refuses everything else.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2018\/07\/red-hat-deep-dive-sessions-selinux-20-638.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"638\" height=\"479\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2018\/07\/red-hat-deep-dive-sessions-selinux-20-638.jpg\" alt=\"\" class=\"wp-image-13969\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2018\/07\/red-hat-deep-dive-sessions-selinux-20-638.jpg 638w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2018\/07\/red-hat-deep-dive-sessions-selinux-20-638-300x225.jpg 300w\" sizes=\"auto, (max-width: 638px) 100vw, 638px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>SELinux is an implementation of a MAC security mechanism. MAC is an acronym for Mandatory Access Control. It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux lets the server administrator define permissions for every process: it defines how each process may interact with other parts of the server, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Pipes<\/li><li>Files<\/li><li>Network ports<\/li><li>Sockets<\/li><li>Directories<\/li><li>Other processes<\/li><\/ul>\n\n\n\n<p>SELinux restricts access to each of these objects according to the loaded policy, using the labels carried by every process and object. For example, the Apache daemon runs in the httpd_t domain and may read web content labelled httpd_sys_content_t (by default the files under \/var\/www\/html), but it cannot read \/etc\/shadow or write into \/etc, even though it starts as root, unless the policy is changed. If an attacker compromises Sendmail, BIND or the Apache web server, the attacker holds only that daemon's domain and can reach only the files and ports the policy grants that domain. 
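What such a refusal looks like in practice, as an added example (not code from the original post): the Python below parses AVC denial records of the kind SELinux writes to the audit log when a confined daemon such as httpd is refused, merges them into the allow rules that audit2allow would print, and triages each one. The audit lines are constructed for this example; the NEVER_ALLOW_TARGETS set and the classify_denial heuristics are this example's own assumptions, not part of any shipped policy.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit.log excerpt for this example: an httpd_t process denied on
# /etc/shadow, on content in a home directory, and (in permissive mode) on a
# database port. PIDs, inodes and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1646932203.123:4567): avc:  denied  { read } for  pid=2210 comm="httpd" name="shadow" dev="dm-0" ino=13115 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1646932210.456:4571): avc:  denied  { read open } for  pid=2210 comm="httpd" name="index.html" dev="dm-0" ino=26007 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1646932211.789:4572): avc:  denied  { getattr } for  pid=2210 comm="httpd" path="/home/alice/www/index.html" dev="dm-0" ino=26007 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1646932300.001:4580): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1646932300.001:4580): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""


@dataclass(frozen=True)
class SELinuxContext:
    """user:role:type:level; the level may itself contain ':' (e.g. s0-s0:c0.c1023)."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text):
        parts = text.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"not a user:role:type:level context: {text!r}")
        return cls(*parts)


@dataclass(frozen=True)
class AvcDenial:
    event_id: str
    perms: frozenset
    comm: str
    scontext: SELinuxContext
    tcontext: SELinuxContext
    tclass: str
    enforced: bool  # permissive=0 means the access was actually blocked


AVC_RE = re.compile(
    r"msg=audit\((?P<event>[\d.]+:\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return an AvcDenial for an 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        event_id=m.group("event"),
        perms=frozenset(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        scontext=SELinuxContext.parse(fields["scontext"]),
        tcontext=SELinuxContext.parse(fields["tcontext"]),
        tclass=fields["tclass"],
        enforced=fields.get("permissive", "0") == "0",
    )


def parse_audit_log(text):
    return [d for d in map(parse_avc_line, text.splitlines()) if d is not None]


def suggest_allow_rules(denials):
    """Merge denials per (source type, target type, class) into TE allow rules,
    the shape audit2allow prints. A starting point for review, never something
    to load blindly: see classify_denial."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.scontext.type, d.tcontext.type, d.tclass)] |= d.perms
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


# Illustrative triage table, an assumption of this example rather than policy fact.
NEVER_ALLOW_TARGETS = {"shadow_t", "sshd_key_t", "selinux_config_t"}


def classify_denial(d):
    """Rough guess at the right remediation; confirm with sesearch/semanage first."""
    if d.tcontext.type in NEVER_ALLOW_TARGETS:
        return "never-allow"       # a web server reading /etc/shadow is the attack, not a bug
    if d.tcontext.type.endswith("_home_t") or d.tcontext.type == "default_t":
        return "relabel"           # mislabelled content: semanage fcontext + restorecon
    if d.tclass in ("tcp_socket", "udp_socket") and d.tcontext.type.endswith("_port_t"):
        return "boolean-or-port"   # usually a setsebool (e.g. httpd_can_network_connect_db)
    return "review"
```

The point of the triage step is that only the last rule would ever be acceptable as a raw allow rule; the home-directory denials are fixed by relabelling the content to httpd_sys_content_t, the port denial by a policy boolean, and the /etc/shadow denial is the policy doing its job.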
Damage is therefore contained to that daemon and the files it is allowed to touch; the rest of the system and the internal LAN stay out of reach. A shell spawned through a compromised Apache, BIND or Sendmail process is not prevented from starting, but it stays in the daemon's confined domain and inherits the same restrictions, which is what makes the compromise survivable. In short, SELinux offers the following security features:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Protect users\u2019 data from unauthorized access.<\/li><li>Protect other daemons or programs from unauthorized access.<\/li><li>Protect network ports, sockets and files from unauthorized access.<\/li><li>Limit what an exploited service can do on the server.<\/li><li>Block many privilege-escalation paths: a confined domain cannot transition to another domain without a policy rule allowing it.<\/li><\/ul>\n\n\n\n<p>Please note that SELinux is not a silver bullet for protecting the server. You must still follow other security practices such as<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Implementing a firewall policy.<\/li><li>Server monitoring.<\/li><li>Patching the system on time.<\/li><li>Writing and securing CGI\/PHP\/Python\/Perl scripts.<\/li><\/ul>\n\n\n\n<p>The \/etc\/selinux\/config configuration file controls whether SELinux is enabled or disabled at boot and, if enabled, whether it starts in permissive or enforcing mode.<\/p>\n\n\n\n<p><strong>SETTING OF SELINUX<\/strong><br>SELinux runs in one of three modes.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Enforcing<\/strong> \u2013 the security policy is enforced: every access the policy does not allow is blocked and logged as an AVC denial (in \/var\/log\/audit\/audit.log when auditd is running).<\/li><li><strong>Permissive<\/strong> \u2013 the policy is loaded and every violation is logged exactly as in enforcing mode, but nothing is blocked. This is the mode for developing or debugging policy; it is not a security boundary.<\/li><li><strong>Disabled<\/strong> \u2013 no policy is loaded and the kernel does not label newly created files, so switching back on later requires a full relabel.<\/li><\/ul>\n\n\n\n<p><strong>SELinux policies<\/strong><br>SELinux allows multiple policies to be installed on a system, but only one policy can be active at any given time. 
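Before going into policy kinds, here is an added example (not from the original post) that pulls the mode rules of the previous section into code: it validates a /etc/selinux/config fragment and produces the commands needed to move a host from its current runtime mode to a wanted one, including the caveats that setenforce only toggles between enforcing and permissive, that a change to or from disabled takes effect only at the next boot, and that a host which ran with SELinux disabled must be relabelled on the way back. The sample config text is constructed; the command strings are the standard setenforce, sed, touch and reboot invocations.

```python
# Added example: encodes the SELinux mode-switching rules. The sample config
# is constructed; CONFIG_PATH and the command strings are the standard ones.
VALID_MODES = ("enforcing", "permissive", "disabled")
VALID_TYPES = ("targeted", "minimum", "mls")
CONFIG_PATH = "/etc/selinux/config"

SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
# targeted, minimum or mls
SELINUXTYPE=targeted
"""


def parse_selinux_config(text):
    """Parse KEY=value lines (comments and blanks ignored) and reject unknown
    values instead of guessing what the boot-time code would do with them."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            cfg[key] = value
    mode, ptype = cfg.get("SELINUX"), cfg.get("SELINUXTYPE")
    if mode not in VALID_MODES:
        raise ValueError(f"SELINUX must be one of {VALID_MODES}, got {mode!r}")
    if ptype not in VALID_TYPES:
        raise ValueError(f"SELINUXTYPE must be one of {VALID_TYPES}, got {ptype!r}")
    return {"SELINUX": mode, "SELINUXTYPE": ptype}


def plan_mode_change(running, wanted, config):
    """Commands to move a host from its current runtime mode (the output of
    getenforce, lower-cased) to `wanted`, and make the change survive a reboot.

    Rules encoded:
      * setenforce (or writing /sys/fs/selinux/enforce) only toggles between
        enforcing and permissive; it cannot load or unload the policy.
      * Any change to or from 'disabled' takes effect at the next boot only.
        (On RHEL 9 and recent Fedora, SELINUX=disabled in the config file is
        deprecated in favour of the selinux=0 kernel parameter.)
      * A host that ran with SELinux disabled has unlabelled files, so it must
        relabel on the way back (/.autorelabel) or every access gets denied.
    """
    for mode in (running, wanted):
        if mode not in VALID_MODES:
            raise ValueError(f"unknown mode {mode!r}")
    steps = []
    if config["SELINUX"] != wanted:
        steps.append(f"sed -i 's/^SELINUX=.*/SELINUX={wanted}/' {CONFIG_PATH}")
    if running == wanted:
        return steps                      # only the persistent setting needed fixing
    if "disabled" in (running, wanted):
        if running == "disabled":
            steps.append("touch /.autorelabel")
        steps.append("reboot")
        return steps
    steps.append("setenforce 1" if wanted == "enforcing" else "setenforce 0")
    return steps
```

Going from disabled straight to enforcing is the lock-out case: plan for permissive first, clear the logged denials, then switch.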
Two kinds of SELinux policy have traditionally existed:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Targeted<\/strong> &#8211; most processes run unconfined, and only specific services (network-facing daemons such as httpd, named and sshd) are placed into distinct security domains that the policy confines.<\/li><li><strong>Strict<\/strong> &#8211; every process is partitioned into a fine-grained security domain and confined by policy.<\/li><\/ul>\n\n\n\n<p>Current Fedora and RHEL releases no longer ship a separate strict policy: \/etc\/selinux\/config accepts targeted (the default), minimum (a cut-down targeted policy that confines only selected services) and mls (multi-level security), and removing the unconfined module from the targeted policy gives strict-like behaviour.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"893\" height=\"463\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2020\/05\/selinux.jpg\" alt=\"\" class=\"wp-image-13968\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2020\/05\/selinux.jpg 893w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2020\/05\/selinux-300x156.jpg 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2020\/05\/selinux-768x398.jpg 768w\" sizes=\"auto, (max-width: 893px) 100vw, 893px\" \/><\/figure>\n\n\n\n<p><strong>To put SELinux into enforcing mode (this only works while a policy is loaded, i.e. the system booted enforcing or permissive):<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">$ sudo setenforce 1<\/code><\/span><\/pre>\n\n\n<p><strong>To query the current mode:<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">$ getenforce<\/code><\/span><\/pre>\n\n\n<p><strong>To see the status, the loaded policy type and the configured versus current mode, use sestatus:<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">$ sestatus<\/code><\/span><\/pre>\n\n\n<p><strong>To additionally list every policy boolean and its current value, pass -b to sestatus:<\/strong><\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">$ sestatus -b<\/code><\/span><\/pre>\n\n\n<p><strong>How to disable SELinux?<\/strong><\/p>\n\n\n\n<p><strong>We can do it in two ways<\/strong><br><strong>1) Permanent way<\/strong> : edit \/etc\/selinux\/config<br>change SELINUX from enforcing to disabled<br>SELINUX=enforcing<br>to<br>SELINUX=disabled<br>Save the file, then reboot: the kernel only loads or drops the policy at boot. On RHEL 9 and recent Fedora releases, SELINUX=disabled in this file is deprecated and the supported way is the selinux=0 kernel parameter (grubby --update-kernel ALL --args selinux=0).<\/p>\n\n\n\n<p><strong>2) Temporary way<\/strong> : Execute the command below<br>echo 0 &gt; \/sys\/fs\/selinux\/enforce<br>or<br>setenforce 0<br>(older releases mounted selinuxfs at \/selinux instead of \/sys\/fs\/selinux). Note that this switches to permissive, not disabled: the policy stays loaded, denials are still logged, and the next reboot returns to whatever \/etc\/selinux\/config says.<\/p>\n\n\n\n<p><strong>How about enabling SELinux?<\/strong><\/p>\n\n\n\n<p><strong>Permanent way : <\/strong>edit \/etc\/selinux\/config<br>change SELINUX from disabled to enforcing<br>SELINUX=disabled<br>to<br>SELINUX=enforcing<br>Save the file, run touch \/.autorelabel so that every file gets a label on the next boot (files created while SELinux was disabled have none and would be denied to everything), then reboot. Going through permissive first and clearing the logged denials before switching to enforcing avoids locking yourself out of the host.<\/p>\n\n\n\n<p><strong>Temporary way : <\/strong>Execute the command below<br>echo 1 &gt; \/sys\/fs\/selinux\/enforce<br>or<br>setenforce 1<br>This only works when a policy is already loaded, i.e. the system is currently permissive; a system booted with SELinux disabled cannot be switched on without a reboot.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Now let's understand Docker with SELinux<\/strong><\/h3>\n\n\n\n<p>The interaction between SELinux policy and Docker is focused on two concerns: protection of the host from its containers, and protection of containers from one another.<\/p>\n\n\n\n<p><strong>SELinux labels consist of 4 parts:<\/strong><\/p>\n\n\n\n<p>User:Role:Type:Level.<\/p>\n\n\n\n<p>Docker's policy (shipped as container-selinux) uses two of those fields. Type enforcement works on the Type: container processes run as container_t and may only read and write files labelled container_file_t (older policies called these svirt_lxc_net_t and svirt_sandbox_file_t), which is why a bind-mounted host directory is unreadable from inside a container until it is relabelled with the :z or :Z volume option or with chcon. Multi-category security (MCS) works on the Level: every container is started with its own random pair of categories, such as s0:c123,c456, and a process may only access files whose categories it holds, so two containers cannot read each other's files even though they share the same type. A :Z mount is relabelled with the container's own categories; :z uses plain s0, which every container can read.<\/p>\n\n\n\n<p>Docker has the --selinux-enabled flag set by default in the CentOS-packaged engine on CentOS 7.4.1708 (through OPTIONS in \/etc\/sysconfig\/docker); upstream Docker Engine leaves it off unless \"selinux-enabled\": true is set in \/etc\/docker\/daemon.json or --selinux-enabled is passed to dockerd. Without it the daemon assigns no container labels, so neither protection applies. 
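To show how the two protections combine, here is an added example (not Docker's code and not from the original post) that models the access decision for a container process against a bind-mounted file: first the type-enforcement check that container_t may only touch container_file_t, then the MCS check that the process's categories must include every category on the file. The contexts are constructed but have the shape ps -eZ and ls -Z print; ALLOWED_TYPES is a deliberately tiny subset of the real container-selinux policy, assumed for this example.

```python
# Added example: how container-selinux's two checks combine. ALLOWED_TYPES is a
# deliberately tiny subset of the real policy (an assumption of this example);
# the contexts below are constructed.
ALLOWED_TYPES = {("container_t", "container_file_t")}


def split_context(ctx):
    """user:role:type:level -> tuple; the level may itself contain ':'."""
    user, role, typ, level = ctx.split(":", 3)
    return user, role, typ, level


def parse_level(level):
    """'s0', 's0:c12,c34' or 's0:c0.c1023' -> (sensitivity, set of category numbers)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        if "." in item:                       # cA.cB is an inclusive range
            lo, hi = item.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(item[1:]))
    return sens, frozenset(categories)


def container_can_access(process_ctx, file_ctx):
    """Return (allowed, reason), applying type enforcement first, then MCS."""
    _, _, ptype, plevel = split_context(process_ctx)
    _, _, ftype, flevel = split_context(file_ctx)
    if (ptype, ftype) not in ALLOWED_TYPES:
        return False, f"type enforcement: no rule lets {ptype} touch {ftype}"
    _, pcats = parse_level(plevel)
    _, fcats = parse_level(flevel)
    if not fcats <= pcats:                    # the process must hold every category on the file
        return False, f"MCS: categories {sorted(fcats - pcats)} not held by the process"
    return True, "allowed"


def volume_label(flag, container_ctx):
    """Label docker gives a bind mount for -v host:ctr:Z (private) or :z (shared)."""
    level = split_context(container_ctx)[3]
    if flag == "Z":
        return f"system_u:object_r:container_file_t:{level}"
    if flag == "z":
        return "system_u:object_r:container_file_t:s0"   # no categories: readable by every container
    raise ValueError("flag must be 'Z' or 'z'")


# Two containers with the random category pairs docker assigns at start,
# and a host directory that was bind-mounted without relabelling.
CONTAINER_A = "system_u:system_r:container_t:s0:c12,c34"
CONTAINER_B = "system_u:system_r:container_t:s0:c56,c78"
HOST_FILE = "unconfined_u:object_r:user_home_t:s0"


def demo():
    """The decisions a practitioner sees on a :Z volume, a :z volume and an
    unrelabelled host directory."""
    private = volume_label("Z", CONTAINER_A)
    shared = volume_label("z", CONTAINER_A)
    return {
        "A reads own :Z volume": container_can_access(CONTAINER_A, private)[0],
        "B reads A's :Z volume": container_can_access(CONTAINER_B, private)[0],
        "B reads :z volume": container_can_access(CONTAINER_B, shared)[0],
        "A reads unrelabelled host dir": container_can_access(CONTAINER_A, HOST_FILE)[0],
    }
```

When two containers legitimately need the same :Z volume, pin both to the same pair with docker run --security-opt label=level:s0:c100,c200 rather than falling back to :z; --security-opt label=disable (like --privileged) runs the container as spc_t and drops both checks entirely.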
If an image build step or a configuration management tool turns the flag off (the original author ran into this with a Puppet module), verify the daemon's effective security options and the host configuration:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"Bash\" data-shcb-language-slug=\"bash\"><span><code class=\"hljs language-bash\">$ docker info | grep <span class=\"hljs-string\">'Security Options'<\/span>\n\n$ cat \/etc\/selinux\/config\n\n<span class=\"hljs-comment\"># This file controls the state of SELinux on the system.<\/span>\n<span class=\"hljs-comment\"># SELINUX= can take one of these three values:<\/span>\n<span class=\"hljs-comment\"># enforcing - SELinux security policy is enforced.<\/span>\n<span class=\"hljs-comment\"># permissive - SELinux prints warnings instead of enforcing.<\/span>\n<span class=\"hljs-comment\"># disabled - No SELinux policy is loaded.<\/span>\nSELINUX=enforcing\n<span class=\"hljs-comment\"># SELINUXTYPE= can take one of these three values:<\/span>\n<span class=\"hljs-comment\"># targeted - Targeted processes are protected,<\/span>\n<span class=\"hljs-comment\"># minimum - Modification of targeted policy. Only selected processes are protected.<\/span>\n<span class=\"hljs-comment\"># mls - Multi Level Security protection.<\/span>\nSELINUXTYPE=targeted<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Bash<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">bash<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>The first command should show selinux among the security options (newer engines print the options on the indented lines after the header, so add -A 3 to grep); if it does not, the daemon was started without --selinux-enabled and no container labels are applied, regardless of what getenforce reports for the host. The second confirms the host itself boots with a policy loaded.<\/p>\n\n\n\n<p><strong>References<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.cyberciti.biz\/faq\/what-is-selinux\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cyberciti.biz\/faq\/what-is-selinux\/<\/a><\/li><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Security-Enhanced_Linux\" target=\"_blank\" rel=\"noopener\">https:\/\/en.wikipedia.org\/wiki\/Security-Enhanced_Linux<\/a><\/li><li><a href=\"http:\/\/jaormx.github.io\/2018\/selinux-and-docker-notes\/\" target=\"_blank\" rel=\"noopener\">http:\/\/jaormx.github.io\/2018\/selinux-and-docker-notes\/<\/a><\/li><li><a href=\"https:\/\/docs.rockylinux.org\/pt\/guides\/security\/learning_selinux\/\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.rockylinux.org\/pt\/guides\/security\/learning_selinux\/<\/a><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\"  id=\"_ytid_84419\"  width=\"760\" height=\"427\"  data-origwidth=\"760\" data-origheight=\"427\" src=\"https:\/\/www.youtube.com\/embed\/tXNr3gOgrn8?enablejsapi=1&#038;autoplay=0&#038;cc_load_policy=0&#038;cc_lang_pref=&#038;iv_load_policy=1&#038;loop=0&#038;rel=1&#038;fs=1&#038;playsinline=0&#038;autohide=2&#038;theme=dark&#038;color=red&#038;controls=1&#038;disablekb=0&#038;\" class=\"__youtube_prefs__  epyt-is-override  no-lazyload\" title=\"YouTube player\"  allow=\"fullscreen; accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen data-no-lazy=\"1\" data-skipgform_ajax_framebjll=\"\"><\/iframe>\n<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>What is SELinux and how is SELinux used in Docker? SELinux, or Security-Enhanced Linux, is\u00a0a Linux kernel security module\u00a0that acts as a protective layer on servers. In the Linux kernel, SELinux relies on mandatory access controls (MAC) that restrict users to rules and policies set by the system administrator. 
SELinux acts under the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":5109,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","_joinchat":[],"footnotes":""},"categories":[4862],"tags":[567,460,4958],"class_list":["post-5070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker","tag-docker","tag-linux","tag-selinux"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/5070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=5070"}],"version-history":[{"count":13,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/5070\/revisions"}],"predecessor-version":[{"id":28532,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/5070\/revisions\/28532"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media\/5109"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=5070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=5070"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=5070"}],"curies":[{"name":"wp","hre
f":"https:\/\/api.w.org\/{rel}","templated":true}]}}