
Verify SELinux security options, if applicable

Details

SELinux is an effective and easy-to-use Linux application security system. It is available on quite a few Linux distributions by default such as Red Hat and Fedora. SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. You can thus add an extra layer of safety by enabling SELinux on your Linux host, if applicable.

Solution

If SELinux is applicable for your Linux OS, use it. You may have to follow the set of steps below:

1. Set the SELinux State.
2. Set the SELinux Policy.
3. Create or import a SELinux policy template for Docker containers.
4. Start Docker in daemon mode with SELinux enabled. For example,
   docker daemon --selinux-enabled
5. Start your Docker container using the security options. For example,
   docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash

Impact: The container (process) would have a set of restrictions as defined in the SELinux policy. If your SELinux policy is misconfigured, then the container may not entirely work as expected.

Default Value: By default, no SELinux security options are applied on containers.
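
To verify the result of the steps above, the following added example (not part of the benchmark text) classifies each container by the SELinux label options recorded in its HostConfig.SecurityOpt. The function names and the sample container IDs are constructed for illustration, and the input is assumed to come from docker inspect with a format string that prints .Id and .HostConfig.SecurityOpt.

```shell
#!/bin/sh
# Added example: audit SELinux label options per container.
# Assumed live input (one line per container):
#   docker ps --quiet --all | xargs docker inspect \
#     --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' \
#     | audit_selinux_opts

# Reads lines shaped like "<id>: SecurityOpt=[opt opt ...]" on stdin.
# Prints "<STATUS> <id> <label options>" for each container and returns 1
# if any container is NOLABEL (default, no option set) or DISABLED.
audit_selinux_opts() {
    awk '
    /SecurityOpt=/ {
        id = $1; sub(/:$/, "", id)
        opts = $0
        sub(/^.*SecurityOpt=\[/, "", opts)   # drop everything up to "["
        sub(/\] *$/, "", opts)               # drop the closing "]"
        n = split(opts, o, " ")
        labels = ""; status = "NOLABEL"
        for (i = 1; i <= n; i++) {
            # "label=" is the current syntax, "label:" the older colon form.
            if (o[i] !~ /^label[=:]/) continue
            labels = labels (labels == "" ? "" : " ") o[i]
            if (o[i] ~ /^label[=:]disable$/) status = "DISABLED"
            else if (status != "DISABLED") status = "OK"
        }
        if (status != "OK") bad++
        print status, id, (labels == "" ? "-" : labels)
    }
    END { exit (bad > 0) }'
}

# Constructed sample input; the IDs and option sets are illustrative only.
sample_inspect_output() {
    cat <<'EOF'
aaa111: SecurityOpt=[label=level:TopSecret]
bbb222: SecurityOpt=[]
ccc333: SecurityOpt=[label=disable]
ddd444: SecurityOpt=[no-new-privileges label=type:svirt_apache_t]
EOF
}

sample_inspect_output | audit_selinux_opts \
    || echo "review the containers marked NOLABEL or DISABLED"
```

A container reported as DISABLED was started with label=disable, which turns SELinux label separation off for that container even when the daemon runs with --selinux-enabled.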

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.


Updated on July 16, 2022