| Summary: | Include SELinux for the next generation of mageia to better secure docker containers | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Anthony BILLETTE <billette> |
| Component: | RPM Packages | Assignee: | Kernel and Drivers maintainers <kernel> |
| Status: | NEW --- | QA Contact: | |
| Severity: | enhancement | ||
| Priority: | Low | CC: | marja11, ngompa13, thierry.vignaud, tmb |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | kernel | CVE: | |
| Status comment: | |||
Description
Anthony BILLETTE
2018-11-23 15:00:08 CET
Anthony BILLETTE
2018-11-23 15:01:35 CET
Keywords: (none) => Security

David Walser
2018-11-23 15:46:43 CET
QA Contact: security => (none)

See also Neal's reply in bug #23873, comment #2:

> The fundamental issue is caused by the kernel, so marking that as the
> correct source RPM.
>
> If you'd like to request SELinux to be enabled, please file a bug report for
> Cauldron for this.

Assigning to the kernel maintainers and CC'ing tmb and Neal.

Assignee: bugsquad => kernel

It was decided years ago not to include SELinux...

CC: (none) => thierry.vignaud

(In reply to Thierry Vignaud from comment #2)
> It was decided years ago not to include SELinux...

We can definitely revisit this decision. It's not difficult to make it optionally available. Do we have a discussion recorded somewhere from when this was initially decided?

And we could ship the minimal policy by default instead of the targeted one, which would give us the time and the ability to at least work on making the targeted policy work for our default desktop configuration.

I'm somewhat confident that our distribution would probably even work with the targeted policy derived from fedora-selinux[1]. I'm very confident that we could contribute our enhancements to fedora-selinux upstream, so we wouldn't have to maintain a patch diff against it.

In the last couple of years, the SELinux policy development was heavily revamped, and it's much easier now than it ever was to support policies coupled with applications (that is, policy modules in their own packages with applications). And developing policy modules is pretty easy these days.

As the maintainer of the SELinux packages in Mageia, I do intend on rebasing everything on the latest stable versions in Cauldron ASAP, which will give us these improvements for free.

[1]: https://github.com/fedora-selinux/