Bug 23887 - Include SELinux for the next generation of mageia to better secure docker containers
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: x86_64 Linux
Priority: Low enhancement
Target Milestone: ---
Assignee: Kernel and Drivers maintainers
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-23 15:00 CET by Anthony BILLETTE
Modified: 2018-11-24 15:00 CET

See Also:
Source RPM: kernel
CVE:
Status comment:


Attachments

Description Anthony BILLETTE 2018-11-23 15:00:08 CET
Description:
I have inquired about the security of Docker containers. It is recommended to use SELinux. The little problem I'm currently having is that Mageia doesn't include SELinux in its kernel. I don't know if it would be possible to pre-install it while allowing it to be activated or not. Could you see if that's possible?
Anthony BILLETTE 2018-11-23 15:01:35 CET

Keywords: (none) => Security
Priority: Normal => Low

David Walser 2018-11-23 15:46:43 CET

QA Contact: security => (none)
Component: Security => RPM Packages
Keywords: Security => (none)

Comment 1 Marja Van Waes 2018-11-24 11:35:23 CET
See also Neal's reply in bug #23873, comment #2:

> The fundamental issue is caused by the kernel, so marking that as the
> correct source RPM.
> 
> If you'd like to request SELinux to be enabled, please file a bug report for
> Cauldron for this.

Assigning to the kernel maintainers and CC'ing tmb and Neal.

Assignee: bugsquad => kernel
Source RPM: selinux-policy-3.13.1-7.mg6 => kernel
CC: (none) => marja11, ngompa13, tmb

Comment 2 Thierry Vignaud 2018-11-24 13:48:11 CET
It was decided years ago not to include SELinux...

CC: (none) => thierry.vignaud

Comment 3 Neal Gompa 2018-11-24 15:00:39 CET
(In reply to Thierry Vignaud from comment #2)
> It was decided years ago not to include SELinux...

We can definitely revisit this decision. It's not difficult to make it optionally available. Do we have a discussion recorded somewhere from when this was initially decided?

And we could ship the minimal policy by default instead of the targeted one, which would give us the time and the ability to at least work on making the targeted policy work for our default desktop configuration. I'm somewhat confident that our distribution would probably even work with the targeted policy derived from fedora-selinux[1]. I'm very confident that we could contribute our enhancements to fedora-selinux upstream, so we wouldn't have to maintain a patch diff against it.

In the last couple of years, the SELinux policy development was heavily revamped, and it's much easier now than it ever was to support policies coupled with applications (that is, policy modules in their own packages with applications). And developing policy modules is pretty easy these days.

As the maintainer of the SELinux packages in Mageia, I do intend to rebase everything on the latest stable versions in Cauldron ASAP, which will give us these improvements for free.

[1]: https://github.com/fedora-selinux/
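The thread's underlying point is that a container is only confined when the kernel has SELinux enabled, a policy is loaded, and the Docker daemon actually applies labels. The following is an added example, not code from this bug report or from the Mageia project, that audits the output of `docker inspect` for containers that are not actually confined. It assumes the type names from Fedora's container-selinux policy (`container_t` for a confined container process, `spc_t` for a privileged one) and the `ProcessLabel`, `MountLabel` and `HostConfig.SecurityOpt` fields that `docker inspect` emits; the inspect records below are constructed sample data, not output from a real host.

```python
"""Audit docker inspect records for missing SELinux confinement.

Added example (not from the bug or from Mageia). Type names container_t / spc_t
are assumed from Fedora's container-selinux policy; sample records are constructed.
"""
import json

# Constructed sample in the shape `docker inspect <id...>` returns (trimmed to the
# fields this audit needs). Three cases: confined, labels disabled, privileged.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/web",
        "ProcessLabel": "system_u:system_r:container_t:s0:c123,c456",
        "MountLabel": "system_u:object_r:container_file_t:s0:c123,c456",
        "HostConfig": {"SecurityOpt": None, "Privileged": False},
    },
    {
        "Id": "bbbb2222",
        "Name": "/unconfined",
        "ProcessLabel": "",
        "MountLabel": "",
        "HostConfig": {"SecurityOpt": ["label=disable"], "Privileged": False},
    },
    {
        "Id": "cccc3333",
        "Name": "/priv",
        "ProcessLabel": "system_u:system_r:spc_t:s0",
        "MountLabel": "",
        "HostConfig": {"SecurityOpt": None, "Privileged": True},
    },
])


def selinux_mode(enforce_path="/sys/fs/selinux/enforce"):
    """Return 'enforcing', 'permissive' or 'disabled' from the selinuxfs enforce node.

    If selinuxfs is not mounted (kernel built without SELinux, or it is disabled),
    the node does not exist and no container label can be enforced at all.
    """
    try:
        with open(enforce_path) as f:
            return "enforcing" if f.read().strip() == "1" else "permissive"
    except OSError:
        return "disabled"


def domain_of(label):
    """Return the type field of a context 'user:role:type:level', or '' if absent."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else ""


def audit_container(record):
    """Return a list of findings for one inspect record; empty means confined."""
    findings = []
    host = record.get("HostConfig") or {}
    opts = host.get("SecurityOpt") or []
    if "label=disable" in opts:
        findings.append("labeling disabled via --security-opt label=disable")
    if host.get("Privileged"):
        findings.append("privileged container (runs unconfined as spc_t)")
    domain = domain_of(record.get("ProcessLabel") or "")
    if domain == "":
        findings.append("no process label: daemon lacks --selinux-enabled or labels disabled")
    elif domain != "container_t":
        findings.append(f"process domain is {domain}, not container_t")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in a docker inspect JSON array."""
    return {rec["Name"]: audit_container(rec) for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    print("host SELinux mode:", selinux_mode())
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {'confined' if not findings else '; '.join(findings)}")
```

On a real host, replace `SAMPLE_INSPECT` with the output of `docker inspect $(docker ps -q)`. A container that reports `container_t` with a category pair (`c123,c456`) is separated from other containers by MCS labels; an empty `ProcessLabel` on every container usually means the daemon was not started with `--selinux-enabled`, which is exactly the gap the reporter describes when the kernel itself lacks SELinux support.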
