Disallow SELinux

Description

Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.

Restricted Fields for SELinux type

  • spec.securityContext.seLinuxOptions.type
  • spec.containers[*].securityContext.seLinuxOptions.type
  • spec.initContainers[*].securityContext.seLinuxOptions.type
  • spec.ephemeralContainers[*].securityContext.seLinuxOptions.type

Allowed Values for SELinux type

  • Undefined/""
  • container_t
  • container_init_t
  • container_kvm_t

Restricted Fields for SELinux user and role

  • spec.securityContext.seLinuxOptions.user
  • spec.containers[*].securityContext.seLinuxOptions.user
  • spec.initContainers[*].securityContext.seLinuxOptions.user
  • spec.ephemeralContainers[*].securityContext.seLinuxOptions.user
  • spec.securityContext.seLinuxOptions.role
  • spec.containers[*].securityContext.seLinuxOptions.role
  • spec.initContainers[*].securityContext.seLinuxOptions.role
  • spec.ephemeralContainers[*].securityContext.seLinuxOptions.role

Allowed Values for SELinux user and role

  • Undefined/""

Risks

Privilege escalation may result from allowing SELinux users, roles, or custom SELinux types outside the predefined set (container_t, container_init_t, container_kvm_t). A container that runs under a more liberal or hand-crafted SELinux context may receive broader access to the host than it needs.

Kyverno Policy

Refer to the Nirmata curated policies - disallow-selinux.yaml

References

Configuration Settings

The pattern below states that if the deployed resource's spec contains ephemeralContainers, initContainers, or containers entries, AND a securityContext.seLinuxOptions.type field is present (at the pod level or on any of those containers), then the only acceptable values are container_t, container_init_t, or container_kvm_t. The =() conditional anchor means a securityContext or seLinuxOptions block that is absent is simply not evaluated, so a resource that does not set it is conformant by default.

=(securityContext):
  =(seLinuxOptions):
    =(type): "container_t | container_init_t | container_kvm_t"
=(ephemeralContainers):
  - =(securityContext):
      =(seLinuxOptions):
        =(type): "container_t | container_init_t | container_kvm_t"
=(initContainers):
  - =(securityContext):
      =(seLinuxOptions):
        =(type): "container_t | container_init_t | container_kvm_t"
containers:
  - =(securityContext):
      =(seLinuxOptions):
        =(type): "container_t | container_init_t | container_kvm_t"

The pattern below states that if the deployed resource's spec contains ephemeralContainers, initContainers, or containers entries, AND a securityContext.seLinuxOptions block is present (at the pod level or on any of those containers), then the user and role fields must not be set at all: the X() negation anchor rejects the resource if either field exists, regardless of its value. If the securityContext or seLinuxOptions block is absent, the resource is conformant by default.

=(securityContext):
  =(seLinuxOptions):
    X(user): "null"
    X(role): "null"
=(ephemeralContainers):
  - =(securityContext):
      =(seLinuxOptions):
        X(user): "null"
        X(role): "null"
=(initContainers):
  - =(securityContext):
      =(seLinuxOptions):
        X(user): "null"
        X(role): "null"
containers:
  - =(securityContext):
      =(seLinuxOptions):
        X(user): "null"
        X(role): "null"
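To make the two patterns above concrete, here is an added stand-alone checker (not part of the original page and not Nirmata's or Kyverno's own code) that applies the same rules to a Pod spec. The mapping of Kyverno anchors to plain checks is stated as an assumption in the comments: =(field) means "only evaluate the children if the field is present", X(field): "null" means "the field must not be present", and "a | b | c" means "the value must equal one of the listed strings". The two sample specs are constructed for this example; the "bad" one sets a pod-level user, an init-container role, and a non-default type on an ephemeral container.

```python
"""Stand-alone check for the disallow-selinux control.

Added example, not the page's own code. Assumed anchor semantics:
  =(field)         -> evaluate children only if `field` is present
  X(field): "null" -> `field` must NOT be present
  "a | b | c"      -> value must be one of the listed strings
"""

ALLOWED_TYPES = {"container_t", "container_init_t", "container_kvm_t"}
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def check_selinux_options(opts, path):
    """Return a list of violation strings for one seLinuxOptions block.

    `opts` is the seLinuxOptions dict (or None when absent); `path` is the
    field path used in the messages.
    """
    violations = []
    if opts is None:          # =(seLinuxOptions): absent -> nothing to check
        return violations
    # =(type): "container_t | container_init_t | container_kvm_t"
    # The page lists Undefined/"" as allowed, so an empty string passes too.
    if "type" in opts and opts["type"] != "" and opts["type"] not in ALLOWED_TYPES:
        violations.append(
            f"{path}.type={opts['type']!r} is not one of {sorted(ALLOWED_TYPES)}"
        )
    # X(user): "null" / X(role): "null" -> the field must be absent entirely
    for forbidden in ("user", "role"):
        if forbidden in opts:
            violations.append(f"{path}.{forbidden} must not be set")
    # `level` is not restricted by this control; it is deliberately ignored.
    return violations


def check_pod_spec(spec):
    """Apply both rules to a pod spec (a Pod's .spec, or a Deployment's
    .spec.template.spec). Returns all violations; an empty list is conformant.
    """
    violations = []
    # Pod level: =(securityContext) -> =(seLinuxOptions)
    pod_sc = spec.get("securityContext") or {}
    violations += check_selinux_options(
        pod_sc.get("seLinuxOptions"), "spec.securityContext.seLinuxOptions"
    )
    # Container lists: =(ephemeralContainers), =(initContainers), containers
    for list_name in CONTAINER_LISTS:
        for idx, container in enumerate(spec.get(list_name) or []):
            sc = container.get("securityContext") or {}
            path = f"spec.{list_name}[{idx}].securityContext.seLinuxOptions"
            violations += check_selinux_options(sc.get("seLinuxOptions"), path)
    return violations


# Constructed sample: mirrors the page's selur-gooddeployment pod template.
GOOD_POD_SPEC = {
    "initContainers": [
        {"name": "initcontainer01", "image": "dummyimagename",
         "securityContext": {"seLinuxOptions": {"type": "container_t"}}},
        {"name": "initcontainer02", "image": "dummyimagename",
         "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}}},
    ],
    "containers": [{"name": "container01", "image": "dummyimagename"}],
}

# Constructed sample: violates both rules in three places.
BAD_POD_SPEC = {
    "securityContext": {"seLinuxOptions": {"user": "system_u"}},
    "initContainers": [
        {"name": "init", "image": "dummyimagename",
         "securityContext": {"seLinuxOptions": {"role": "system_r"}}},
    ],
    "containers": [{"name": "app", "image": "dummyimagename"}],
    "ephemeralContainers": [
        {"name": "debug", "image": "dummyimagename",
         "securityContext": {"seLinuxOptions": {"type": "spc_t"}}},
    ],
}


if __name__ == "__main__":
    for name, spec in (("good", GOOD_POD_SPEC), ("bad", BAD_POD_SPEC)):
        result = check_pod_spec(spec)
        print(f"{name}: {'conformant' if not result else result}")
```

Running the module prints "good: conformant" and three violations for the bad spec. Note that a container with no securityContext at all, or with only level set, passes both rules, exactly as the =() anchors in the patterns intend.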

Resource Example

Below is a Deployment resource example where securityContext.seLinuxOptions.type is set to one of container_init_t, container_t, or container_kvm_t on each initContainer. The container in containers sets no securityContext at all, which is also conformant because the =() anchor skips the check when the field is absent.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seLinuxOptions:
            type: container_init_t
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seLinuxOptions:
            type: container_t
      containers:
      - name: container01
        image: dummyimagename

Below is a Deployment resource example where securityContext.seLinuxOptions.type, when set, is one of container_init_t, container_t, or container_kvm_t, and securityContext.seLinuxOptions.user and securityContext.seLinuxOptions.role are not defined on any initContainer or container. The second initContainer sets only seLinuxOptions.level, which this control does not restrict.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: selur-gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seLinuxOptions:
            type: container_t
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seLinuxOptions:
            level: "s0:c123,c456"
      containers:
      - name: container01
        image: dummyimagename