Mention requirements for AL2 selinux
Signed-off-by: Derek Nola <[email protected]>
dereknola committed Oct 21, 2024
1 parent 8f44d1c commit a0cf071
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions docs/security/selinux.md
Expand Up @@ -9,7 +9,7 @@ for the non-standard location(s) which containerd is installed and places persis

Note: In some circumstances, a reboot of the node may be required after installing the rke2-selinux package and before starting the rke2 service. If you encounter denials in your selinux audit log despite installation of the rke2-selinux and container-selinux packages, please reboot the node.

#### Custom Context Labels
### Custom Context Labels

RKE2 runs control-plane services as static pods which require access to multiple
[`container_var_lib_t`](https://github.com/containers/container-selinux/blob/RHEL7.5/container.te#L59)
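Review bot: Promoting `#### Custom Context Labels` to `### Custom Context Labels` changes the document outline, so please confirm the heading this section sits under in docs/security/selinux.md is a `##`; otherwise the section becomes a sibling of its parent rather than nesting beneath it. The rest of the hunk (the reboot note and the `container_var_lib_t` paragraph) is unchanged context, so no further edits are needed here.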
Expand All @@ -21,7 +21,21 @@ introduces the [`rke2_service_db_t`](https://github.com/rancher/rke2-selinux/blo
[`rke2_service_t`](https://github.com/rancher/rke2-selinux/blob/v0.3.latest.1/rke2.te#L9-L13) context labels for
read-write and read-only access, respectively. These labels will only be applied to the RKE2 control-plane static pods.

#### Configuration
### Specific OS Requirements

<Tabs groupId="os-reqs" queryString>
<TabItem value="Amazon Linux 2">
Amazon Linux 2 requires additional selinux packages to be installed:

```bash
sudo amazon-linux-extras enable selinux-ng; sudo yum install selinux-policy-targeted -y
```

</TabItem>
</Tabs>


### Configuration

RKE2 support for SELinux amounts to a single configuration item, the `--selinux` boolean flag. This is a pass-through
to the [`enable_selinux` boolean in the cri section of the containerd/cri toml](https://github.com/containerd/cri/blob/release/1.4/docs/config.md).
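Review bot: In the Amazon Linux 2 tab, `sudo amazon-linux-extras enable selinux-ng; sudo yum install selinux-policy-targeted -y` joins the two steps with `;`, so the `yum install` still runs when enabling the `selinux-ng` extra fails and the reader gets a confusing secondary error; use `&&` or put the two commands on separate lines so the install only runs after the extra is enabled. Two smaller points: the new section leaves a double blank line before `### Configuration`, and it writes `selinux` in lowercase where the surrounding text uses `SELinux`. It would also help to state whether these packages must be installed before `rke2-selinux`, since the section otherwise leaves the ordering to the reader.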
