Showing posts with label SELinux. Show all posts
Showing posts with label SELinux. Show all posts

Sunday, April 5, 2020

Understanding SELinux How it works

SELinux on Ubuntu

Here is a simple objective of this post is to install, activate and disable the SELinux on Ubunutu.

How does SELinux works?


What is actually SELinux?

Security-Enhanced Linux (SELinux) is a security architecture for Linux® systems that allows administrators to have more control over who can access the system. Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls. SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions.

Here I'll explore the possible options on Ubuntu.

How to install SELinux on Ubuntu?

This regular package installation 
apt install policycoreutils selinux-utils selinux-basics -y

How to activate SELinux on Ubuntu?

To activate the SELinux we need to edit the config file. 
selinux-activate

To get this effected need to reboot the Linux VM/machine.

Understanding Configure SELinux


SELinux configuration file available at /etc/selinux/config
The configuration contains two directives in the config file:
I. SELINUX that dictates SELinux Mode and it can have three values as shown
SELinux modules can take one of these three values
1. enforcing - any unauthorized access attempts by users and processes are denied
2. permissive - semi-enabled state, SELinux doesn't apply its policy in Permissive mode, so no access is denied instead it gives a warning
3. disabled - No SELinux policy is loaded

II. SELINUXTYPE tells that what policy will be used.
 SELINUXTYPE= can take one of these three values:
 default - equivalent to the old strict and targeted policies
 mls     - Multi-Level Security (for military and educational use)
 src     - Custom policy built from source

How to disable SELinux on Ubuntu?

To disable this feature edit the config file and change 
SELINUX=permissive
to 
SELINUX=disable
after disabled



How do you know the current mode of SELinux?

There are two options to know about the SELinux current status which includes a current mode.





getenforce # to check the current SELinux mode
sestatus # SELinux status

Example output of 'sestatus' command








before reboot sestatus output



When it has no changes in configuration

This is the requirement for running Docker and Kubernetes.




Troubleshooting on SELinux Configuration



Here is a very minute mistake instead 'disabled' used 'disable' then the sestatus shows the 'error' :
































Posted by



at





2 comments:
  


















Labels:
,
,
,
,






















          

        

          

        

Saturday, December 21, 2019


          

        









Docker Security










Hey, dear Docker DevOps enthusiast! In this post we will discuss about docker security, docker service security, docker engine-level security, etc.





SELinux is Security-Enhanced Linux

it provides a mechanism for supporting access control security policies

SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distros.



The 'root' user by default owns the processes spawned by a container are run.



secgroup limits the disk quota.





Security Issue



Rotate your join-token for both worker and manager when there is a suspicion that someone might have got access to the token for adding managers to the cluster.



Secretes are immutable in a docker swarm cluster. They cannot be updated sof if you want to modify the secret then you have to create a new secret file and update that to the existing service.

step 1: First we need to Create new secret,

step 2: Attach the newly created secret with an update option the service to use this new secret.

step 3: The Service resart may require - docker swarm cluster would take car of that

step 4: and delete the old secret






 docker service update --help |grep secret

      --secret-add secret                  Add or update a secret on a service

      --secret-rm list                     Remove a secret






secrets and configs are encrypted during transit and at rest in a docker swarm.

Configs operate in a similar way to secrets, except that they are not encrypted at rest and are mounted directly into the container’s filesystem without the use of RAM disks. Configs can be added or removed from a service at any time, and services can share a config.









The default location of secrets inside a Docker container '/run/secrets/'. The default locaiton of a config file when using Docker config '/'.





References:













Posted by



at





1 comment:
  


















Labels:
,
,
,
,
,






















        

      









Subscribe to:
Posts (Atom)









Categories




Kubernetes
(25)


Docker
(20)


git
(15)


Jenkins
(12)


AWS
(7)


Jenkins CI
(5)


Vagrant
(5)


K8s
(4)


VirtualBox
(4)


CentOS7
(3)


docker registry
(3)


docker-ee
(3)


ucp
(3)


Jenkins Automation
(2)


Jenkins Master Slave
(2)


Jenkins Project
(2)


containers
(2)


create deployment
(2)


docker EE
(2)


docker private registry
(2)


dockers
(2)


dtr
(2)


kubeadm
(2)


kubectl
(2)


kubelet
(2)


openssl
(2)


Alert Manager CLI
(1)


AlertManager
(1)


Apache Maven
(1)


Best DevOps interview questions
(1)


CentOS
(1)


Container as a Service
(1)


DevOps Interview Questions
(1)


Docker 19 CE on Ubuntu 19.04
(1)


Docker Tutorial
(1)


Docker UCP
(1)


Docker installation on Ubunutu
(1)


Docker interview questions
(1)


Docker on PowerShell
(1)


Docker on Windows
(1)


Docker version
(1)


Docker-ee installation on CentOS
(1)


DockerHub
(1)


Features of DTR
(1)


Fedora
(1)


Freestyle Project
(1)


Git Install on CentOS
(1)


Git Install on Oracle Linux
(1)


Git Install on RHEL
(1)


Git Source based installation
(1)


Git line ending setup
(1)


Git migration
(1)


Grafana on Windows
(1)


Install DTR
(1)


Install Docker on Windows Server
(1)


Install Maven on CentOS
(1)


Issues
(1)


Jenkins CI server on AWS instance
(1)


Jenkins First Job
(1)


Jenkins Installation on CentOS7
(1)


Jenkins Master
(1)


Jenkins automatic build
(1)


Jenkins installation on Ubuntu 18.04
(1)


Jenkins integration with GitHub server
(1)


Jenkins on AWS Ubuntu
(1)


Kubernetes Cluster provisioning
(1)


Kubernetes interview questions
(1)


Kuberntes Installation
(1)


Maven
(1)


Maven installation on Unix
(1)


Operations interview Questions
(1)


Oracle Linux
(1)


Personal access tokens on GitHub
(1)


Problem in Docker
(1)


Prometheus
(1)


Prometheus CLI
(1)


RHEL
(1)


SCM
(1)


SCM Poll
(1)


SRE interview questions
(1)


Troubleshooting
(1)


Uninstall Git
(1)


Uninstall Git on CentOS7
(1)


Universal Control Plane
(1)


Vagrantfile
(1)


amtool
(1)


aws IAM Role
(1)


aws policy
(1)


caas
(1)


chef installation
(1)


create organization on UCP
(1)


create team on UCP
(1)


docker CE
(1)


docker UCP console
(1)


docker command line
(1)


docker commands
(1)


docker community edition
(1)


docker container
(1)


docker editions
(1)


docker enterprise edition
(1)


docker enterprise edition deep dive
(1)


docker for windows
(1)


docker hub
(1)


docker installation
(1)


docker node
(1)


docker releases
(1)


docker secure registry
(1)


docker service
(1)


docker swarm init
(1)


docker swarm join
(1)


docker trusted registry
(1)


elasticBeanStalk
(1)


global configurations
(1)


helm installation issue
(1)


mvn
(1)


namespaces
(1)


promtool
(1)


service creation
(1)


slack
(1)