Configure SELinux for Chef 360 Platform
This guide explains how to enable SELinux in the Kubernetes environment provided by Chef 360 Platform (k0s) on CentOS and Red Hat Enterprise Linux (RHEL).
SELinux enforces mandatory access control policies that restrict user programs and system services, as well as access to files and network resources. By limiting privileges to only what’s needed, SELinux helps prevent programs and daemons from causing harm if they’re faulty or compromised.
Requirements
- SELinux must be enabled and set to permissive mode on the host OS of the worker nodes.
- The container-selinux policy must be installed.
- SELinux labels must be set correctly for k0s installation files on the worker nodes.
- SELinux must be enabled in the container runtime, such as containerd, on the worker nodes.
Set SELinux to permissive
By default, SELinux is enabled and set to enforcing on CentOS and RHEL. Chef 360 Platform requires SELinux to run in permissive mode. To set SELinux to permissive mode, follow these steps:
1. Open the /etc/selinux/config file and change the SELinux mode to permissive:
SELINUX=permissive
2. Restart your system.
3. After the system restarts, verify that SELinux is set to permissive mode:
getenforce
The output should be:
Permissive
Install container-selinux
Install the container-selinux package. It is available on most Fedora-based distributions, including Fedora 37, Red Hat Enterprise Linux 7, 8, and 9, CentOS 7 and 8, and Rocky Linux 9.
On Red Hat Enterprise Linux 7 and CentOS 7, run:
yum install -y container-selinux
On all other supported distributions, run:
dnf install -y container-selinux
Set SELinux labels for k0s install files
Run the following commands on the host OS of the worker nodes:
DATA_DIR="/var/lib/k0s"
sudo semanage fcontext -a -t container_runtime_exec_t "${DATA_DIR}/bin/containerd.*"
sudo semanage fcontext -a -t container_runtime_exec_t "${DATA_DIR}/bin/runc"
sudo restorecon -R -v ${DATA_DIR}/bin
sudo semanage fcontext -a -t container_var_lib_t "${DATA_DIR}/containerd(/.*)?"
sudo semanage fcontext -a -t container_ro_file_t "${DATA_DIR}/containerd/io.containerd.snapshotter.*/snapshots(/.*)?"
sudo restorecon -R -v ${DATA_DIR}/containerd
Enable SELinux in containerd for k0s
To enable SELinux support in containerd, add the following lines to /etc/k0s/containerd.toml on each worker node:
[plugins."io.containerd.grpc.v1.cri"]
enable_selinux = true
Restart the k0s service on the node for the changes to take effect.
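As an added example that is not part of the Chef 360 Platform documentation, the following POSIX shell script checks every requirement from the sections above on a worker node: the SELINUX mode in /etc/selinux/config, the mode reported by getenforce, the container-selinux package, the four fcontext rules for the k0s data directory, and enable_selinux = true inside the CRI plugin section of /etc/k0s/containerd.toml. The script name, function names and the --run flag are my own; each check takes its input as a file or a string, so it can first be exercised against constructed sample files and then pointed at the live node.

```shell
#!/bin/sh
# verify_selinux_k0s.sh (hypothetical name): added example, not from the Chef 360 Platform docs.
# Checks the SELinux prerequisites this guide lists for a k0s worker node.
# Run the checks against the live node with: sh verify_selinux_k0s.sh --run

# Effective SELINUX= value in an selinux config file (last uncommented assignment wins).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Requirement 1a: /etc/selinux/config (or a sample file) sets SELINUX=permissive.
check_selinux_config() {
    [ "$(selinux_config_mode "$1")" = "permissive" ]
}

# Requirement 1b: the running kernel is in permissive mode (pass it the output of getenforce).
check_runtime_mode() {
    [ "$1" = "Permissive" ]
}

# Requirement 2: the container-selinux package is installed.
check_container_selinux() {
    rpm -q container-selinux >/dev/null 2>&1
}

# Requirement 3: the four fcontext rules from this guide exist. $1 is a file holding the
# output of "semanage fcontext -l" (semanage is shipped in policycoreutils-python-utils on
# RHEL 8 and later, policycoreutils-python on RHEL 7); $2 is the k0s data directory.
check_fcontext_rules() {
    rules_file=$1
    data_dir=${2:-/var/lib/k0s}
    missing=0
    for spec in "${data_dir}/bin/containerd.*|container_runtime_exec_t" \
                "${data_dir}/bin/runc|container_runtime_exec_t" \
                "${data_dir}/containerd(/.*)?|container_var_lib_t" \
                "${data_dir}/containerd/io.containerd.snapshotter.*/snapshots(/.*)?|container_ro_file_t"; do
        path=${spec%%|*}
        type=${spec##*|}
        # The path spec is matched literally (-F) because it contains regex metacharacters.
        if ! grep -F -- "$path" "$rules_file" | grep -q "$type"; then
            echo "missing fcontext rule: $path -> $type" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Requirement 4: enable_selinux = true inside the CRI plugin section of containerd.toml.
# A value placed outside that section, or set to false, does not count.
check_containerd_toml() {
    awk '
        /^[ \t]*\[/ { in_cri = (index($0, "[plugins.\"io.containerd.grpc.v1.cri\"]") > 0); next }
        in_cri && /^[ \t]*enable_selinux[ \t]*=[ \t]*true([ \t#]|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Run every check against the live node; returns non-zero if any requirement is unmet.
verify_node() {
    status=0
    check_selinux_config /etc/selinux/config || { echo "FAIL: /etc/selinux/config is not SELINUX=permissive" >&2; status=1; }
    check_runtime_mode "$(getenforce 2>/dev/null)" || { echo "FAIL: getenforce did not report Permissive" >&2; status=1; }
    check_container_selinux || { echo "FAIL: container-selinux is not installed" >&2; status=1; }
    rules=$(mktemp)
    semanage fcontext -l > "$rules" 2>/dev/null
    check_fcontext_rules "$rules" /var/lib/k0s || status=1
    rm -f "$rules"
    check_containerd_toml /etc/k0s/containerd.toml || { echo "FAIL: enable_selinux = true is missing from the CRI section of /etc/k0s/containerd.toml" >&2; status=1; }
    [ "$status" -eq 0 ] && echo "all SELinux requirements met"
    return "$status"
}

case "${1:-}" in
    --run) verify_node ;;
esac
```

Each check reports what is missing rather than stopping at the first failure, so one run of the script gives the full list of requirements still to fix on a node; the TOML check deliberately ignores an enable_selinux key placed outside the [plugins."io.containerd.grpc.v1.cri"] table, since containerd would not read it there.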