Skip to content

rancher/rancher-selinux

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

156 Commits
.github
.github
 
 
hack
hack
 
 
policy
policy
 
 
.gitignore
.gitignore
 
 
CODEOWNERS
CODEOWNERS
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

About rancher-selinux

rancher-selinux contains a set of SELinux policies designed to grant the necessary privileges to various Rancher components running on Linux systems with SELinux enabled. These policies enhance security by defining dedicated types for containers and assigning them the least privileges possible.

For more information about enabling SELinux on Rancher or installing the rancher-selinux RPM, use: https://ranchermanager.docs.rancher.com/reference-guides/rancher-security/selinux-rpm/about-rancher-selinux

Coverage of rancher-selinux

The following Rancher compnents are covered by the policy:

Component Service/Container SELinux Type
Rancher Monitoring Chart node-exporter prom_node_exporter_t
Rancher Monitoring Chart pushprox rke_kubereader_t
Rancher Logging Chart fluentbit rke_logreader_t
RKE1 flannel rke_network_t
RKE1 rke etcd, rke-etcd-backup, kube-{apiserver,controller,scheduler} rke_container_t

Support Matrix

Operating System Version Supported Policy E2E
RHEL/CentOS/Rocky 8 centos8
RHEL/CentOS/Rocky 9 centos9
Fedora 41 fedora41
SUSE SLE/Micro Stable microos 🚧

Versioning/Tagging

The version parsing logic for rancher/rancher-selinux expects tags to be of a certain format (that directly correlates to RPM naming)

The tag format should be as follows: v{rancher-selinux version}.{rpm channel}.{rpm release} where

rancher-selinux-version is like 0.1, 0.2, etc. rpm channel is like testing, production rpm release is like 1, 2

rpm release should index from 1 for released RPM's

The following list shows the expected tag to (example) transformation for RPM's

Tag Tree State Output RPM RPM Channel Notes
master (no tag) Clean rancher-selinux-0.0~0d52f7d8-0.el7.noarch.rpm Testing
master (no tag) Dirty rancher-selinux-0.0~0d52f7d8-0.el7.noarch.rpm Testing
v0.2-alpha1.testing.1 Clean rancher-selinux-0.2~alpha1-1.el7.noarch.rpm Testing
v0.2-alpha2.testing.1 Clean rancher-selinux-0.2~alpha2-1.el7.noarch.rpm Testing
v0.2-rc1.testing.1 Clean rancher-selinux-0.2~rc1-1.el7.noarch.rpm Testing
v0.2-rc2.testing.1 Clean rancher-selinux-0.2~rc2-1.el7.noarch.rpm Testing
v0.2.testing.1 Clean rancher-selinux-0.2-1.el7.noarch.rpm Testing
v0.2.production.1 Clean rancher-selinux-0.2-1.el7.noarch.rpm Production

About

SELinux policy files for Rancher

Topics

rancher selinux rke k3s

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

7 stars

Watchers

46 watching

Forks

11 forks
Report repository

Releases 30

v0.6.production.1 Latest
Apr 18, 2025
+ 29 releases

Packages

No packages published

Contributors 12

Languages