How to enable SE linux only at container level


I am using ECS, and I am using a default AL2 base image for the EC2 instances which I don't want to change. Say my EC2 host does not have SELinux enabled and I want SELinux to be configured and set to permissive/enforcing mode only at the container level, and I also want the audit logs for the same.

I created a simple Docker image for the same and spawned a new container from it:

FROM amazonlinux:2
RUN yum install -y selinux-policy selinux-policy-targeted policycoreutils
RUN yum install -y audit audit-libs auditd audit-libs-python
# RUN steps already execute as root in this image, so sudo is not needed (and not installed)
RUN systemctl enable auditd
RUN sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
# Start the auditd service when the container runs
CMD ["/usr/sbin/init"]
# Note: a Dockerfile only honours the last CMD, so this line replaces the init CMD above
CMD ["sleep", "3600"] # Sleep for 1 hour (3600 seconds)

but

  1. SELinux is still disabled inside the container. Is it mandatory for the host EC2 instance to have SELinux configured for the container to honor SELinux as well?
  2. Also, will audit logs be available at the container level for SELinux denials?

How do I set up SELinux only for containers at the moment they spin up, without having to reboot my containers / EC2 instances?

1 Answer

Hi,

Have a look at section dockerSecurityOptions on https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html#ECS-Type-ContainerDefinition-dockerSecurityOptions

In particular,

Note
The Amazon ECS container agent running on a container instance must register 
with the ECS_SELINUX_CAPABLE=true or ECS_APPARMOR_CAPABLE=true environment 
variables before containers placed on that instance can use these security options. 
For more information, see Amazon ECS Container Agent Configuration in the Amazon 
Elastic Container Service Developer Guide.

Please also follow this detailed tutorial to enable SELinux within a container: https://opensource.com/article/20/11/selinux-containers

Best,

Didier

AWS EXPERT, answered a year ago
AWS EXPERT, reviewed a year ago
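The answer describes two halves that must both be in place: the agent on the container instance registers with ECS_SELINUX_CAPABLE=true, and the task definition's container entries carry the label in dockerSecurityOptions. The preflight check below is an added example, not code from the answerer or from AWS; it assumes the agent configuration lives in /etc/ecs/ecs.config, that the host kernel exposes /sys/fs/selinux/enforce when SELinux is on, and it uses constructed sample inputs.

```python
import re
from typing import Dict, List, Optional

# Value forms documented for dockerSecurityOptions in the linked API reference:
# "no-new-privileges" | "apparmor:PROFILE" | "label:value" | "credentialspec:PATH"
_OPT_RE = re.compile(r"^(no-new-privileges|apparmor:\S+|label:\S+|credentialspec:\S+)$")

def parse_ecs_config(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of the agent config (assumed at /etc/ecs/ecs.config)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue          # blank lines and '#' comments carry no setting
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def read_host_enforce(path: str = "/sys/fs/selinux/enforce") -> Optional[str]:
    """Return '1'/'0' from the kernel's selinuxfs, or None when SELinux is not enabled."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None

def check_task_selinux(agent_cfg: Dict[str, str], container_defs: List[dict],
                       host_enforce: Optional[str]) -> List[str]:
    """Report why SELinux labels requested by a task would not take effect."""
    findings: List[str] = []
    capable = agent_cfg.get("ECS_SELINUX_CAPABLE", "false").lower() == "true"
    if host_enforce is None:
        # Containers share the host kernel: with no selinuxfs there is no LSM to label them
        findings.append("host: SELinux is not enabled in the kernel; labels cannot apply")
    for cd in container_defs:
        for opt in cd.get("dockerSecurityOptions", []):
            if not _OPT_RE.match(opt):
                findings.append(f"{cd['name']}: unrecognised dockerSecurityOptions value {opt!r}")
            elif opt.startswith("label:") and not capable:
                findings.append(f"{cd['name']}: {opt!r} needs the agent registered with "
                                "ECS_SELINUX_CAPABLE=true")
    return findings

# Constructed sample: the capability line is commented out, so the label is ineffective
SAMPLE_AGENT_CONFIG = "ECS_CLUSTER=example-cluster\n# ECS_SELINUX_CAPABLE=true\n"
SAMPLE_CONTAINERS = [{"name": "app", "dockerSecurityOptions": ["label:type:container_t"]},
                     {"name": "sidecar", "dockerSecurityOptions": ["no-new-privileges"]}]

if __name__ == "__main__":
    for f in check_task_selinux(parse_ecs_config(SAMPLE_AGENT_CONFIG),
                                SAMPLE_CONTAINERS, read_host_enforce()):
        print(f)
```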
