kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add content about SELinux recording and moved selinuxd

This commit is contained in:
Jakub Hrozek 2021-12-07 23:09:31 +01:00
parent b32c348ff2
commit a2e3f11d22
1 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
content/en/blog/_posts/2021-12-13-security-profiles-operator-v0.4.0/index.md
View File

@ -59,15 +59,33 @@ which has changed is that the seccomp profile type `Architectures` now points to
### SELinux enhancements
<!--
- Selinuxd now uses containers from quay.io/security-profiles-operator (#750, @jhrozek)
-->
Managing SELinux policies (an equivalent to using `semodule` that
you would normally call on a single server) is not done by SPO
itself, but by another container called selinuxd to provide better
isolation. This release switched to using selinuxd containers from
a personal reposiroty to images located under [our team's quay.io repository](https://quay.io/organization/security-profiles-operator).
The selinuxd repo has moved as well to [the containers github organization](https://github.com/containers/selinuxd).
Please note that selinuxd links dynamically to libsemanage and mounts the
SELinux directories from the nodes, which means that the selinuxd container
must be running the same distribution as the cluster nodes. SPO defaults
to using CentOS-8 based containers, but we also build Fedora based ones.
If you are using another distribution and would like us to add support for
it, please file [an issue against selinuxd](https://github.com/containers/selinuxd/issues).
#### Profile Recording
<!--
- #592, @jhrozek
-->
This release adds support for recording of SELinux profiles.
The recording itself is managed via an instance of a `ProfileRecording` CR
as seen in an [example](https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/examples/profilerecording-selinux-logs.yaml)
in our repo and from user's point of view works pretty much the same as
recording of seccomp profiles.
Under the hood, to know what the workload is doing SPO installs a special
permissive policy called [selinuxrecording](https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/deploy/base/profiles/selinuxrecording.cil)
on startup which allows everything and logs all AVCs to audit.log.
These AVC messages are scraped by the log enricher component and when
the recorded workload exits, the policy is created.
#### `SELinuxProfile` CRD graduation