
☑️ Prevent SELinux containers from setting a role

SELinux defines access controls for the applications, processes, and files on a system. It enforces those controls through security policies: sets of rules that state what each subject may or may not access.
Letting a container choose its own SELinux options gives a workload a way to escalate privileges, so these options should not be allowed.

Objects targeted by this rule (kinds): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy

Policy as code identifier: EKS_INVALID_SELINUXOPTIONS_ROLE_VALUE


This rule will fail

If an SELinux role is set:

spec:
  containers:
  - securityContext:
      seLinuxOptions:
        role: usr

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent SELinux containers from setting a role [1 occurrence]
💡 Invalid key `role` - refrain from setting this key to prevent potential access to the host filesystem

How to fix this failure

spec:
  containers:
  - securityContext:
      seLinuxOptions:
        type: container_kvm_t
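The check this rule performs, written out as an added Python example (not Datree's own code). It assumes manifests are passed as the dicts yaml.safe_load returns, and goes a little beyond the page by also flagging initContainers and a pod-level securityContext, which every container inherits.

```python
# Constructed sample manifests: the dicts yaml.safe_load returns for the failing
# and fixed Pod on this page, plus a Deployment that sets the role pod-wide.
FAIL_POD = {"kind": "Pod", "metadata": {"name": "failExample"},
            "spec": {"containers": [{"name": "app", "securityContext":
                     {"seLinuxOptions": {"role": "usr"}}}]}}
PASS_POD = {"kind": "Pod", "metadata": {"name": "passExample"},
            "spec": {"containers": [{"name": "app", "securityContext":
                     {"seLinuxOptions": {"type": "container_kvm_t"}}}]}}
FAIL_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"},
                   "spec": {"template": {"spec": {
                       "securityContext": {"seLinuxOptions": {"role": "usr"}},
                       "containers": [{"name": "web", "securityContext": None}]}}}}

def _get(obj, *keys):
    """Walk nested dicts; a missing or null key yields None instead of raising."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def _pod_spec(manifest):
    """Locate the PodSpec inside a Pod or any workload kind that wraps one."""
    kind = manifest.get("kind")
    if kind == "Pod":
        spec = manifest.get("spec")
    elif kind == "CronJob":
        spec = _get(manifest, "spec", "jobTemplate", "spec", "template", "spec")
    else:  # Deployment, DaemonSet, StatefulSet, ReplicaSet, Job; other kinds yield {}
        spec = _get(manifest, "spec", "template", "spec")
    return spec if isinstance(spec, dict) else {}

def find_selinux_role(manifest):
    """Return the PodSpec-relative path of every seLinuxOptions.role that is set."""
    pod_spec = _pod_spec(manifest)
    hits = []
    # A pod-level securityContext is inherited by every container in the pod
    if _get(pod_spec, "securityContext", "seLinuxOptions", "role") is not None:
        hits.append("securityContext.seLinuxOptions.role")
    for field in ("initContainers", "containers"):
        for container in pod_spec.get(field) or []:
            if _get(container, "securityContext", "seLinuxOptions", "role") is not None:
                hits.append(f"{field}[{container.get('name')}].securityContext.seLinuxOptions.role")
    return hits

if __name__ == "__main__":
    for manifest in (FAIL_POD, PASS_POD, FAIL_DEPLOYMENT):
        for path in find_selinux_role(manifest):
            print(f"{manifest['metadata']['name']}: invalid key `role` at {path}")
```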
