☑️ Prevent SELinux containers from setting a user

SELinux defines access controls for the applications, processes, and files on a system. SELinux uses security policies, which are a set of rules that tell SELinux what can or can't be accessed, to enforce the access allowed by a policy.
SELinux options can be used to escalate privileges and should not be allowed.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy (What does this mean?)

Policy as code identifier: EKS_INVALID_SELINUXOPTIONS_USER_VALUE

This rule will fail

If an SELinux user is set:

spec:
  containers:
    - securityContext:
        seLinuxOptions:
          user: usr

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent SELinux containers from setting a user [1 occurrence]
💡 Invalid key `user` - refrain from setting this key to prevent potential access to the host filesystem

How to fix this failure

spec:
  containers:
  - securityContext:
      seLinuxOptions:
        type: container_kvm_t

This rule will fail​

Rule output in the CLI​

How to fix this failure​

Read more​

This rule will fail

Rule output in the CLI

How to fix this failure

Read more