Ensure SELinux support is enabled in Docker
An XCCDF Rule
Description
To enable SELinux for the Docker service, the Docker daemon must be
started with the --selinux-enabled option.
In the /etc/sysconfig/docker configuration file, add or correct
the following line to enable SELinux support in the Docker daemon:
OPTIONS='--selinux-enabled'
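The following POSIX shell functions are an added example, not part of the SCAP Security Guide rule or its shipped remediation. They check whether the OPTIONS line in a Docker sysconfig file carries --selinux-enabled (treating an explicit --selinux-enabled=false as not compliant) and add or correct that line without discarding other options already set. The file path is a parameter so the functions can be exercised on a copy; it defaults to /etc/sysconfig/docker. Function names are chosen here and are not from the guide.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): check and remediate the
# --selinux-enabled flag in a Docker sysconfig file (default /etc/sysconfig/docker).

# Return 0 when the last uncommented OPTIONS= line enables SELinux, 1 otherwise.
# The last line wins because that is what happens when the shell sources the file.
docker_selinux_configured() {
    file="${1:-/etc/sysconfig/docker}"
    [ -r "$file" ] || return 1
    opts=$(grep -E '^[ 	]*OPTIONS=' "$file" | tail -n 1)
    case "$opts" in
        *--selinux-enabled=false*) return 1 ;;   # explicitly disabled
        *--selinux-enabled*)       return 0 ;;   # --selinux-enabled or =true
        *)                         return 1 ;;   # flag absent or no OPTIONS line
    esac
}

# Add or correct the OPTIONS= line so that it carries --selinux-enabled.
# Existing options on the line are preserved; an explicit =false is removed.
docker_selinux_remediate() {
    file="${1:-/etc/sysconfig/docker}"
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk '
        /^[ \t]*OPTIONS=/ {
            seen = 1
            line = $0
            # Drop an explicit disable before deciding whether the flag is present.
            gsub(/[ \t]*--selinux-enabled=false/, "", line)
            if (line !~ /--selinux-enabled/) {
                # Take the value, strip surrounding quotes, append the flag, re-quote.
                val = line
                sub(/^[ \t]*OPTIONS=/, "", val)
                gsub(/^["'\'']|["'\'']$/, "", val)
                line = "OPTIONS='\''" (val == "" ? "" : val " ") "--selinux-enabled'\''"
            }
            print line
            next
        }
        { print }
        END { if (!seen) print "OPTIONS='\''--selinux-enabled'\''" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}
```

Usage: `docker_selinux_configured || docker_selinux_remediate`, then restart the Docker service. Two caveats a practitioner should check after remediation: the flag only has an effect when SELinux itself is enabled on the host (`getenforce` should not report Disabled), and Docker packages that configure the daemon through /etc/docker/daemon.json use the equivalent key `"selinux-enabled": true` there rather than the sysconfig OPTIONS line. Whichever mechanism is used, `docker info` should list selinux under Security Options once the daemon has restarted.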
Rationale
If SELinux is not explicitly enabled in the Docker daemon configuration, Docker does not use SELinux: the daemon runs its containers unconfined and SELinux provides no security separation between container processes. Enabling SELinux for the Docker service prevents an attacker or a rogue container from attacking other containers' processes and content, and from taking over the host operating system.
- ID
- xccdf_org.ssgproject.content_rule_docker_selinux_enabled
- Severity
- High
- References
- Updated