diff --git a/versioned_docs/version-2.14/reference-guides/rancher-security/selinux-rpm/about-rancher-selinux.md b/versioned_docs/version-2.14/reference-guides/rancher-security/selinux-rpm/about-rancher-selinux.md index b3be3dade1c..19e0d846673 100644 --- a/versioned_docs/version-2.14/reference-guides/rancher-security/selinux-rpm/about-rancher-selinux.md +++ b/versioned_docs/version-2.14/reference-guides/rancher-security/selinux-rpm/about-rancher-selinux.md @@ -8,6 +8,12 @@ title: About rancher-selinux To allow Rancher to work with SELinux, some functionality has to be manually enabled for the SELinux nodes. To help with that, Rancher provides an SELinux RPM. +:::tip Why SELinux? + +By assigning a dedicated SELinux type to each container, we ensure that containers are limited to their minimal needs and cannot pivot to other resources if compromised. + +::: + The `rancher-selinux` RPM contains a set of SELinux policies designed to grant the necessary privileges to various Rancher components running on Linux systems with SELinux enabled. The `rancher-selinux` GitHub repository is [here.](https://github.com/rancher/rancher-selinux) @@ -16,7 +22,7 @@ The `rancher-selinux` GitHub repository is [here.](https://github.com/rancher/ra :::note Requirement: -The `rancher-selinux` RPM was tested on openSUSE Tumbleweed and RHEL-based distributions including Centos/RockyLinux 8 and 9. +The `rancher-selinux` RPM was tested on openSUSE MicroOS, Fedora 42, and RHEL-based distributions including CentOS/RockyLinux 8, 9, and 10. ::: @@ -50,6 +56,19 @@ gpgkey=https://rpm.rancher.io/public.key EOF ``` +In order to use the RPM repository, on a CentOS 10 or RHEL 10 system, run the following bash snippet: + +``` +# cat << EOF > /etc/yum.repos.d/rancher.repo +[rancher] +name=Rancher +baseurl=https://rpm.rancher.io/rancher/production/centos/10/noarch +enabled=1 +gpgcheck=1 +gpgkey=https://rpm.rancher.io/public.key +EOF +``` + ### 2. Installing the RPM Install the RPM: 
@@ -58,14 +77,16 @@ Install the RPM: yum -y install rancher-selinux ``` -## Configuring the Logging and Monitoring Applications to Work with SELinux +## Configuring Applications to Work with SELinux :::note Requirement: -Logging v2 and Monitoring v2 were tested with SELinux on RHEL/CentOS 8, 9, and Tumbleweed. +Logging v2, Monitoring v2, and Rancher AI were tested with SELinux on RHEL/CentOS 8, 9, 10, and Tumbleweed. ::: -Applications do not automatically work once the `rancher-selinux` RPM is installed on the host. They need to be configured to run in an allowed SELinux container domain provided by the RPM. +The `rancher-selinux` RPM currently covers the following charts: **Logging**, **Monitoring**, and **Rancher AI**. -To configure the `rancher-logging` or the `rancher-monitoring` chart to be SELinux aware, change `global.seLinux.enabled` to true in the `values.yaml` when installing the charts. +Applications do not automatically work once the `rancher-selinux` RPM is installed on the host. They need to be configured to run in an allowed SELinux container domain provided by the RPM. + +To configure these charts to be SELinux aware, change `global.seLinux.enabled` to true in the `values.yaml` when installing the charts.
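Review bot: in the first hunk (@@ -8,6 +8,12 @@), the new "Why SELinux?" tip overstates what the RPM provides and does not match the body of the page. It promises "a dedicated SELinux type to each container" and that a compromised container "cannot pivot to other resources", while the last hunk says workloads must be "configured to run in an allowed SELinux container domain provided by the RPM", i.e. one policy domain per chart rather than a per-container type, and SELinux confinement limits rather than eliminates what a compromised process can reach. Suggest wording along the lines of "Running each Rancher component in its own SELinux domain restricts a compromised container to the resources its policy explicitly allows." The first-person "we ensure" also sits oddly in a reference guide that otherwise says "Rancher provides".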
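Review bot: the two Requirement notes now disagree on the tested platforms. Hunk @@ -16,7 +22,7 @@ replaces Tumbleweed with "openSUSE MicroOS, Fedora 42, and RHEL-based distributions including CentOS/RockyLinux 8, 9, and 10", but the note in the last hunk still reads "RHEL/CentOS 8, 9, 10, and Tumbleweed" and mentions neither MicroOS nor Fedora 42. If the RPM and the application charts really were validated on different sets of distributions, say so explicitly; otherwise the second note should carry the same list. Since CentOS 9 and 10 exist only as CentOS Stream, naming them as such would also avoid ambiguity.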
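Review bot: the new CentOS/RHEL 10 repository block in hunk @@ -50,6 +56,19 @@ opens with `# cat << EOF > /etc/yum.repos.d/rancher.repo`; a reader who copies the block verbatim into a bash session gets the `cat` line treated as a comment, the following lines (`[rancher]`, `EOF`) fail as commands, and no repo file is written. Drop the `# ` prompt prefix, or state that `#` denotes the root prompt (the same applies to the existing blocks if they use the convention). The fence also lacks a language tag; ```` ```bash ```` would give syntax highlighting and make the intent clear. The lead sentence "In order to use the RPM repository, on a CentOS 10 or RHEL 10 system, run the following bash snippet:" reads more naturally as "To use the RPM repository on a CentOS 10 or RHEL 10 system, run the following:".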
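Review bot: in the last hunk (@@ -58,14 +77,16 @@), the rewrite drops the chart identifiers a Helm user needs. The removed sentence named `rancher-logging` and `rancher-monitoring`; the new list gives only display names (**Logging**, **Monitoring**, **Rancher AI**), so the Rancher AI chart is never identified by name. Suggest listing each display name with its chart, e.g. "**Logging** (`rancher-logging`), **Monitoring** (`rancher-monitoring`) and **Rancher AI** (`<chart name>`)", with the actual Rancher AI chart name filled in. In the same hunk, `global.seLinux.enabled` to true should format the value as `` `true` `` to match the key.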