{"id":13509486,"url":"https://github.com/containers/selinuxd","last_synced_at":"2025-04-09T00:30:47.379Z","repository":{"id":37487895,"uuid":"433091519","full_name":"containers/selinuxd","owner":"containers","description":"A daemon that manages SELinux policies on a filesystem","archived":false,"fork":false,"pushed_at":"2024-03-05T04:21:52.000Z","size":8572,"stargazers_count":37,"open_issues_count":20,"forks_count":13,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-03-23T19:44:36.818Z","etag":null,"topics":["kubernetes","selinux"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/containers.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security/selinuxd-seccomp-fedora-34.json","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-29T15:14:55.000Z","updated_at":"2024-10-29T00:16:46.000Z","dependencies_parsed_at":"2023-12-14T10:54:25.795Z","dependency_job_id":"4dd8d917-9bb2-4512-b222-ec84b4b7b119","html_url":"https://github.com/containers/selinuxd","commit_stats":{"total_commits":208,"total_committers":7,"mean_commits":"29.714285714285715","dds":0.5865384615384616,"last_synced_commit":"202a693c001e36d0aa938870e7e461f714c298e1"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Fselinuxd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Fselinuxd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Fselinuxd/releas
es","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containers%2Fselinuxd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/containers","download_url":"https://codeload.github.com/containers/selinuxd/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247949685,"owners_count":21023368,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","selinux"],"created_at":"2024-08-01T02:01:08.470Z","updated_at":"2025-04-09T00:30:42.371Z","avatar_url":"https://github.com/containers.png","language":"Go","funding_links":[],"categories":["Go","kubernetes"],"sub_categories":[],"readme":"selinuxd\n========\n\nThis is a daemon whose purpose is to install and remove SELinux policies as they are\nplaced in a specific directory. This directory is `/etc/selinux.d` by default.\n\nThe intent is to follow an infrastructure-as-code approach to installing SELinux\npolicies. With this, installing a policy is a matter of persisting the policy file\nin a specific directory, which the daemon will immediately pick up and try to\ninstall.\n\nBuilding\n========\n\nGolang 1.15 and GNU make are required. On Fedora 33, installing them is a matter of doing:\n\n```\n$ sudo dnf install golang make libsemanage-devel policycoreutils\n```\n\nWith this, you can build the daemon's binary with `make build`, or simply\n`make`. 
The binary will be written to the `bin/` directory.\n\nRunning\n=======\n\nOnce you have built the binary, simply do:\n\n```\n$ sudo ./bin/selinuxdctl daemon\n```\n\nor\n\n```\n$ make run\n```\n\nNote that `sudo` is needed because the daemon will attempt to install SELinux policies, which\nrequires root. Also note that the `run` target will attempt to create\n`/etc/selinux.d`.\n\nThis will:\n\n* Listen for file changes in the `/etc/selinux.d` directory\n\n  - When a file is added or modified, it'll attempt to install the policy\n\n  - When a file is removed, it'll uninstall the policy\n\nTesting (for demo purposes)\n===========================\n\nWith the daemon running, do:\n\n```\n$ sudo cp tests/data/testport.cil /etc/selinux.d/\n```\n\nNotice that the policy will be installed on the system shortly:\n\n```\n$ sudo semodule -l | grep testport\n```\n\nNow, remove the policy:\n\n```\n$ sudo rm /etc/selinux.d/testport.cil\n```\n\nNotice that the policy will no longer be there:\n\n```\n$ sudo semodule -l | grep testport\n```\n\nWhy?\n====\n\nThis enables an easy way to install policies by declaring intent, as opposed to\nhaving to tell a system how to do things. This way, all we need to do is tell a system\nthat we want a file at a specific path in the file system, and the rest will be taken care of.\n\nSELinux policies are often used to secure workloads on nodes and should be\ntreated as part of the workload deployment. By getting this daemon to dynamically\ninstall and track these policies, we're able to more closely link the policies\nto the workloads that require them. 
Policies, in this context, are not\nconfiguration files for the node, but instead statements on how to secure a\nrunning workload.\n\nOpenShift/Machine Config Operator\n---------------------------------\n\nThe [Machine Config Operator](https://github.com/openshift/machine-config-operator)\nis an [operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) that\nensures that the nodes belonging to an OpenShift cluster are in a certain state.\n\nIf this daemon were running on a node in the cluster, all we would need to do\nto install a policy is:\n\n```\napiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  labels:\n    machineconfiguration.openshift.io/role: worker\n  name: 50-example-sepolicy\nspec:\n  config:\n    ignition:\n      version: 2.2.0\n    storage:\n      files:\n      - contents:\n          source: data:,%3B%20Declare%20a%20test_port_t%20type%0A%28type%20test_port_t%29%0A%3B%20Assign%20the%20type%20to%20the%20object_r%20role%0A%28roletype%20object_r%20test_port_t%29%0A%0A%3B%20Assign%20the%20right%20set%20of%20attributes%20to%20the%20port%0A%28typeattributeset%20defined_port_type%20test_port_t%29%0A%28typeattributeset%20port_type%20test_port_t%29%0A%0A%3B%20Declare%20tcp%3A1440%20as%20test_port_t%0A%28portcon%20tcp%201440%20%28system_u%20object_r%20test_port_t%20%28%28s0%29%20%28s0%29%29%29%29\n        filesystem: root\n        mode: 0600\n        path: /etc/selinux.d/testport.cil\n```\n\nThis `MachineConfig` object tells the operator to put the policy at the specified path, with\nthe specified permissions. Note that the policy is URL encoded because\nthe [ignition format](https://github.com/coreos/ignition) requires it.\n\nWithout this daemon, each policy installation would require us to persist the file\non the node, then run a one-off systemd unit to install the policy. 
As policies\nget added to the system, the number of systemd units grows, which is neither scalable\nnor user-friendly.\n\nUses\n====\n\nThis daemon is currently being used [in the security-profiles-operator](\nhttps://github.com/kubernetes-sigs/security-profiles-operator) to do\nthe heavy lifting of installing SELinux policies. The operator itself manages the policies\nas Kubernetes objects, and the daemon makes sure that they are actually installed on\nthe nodes of the cluster.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainers%2Fselinuxd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainers%2Fselinuxd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainers%2Fselinuxd/lists"}