rancher/rancher-selinux
About rancher-selinux

rancher-selinux contains a set of SELinux policies designed to grant the necessary privileges to various Rancher components running on Linux systems with SELinux enabled. These policies enhance security by defining dedicated types for containers and assigning them the least privileges possible.

For more information about enabling SELinux on Rancher or installing the rancher-selinux RPM, see: https://ranchermanager.docs.rancher.com/reference-guides/rancher-security/selinux-rpm/about-rancher-selinux

Coverage of rancher-selinux

The following Rancher components are covered by the policy:

| Component | Service/Container | SELinux Type | CentOS 9/10 | MicroOS | Fedora 42 | E2E Status |
|---|---|---|---|---|---|---|
| Rancher Monitoring | node-exporter | prom_node_exporter_t | | | | Production |
| Rancher Monitoring | pushprox | rke_kubereader_t | | | | Production |
| Rancher Logging | fluentbit | rke_logreader_t | | | | Production |
| Rancher AI | rancher-ai-agent | rancher_aiagent_container_t | 🚧 | 🚧 | 🚧 | Testing |
| Rancher AI | rancher-ai-mcp | rancher_aimcp_container_t | 🚧 | 🚧 | 🚧 | Testing |
| RKE1 | flannel | rke_network_t | | | | Production |
| RKE1 | rke etcd, kube-apiserver, etc. | rke_container_t | | | | Production |

Note: Only the specific charts and services listed above are assigned a dedicated SELinux type (within the container domain). Other Rancher components and general workloads will typically inherit the default container_t type provided by the base container-selinux policy.

Support Matrix

| Operating System | Version | Supported | Policy | E2E |
|---|---|---|---|---|
| RHEL/CentOS/Rocky | 9 | | centos9 | |
| RHEL/CentOS/Rocky | 10 | | centos10 | |
| Fedora | 42 | | fedora42 | |
| SUSE SLE/Micro | Stable | | microos | |

Versioning/Tagging

The version parsing logic for rancher/rancher-selinux expects tags to be of a certain format that directly correlates to RPM naming.

The tag format should be as follows: v{rancher-selinux version}.{rpm channel}.{rpm release}, where:

- rancher-selinux version is like 0.1, 0.2, etc.
- rpm channel is like testing, production
- rpm release is like 1, 2

rpm release should index from 1 for released RPMs.

The following list shows the expected tag-to-RPM transformation (with example values):

| Tag | Tree State | Output RPM | RPM Channel | Notes |
|---|---|---|---|---|
| master (no tag) | Clean | rancher-selinux-0.0~0d52f7d8-0.el7.noarch.rpm | Testing | |
| master (no tag) | Dirty | rancher-selinux-0.0~0d52f7d8-0.el7.noarch.rpm | Testing | |
| v0.2-alpha1.testing.1 | Clean | rancher-selinux-0.2~alpha1-1.el7.noarch.rpm | Testing | |
| v0.2-alpha2.testing.1 | Clean | rancher-selinux-0.2~alpha2-1.el7.noarch.rpm | Testing | |
| v0.2-rc1.testing.1 | Clean | rancher-selinux-0.2~rc1-1.el7.noarch.rpm | Testing | |
| v0.2-rc2.testing.1 | Clean | rancher-selinux-0.2~rc2-1.el7.noarch.rpm | Testing | |
| v0.2.testing.1 | Clean | rancher-selinux-0.2-1.el7.noarch.rpm | Testing | |
| v0.2.production.1 | Clean | rancher-selinux-0.2-1.el7.noarch.rpm | Production | |
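The tag-to-RPM mapping in the table above, written out as an added example (this is not the project's own version script). It assumes an `el7` dist suffix and an 8-character short commit sha for untagged builds, as the table shows, and rejects any tag that does not follow the documented grammar (including a release of 0) so that a malformed tag cannot produce a mis-versioned package.

```python
import re
from dataclasses import dataclass

# Tag grammar from the README: v{version}[-{pre-release}].{channel}.{release}
# release must start at 1 for released RPMs, so 0 is rejected by the pattern.
TAG_RE = re.compile(
    r"^v(?P<version>\d+\.\d+)(?:-(?P<pre>[a-z]+\d+))?"
    r"\.(?P<channel>testing|production)\.(?P<release>[1-9]\d*)$"
)


@dataclass(frozen=True)
class RpmName:
    filename: str
    channel: str


def is_valid_tag(tag: str) -> bool:
    """Return True if the tag follows the documented format."""
    return TAG_RE.match(tag) is not None


def rpm_name(tag, commit: str, dist: str = "el7") -> RpmName:
    """Map a git tag (or None for an untagged commit) to the RPM filename and channel.

    Tree state (clean/dirty) does not change the name, matching the table.
    """
    if tag is None:
        # Untagged builds: version 0.0, short sha as pre-release marker,
        # release 0, always published to the testing channel.
        short_sha = commit[:8]
        return RpmName(f"rancher-selinux-0.0~{short_sha}-0.{dist}.noarch.rpm", "testing")
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"tag {tag!r} does not match v<version>[-<pre>].<channel>.<release>")
    version = m["version"]
    if m["pre"]:
        # RPM's tilde sorts before the final release, so 0.2~rc1 < 0.2
        version += "~" + m["pre"]
    release = m["release"]
    return RpmName(f"rancher-selinux-{version}-{release}.{dist}.noarch.rpm", m["channel"])
```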
