---
title: "Disallow SELinux"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/baseline/disallow-selinux/
---



### Description
Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.

**Restricted Fields for SELinux type**
* spec.securityContext.seLinuxOptions.type
* spec.containers[*].securityContext.seLinuxOptions.type
* spec.initContainers[*].securityContext.seLinuxOptions.type
* spec.ephemeralContainers[*].securityContext.seLinuxOptions.type

**Allowed Values for SELinux type**
* Undefined/""
* container_t
* container_init_t
* container_kvm_t

**Restricted Fields for SELinux user**
* spec.securityContext.seLinuxOptions.user
* spec.containers[*].securityContext.seLinuxOptions.user
* spec.initContainers[*].securityContext.seLinuxOptions.user
* spec.ephemeralContainers[*].securityContext.seLinuxOptions.user
* spec.securityContext.seLinuxOptions.role
* spec.containers[*].securityContext.seLinuxOptions.role
* spec.initContainers[*].securityContext.seLinuxOptions.role
* spec.ephemeralContainers[*].securityContext.seLinuxOptions.role

**Allowed Values for SELinux user**
* Undefined/""

### Risks
Privilege escalation may result from allowing users, roles, or custom SELinux types that are not part of the predefined set (`container_t`, `container_init_t`, `container_kvm_t`). Configurations of SELinux that are too liberal or customized may provide containers greater access than necessary.

### Kyverno Policy
Refer to the Nirmata curated policies - [disallow-selinux.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-selinux/disallow-selinux.yaml)

### References
#### Configuration Settings
The pattern below means: for the pod-level `securityContext` and for every entry of `ephemeralContainers`, `initContainers` or `containers` in `spec`, if the `securityContext.seLinuxOptions.type` field is present, its only acceptable values are `container_t`, `container_init_t`, or `container_kvm_t`; anything else fails this security control. The `=()` conditional anchor makes each nested check apply only when that key exists, so if the `securityContext` (or `seLinuxOptions`) field is not present, the resource is conformant by default.

```yaml
=(securityContext):
  =(seLinuxOptions):
    =(type): "container_t | container_init_t | container_kvm_t"
=(ephemeralContainers):
  - =(securityContext):
      =(seLinuxOptions):
        =(type): "container_t | container_init_t | container_kvm_t"
=(initContainers):
  - =(securityContext):
      =(seLinuxOptions):
        =(type): "container_t | container_init_t | container_kvm_t"
containers:
  - =(securityContext):
      =(seLinuxOptions):
        =(type): "container_t | container_init_t | container_kvm_t"
```

The pattern below means: for the pod-level `securityContext` and for every entry of `ephemeralContainers`, `initContainers` or `containers` in `spec`, the `securityContext.seLinuxOptions.user` and `securityContext.seLinuxOptions.role` fields must not be set at all; the `X()` negation anchor with the value `"null"` fails the resource if either key is present. This matches the allowed values listed above (undefined only). If the `securityContext` field is not present, the resource is conformant by default.

```yaml
=(securityContext):
  =(seLinuxOptions):
    X(user): "null"
    X(role): "null"
=(ephemeralContainers):
  - =(securityContext):
      =(seLinuxOptions):
        X(user): "null"
        X(role): "null"
=(initContainers):
  - =(securityContext):
      =(seLinuxOptions):
        X(user): "null"
        X(role): "null"
containers:
  - =(securityContext):
      =(seLinuxOptions):
        X(user): "null"
        X(role): "null"
```
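The following Python check is an added example, not the Nirmata policy or Kyverno's own code: it re-implements the combined logic of the two patterns above (the `=()` conditional anchor on `type`, the `X()` negation on `user`/`role`, and the `a | b | c` alternation) so a pod spec can be evaluated offline. The two embedded pod specs are constructed for the example; the conformant one mirrors the page's `selur-gooddeployment` template.

```python
# Added example (not the Nirmata policy itself): a re-implementation of the two
# Kyverno patterns above, so their =() / X() / "a | b" semantics can run offline.
ALLOWED_SELINUX_TYPES = {"container_t", "container_init_t", "container_kvm_t"}
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def check_selinux_options(opts, where):
    """Apply the control to one seLinuxOptions mapping (pod- or container-level).
    type: unset/"" is fine, otherwise must be one of the allowed types.
    user/role: must be unset/"" (the X() anchor above is stricter: it rejects the
    key being present at all). Returns a list of violation strings."""
    violations = []
    if not opts:
        return violations
    if opts.get("type") and opts["type"] not in ALLOWED_SELINUX_TYPES:
        violations.append(f"{where}: seLinuxOptions.type {opts['type']!r} not allowed")
    for field in ("user", "role"):
        if opts.get(field):
            violations.append(f"{where}: seLinuxOptions.{field} must not be set")
    return violations


def check_pod_spec(pod_spec):
    """Walk a Pod spec (e.g. Deployment .spec.template.spec) like the pattern: pod
    securityContext first, then each container list. Missing fields are conformant."""
    pod_sc = pod_spec.get("securityContext") or {}
    violations = check_selinux_options(pod_sc.get("seLinuxOptions"), "spec")
    for list_name in CONTAINER_LISTS:
        for idx, ctr in enumerate(pod_spec.get(list_name) or []):
            sc = ctr.get("securityContext") or {}
            where = f"spec.{list_name}[{idx}]"
            violations += check_selinux_options(sc.get("seLinuxOptions"), where)
    return violations


# Constructed pod spec mirroring the page's selur-gooddeployment template (conformant).
GOOD_POD_SPEC = {
    "initContainers": [
        {"name": "initcontainer01", "image": "dummyimagename",
         "securityContext": {"seLinuxOptions": {"type": "container_t"}}},
        {"name": "initcontainer02", "image": "dummyimagename",
         "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}}}],
    "containers": [{"name": "container01", "image": "dummyimagename"}]}

# Constructed violating spec (sample values): a type outside the allowed set on a
# container, plus an explicit user and role at pod level.
BAD_POD_SPEC = {
    "securityContext": {"seLinuxOptions": {"user": "system_u", "role": "system_r"}},
    "containers": [{"name": "container01", "image": "dummyimagename",
                    "securityContext": {"seLinuxOptions": {"type": "custom_t"}}}]}
```

`check_pod_spec(GOOD_POD_SPEC)` returns an empty list, while the violating spec yields three findings: the pod-level `user`, the pod-level `role`, and the container's non-allowed `type`.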

#### Resource Example
Below is a `Deployment` resource example where `securityContext.seLinuxOptions.type` is set to one of `container_init_t`, `container_t`, or `container_kvm_t` for both `initContainers` and `containers`.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seLinuxOptions:
            type: container_init_t
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seLinuxOptions:
            type: container_t
      containers:
      - name: container01
        image: dummyimagename
```

Below is a `Deployment` resource example where `securityContext.seLinuxOptions.type` is set to one of `container_init_t`, `container_t`, or `container_kvm_t` (or left unset, with only `level` given) and `securityContext.seLinuxOptions.user` and `securityContext.seLinuxOptions.role` are not defined for both `initContainers` and `containers`.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: selur-gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seLinuxOptions:
            type: container_t
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seLinuxOptions:
            level: "s0:c123,c456"
      containers:
      - name: container01
        image: dummyimagename
```

