container selinux policy support in ECS task definition

0

Hi,

We are using the Amazon Linux 2 AMI for our ECS machine. SELinux is enabled at the host level, but it is not clear how to implement SELinux policies at the container level in the task definition.

Steps followed to install container linux:

$ sudo yum update -y

$ sudo amazon-linux-extras enable selinux-ng

$ sudo amazon-linux-extras install selinux-ng

$ sudo yum install container-selinux

Can you confirm whether it is supported or not? If it is supported, please guide us on the steps to create an SELinux policy and apply it at the container level using the ECS task definition.

Thanks in advance.

1 Answer
0

Good Day @rePost-User-5512672,

Thanks for your query and apologies for the delay in sending a response to your query here. As I understand it, you want to apply policies at the container level with SELinux enabled at the host level (EC2 machine). Please correct me if I have misunderstood your query here.

As far as I can see, and as I was able to replicate in my own testing, this feature is already out and can be tracked via this closed issue [1]. Along with that, I used AL2 with SELinux Enforcing Mode [2] and went ahead directly with "yum install container-selinux", which helped me to customize and list all the policies.

Coming to the container level, it purely depends on what shell/OS base image you're using for your container. Accordingly, you can reach out to the Amazon Linux Development Team at [3] for further help and guidance.

I hope this information will help you to get started with your use case. Thanks for connecting with us at AWS re:Post.

References:

  1. https://github.com/amazonlinux/amazon-linux-2022/issues/56
  2. https://aws.amazon.com/marketplace/pp/prodview-yapnhwu5qgreo
  3. https://github.com/amazonlinux/amazon-linux-2022/issues
AWS
Support Engineer
answered 2 years ago
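
An added example, not part of the original question or answer: in an ECS task definition, per-container SELinux labels are passed through the container definition's `dockerSecurityOptions` list as `label:<key>:<value>` strings (EC2 launch type only, and the ECS agent must register with `ECS_SELINUX_CAPABLE=true`). The checker below reviews a task definition for missing, disabled or malformed labels; the task definition, container names and image names are constructed samples, and `container_t` is assumed to be the type installed by `container-selinux`.

```python
import json

# Field keys accepted in a "label:<key>:<value>" option; "disable" is handled apart.
LABEL_KEYS = {"user", "role", "type", "level", "filetype"}

# Constructed sample task definition (not from the original post).
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "selinux-demo",
  "requiresCompatibilities": ["EC2"],
  "containerDefinitions": [
    {"name": "web", "image": "example/web:1",
     "dockerSecurityOptions": ["label:type:container_t", "label:level:s0:c100,c200"]},
    {"name": "sidecar", "image": "example/sidecar:1",
     "dockerSecurityOptions": ["label:disable"]},
    {"name": "worker", "image": "example/worker:1",
     "dockerSecurityOptions": ["label:typ:container_t"]},
    {"name": "batch", "image": "example/batch:1"}
  ]
}
""")


def check_selinux_options(task_def):
    """Return (container, finding) pairs for SELinux label problems."""
    findings = []
    if "FARGATE" in task_def.get("requiresCompatibilities", []):
        findings.append(("*", "dockerSecurityOptions is not valid on Fargate"))
    for c in task_def.get("containerDefinitions", []):
        labels = [o for o in c.get("dockerSecurityOptions", [])
                  if o.startswith("label:")]
        if not labels:
            findings.append((c["name"], "no SELinux label set; daemon default applies"))
        for opt in labels:
            # Split only on the first colon so MCS levels like s0:c100,c200 survive.
            key, _, value = opt[len("label:"):].partition(":")
            if key == "disable" and not value:
                findings.append((c["name"], "SELinux confinement disabled"))
            elif key not in LABEL_KEYS or not value:
                findings.append((c["name"], f"malformed label option: {opt}"))
    return findings


if __name__ == "__main__":
    for name, finding in check_selinux_options(SAMPLE_TASK_DEF):
        print(f"{name}: {finding}")
```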
