--- title: >- SELinux security options should be properly configured for effective application security description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > OOTB Rules > SELinux security options should be properly configured for effective application security --- # SELinux security options should be properly configured for effective application security Classification:complianceFramework:cis-dockerControl:5.2 ## Description{% #description %} SELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora. ## Rationale{% #rationale %} SELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host. ## Audit{% #audit %} Run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` This command returns all the security options currently configured on the containers listed. ## Remediation{% #remediation %} If SELinux is applicable for your Linux OS, you should use it. 1. Set the SELinux State. 1. Set the SELinux Policy. 1. Create or import a SELinux policy template for Docker containers. 1. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled` 1. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash` ## Impact{% #impact %} Any restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers. ## Default value{% #default-value %} By default, no SELinux security options are applied on containers. ## References{% #references %} 1. [https://docs.docker.com/engine/security/security/#other-kernel-security-features](https://docs.docker.com/engine/security/security/#other-kernel-security-features) 1. [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration) 1. [http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/](http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/) 1. [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy) ## CIS controls{% #cis-controls %} Version 6 14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. Version 7 14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.