Why SELinux not support blocking rules? Can support it？

[yezhibin]

Hi, I configured the blocking rule but it does not work. I read the documents about kubernetes support matrix, so I want to know why kubearmor can not blocking rules when on kubernetes and host OS use SELinux(redhat <= 8.4). Some warning logs of kubearmor-selinux-containerd is printed as follows(I added caller informations on kubearmor log.):

2024-11-04T08:08:34.484Z        INFO    feeder/feeder.go:442    Supported LSMs: lockdown,capability,yama,selinux, call info: enforcer/runtimeEnforcer.go:173
2024-11-04T08:08:35.977Z        WARN    feeder/feeder.go:517    Unable to read the list of SELinux modules (exit status 1), call info: enforcer/SELinuxEnforcer.go:292
2024-11-04T08:08:35.977Z        WARN    feeder/feeder.go:517    Unable to install SELinux modules required by the KubeArmor host profile in centos7, call info: enforcer/SELinuxEnforcer.go:107
2024-11-04T08:08:37.078Z        WARN    feeder/feeder.go:517    Unable to read the list of SELinux modules (exit status 1), call info: enforcer/SELinuxEnforcer.go:292
2024-11-04T08:08:37.078Z        WARN    feeder/feeder.go:517    Unable to install SELinux modules required by the KubeArmor host profile in centos7, call info: enforcer/SELinuxEnforcer.go:107
2024-11-04T08:08:37.078Z        INFO    feeder/feeder.go:429    Disabled KubeArmor Enforcer since No LSM is enabled, call info: core/kubeArmor.go:549

Thank you very much.

[nyrahul]

Hey @yezhibin , #76 essentially investigated how to use SELinux for policy enforcement. However, we found multiple issues supporting SELinux and they are document in the issue. Hope it helps.

We would like to know if you have a better way of supporting SELinux.

[yezhibin]

Hello, I got it, thanks!