My Profile Photo

Sheogorath's Blog

Hetzner Fedora Cloud image with bad SELinux defaults

Today I learned that Hetzner’s Fedora cloud image, which allows to deploy a machine with Fedora on Hetzner cloud out of the box, is starting with SELinux in permissive mode, instead of enforcing. As a result SELinux doesn’t protect the system, just writes logs about this. From a provider perspective it might makes sense to disable SELinux so your own tooling to e.g. reset passwords or alike doesn’t break a user’s machine, but it defeats the purpose of SELinux. The good news is, it’s at least running in permissive mode, which means the system will be at least labelled correctly.

I came across this while I tested to set up a Kubernetes cluster with SELinux enabled, which worked flawless, even though I had to enable SELinux explicitly using setenforce 1 and adjusting /etc/selinux/config to make this change permanent.