
Sheogorath's Blog

Depending on the time of the day a friend, a colleague, a wise guy. The beauty of the world is its sense of humor to show humans their way by letting them search their own.


Hetzner Fedora Cloud image with bad SELinux defaults

Today I learned that Hetzner’s Fedora cloud image, which lets you deploy a machine with Fedora on Hetzner Cloud out of the box, starts with SELinux in permissive mode instead of enforcing. As a result, SELinux doesn’t protect the system; it just writes logs about this. From a provider perspective it might make sense to disable SELinux so your own tooling to e.g. reset passwords or the like doesn’t break a user’s machine, but it defeats the purpose of SELinux. The good news is that it’s at least running in permissive mode, which means the system will at least be labelled correctly.

I came across this while testing a Kubernetes cluster setup with SELinux enabled, which worked flawlessly, even though I had to enable SELinux explicitly using setenforce 1 and adjust /etc/selinux/config to make this change permanent.
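
The two steps above (setenforce 1 plus the /etc/selinux/config change) as a script that also reports drift between the runtime and boot-time modes. This is an added example, not code from the original post; the function names and the `--apply` switch are made up for illustration, and it assumes GNU sed as shipped on Fedora.

```shell
#!/bin/sh
# Added example: report and fix SELinux mode drift (runtime vs. boot config).
# CONFIG defaults to the path named in the post; override it for a dry run.
CONFIG="${CONFIG:-/etc/selinux/config}"

# Print the mode configured for boot (enforcing|permissive|disabled).
# Uses the last uncommented SELINUX= line; prints "unset" if there is none.
config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-unset}"
}

# Make the boot-time mode enforcing. Comments and SELINUXTYPE stay untouched.
set_config_enforcing() {
    if grep -q '^[[:space:]]*SELINUX=' "$1"; then
        sed -i 's/^[[:space:]]*SELINUX=.*/SELINUX=enforcing/' "$1"   # GNU sed -i
    else
        echo 'SELINUX=enforcing' >> "$1"
    fi
}

# Report both modes, then enforce at runtime and persistently (needs root).
enforce_selinux() {
    echo "runtime: $(getenforce)  configured: $(config_mode "$CONFIG")"
    # Denials logged while permissive show what enforcing mode would block.
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -ts boot 2>/dev/null | tail -n 20
    fi
    setenforce 1 && set_config_enforcing "$CONFIG"
    echo "runtime: $(getenforce)  configured: $(config_mode "$CONFIG")"
}

# Run only when asked, so the functions can be sourced and tested safely.
if [ "${1:-}" = "--apply" ]; then
    enforce_selinux
fi
```

Reviewing the AVC denials logged since boot before switching shows which workloads would have been blocked under enforcing mode.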