yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled

semgrep

Author

228

Download Count*

License

Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: selinux-separation-disabled
    patterns:
      - pattern-inside: |
          version: ...
          ...
          services:
            ...
      - pattern: |
          $SERVICE:
            ...
            image: ...
            ...
            security_opt:
              - ...
              - label:disable
    message: Service '$SERVICE' is explicitly disabling SELinux separation. This
      runs the service as an unconfined type. Remove 'label:disable' to prevent
      this.
    metadata:
      cwe:
        - "CWE-284: Improper Access Control"
      references:
        - https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/
        - https://docs.docker.com/engine/reference/run/#security-configuration
      category: security
      technology:
        - docker-compose
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - yaml
    severity: WARNING

Examples

selinux-separation-disabled.test.yaml

version: "3.9"
services:
  # ok: selinux-separation-disabled
  web:
    image: nginx:alpine
  # ok: selinux-separation-disabled
  worker:
    image: my-worker-image:latest
    security_opt:
      - label:user:testuser
  # ruleid: selinux-separation-disabled
  db:
    image: mysql
    security_opt:
      - label:disable

Short Link: https://sg.run/qryb