SELinux-enforced RHEL 9.4 nginx container's capabilities

Posted by dhina_apec
November 26, 2024 03:30AM
I'm running an OpenResty nginx container, which is running on top of an SELinux-enabled RHEL 9.4 host box.
What are the minimum capabilities the nginx container should have for the basic nginx + Lua functionality to work properly? Wanted to know if any functionality will break if I remove any of the capabilities.

These are the default capabilities added when I start the container:
cap_chown
cap_dac_override
cap_fowner
cap_fsetid
cap_kill
cap_net_bind_service
cap_setfcap
cap_setgid
cap_setpcap
cap_setuid
cap_sys_chroot

I can understand that cap_net_bind_service is required to bind any system port within the container.

Do we need the cap_setuid capability?
Re: SELinux-enforced RHEL 9.4 nginx container's capabilities
November 26, 2024 04:02AM
Note: Podman container started as a non-root user.
Re: SELinux-enforced RHEL 9.4 nginx container's capabilities
November 26, 2024 05:45AM
I could start the container with just these 2 capabilities: cap_net_bind_service and cap_setuid.

Will there be any problem by removing the other capabilities?
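An added example, not part of the thread above: a small POSIX shell helper that decodes the hexadecimal capability bitmask found on the CapEff line of /proc/<pid>/status into capability names and reports anything outside an allow-list. That is the check a practitioner would run to confirm what a container started with `podman run --cap-drop=all --cap-add=...` actually ended up holding, rather than trusting the command line. The constructed input `00000000800405fb` is the eleven-capability default set listed in the first post; `0000000000000480` is the two-capability set (cap_net_bind_service and cap_setuid) from the last post. The `podman` flags in the comments are real; the container name and pid are placeholders, and the helper itself is not from Podman or nginx.

```shell
#!/bin/sh
# Added example: decode a Linux capability mask (e.g. CapEff from
# /proc/<pid>/status) into names and check it against an allow-list.
# Not from the forum thread, Podman or nginx.

# Capability names indexed by bit number, as defined in <linux/capability.h>
# (bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore).
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module \
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot \
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease \
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"

# decode_caps HEXMASK
# Prints the capability names whose bit is set in HEXMASK, lowest bit first,
# space-separated on one line (empty line for an all-zero mask).
decode_caps() {
    mask=$((0x$1))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# unexpected_caps HEXMASK "allowed names..."
# Prints the capabilities present in HEXMASK that are NOT in the allow-list.
# An empty result means the process holds nothing beyond what was intended.
unexpected_caps() {
    allowed=" $2 "
    extra=""
    for name in $(decode_caps "$1"); do
        case "$allowed" in
            *" $name "*) ;;                 # permitted
            *) extra="$extra $name" ;;      # present but not on the allow-list
        esac
    done
    printf '%s\n' "${extra# }"
}

# caps_of_pid PID
# Reads the effective capability mask of a live process from /proc.
# Inside a container this is typically run as:  podman exec <ctr> sh -c '...'
# with PID 1 being the nginx master process.
caps_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Demonstration with constructed masks. The Podman invocation that produces
# the two-capability set is (flags are real, <ctr> is a placeholder):
#   podman run --cap-drop=all --cap-add=net_bind_service --cap-add=setuid --name <ctr> ...
if [ -z "${CAP_DEMO_QUIET:-}" ]; then
    echo "default set : $(decode_caps 00000000800405fb)"
    echo "minimal set : $(decode_caps 0000000000000480)"
    echo "beyond allow-list in default set: $(unexpected_caps 00000000800405fb 'cap_net_bind_service cap_setuid')"
    # Live check of this shell's own effective set, when /proc is available.
    if [ -r /proc/self/status ]; then
        echo "this shell  : $(decode_caps "$(caps_of_pid self)")"
    fi
fi
```

To audit a running container, run `podman exec <ctr> grep Cap /proc/1/status` and feed the CapEff value to `decode_caps`; `unexpected_caps` with the intended allow-list then gives a one-line pass/fail that can go into a CI step or a host check.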