Version 1.16. This version is no longer supported. For information about how to upgrade to version 1.28, see Upgrade clusters in the latest documentation. For more information about supported and unsupported versions, see the Versioning page in the latest documentation.
This page shows you how to secure your containers by enabling SELinux. SELinux
is supported for RHEL and CentOS. If your host machines are running RHEL or
CentOS and you want to enable SELinux for your cluster, you must enable SELinux
on all of your host machines. Starting with Distributed Cloud release 1.9.0, you
can enable or disable SELinux before or after cluster creation or cluster
upgrades. When SELinux is enabled on the host, it is enabled for the container
runtime.
Check if SELinux is enabled
SELinux is enabled on RHEL and CentOS by default. To verify, run:
$ getenforce
The command returns either Enforcing, Permissive, or Disabled. If the
command returns Enforcing, then you can proceed with upgrading or creating
your clusters.
Enable SELinux
If the getenforce command returns Permissive, you can switch to Enforcing
mode using the setenforce command. Toggling between Permissive and
Enforcing mode using setenforce doesn't require a system reboot. However, if
you want the changes to be persistent across reboots, you must update the
/etc/selinux/config file.
To switch to Enforcing mode, run:
$ sudo setenforce 1  # temporary
$ sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config  # persistent - after reboot
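The following check is an added example, not part of the original documentation. It compares the runtime mode reported by getenforce with the persistent setting in /etc/selinux/config, so a host where only setenforce was run (and Enforcing would be lost at the next reboot) is flagged. The function names and verdict labels are hypothetical, and the sample config is constructed.

```shell
#!/usr/bin/env bash
# Added example: detect SELinux drift between runtime mode and the on-disk config.

# Print the persistent mode (lowercase) from the active SELINUX= line of the
# config file in $1 (the first one if several), or "unset" when it is missing.
persistent_mode() {
  local cfg="${1:-/etc/selinux/config}" mode
  # Comment lines and SELINUXTYPE= do not match this anchored pattern.
  mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
           "$cfg" 2>/dev/null | head -n 1 | tr '[:upper:]' '[:lower:]') || true
  printf '%s\n' "${mode:-unset}"
}

# Classify a host. $1 = runtime mode as printed by getenforce, $2 = config path.
#   ok             enforcing now and after reboot
#   drift          enforcing now, but the config undoes it at the next reboot
#   pending        config says enforcing, runtime is not enforcing yet
#   not-enforcing  neither runtime nor config is enforcing
selinux_verdict() {
  local runtime persistent
  runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  persistent=$(persistent_mode "$2")
  case "$runtime/$persistent" in
    enforcing/enforcing) echo ok ;;
    enforcing/*)         echo drift ;;
    */enforcing)         echo pending ;;
    *)                   echo not-enforcing ;;
  esac
}

# Constructed sample: a host where only "setenforce 1" was run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF
echo "sample host: $(selinux_verdict Enforcing "$sample")"
rm -f "$sample"

# On a real host, compare getenforce with the on-disk config.
if command -v getenforce >/dev/null 2>&1; then
  echo "this host: $(selinux_verdict "$(getenforce)" /etc/selinux/config)"
fi
```

Run it on every host machine in the cluster; any verdict other than ok means that host does not yet satisfy the all-hosts requirement across reboots.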
If SELinux is Disabled, we recommend that you first enable it in
Permissive mode and reboot the system to verify that the system boots
successfully. If there are no SELinux errors, then you can safely switch SELinux
to Enforcing mode.
1. Optional: Enable SELinux in Permissive mode:
$ sudo sed -i 's/SELINUX=disabled/SELINUX=permissive/g' /etc/selinux/config
$ sudo reboot
2. If the system reboots successfully with no SELinux errors, then you can
enable Enforcing mode:
$ sudo sed -i 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config
$ sudo reboot
Once SELinux is enabled in Enforcing mode, SELinux is enabled for all
processes on the host, including the container runtime.
Last updated 2025-09-04 UTC.