Rule Information
Tags
docker-composecomposeselinuxsecuritymacmandatory-access-controlisolationhardeningrhel
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset docker-compose/COMPOSE-SEC-012 --project .1
2
3
4
5
6
7
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
About This Rule
Understanding the vulnerability and how it is detected
This rule detects docker-compose services that explicitly disable SELinux separation by setting `security_opt: - label:disable`. SELinux provides mandatory access control (MAC) that acts as an additional security layer beyond traditional discretionary access control, significantly limiting the impact of container compromises.
Security Implications
Potential attack scenarios if this vulnerability is exploited
1
Container Escape Prevention
SELinux confines containers even if they run as root, preventing access to host resources.
2
Lateral Movement Blocking
Prevents compromised containers from accessing other containers' files and networks.
3
Host Protection
Restricts container processes from interacting with the host system, even with root privileges.
4
Zero-Day Mitigation
Provides protection against unknown vulnerabilities by enforcing mandatory access controls. Real-world impact without SELinux: ```bash # Container running as root with label:disable # Attacker exploits vulnerability to get shell # Without SELinux, can access host filesystem ls /var/lib/docker/volumes # Can see other containers' data cat /etc/shadow # Can read host files # With SELinux, all of above would be denied: # Permission denied (SELinux MAC blocks access) ```
How to Fix
Recommended remediation steps
- 1Review your Dockerfile to address the selinux separation disabled issue
- 2Follow Docker official best practices for image building
- 3Use docker build --check to validate Dockerfile syntax and best practices
References
External resources and documentation
Similar Rules
Explore related security rules for Docker Compose
LOW
Container Filesystem is Writable
Service has writable root filesystem. Consider making it read-only for better security.
MEDIUM
Using Host IPC Mode
Service uses host IPC namespace. Container shares inter-process communication with host.
MEDIUM
Missing no-new-privileges Security Option
Service does not have no-new-privileges security option. Without this, processes inside the container can gain additional privileges via setuid binaries or capability escalation.
Frequently Asked Questions
Common questions about SELinux Separation Disabled
Service has label:disable in security_opt, which disables SELinux mandatory access control. This removes an important defense-in-depth layer for container isolation.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.
New feature
Get these findings posted directly on your GitHub pull requests
The SELinux Separation Disabled rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.