# COMPOSE-SEC-012: SELinux Separation Disabled

> **Severity:** MEDIUM | **CWE:** CWE-732

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-012
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-012 --project .`

## Description

This rule detects docker-compose services that explicitly disable SELinux separation
by setting `security_opt: - label:disable`. SELinux provides mandatory access control
(MAC) that acts as an additional security layer beyond traditional discretionary access
control, significantly limiting the impact of container compromises.

## Vulnerable Code

```yaml
version: '3'
services:
  web:
    image: nginx
    security_opt:
      - label:disable  # CRITICAL: Disables SELinux protection
    # Container can now bypass SELinux MAC controls
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_has


@compose_rule(
    id="COMPOSE-SEC-012",
    name="SELinux Separation Disabled",
    severity="MEDIUM",
    cwe="CWE-732",
    category="security",
    tags="docker-compose,compose,selinux,security,mac,mandatory-access-control,isolation,hardening,rhel",
    message="Service has 'label:disable' in security_opt, which disables SELinux mandatory "
            "access control. This removes a critical security layer and increases the impact "
            "of container compromises. Remove label:disable or use custom SELinux labels instead."
)
def selinux_disabled():
    """
    Detects services that explicitly disable SELinux separation.

    Matches services whose security_opt list contains the substring
    `label:disable` (the spelling used in docker-compose.yml). Docker also
    accepts the `label=disable` spelling; this substring check does not
    cover it, so a second matcher would be needed to flag that variant.
    """
    # Substring match over the service's security_opt entries.
    return service_has(
        key="security_opt",
        contains="label:disable"
    )
```

## How to Fix

- Review your docker-compose.yml and remove `label:disable` (or the equivalent `label=disable`) from the service's `security_opt`; if the service genuinely needs different confinement, set a custom SELinux label instead of disabling labeling altogether
- Follow Docker's official best practices; in particular, if separation was disabled to make a bind mount readable, use the `:z` or `:Z` mount option so Docker relabels the mounted content rather than turning SELinux off for the whole container
- Use `docker compose config` to validate the compose file, and `docker build --check` to lint the Dockerfiles the services are built from
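The following is an added, stand-alone example and is not Code Pathfinder's SDK code: it checks a parsed compose document for the pattern this rule flags and applies the fix described above. It accepts both the `label:disable` and `label=disable` spellings (the SDK rule's substring match above covers only the first), leaves custom labels such as `label:level:...` alone, and returns a remediated copy with the offending entry removed. The compose documents are constructed samples in the structure `yaml.safe_load()` returns for a docker-compose.yml, so no YAML library is needed to run it.

```python
# Added example (not Code Pathfinder's SDK): detect and remediate
# COMPOSE-SEC-012 on a parsed docker-compose.yml document.
import re
from copy import deepcopy

# Both spellings Docker accepts in security_opt; whitespace around the
# separator is tolerated so "label : disable" is not missed.
_LABEL_DISABLE = re.compile(r"^\s*label\s*[:=]\s*disable\s*$", re.IGNORECASE)


def is_label_disable(entry):
    """True if a single security_opt entry disables SELinux separation."""
    return isinstance(entry, str) and _LABEL_DISABLE.match(entry) is not None


def _as_option_list(service):
    """Return a service's security_opt as a list, or None if absent/malformed."""
    if not isinstance(service, dict):
        return None
    opts = service.get("security_opt")
    if isinstance(opts, str):      # a bare scalar is still one option
        return [opts]
    return opts if isinstance(opts, list) else None


def find_selinux_disabled(compose):
    """Return the names of services whose security_opt disables SELinux labeling."""
    findings = []
    for name, service in (compose.get("services") or {}).items():
        opts = _as_option_list(service)
        if opts and any(is_label_disable(o) for o in opts):
            findings.append(name)
    return findings


def remediate(compose):
    """Return a copy with label:disable removed; an emptied security_opt is dropped."""
    fixed = deepcopy(compose)
    for service in (fixed.get("services") or {}).values():
        opts = _as_option_list(service)
        if opts is None:
            continue
        kept = [o for o in opts if not is_label_disable(o)]
        if kept:
            service["security_opt"] = kept
        else:
            del service["security_opt"]
    return fixed


# Constructed sample: "web" uses the '=' spelling, "api" carries a custom
# label (allowed), and "db" uses a ':Z' relabelled bind mount, which is the
# usual fix when label:disable was added only to make a host directory readable.
SAMPLE_COMPOSE = {
    "version": "3",
    "services": {
        "web": {"image": "nginx", "security_opt": ["label=disable"]},
        "api": {
            "image": "myapp",
            "security_opt": ["label:level:s0:c100,c200", "no-new-privileges:true"],
        },
        "db": {
            "image": "postgres",
            "volumes": ["./data:/var/lib/postgresql/data:Z"],
        },
    },
}

if __name__ == "__main__":
    print("flagged:", find_selinux_disabled(SAMPLE_COMPOSE))                # ['web']
    print("after fix:", find_selinux_disabled(remediate(SAMPLE_COMPOSE)))  # []
```

`remediate` deliberately works on a deep copy so the original document can be diffed against the fixed one in a review; a real fix should then be applied to the source file with comments preserved, which a dict round-trip cannot do.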

## Security Implications

- **Container Escape Prevention:** SELinux confines containers even if they run as root, preventing access to host resources.
- **Lateral Movement Blocking:** Prevents compromised containers from accessing other containers' files and networks.
- **Host Protection:** Restricts container processes from interacting with the host system, even with root privileges.
- **Zero-Day Mitigation:** Provides protection against unknown vulnerabilities by enforcing mandatory access controls.

Real-world impact without SELinux:

```bash
# Container running as root with label:disable
# Attacker exploits a vulnerability to get a shell
# Without SELinux, the shell can reach the host filesystem:
ls /var/lib/docker/volumes  # Can see other containers' data
cat /etc/shadow             # Can read host files

# With SELinux enforcing, both of the above would be denied:
# Permission denied (SELinux MAC blocks access)
```

## FAQ

**Q: Why does this rule flag selinux separation disabled?**

Service has label:disable in security_opt, which disables SELinux mandatory access control. This removes an important defense-in-depth layer for container isolation.

**Q: How do I fix this?**

Remove `label:disable` from the service's `security_opt` in docker-compose.yml, as described under How to Fix above. If the service needs different confinement, replace it with a custom SELinux label, or relabel bind mounts with `:z`/`:Z`, rather than disabling SELinux separation for the container.

## References

- [CWE-732: Incorrect Permission Assignment for Critical Resource](https://cwe.mitre.org/data/definitions/732.html)
- [Red Hat: What is SELinux?](https://www.redhat.com/en/topics/linux/what-is-selinux)
- [Docker docs: Configure the SELinux label for bind mounts](https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label)
- [SELinux Project](https://selinuxproject.org/)
- [OWASP A05:2021 - Security Misconfiguration](https://owasp.org/www-project-top-ten/)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-012
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
