Disabling SELinux is ill-advised #2

Open
dawud opened this issue Apr 7, 2021 · 2 comments

dawud commented Apr 7, 2021

In the documentation it is stated that:

The SAP workload requires some specific settings on all worker nodes:
Disabling SELinux

SELinux is a major protection mechanism and ensures isolation between processes, which is critical in containerised platforms.

Instead of disabling SELinux, an appropriate solution should be found to allow the process in the container to operate correctly.


wrabcak commented Apr 8, 2021

Hi All,
I agree with the issue definition.

Because SAP software will be in containers, SELinux sees a container as an atomic unit and there should not be any reason to disable SELinux to avoid SAP permission denials.

Is there any list of collected SELinux issues? I would like to help here to address them to make the project work with SELinux.

Thanks,
Lukas.


miminar commented Apr 16, 2021

Just my 2 cents: SAP Data Intelligence (SDI) comprises dozens of containerized components; one of them is a small HANA instance running in a pod. The SDI has been validated on OpenShift 4 with all the nodes in enforcing mode since the beginning.
Some of the pods (including the HANA pod) run unconfined (spc_t). Confining them is a topic for future discussions.
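
One way to see which processes on a node run in the `spc_t` domain mentioned in the last comment, and how they compare with confined `container_t` processes. This is an added example, not part of the issue thread or the project; the `ps` sample and process names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit SELinux domains from `ps -eo label,pid,comm` output (LABEL PID COMMAND).
# A context is user:role:type:level; the level may itself contain ':' and ','
# (MCS categories such as s0:c12,c345), so only the third field is the domain.

# Constructed sample, not captured from a real node.
sample_ps() {
cat <<'EOF'
LABEL                                     PID COMMAND
system_u:system_r:container_t:s0:c12,c345 2101 app-a
system_u:system_r:container_t:s0:c67,c890 2188 app-b
system_u:system_r:spc_t:s0                2304 hana-proc
system_u:system_r:container_runtime_t:s0  1410 crio
EOF
}

# Print "pid command" for each process in the given domain (default: spc_t).
# Header and malformed lines are skipped by requiring a numeric PID column.
procs_in_domain() {
    awk -v want="${1:-spc_t}" '
        $2 ~ /^[0-9]+$/ {
            split($1, ctx, ":")
            if (ctx[3] == want) print $2, $3
        }'
}

# Print "count domain" per SELinux domain, most common first.
domain_summary() {
    awk '
        $2 ~ /^[0-9]+$/ { split($1, ctx, ":"); n[ctx[3]]++ }
        END { for (t in n) print n[t], t }' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample. On a live node, pipe real output instead:
#   ps -eo label,pid,comm | procs_in_domain spc_t
echo "Processes in spc_t:"
sample_ps | procs_in_domain spc_t
echo "Domain summary:"
sample_ps | domain_summary
```

The node-wide mode is a separate check: `getenforce` prints `Enforcing`, `Permissive` or `Disabled`.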
