A user’s attempts to set the system time from inside a Docker container are unsuccessful.
Could this be blocking this operation?
SELinux
SELinux (Security-Enhanced Linux) could block a user's attempts to set the system time from inside a Docker container. SELinux provides mandatory access control policies, and those policies can restrict system operations, including actions taken from within a container.
SELinux (Security-Enhanced Linux) is a security mechanism that enforces access control policies. However, SELinux is not responsible for blocking the ability to set the system time from inside a Docker container. The actual reason for this restriction lies in Docker’s default isolation mechanisms and Linux capabilities.
* Docker’s Security Model:
• Docker containers operate in a sandboxed environment and lack access to host-level kernel features, including system-wide time changes.
• This restriction is in place to prevent containers from interfering with the host system or other containers.
Setting system time inside a Docker container is controlled by Linux capabilities, not SELinux. Specifically, it requires the CAP_SYS_TIME capability. By default, Docker drops most capabilities, including CAP_SYS_TIME, for security reasons. This means that containers cannot modify the system time unless explicitly granted this capability. While SELinux can restrict various container operations, the ability to set system time is specifically controlled by Linux capabilities, not SELinux policies.
• Setting system time requires privileged access because system time is a kernel-level setting.
• Docker containers run with limited permissions by default, so a non-privileged container cannot change the system time.
• SELinux does not directly block this operation; rather, it is restricted due to the container's unprivileged nature.
• To change the system time inside a container, you would need to run it with --privileged mode, which grants elevated permissions.
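As an added example (not part of the original answer), this POSIX shell snippet decodes the CapEff (effective capability) mask the kernel reports in /proc/<pid>/status and tells whether CAP_SYS_TIME, bit 25 in <linux/capability.h>, is held; the two sample masks are constructed values for Docker's default capability set and for the same set after `docker run --cap-add SYS_TIME`, the least-privilege alternative to --privileged.

```shell
#!/bin/sh
# Added example, not from the original answer: decode the CapEff (effective
# capability) mask the kernel exposes in /proc/<pid>/status and report whether
# CAP_SYS_TIME is held. Bit numbers come from <linux/capability.h>.
CAP_SYS_TIME=25

# cap_mask_has MASK_HEX BIT: succeed if capability bit BIT is set in the mask.
cap_mask_has() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# sys_time_status MASK_HEX: print "present" or "dropped" for CAP_SYS_TIME.
sys_time_status() {
    if cap_mask_has "$1" "$CAP_SYS_TIME"; then
        echo present
    else
        echo dropped
    fi
}

# report_self: decode the calling process's own effective set (Linux only).
# Run inside a container to see why `date -s` or `hwclock` fails there.
report_self() {
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    echo "CapEff=$mask CAP_SYS_TIME=$(sys_time_status "$mask")"
}

# Constructed sample masks: the capability set Docker grants by default
# (CAP_SYS_TIME absent), and the same set after `docker run --cap-add SYS_TIME`.
DOCKER_DEFAULT_CAPS=00000000a80425fb
DOCKER_WITH_SYS_TIME=00000000aa0425fb

if [ -r /proc/self/status ]; then
    report_self
fi
```

On a host shell run as root the report shows CAP_SYS_TIME present; inside a default container it shows dropped, which is the cause the answer above describes.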