docs: mention SELinux in README

Signed-off-by: Ben Cressey <bcressey@amazon.com>
bottlerocket-os · Feb 21, 2020 · 4acc181 · 4acc181
1 parent dea4da6
commit 4acc181
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -320,6 +320,9 @@ Only a few locations are made writable:
 * some through [tmpfs mounts](workspaces/preinit/laika), used for configuration, that don't persist over a restart.
 * one [persistent location](packages/release/var-lib-bottlerocket.mount) for the data store.
 
+We enable [SELinux](https://selinuxproject.org/) in enforcing mode.
+This protects the data store from tampering, and blocks modification of sensitive files such as container archives.
+
 Almost all first-party components are written in [Rust](https://www.rust-lang.org/).
 Rust eliminates some classes of memory safety issues, and encourages design patterns that help security.