diff --git a/specs/enable-selinux.adoc b/specs/enable-selinux.adoc new file mode 100644 index 0000000..4143dad --- /dev/null +++ b/specs/enable-selinux.adoc 
@@ -0,0 +1,199 @@ += Enable SELinux for tendrl + +SELinux should be enabled in tendrl for the system which controled by selinux. + +== Problem description + +* Policy violation:- +Currently tendrl needs selinux in permissive mode. A SELinux-enabled system that +runs in permissive mode is not protected by SELinux. if tendrl needs selinux to be +disabled in an already selinux enforced system, it may break the security rule +of the system. + +* Privilege escalation issue:- +Disabling selinux in a system, can lead to privilege escalation issue. For example, +A normal user with no specific privileges on the system who is trying to interact +with one of the root-running processes that can suddenly misbehave and give +the user root access or allows the user to launch root access commands. + +* Service are not belongs to any proper selinux domain:- +Currently tendrl services like gluster-integration, node-agent, api, +monitoring-integration services are running as unconfined services. +ex1: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-node-age +ex2: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-api +Unconfined Service issue:- This will lead the 'privileges of the process' +being attacked easily. Tendrl processes that run as root are prone to +be attacked to get root access on the system. + +* Unclear or undefined context for files and directory:- +Currently tendrl does not have enough confined rules for the files and +directories being used by its process. Contexts for files are unclear in tendrl. +By having proper contexts for the files and directories used by tendrl, +the resources can have restricted gated privilege. + +* Incorrect or missing lable:- +Continues use of permissive mode might causes the users to label files +incorrectly. Any file or files created when selinux in permissive/disable mode, +will not be labeled correctly or will not be labled at all. 
+This behavior could create problems when its changed to enforcing mode. +Also there are few applications that know about SELinux status can change their +behavior when selinux is in permissive mode. + +== Use Cases + +* Enable SELinux security system for tendrl +* Retain the existing security measures in an already enabled SELinux system + +== Proposed change + +* Running tendrl related services in a Specific Security Context + Every tendrl process must be set to work according to its personal security + environment. Every tendrl process should have its own well defined + selinux policy. It should be given a definite determination for tendrl process + of which any user is permitted to work with, which products or application + can be accessed and what can be run. + +* Marking only the required type as permissive + In addition to have SELinux policies for tendrl + Instead of allowing a complete system to "permissive", It would be better + to temporarily allow/configure a particular domain to "permissive" + in addition to have individual selinux policies for tendrl processes. + Because, in an emerging application, it is impossible to know all the possible + avc errors beforehand and add all the required selinux rules. + Over the release iterations and testing various test cases additional selinux + rules can be added into the existing policy to make the system + compleatly enforced. + + +=== Alternatives + +None + +=== Data model impact: + +None + +=== Impacted Modules: + +==== Tendrl API impact: + +SELinux policy files will be added for tendrl-api module. +These set of policies will be used at tendrl server. 
+ +Sample Policy: +policy_module(tendrl, 1.0.0) + +######################################## +# +# Declarations +# + +type tendrl_t; +type tendrl_exec_t; +init_daemon_domain(tendrl_t, tendrl_exec_t) + +type tendrl_conf_t; +files_config_file(tendrl_conf_t) + +type tendrl_log_t; +logging_log_file(tendrl_log_t) + +type tendrl_var_lib_t; +files_type(tendrl_var_lib_t) + +type tendrl_var_run_t; +files_pid_file(tendrl_var_run_t) + +type tendrl_unit_file_t; +systemd_unit_file(tendrl_unit_file_t) + +type tendrl_custom_port_t; +corenet_port(tendrl_custom_port_t) + +permissive tendrl_t; + +######################################## +# +# tendrl local policy +# +allow tendrl_t self:capability { sys_rawio sys_admin net_admin }; +allow tendrl_t self:fifo_file rw_fifo_file_perms; +allow tendrl_t self:unix_stream_socket create_stream_socket_perms; +allow tendrl_t self:tcp_socket { accept listen }; +- - - + +==== Tendrl commons impact: + +SELinux policy files will be added to tendrl-commons module. +This will be used for every nodes participating in the tendrl. 
+ +Sample tendrl AVCs: +type=AVC msg=audit(1502404324.889:1973): avc: denied { connectto } for +pid=22078 comm="gluster" path="/run/glusterd.socket" +scontext=system_u:system_r:collectd_t:s0 +tcontext=system_u:system_r:glusterd_t:s0 tclass=unix_stream_socket + +type=AVC msg=audit(1502404325.445:1975): avc: denied { read write } for +pid=22129 comm="lvm" name="lvm" dev="tmpfs" ino=12517 +scontext=system_u:system_r:collectd_t:s0 +tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir + +type=AVC msg=audit(1502404325.447:1976): avc: denied { add_name } for +pid=22129 comm="lvm" name="V_cl_dhcp43-71:aux" +scontext=system_u:system_r:collectd_t:s0 +tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir + +type=AVC msg=audit(1502404265.426:1967): avc: denied { read } for +pid=21307 comm="lvm" name="vda2" dev="devtmpfs" ino=8415 +scontext=system_u:system_r:collectd_t:s0 +tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file + +The above AVC can be read as: +The Trace reporting time: Fri Aug 11 04:01:05 IST 2017, process with PID 21307 +tried to read a file called vda2 on a file system hosted on the devtmpfs device. +This file has inode number 8415, and has the security context +system_u:object_r:fixed_disk_device_t assigned to it. +The Trace process itself is running with the system_u:system_r:collectd_t context. + +=== Performance impact: + +None + +=== Other deployer impact: + +None + +=== Developer impact: + +None + +== Implementation: + + +=== Assignee(s): + +tjeyasing@redhat.com + +If more than one person is working on the implementation, please designate the +primary author and contact. + +Primary assignee: + tjeyasin + +=== Work Items: +https://github.com/Tendrl/node-agent/issues/604 + + +== Dependencies: + +None + +== Testing: + +== Documentation impact: + +None + +== References: + +None
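Review bot: the sample policy in the "Tendrl API impact" section declares `permissive tendrl_t;`, which leaves the tendrl domain unenforced even after the module is loaded, so the "Policy violation" and "Unconfined Service" problems described above are not actually closed by this policy as written; since the "Proposed change" section frames per-domain permissive mode as a temporary measure, the spec should state the exit criterion (which release, or which AVC-free test cycle) for dropping that line, and the "Testing" section, currently empty, should describe running the test cases in enforcing mode with `permissive tendrl_t;` removed. Two related points in the same region: the rule `allow tendrl_t self:capability { sys_rawio sys_admin net_admin };` grants capabilities that are close to root-equivalent (CAP_SYS_ADMIN in particular), so each should be tied to a specific recorded AVC rather than granted up front, and `type tendrl_custom_port_t;` is declared without any port number being bound to it, so the spec should say which port it labels and how that labeling is applied. Finally, the sample AVCs in the "Tendrl commons impact" section all have `scontext=system_u:system_r:collectd_t:s0`, i.e. they are denials against the collectd domain and would not be covered by rules written for `tendrl_t`; the spec should say whether the monitoring plugins are expected to stay in `collectd_t` (in which case the fix belongs in a collectd-side module) or be transitioned into a tendrl domain.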