From 9dd2bd34456407acf5a08f9c988863bb8c58c3f3 Mon Sep 17 00:00:00 2001 From: Timothy Asir J Date: Fri, 18 Aug 2017 16:55:32 +0530 Subject: [PATCH 1/3] Run tendrl in SELinux enabled tendrl-bug-id: #241 Signed-off-by: Timothy Asir J --- specs/enable-selinux.adoc | 197 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 197 insertions(+) create mode 100644 specs/enable-selinux.adoc diff --git a/specs/enable-selinux.adoc b/specs/enable-selinux.adoc new file mode 100644 index 0000000..eda572f --- /dev/null +++ b/specs/enable-selinux.adoc 
@@ -0,0 +1,197 @@ += Enable SELinux for tendrl + +SELinux should be enabled in tendrl for the system which controled by selinux. + +== Problem description + +Tendrl could be installed in a system where SELinux could be already enforced. +Currenlty Tendrl requires selinux to be in disable state. If tendrl disables +the selinux which may brack the existing policy(security concerns) of the system +which runs selinux enabled. + +A SELinux-enabled system that runs in permissive mode is not protected by SELinux. +which will leads to privilege escalation issue. This allows the system +to be attacked if it does not managed by Selinux completely. A normal user +with no specific privileges on the system who is trying to interact with one of +the root-running processes that can suddenly misbehave and give the user +root access or allows the user to launch root access commands. + +Currently tendrl services like gluster-integration, node-agent, api, +monitoring-integration services are running as unconfined services. +ex1: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-node-age +ex2: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-api +Unconfined Service issue:- This will leads the 'privileges of the process' +being attacked easily. Tendrl process that run as root are prone to be attacked +to get root access on the system. + +Tendrl services does not belong to any selinux domain. Proper selinux domain should +be assigned to every tendrl services to identify what is allowed for this service. + +Currently tendrl does not have enough confined rules for files being used by +its process. Contexts for files used by tendrl should also be specified clearly. +So that the resource can be used with the restricted gated privilege. +The file or directory created in a directory should also acquire same context. + +When the system runs SELinux in permissive mode, users are able to +label files incorrectly. 
Files created with SELinux in permissive mode are not +labeled correctly while files created while SELinux is disabled are not labeled +at all. This behavior causes problems when changing to enforcing mode. +Also there are some application that know about SELinux status can change their +behavior when selinux is in permissive mode. + +== Use Cases + +* Enable SELinux security system for tendrl +* Retain the existing security measures in an already enabled SELinux system + +== Proposed change + +* Running a tendrl related services in a Specific Security Context + Tendrl can have a selinux policies for all tendrl related services + Each tendrl proces can be assigned to an unique security context which, + just like with the user under which the process runs, helps Linux in + identifying what the application should and shouldn't be allowed to do. + +* Marking only the required type as permissive + In addition to have SELinux policies for tendrl, it would better to mark + only the required type as permissive initially; instead of making the + entire system permissive, tendrl could make only the purticular domain as permissive. + Over the release iterations, testing various test cases, SELinux can be + compleatly enforced. Because it's inevitable to completely block any new + avc errors which might come on any new updates to tendrl. + +=== Alternatives + +None + +=== Data model impact: + +None + +=== Impacted Modules: + +==== Tendrl API impact: + +SELinux policy files will be added in to this tendrl-api module. +This set of policies will be used at tendrl server. 
+ +Sample Policy: +policy_module(tendrl, 1.0.0) + +######################################## +# +# Declarations +# + +type tendrl_t; +type tendrl_exec_t; +init_daemon_domain(tendrl_t, tendrl_exec_t) + +type tendrl_conf_t; +files_config_file(tendrl_conf_t) + +type tendrl_log_t; +logging_log_file(tendrl_log_t) + +type tendrl_var_lib_t; +files_type(tendrl_var_lib_t) + +type tendrl_var_run_t; +files_pid_file(tendrl_var_run_t) + +type tendrl_unit_file_t; +systemd_unit_file(tendrl_unit_file_t) + +type tendrl_custom_port_t; +corenet_port(tendrl_custom_port_t) + +permissive tendrl_t; + +######################################## +# +# tendrl local policy +# +allow tendrl_t self:capability { sys_rawio sys_admin net_admin }; +allow tendrl_t self:fifo_file rw_fifo_file_perms; +allow tendrl_t self:unix_stream_socket create_stream_socket_perms; +allow tendrl_t self:tcp_socket { accept listen }; +- - - +optional_policy(` +          unconfined_domain(tendrl_t) +') + +==== Tendrl commons impact: + +SELinux policy files will be added in to this tendrl-commons module. +This will be used for every nodes participating in the tendrl. 
+ +Sample tendrl AVCs: +type=AVC msg=audit(1502404324.889:1973): avc: denied { connectto } for +pid=22078 comm="gluster" path="/run/glusterd.socket" +scontext=system_u:system_r:collectd_t:s0 +tcontext=system_u:system_r:glusterd_t:s0 tclass=unix_stream_socket + +type=AVC msg=audit(1502404325.445:1975): avc: denied { read write } for +pid=22129 comm="lvm" name="lvm" dev="tmpfs" ino=12517 +scontext=system_u:system_r:collectd_t:s0 +tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir + +type=AVC msg=audit(1502404325.447:1976): avc: denied { add_name } for +pid=22129 comm="lvm" name="V_cl_dhcp43-71:aux" +scontext=system_u:system_r:collectd_t:s0 +tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir + +type=AVC msg=audit(1502404265.426:1967): avc: denied { read } for +pid=21307 comm="lvm" name="vda2" dev="devtmpfs" ino=8415 +scontext=system_u:system_r:collectd_t:s0 +tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file + +The above AVC can be read as: +The Trace reporting time: Fri Aug 11 04:01:05 IST 2017, process with PID 21307 +tried to read a file called vda2 on a file system hosted on the devtmpfs device. +This file has inode number 8415, and has the security context +system_u:object_r:fixed_disk_device_t assigned to it. +The Trace process itself is running with the system_u:system_r:collectd_t context. + +=== Performance impact: + +None + +=== Other deployer impact: + +None + +=== Developer impact: + +None + +== Implementation: + + +=== Assignee(s): + +tjeyasing@redhat.com + +If more than one person is working on the implementation, please designate the +primary author and contact. + +Primary assignee: + tjeyasin + +=== Work Items: + + + +== Dependencies: + +None + +== Testing: + +== Documentation impact: + +The apis mentioned above need to be documented. + +== References: + +None From b8745d911132d1b5894e86e5fcc9e2899b1cb3ac Mon Sep 17 00:00:00 2001 
From: Timothy Asir J Date: Mon, 21 Aug 2017 16:57:25 +0530 Subject: [PATCH 2/3] Security: Run tendrl in SELinux enabled tendrl-bug-id: #241 Signed-off-by: Timothy Asir J --- specs/enable-selinux.adoc | 91 +++++++++++++++++++++------------------ 1 file changed, 48 insertions(+), 43 deletions(-) diff --git a/specs/enable-selinux.adoc b/specs/enable-selinux.adoc index eda572f..b3b1d37 100644 --- a/specs/enable-selinux.adoc +++ b/specs/enable-selinux.adoc 
@@ -4,39 +4,39 @@ SELinux should be enabled in tendrl for the system which controled by selinux. == Problem description -Tendrl could be installed in a system where SELinux could be already enforced. -Currenlty Tendrl requires selinux to be in disable state. If tendrl disables -the selinux which may brack the existing policy(security concerns) of the system -which runs selinux enabled. - -A SELinux-enabled system that runs in permissive mode is not protected by SELinux. -which will leads to privilege escalation issue. This allows the system -to be attacked if it does not managed by Selinux completely. A normal user -with no specific privileges on the system who is trying to interact with one of -the root-running processes that can suddenly misbehave and give the user -root access or allows the user to launch root access commands. - +* Policy violation:- +Currently tendrl needs selinux in permissive mode. A SELinux-enabled system that +runs in permissive mode is not protected by SELinux. if tendrl needs selinux to be +disabled in an already selinux enforced system, it may break the security rule +of the system. + +* Privilege escalation issue:- +Disabling selinux in a system, can lead to privilege escalation issue. For example, +A normal user with no specific privileges on the system who is trying to interact +with one of the root-running processes that can suddenly misbehave and give +the user root access or allows the user to launch root access commands. + +* Service are not belongs to any proper selinux domain:- Currently tendrl services like gluster-integration, node-agent, api, monitoring-integration services are running as unconfined services. ex1: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-node-age ex2: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-api -Unconfined Service issue:- This will leads the 'privileges of the process' -being attacked easily. 
Tendrl process that run as root are prone to be attacked -to get root access on the system. - -Tendrl services does not belong to any selinux domain. Proper selinux domain should -be assigned to every tendrl services to identify what is allowed for this service. - -Currently tendrl does not have enough confined rules for files being used by -its process. Contexts for files used by tendrl should also be specified clearly. -So that the resource can be used with the restricted gated privilege. -The file or directory created in a directory should also acquire same context. - -When the system runs SELinux in permissive mode, users are able to -label files incorrectly. Files created with SELinux in permissive mode are not -labeled correctly while files created while SELinux is disabled are not labeled -at all. This behavior causes problems when changing to enforcing mode. -Also there are some application that know about SELinux status can change their +Unconfined Service issue:- This will lead the 'privileges of the process' +being attacked easily. Tendrl processes that run as root are prone to +be attacked to get root access on the system. + +* Unclear or undefined context for files and directory:- +Currently tendrl does not have enough confined rules for the files and +directories being used by its process. Contexts for files are unclear in tendrl. +By having proper contexts for the files and directories used by tendrl, +the resources can have restricted gated privilege. + +* Incorrect or missing lable:- +Continues use of permissive mode might causes the users to label files +incorrectly. Any file or files created when selinux in permissive/disable mode, +will not be labeled correctly or will not be labled at all. +This behavior could create problems when its changed to enforcing mode. +Also there are few applications that know about SELinux status can change their behavior when selinux is in permissive mode. == Use Cases 
@@ -46,19 +46,24 @@ behavior when selinux is in permissive mode. == Proposed change -* Running a tendrl related services in a Specific Security Context - Tendrl can have a selinux policies for all tendrl related services - Each tendrl proces can be assigned to an unique security context which, - just like with the user under which the process runs, helps Linux in - identifying what the application should and shouldn't be allowed to do. +* Running tendrl related services in a Specific Security Context + Every tendrl process must be set to work according to its personal security + environment. Every tendrl process should have its own well defined + selinux policy. It should be given a definite determination for tendrl process + of which any user is permitted to work with, which products or application + can be accessed and what can be run. * Marking only the required type as permissive - In addition to have SELinux policies for tendrl, it would better to mark - only the required type as permissive initially; instead of making the - entire system permissive, tendrl could make only the purticular domain as permissive. - Over the release iterations, testing various test cases, SELinux can be - compleatly enforced. Because it's inevitable to completely block any new - avc errors which might come on any new updates to tendrl. + In addition to have SELinux policies for tendrl + Instead of allowing a complete system to "permissive", It would be better + to temporarily allow/configure a particular domain to "permissive" + in addition to have individual selinux policies for tendrl processes. + Because, in an emerging application, it is impossible to know all the possible + avc errors beforehand and add all the required selinux rules. + Over the release iterations and testing various test cases additional selinux + rules can be added into the existing policy to make the system + compleatly enforced. + === Alternatives 
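Review bot: the replacement text for the first bullet is less precise than what it removes. "Every tendrl process must be set to work according to its personal security environment" and "It should be given a definite determination for tendrl process of which any user is permitted to work with, which products or application can be accessed and what can be run" do not say what the policy will contain; the deleted sentence (a unique security context that "helps Linux in identifying what the application should and shouldn't be allowed to do") did. Suggest stating it concretely: one SELinux domain per service, plus the file types, port types and peer domains each may access. In the second bullet the line "In addition to have SELinux policies for tendrl" is left dangling and then repeated inside the following sentence ("in addition to have individual selinux policies for tendrl processes"); drop the fragment and keep one. "compleatly" survives the rewrite, and the new claim that it is "impossible to know all the possible avc errors beforehand" should name the mechanism the bullet relies on: a domain declared permissive still logs every denial to the audit log while letting the access through, which is what makes collecting the missing rules across releases possible.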
@@ -72,8 +77,8 @@ None ==== Tendrl API impact: -SELinux policy files will be added in to this tendrl-api module. -This set of policies will be used at tendrl server. +SELinux policy files will be added for tendrl-api module. +These set of policies will be used at tendrl server. Sample Policy: policy_module(tendrl, 1.0.0) @@ -190,7 +195,7 @@ None == Documentation impact: -The apis mentioned above need to be documented. +None == References: From 4f3735eecc2a115ff551cfa72823c9b725b34dc2 Mon Sep 17 00:00:00 2001 From: Timothy Asir J Date: Thu, 7 Sep 2017 10:40:21 +0530 Subject: [PATCH 3/3] Security: Run tendrl in SELinux enabled tendrl-bug-id: #241 Signed-off-by: Timothy Asir J --- specs/enable-selinux.adoc | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/specs/enable-selinux.adoc b/specs/enable-selinux.adoc index b3b1d37..4143dad 100644 --- a/specs/enable-selinux.adoc +++ b/specs/enable-selinux.adoc @@ -121,13 +121,10 @@ allow tendrl_t self:fifo_file rw_fifo_file_perms; allow tendrl_t self:unix_stream_socket create_stream_socket_perms; allow tendrl_t self:tcp_socket { accept listen }; - - - -optional_policy(` -          unconfined_domain(tendrl_t) -') ==== Tendrl commons impact: -SELinux policy files will be added in to this tendrl-commons module. +SELinux policy files will be added to tendrl-commons module. This will be used for every nodes participating in the tendrl. Sample tendrl AVCs: @@ -184,7 +181,7 @@ Primary assignee: tjeyasin === Work Items: - +https://github.com/Tendrl/node-agent/issues/604 == Dependencies:
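Review bot: in the new specs/enable-selinux.adoc (patch 1/3), the "Sample tendrl AVCs" under "Tendrl commons impact" all carry scontext=system_u:system_r:collectd_t:s0 with comm="gluster" and comm="lvm", so they are denials against the collectd domain (presumably the collectd plugins used for monitoring), not against the proposed tendrl_t; a tendrl_t module alone will not resolve them, and the spec should say whether those plugins get a domain transition out of collectd_t or a separate policy module. The "Sample Policy" also contradicts the "Proposed change" section: the text promises a unique security context per tendrl process, but the module declares a single tendrl_t for gluster-integration, node-agent, api and monitoring-integration, and then calls unconfined_domain(tendrl_t) inside optional_policy, which would make tendrl_t as unconfined as the unconfined_service_t the "Problem description" complains about. "allow tendrl_t self:capability { sys_rawio sys_admin net_admin };" grants capabilities that are close to full root, and none of the listed AVCs motivates them; add each only when a denial shows the need. Types tendrl_conf_t, tendrl_log_t, tendrl_var_lib_t and tendrl_var_run_t are declared but the sample shows no file-context mapping and no allow rules over them, although the problem statement says "Contexts for files used by tendrl should also be specified clearly"; the path-to-type mapping is the part a deployer needs most. Finally, "Other deployer impact: None" and the empty "Testing:" section do not fit the problem description's own warning that files created while SELinux is disabled "are not labeled at all": existing deployments moving off the current disabled-SELinux requirement need a relabel step after the policy is installed, and the testing section should state how denials are collected from the permissive tendrl_t domain before it is switched to enforcing.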
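Review bot: the @@ -190,7 hunk of patch 2/3 changes "Documentation impact" to "None", which does not hold for this spec: tendrl currently requires SELinux to be disabled (per the problem description), and after this change deployers have to run with SELinux on, with the tendrl domain permissive at first and enforcing later, and relabel existing files; the supported SELinux modes, the policy files to install and the relabel step all need documenting even if the API itself does not change. In the @@ -72,8 hunk "These set of policies" should stay "This set of policies", as in the line it replaces.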
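Review bot: removing the optional_policy block with unconfined_domain(tendrl_t) in the @@ -121,13 hunk of patch 3/3 is the right fix, since that call would have left tendrl_t effectively unconfined and defeated the spec; but the sample still carries "permissive tendrl_t;" with no statement of when it is removed (the proposal only says "temporarily"), and "allow tendrl_t self:capability { sys_rawio sys_admin net_admin };" is untouched. Suggest stating in the spec that the permissive declaration is dropped once a release cycle produces no new denials for the domain, and trimming the capability set to what the collected AVCs demonstrate. "This will be used for every nodes participating in the tendrl" in the same hunk's context should read "on every node participating in tendrl".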
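Review bot: the only work item added in the @@ -184,7 hunk of patch 3/3, https://github.com/Tendrl/node-agent/issues/604, tracks node-agent, while the "Impacted Modules" sections say the policy files go into tendrl-api and tendrl-commons; either add tracking items for those repositories or state that the node-agent issue covers the whole effort. The "Testing:" section, untouched by all three patches, is still empty.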