Tendrl · TimothyAsirJeyasing · Aug 18, 2017 · Aug 21, 2017 · Sep 7, 2017 · shtripat
@@ -0,0 +1,199 @@
+= Enable SELinux for tendrl
+
+SELinux should be enabled in tendrl for the system which controled by selinux.
+
+== Problem description
+
+* Policy violation:-
+Currently tendrl needs selinux in permissive mode. A SELinux-enabled system that
+runs in permissive mode is not protected by SELinux. if tendrl needs selinux to be
+disabled in an already selinux enforced system, it may break the security rule
+of the system.
+
+* Privilege escalation issue:-
+Disabling selinux in a system, can lead to privilege escalation issue.  For example,
+A normal user with no specific privileges on the system who is trying to interact
+with one of the root-running processes that can suddenly misbehave and give
+the user root access or allows the user to launch root access commands.
+
+* Service are not belongs to any proper selinux domain:-
+Currently tendrl services like gluster-integration, node-agent, api,
+monitoring-integration services are running as unconfined services.
+ex1: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-node-age
+ex2: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-api
+Unconfined Service issue:- This will lead the 'privileges of the process'
+being attacked easily. Tendrl processes that run as root are prone to
+be attacked to get root access on the system.
+
+* Unclear or undefined context for files and directory:-
+Currently tendrl does not have enough confined rules for the files and
+directories being used by its process. Contexts for files are unclear in tendrl.
+By having proper contexts for the files and directories used by tendrl,
+the resources can have restricted gated privilege.
+
+* Incorrect or missing lable:-
+Continues use of permissive mode might causes the users to label files
+incorrectly. Any file or files created when selinux in permissive/disable mode,
+will not be labeled correctly or will not be labled at all.
+This behavior could create problems when its changed to enforcing mode.
+Also there are few applications that know about SELinux status can change their
+behavior when selinux is in permissive mode.
+
+== Use Cases
+
+* Enable SELinux security system for tendrl
+* Retain the existing security measures in an already enabled SELinux system
+
+== Proposed change
+
+* Running tendrl related services in a Specific Security Context
+  Every tendrl process must be set to work according to its personal security
+  environment. Every tendrl process should have its own well defined
+  selinux policy. It should be given a definite determination for tendrl process
+  of which any user is permitted to work with, which products or application
+  can be accessed and what can be run.
+
+* Marking only the required type as permissive
+  In addition to have SELinux policies for tendrl
+  Instead of allowing a complete system to "permissive", It would be better
+  to temporarily allow/configure a particular domain to "permissive"
+  in addition to have individual selinux policies for tendrl processes.
+  Because, in an emerging application, it is impossible to know all the possible
+  avc errors beforehand and add all the required selinux rules.
+  Over the release iterations and testing various test cases additional selinux
+  rules can be added into the existing policy to make the system
+  compleatly enforced.
+
+
+=== Alternatives
+
+None
+
+=== Data model impact:
+
+None
+
+=== Impacted Modules:
+
+==== Tendrl API impact:
+
+SELinux policy files will be added for tendrl-api module.
+These set of policies will be used at tendrl server.
+
+Sample Policy:
+policy_module(tendrl, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tendrl_t;
+type tendrl_exec_t;
+init_daemon_domain(tendrl_t, tendrl_exec_t)
+
+type tendrl_conf_t;
+files_config_file(tendrl_conf_t)
+
+type tendrl_log_t;
+logging_log_file(tendrl_log_t)
+
+type tendrl_var_lib_t;
+files_type(tendrl_var_lib_t)
+
+type tendrl_var_run_t;
+files_pid_file(tendrl_var_run_t)
+
+type tendrl_unit_file_t;
+systemd_unit_file(tendrl_unit_file_t)
+
+type tendrl_custom_port_t;
+corenet_port(tendrl_custom_port_t)
+
+permissive tendrl_t;
+
+########################################
+#
+# tendrl local policy
+#
+allow tendrl_t self:capability { sys_rawio sys_admin net_admin };
+allow tendrl_t self:fifo_file rw_fifo_file_perms;
+allow tendrl_t self:unix_stream_socket create_stream_socket_perms;
+allow tendrl_t self:tcp_socket { accept listen };
+- - -
+
+==== Tendrl commons impact:
+
+SELinux policy files will be added to tendrl-commons module.
+This will be used for every nodes participating in the tendrl.
+
+Sample tendrl AVCs:
+type=AVC msg=audit(1502404324.889:1973): avc:  denied  { connectto } for
+pid=22078 comm="gluster" path="/run/glusterd.socket"
+scontext=system_u:system_r:collectd_t:s0
+tcontext=system_u:system_r:glusterd_t:s0 tclass=unix_stream_socket
+
+type=AVC msg=audit(1502404325.445:1975): avc:  denied  { read write } for
+pid=22129 comm="lvm" name="lvm" dev="tmpfs" ino=12517
+scontext=system_u:system_r:collectd_t:s0
+tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
+
+type=AVC msg=audit(1502404325.447:1976): avc:  denied  { add_name } for
+pid=22129 comm="lvm" name="V_cl_dhcp43-71:aux"
+scontext=system_u:system_r:collectd_t:s0
+tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir
+
+type=AVC msg=audit(1502404265.426:1967): avc:  denied  { read } for
+pid=21307 comm="lvm" name="vda2" dev="devtmpfs" ino=8415
+scontext=system_u:system_r:collectd_t:s0
+tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
+
+The above AVC can be read as:
+The Trace reporting time: Fri Aug 11 04:01:05 IST 2017, process with PID 21307
+tried to read a file called vda2 on a file system hosted on the devtmpfs device.
+This file has inode number 8415, and has the security context
+system_u:object_r:fixed_disk_device_t assigned to it.
+The Trace process itself is running with the system_u:system_r:collectd_t context.
+
+=== Performance impact:
+
+None
+
+=== Other deployer impact:
+
+None
+
+=== Developer impact:
+
+None
+
+== Implementation:
+
+
+=== Assignee(s):
+
+tjeyasing@redhat.com
+
+If more than one person is working on the implementation, please designate the
+primary author and contact.
+
+Primary assignee:
+  tjeyasin
+
+=== Work Items:
+https://github.com/Tendrl/node-agent/issues/604
+
+
+== Dependencies:
+
+None
+
+== Testing:
+
+== Documentation impact:
+
+None
+
+== References:
+
+None