-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Package Request: selinuxd #854
Comments
Hi @jhrozek, A few questions:
|
On that topic, we did discuss this issue with the SELinux team some time back and IIRC I think part of what we hashed out was a similar design where the policy is recompiled on boot. If you haven't already, it would probably be good to chat with them and see whether they have any plans in that area. |
I will get back to you with a more thorough (and tested!) answer tomorrow, but #701 includes a link to a discussion thread where the user adds a CIL to the Ignition file and then runs
Yes, it does. I'm afraid we don't have great docs (the project is really new and was mostly used as an implementation detail of security profiles operator upstream so far), but I'll try to fix them tomorrow. |
We did show a demo of both selinuxd and the security profiles operator to the SELinux team, but either way it won't hurt to tag @wrabcak to see if he has any insights. |
We discussed this in the community meeting today.
@jhrozek - is there an rpm we could use to play with? Also do you have any demos to share where you show off the features of selinuxd beyond https://github.com/JAORMX/selinuxd#testing-for-demo-purposes It was mentioned in the meeting that ideally we would handle selinux changes in |
Ahh yes, this is where I mentioned this in the past: #368 (comment). |
I built one:
So I was trying to prepare some demo today and ran into some issues. For one, I wasn't able to get the service enabled for an overlaid package and I wasn't able to produce my own FCOS image with the package. Those probably boil down to my ignorance of how FCOS works -- so far I was mostly just interacting with RHCOS through openshift and could probably be solved by reading the docs better. But the bigger issue I found was that installing the policy module with selinuxd still triggers recompiling of the policy and modifies the
|
I'm sorry I don't have better news than "we talked with the SELinux team and they're looking into the issue". Petr Lautrbach from the SELinux team suggested a compile change to SELinux that moves the DB from /etc/selinux to /var/selinux. The basic things seemed to work but more work is needed and tracked in https://issues.redhat.com/browse/SELINUX-2695 |
We're interested in exploring selinuxd - it sounds like it'd be a great fit for our use case. I'm trying to build an RPM to play with locally, but the systemd service units don't exist in the source as far as I can tell. I can cobble something together, but do you have anything you can share @jhrozek? I also don't have access to view or vote on the issue referenced above (SELINUX-2695). Is there any progress being made on this internally? @wrabcak is that something you could speak to? |
@justinkinney, yes internal ticket talks about following PR already merged by ostree developers. @WOnder93 can share more details. |
I did get through the motions of packaging selinuxd as an RPM some time ago (for this reason) and the branch is still available here: https://github.com/jhrozek/selinuxd/tree/make_install |
Thinking out loud here and asking a dumb question.. Where does this sit now that ostreedev/ostree#2569 has merged (related to #701)? |
Honestly, if you think that running oneshot systemd units that install the modules is OK for the FCOS use-case then I'm not sure if having selinuxd as a package on the host itself brings that much. Where having selinuxd on the host would be beneficial would be in the context of OCP/OKD/k8s where you could deploy the policies as MachineConfigs. But then again, this use-case is probably better served with the Security Profiles Operator. This probably leaves the (edge?) case of pushing policies for static pods on k8s/OCP/OKD, but I wonder if it's worth it..? |
I don't actually. oneshot systemd units can be awkward to write. I think it's much easier to drop down a config file that tells the machine what you want. In that context selinuxd is still useful IMO. Thank you for refreshing my memory. |
Big overlap/intersection with OCP CoreOS Layering here. I think the dividing line here is that the selinuxd approach inherently supports live/rebootless updates, but I also think we should support that in a uniform way via |
This ticket is a follow-up or a branch of openshift/enhancements@9984669#r645083951 As said in that thread, it is not absolutely required that the package is part of the OS, but I do think it would be beneficial. In that thread, @travier said that he'd like to see a demo and I'll be happy to provide one, just let me know in what form (should I join some meeting? Record something in e.g. asciinema along with a write-up? ...)
Please note that selinuxd is not packaged in Fedora at the moment, although there's nothing inherently preventing it. We're trying to find a suitable home for selinuxd at the moment.
Please try to answer the following questions about the package you are requesting:
No python or perl, selinuxd is written in go. The full list dependency list is:
My local build of the binary is 14MB. The dependencies above come from the following packages:
What problem are you trying to solve with this package? Or what functionality does the package provide?
Custom SELinux policy management for containers, in particular in the context of OpenShift. While it is possible at the moment to set custom policies for containers, the management is not practical - the admin needs to log in to the node and call
semodule -i
to install the policy.selinuxd watches the
/etc/selinux.d
directory for files and installs any selinux policies dropped there, so all that is needed is to drop the policy file there. There is also a very simple REST API to query the installed modules and get information such as any error messages that were generated when a policy was installed.In the OpenShift context, the idea would be to drop the selinux policy file to the nodes with a
MachineConfig
(hopefully in the future without a node reboot) and then selinuxd would install the policy.Also note that selinuxd is used by the Security Profiles Operator that is currently being proposed to be added to OpenShift.
Can the software provided by the package be run from a container? Explain why or why not.
Yes, it can. Having the daemon on the node has the benefit of allowing to install policies before nodes start up -- in the OpenShift context, this means e.g. containing the static pods.
Can the tool(s) provided by the package be helpful in debugging container runtime issues?
Indirectly maybe? I think the REST API provides a nicer way of debugging which SELinux policies are installed over having to ssh to the node and run
semodule
Can the tool(s) provided by the package be helpful in debugging networking issues?
No
Is it possible to layer the package onto the base OS as a day 2 operation? Explain why or why not.
Yes, this is not an inherent OS feature, but an add-on.
In the case of packages providing services and binaries, can the packaging be adjusted to just deliver binaries?
There's a single binary called
selinuxdctl
Can the tool(s) provided by the package be used to do things we’d rather users not be able to do in FCOS? (e.g. can it be abused as a Turing complete interpreter?)
I don't think so, the REST API is read-only and the only other inteface is dropping a policy to the directory.
Does the software provided by the package have a history of CVEs?
No, the project is very new.
The text was updated successfully, but these errors were encountered: