Selinux updates #1496
Selinux updates #1496
Conversation
|
One possible improvement is taking |
…_use_shell_app. This will better support LHA and other uses of SSH
|
I thought about it more, and I don't think we should modify contexts of I still need to do more testing on webdev02 to further try different things inside OnDemand with SELinux in both Permissive and Enforce mode. |
… interacting with Kubernetes
|
I think this is ready. I tested webdev02 with SELinux in Enforce mode and caught some dontaudit blocks that had to allow, mostly around being able to execute sudo for kubectl bootstrap. |
|
The 2.0 change in #1497 deprecates |
The |
| ## Allow OnDemand to use Shell app | ||
| ## Allow OnDemand to use SSH | ||
| ## </p> | ||
| ## </desc> | ||
| gen_tunable(ondemand_use_shell_app, true) |
There was a problem hiding this comment.
I take it the doc for this removal?
There was a problem hiding this comment.
The ondemand docs need updated for both removal and additional new booleans. I updated description with Doc changes required for this and 2.0 PR.
| allow ood_pun_t self:capability { setuid setgid sys_resource audit_write }; | ||
| allow ood_pun_t self:process { setrlimit setsched }; | ||
| allow ood_pun_t self:key write; | ||
| allow ood_pun_t self:passwd { passwd rootok }; |
There was a problem hiding this comment.
This caught my eye. Admittedly I don't know much about selinux. Can you tell me why we need this directive?
There was a problem hiding this comment.
I believe this is needed for sudo. Because kubectl during bootstrap uses sudo, there are a lot of changes here that are necessary for ood_pun_t context to run the sudo command. I could not find a viable template helper to make this simpler but the repo where I pull a lot of helpers from and example I found a popular monitoring application ( I used to use in Texas ) Zabbix using sudo with similar policy changes: https://github.com/fedora-selinux/selinux-policy/blob/7e50553feb19abeab49911db46c15b50b6bda47e/policy/modules/contrib/zabbix.te#L159-L175
I think the passwd is so the process can access it's own passwd entry, hence the self:passwd. Since there is no /etc/passwd entry, this doesn't really change anything at OSC but /etc/passwd is likely still searched. At least I think that's what is happening.
There was a problem hiding this comment.
I see. In combination with setuid setgid it's probably this.
These are opt-in policies right? Seems like this bootstrapping may need to be rethought. There may be less unobtrusive way to pass this the user.
There was a problem hiding this comment.
I think maybe doing su might be one alternative but there could be issues with how $HOME is set and what not.
The setuid and setgid are likely because sudo is is setuid/setgid executable.
This part of policy that involves a lot of sudo is opt-in, disabled by default, and intended for sites using Kubernetes.
I will open a different pull request for 2.0 once I've had more chances to test this.
Marking WIP for now as still need to further test. So far what I've tested is that on a Permissive system, adding these policy changes and enabling the SELinux booleans and then running
audit2allowshows all are now allowed under current policy:The only denial we get now would be allowed with this:
This is from the initializer we deploy at our site to read
/var/lib/node_exporter/textfile_collector/autofs-file-test.prom. I don't think it's necessarily appropriate to account for that in this repo.FOR DOCS:
New booleans
Removed booleans