
expand SELinux policy #888

Merged (2 commits), Apr 9, 2020
Conversation

bcressey (Contributor) commented Apr 4, 2020

Issue number:
#764

Description of changes:
Expand the SELinux policy to include all classes and actions in the 5.4 kernel, as well as those expected by systemd and dbus-broker.

Also fixes a minor issue with kubelet using an unknown label.

Testing done:
Verified that the kernel no longer reports missing classes or actions when loading the policy at startup, and that the listed capabilities match the policy.

[    4.880992] SELinux:  policy capability network_peer_controls=1
[    4.885289] SELinux:  policy capability open_perms=1
[    4.889076] SELinux:  policy capability extended_socket_class=1
[    4.893300] SELinux:  policy capability always_check_network=0
[    4.897488] SELinux:  policy capability cgroup_seclabel=1
[    4.901521] SELinux:  policy capability nnp_nosuid_transition=1
[    4.934308] systemd[1]: Successfully loaded SELinux policy in 55.781ms.

Built the aws-dev variant. Ran under KVM. Pulled and started a Docker container. Found no AVC denials.

Built the aws-k8s-1.15 variant; registered as an AMI; joined to a cluster. Ran sonobuoy tests. Launched a pod using an EFS CSI persistent volume claim. Found no AVC denials.

Verified that interactions with systemd from a container_t process generated the expected denials.

# echo -n 'system_u:system_r:container_t:s0' > /proc/self/attr/current
# systemctl stop docker
systemd[1]: selinux: avc:  denied  { stop } for auid=n/a uid=0 gid=0 cmdline="" scontext=system_u:system_r:container_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=1

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
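As an added example, not part of this pull request or the Bottlerocket project: a small Python triage script for the AVC checks described in the testing notes above. It parses both the systemd userspace AVC line shown there and the kernel audit AVC format, and sorts denials into those the commit message describes as intended for container_t (systemd via init_t in class system, SELinux policy management via class security) versus everything else, which is what "found no AVC denials" needs to flag. The security_t label, pids, inodes and timestamps in the sample are constructed, and the expected-denial mapping is an assumption for the example, not the policy's own rules.

```python
import re
from collections import namedtuple

# Constructed sample lines: the first mirrors the systemd userspace AVC in this
# PR's testing notes; the others follow the kernel audit AVC format. The pids,
# inodes, timestamps and the security_t label are constructed for the example.
SAMPLE_LOG = """\
systemd[1]: selinux: avc:  denied  { stop } for auid=n/a uid=0 gid=0 cmdline="" scontext=system_u:system_r:container_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=1
audit: type=1400 audit(1586000000.123:45): avc:  denied  { load_policy } for pid=2345 comm="load_policy" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
audit: type=1400 audit(1586000000.456:46): avc:  denied  { read } for pid=2346 comm="cat" name="hostname" dev="overlay" ino=1234 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
"""

# Both the kernel and the systemd userspace AVC share the same core shape:
# "avc:  denied  { perm ... } for key=value ...".
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Avc = namedtuple("Avc", "decision perms stype ttype tclass permissive")

def parse_avc(line):
    """Parse one AVC line into an Avc, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; policy rules are keyed on the type.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return Avc(m.group("decision"), tuple(m.group("perms").split()),
               stype, ttype, fields["tclass"], fields.get("permissive") == "1")

def is_expected_denial(avc):
    """Denials the commit message describes as intended for container_t:
    systemd interaction (init_t, class system) and SELinux policy management
    (class security). This mapping is assumed here, not read from the policy."""
    if avc.stype != "container_t":
        return False
    return avc.tclass == "security" or (avc.ttype == "init_t" and avc.tclass == "system")

def triage(log_text):
    """Split AVC denials into expected and unexpected lists; granted lines are skipped."""
    result = {"expected": [], "unexpected": []}
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc.decision != "denied":
            continue
        result["expected" if is_expected_denial(avc) else "unexpected"].append(avc)
    return result
```

With permissive=1 the kernel logs the denial but still allows the access, so `avc.permissive` tells you whether an unexpected entry would actually break a workload once the policy is enforcing.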

Silences the kernel warning during startup:
  "Context system_u:object_r:container_file_t:s0 is not valid"

Signed-off-by: Ben Cressey <bcressey@amazon.com>

This extends the initial implementation of the policy with a complete
set of all classes and available actions as of the 5.4 kernel. We also
include the permissions expected by systemd and dbus-broker. In a few
cases, actions that no longer exist in the kernel have been removed,
for example the "entrypoint" permission for the "chr_file" class.

The more comprehensive policy now denies unknown actions by default,
which creates some risk for kernel updates, but also acts as a nudge
to revisit the policy periodically. Any newly added classes and
actions will be logged by the kernel when the policy is loaded.

The 5.4 kernel added support for restricting file watches through
inotify(), dnotify(), and fanotify(). Related rules were added as a
special case to the policy to prevent processes running in containers
from blocking the host's access to its own files. Other uses are
still allowed.

Since classes related to sockets, networks, and IPCs are now defined
in the policy, it also includes rules to permit almost all actions
without restriction. The only exceptions are the actions related to
SELinux labeling, all of which are reserved for the host OS.

Because the policy defines userspace classes and actions, we can now
restrict interactions with systemd and dbus-broker to the host OS.
These programs are regarded as implementation details and not meant
for direct use by processes running in containers.

Other management functions, notably including the ability to load and
manage the SELinux policy, have also been reserved for the host OS.

We now include all relevant capabilities in the policy, to enable the
full set of policy features, and to ensure that all defined classes
and actions are used.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey bcressey requested review from iliana and jamieand April 4, 2020 17:07
tjkirch (Contributor) left a comment:

The packaging parts seem good to me, and it has good testing, but I can't review the policy bits.

jamieand (Contributor) left a comment:

I don't see anything concerning here. LGTM

@bcressey bcressey merged commit ba4cc8c into bottlerocket-os:develop Apr 9, 2020
@bcressey bcressey deleted the more-selinux branch April 9, 2020 20:48