-
Notifications
You must be signed in to change notification settings - Fork 522
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add initial selinux implementation #683
Conversation
2176ab7
to
e8999bd
Compare
Changes since initial draft: Dropped SELinux enablement for Docker. This was done for consistency with Widened access to Refocused policy to deny writes to critical files: containerd's pristine layer archives and the settings for our API. Expanded the policy to cover all file-like classes and permissions. |
077ea9f
to
530120f
Compare
Various applications expect this path to exist in order to detect the active SELinux policy and to discover contexts for labeling processes and files. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Signed-off-by: Ben Cressey <bcressey@amazon.com>
We enable the audit subsystem in order to log AVC denials. The SELinux options are mandated by the kernel config, but including them on the kernel command line makes the behavior visible to simple tools. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Signed-off-by: Ben Cressey <bcressey@amazon.com>
These directories are created for us by tmpfiles.d. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Hit a couple of denials when testing the EFS CSI driver:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is fine to merge. I'd like to see issues opened to track what we're going to remove permissive bits around and at what point we feel confident removing those.
Signed-off-by: Ben Cressey <bcressey@amazon.com>
Also sets noatime, nodev, and nosuid for our squashfs mounts, for consistency with the others. Signed-off-by: Ben Cressey <bcressey@amazon.com>
"spc_t" has elevated privileges relative to "container_t", and fits the intended use case of "breaking glass" to debug the host system with minimal friction. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Signed-off-by: Ben Cressey <bcressey@amazon.com>
Disabling them removes surface area from containerd, and lets us defer the work of figuring out how they should interact with our SELinux policy. Signed-off-by: Ben Cressey <bcressey@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm good with this, assuming we add the docs/comments we just talked about/you have notes on :)
Notes:
|
Signed-off-by: Ben Cressey <bcressey@amazon.com>
Issue #, if available:
N/A
Description of changes:
This implements a policy for SELinux aimed at closing vectors for persistence of malicious code across container restarts and reboots.
The initial goals are that containerized processes:
/var/lib/thar
Testing done:
Processes on a running system are labeled as indicated in
subject.cil
, and files and directories have the labels indicated inobject.cil
.Launched a new node and ran
sonobuoy
conformance tests. No AVC denials were logged.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.