
remove permissive types from SELinux policy #945

Status: Merged (2 commits, Jun 22, 2020)

Conversation

@bcressey bcressey commented Jun 16, 2020

Issue number:
#764

Description of changes:
This removes all permissive types from the policy, meaning that actions will be denied and not simply logged, as they are today.

Testing done:

Ran sonobuoy on a k8s 1.16 cluster.

$ sonobuoy run --kube-conformance-image-version v1.16.8 --mode certified-conformance
$ sonobuoy results $(sonobuoy retrieve)
Plugin: e2e
Status: passed
Total: 4731
Passed: 276
Failed: 0
Skipped: 4455

Confirmed that the policy is enforced.

# echo -n 'system_u:system_r:container_t:s0' > /proc/self/attr/current
bash: echo: write error: Permission denied

[  289.111027] audit: type=1400 audit(1591976578.536:3): avc:  denied  { dyntransition } for  pid=8105 comm="bash" scontext=system_u:system_r:super_t:s0 tcontext=system_u:system_r:container_t:s0 tclass=process permissive=0

# cat /proc/self/attr/current
system_u:system_r:super_t:s0

Verified that the operator can upgrade the system when the policy is enforced.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
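The PR's verification rests on one detail of the AVC record: `permissive=0` in the denial means the kernel actually refused the `dyntransition`, whereas the same record with `permissive=1` would only have been logged while the action went ahead (the behaviour this change removes). The following is an added example, not code from the PR or from the Bottlerocket project: it parses kernel AVC records into their fields and flags any denial still coming from a permissive domain, which is the regression a defender would watch for after a policy change like this one. The first sample line is the audit record quoted in the testing notes; the second and third lines are constructed for the example.

```python
import re

# Constructed sample input. Line 1 is the AVC record from the PR's testing
# notes (enforced, permissive=0). Line 2 is a constructed copy showing the
# same denial from a domain still marked permissive. Line 3 is noise.
SAMPLE_AUDIT_LINES = [
    '[  289.111027] audit: type=1400 audit(1591976578.536:3): avc:  denied  '
    '{ dyntransition } for  pid=8105 comm="bash" '
    'scontext=system_u:system_r:super_t:s0 '
    'tcontext=system_u:system_r:container_t:s0 tclass=process permissive=0',
    'audit: type=1400 audit(1591976600.000:4): avc:  denied  '
    '{ dyntransition } for  pid=8200 comm="bash" '
    'scontext=system_u:system_r:super_t:s0 '
    'tcontext=system_u:system_r:container_t:s0 tclass=process permissive=1',
    'kernel: random message that is not an AVC record',
]

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; comm= and similar fields may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record. Returns a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'permissions': m.group('perms').split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # permissive=1 means the denial was logged but the action was allowed.
        'permissive': fields.get('permissive') == '1',
    }


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(':')[2]


def permissive_denials(lines):
    """Return the parsed records whose denial was logged but not enforced."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec['permissive']:
            findings.append(rec)
    return findings


def summarize(rec):
    """One-line summary in policy-rule terms: source type, target type, class, permissions."""
    return '%s -> %s : %s { %s } [%s]' % (
        context_type(rec['scontext']),
        context_type(rec['tcontext']),
        rec['tclass'],
        ' '.join(rec['permissions']),
        'permissive' if rec['permissive'] else 'enforced',
    )


if __name__ == '__main__':
    for line in SAMPLE_AUDIT_LINES:
        rec = parse_avc(line)
        if rec:
            print(summarize(rec))
    print('permissive denials:', len(permissive_denials(SAMPLE_AUDIT_LINES)))
```

Run against `dmesg` or `journalctl -k` output after a policy update, an empty result from `permissive_denials` is the condition the PR's test is checking for: every denial in the log carries `permissive=0`.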

bcressey added 2 commits June 10, 2020 15:28
Signed-off-by: Ben Cressey <bcressey@amazon.com>
Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey bcressey requested review from iliana and tjkirch June 16, 2020 21:33

@tjkirch tjkirch left a comment


I'm a little worried about losing some debugging ability in the admin container, but if you OK your other testing and you could check that normal debugging is still OK, I'm fine.

@bcressey bcressey marked this pull request as ready for review June 22, 2020 17:36
@bcressey

I've updated my testing results to indicate that the operator can upgrade nodes when the policy is enforced.

@iliana iliana added this to the v0.4.0 milestone Jun 22, 2020
@bcressey bcressey merged commit 0d03db4 into bottlerocket-os:develop Jun 22, 2020
@bcressey bcressey deleted the no-permissive-types branch June 22, 2020 18:22