Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable SELinux for tendrl #241

Open
TimothyAsirJeyasing opened this issue Aug 15, 2017 · 1 comment
Open

Enable SELinux for tendrl #241

TimothyAsirJeyasing opened this issue Aug 15, 2017 · 1 comment

Comments

@TimothyAsirJeyasing
Copy link

TimothyAsirJeyasing commented Aug 15, 2017
edited
Loading

The following are the identified security issues should be fixed in tendrl.

  1. Currently tendrl does not work with selinux enabled. A SELinux-enabled system that runs in permissive mode is not protected by SELinux. which will leads to privilege escalation issue. This allows the system to be attacked if it does not managed by Selinux completely. A normal user with no specific privileges on the system who is trying to interact with one of the root-running processes that can suddenly misbehave and give the user root access or allows the user to launch root access commands.

  2. Currently tendrl services like gluster-integration, node-agent, api, monitoring-integration services are running as unconfined services.

ex1: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-node-age
ex2: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-api

Unconfined Service issue:- This will leads the 'privileges of the process' being attacked easily. Tendrl process that run as root are prone to be attacked to get root access on the system.

  1. From the (Ex1, ex2) tendrl-node-agent, tendrl-api or tendrl-monitoring-integration service and its spawns, it is clear that it does not belong to any selinux domain. Proper selinux domain should be assigned to every tendrl services to identify what is allowed for this service.

  2. Currently tendrl does not have enough confined rules for files being used by its process. Contexts for files used by tendrl should also be specified clearly. So that the resource can be used with the restricted gated privilege. The file or directory created in a directory should also acquire same context.

  3. Currently, tendrl needs SElinux in permissive mode, It can not be left to see later. Because
    When the system runs SELinux in permissive mode, users are able to label files incorrectly. Files created with SELinux in permissive mode are not labeled correctly while files created while SELinux is disabled are not labeled at all. This behavior causes problems when changing to enforcing mode.
TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/specifications that referenced this issue Aug 18, 2017
@TimothyAsirJeyasing
Run tendrl in SELinux enabled
9dd2bd3 
tendrl-bug-id: Tendrl#241
Signed-off-by: Timothy Asir J <[email protected]>
@TimothyAsirJeyasing TimothyAsirJeyasing mentioned this issue Aug 18, 2017
Open
TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/specifications that referenced this issue Aug 21, 2017
@TimothyAsirJeyasing
Security: Run tendrl in SELinux enabled
b8745d9 
tendrl-bug-id: Tendrl#241

Signed-off-by: Timothy Asir J <[email protected]>
TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/specifications that referenced this issue Sep 7, 2017
@TimothyAsirJeyasing
Security: Run tendrl in SELinux enabled
4f3735e 
tendrl-bug-id: Tendrl#241

Signed-off-by: Timothy Asir J <[email protected]>
@mbukatov mbukatov mentioned this issue Oct 2, 2017
Closed
5 tasks
@r0h4n
Copy link
Contributor

r0h4n commented Jan 30, 2018

What is the summary of this, where do we stand today?

@TimothyAsir @mbukatov

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@r0h4n @TimothyAsirJeyasing