Dan Walsh
Twitter: #rhatdan
Blog: danwalsh.livejournal.com
Email: [email protected]
OpenShift & SELinux
SELinux is a LABELING System
Everything has a label: process, file, dir, chr_file, blk_file, port, node.
SELinux policy defines the access allowed between process labels and all other labels.
The Kernel controls the access.
Security Goals
http://en.wikipedia.org/wiki/Maginot_line
When writing SELinux policy, the first thing to understand is your security goal. For most people the security goal is to get as close as possible to the minimal access that lets the confined application do its job, while preventing it from affecting other applications.
Many applications can be configured to run in different ways. FTP, for example, can be configured to allow anonymous access to files, access to users' home directories, or access to the entire system. When you have an application like this, you can use booleans to let administrators reconfigure the policy for their environment.
When you are writing policy it is always good to ask experts to review what you have written, to see whether you are allowing more access than necessary or whether they know a better way to write the policy.
SELinux is Type Enforcement
system_u:system_r:openshift_t:s0:c1,c2
SELinux is Type Enforcement
seinfo -t | grep openshift
openshift_mail_tmp_t, httpd_openshift_content_t, openshift_cgroup_read_tmp_t, openshift_initrc_tmp_t, openshift_var_lib_t, openshift_var_run_t, openshift_app_t, openshift_min_t, openshift_net_t, openshift_tmp_t, openshift_min_app_t, openshift_net_app_t, openshift_cgroup_read_t, httpd_openshift_script_exec_t, openshift_cron_tmp_t, openshift_initrc_t, httpd_openshift_script_t, openshift_cron_exec_t, openshift_initrc_exec_t, openshift_rw_file_t, openshift_log_t, openshift_cron_t, openshift_mail_t, openshift_port_t, httpd_openshift_ra_content_t, httpd_openshift_rw_content_t, httpd_openshift_htaccess_t, openshift_cgroup_read_exec_t, openshift_t, openshift_tmpfs_t
SELinux is Type Enforcement
Process labels can be on files
File labels can not be on processes
openshift_t -> Process
openshift_var_lib_t -> File
SELinux is MCS
system_u:system_r:openshift_t:s0:c1,c2
Multi Category System
MCS separation is for objects of the same type that must still be kept totally separate from each other
openshift_t:s0:c1,c2 -> openshift_var_lib_t:s0:c1,c2
openshift_t:s0:c3,c4 -> openshift_var_lib_t:s0:c3,c4
[Diagram: two gears, openshift_t:MCS1 and openshift_t:MCS2, running on top of the kernel and the host hardware (memory, storage, etc.)]
Libvirt Dynamic Labeling in action
[Diagram: openshift_t:MCS1 and openshift_t:MCS2]
SELinux
This slide shows one virtual machine running as svirt_t:MCS1 and the other virtual machine running as svirt_t:MCS2, with their image files labeled svirt_image_t:MCS1 and svirt_image_t:MCS2. The same attack we saw before is blocked by SELinux in the host kernel, and this protects the host as well as all the virtual machines from attacking each other.
MCS Labeling based on UID
def gen_level(uid):
    SETSIZE = 1023
    TIER = SETSIZE
    ORD = uid
    while ORD > TIER:
        ORD = ORD - TIER
        TIER = TIER - 1
    TIER = SETSIZE - TIER
    ORD = ORD + TIER
    return "s0:c%d,c%d" % (TIER, ORD)
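The two MCS slides above say that gears of the same type are kept apart purely by their category pair, and the gen_level function shows how that pair is derived from the gear UID. The following is an added example, not code from the slides or from OpenShift itself: it re-implements the slide's algorithm, checks that a range of gear UIDs really does produce distinct category pairs, and applies the MCS dominance rule (a process may touch a file only when the process's categories are a superset of the file's) to show same-gear access passing and cross-gear access failing. The helper names mcs_categories, mcs_dominates and check_uniqueness are my own.

```python
# Added example (not from the slides): UID -> MCS level mapping plus the MCS
# dominance check that the kernel applies between a process and a file.
# Helper names (mcs_categories, mcs_dominates, check_uniqueness) are mine.

SETSIZE = 1023  # number of categories the slide's algorithm draws from (c0..c1023)


def gen_level(uid):
    """Map a gear UID to an MCS level 's0:cA,cB' using the slide's algorithm."""
    tier = SETSIZE
    ord_ = uid
    # Walk down the tiers until the remaining offset fits in the current tier.
    while ord_ > tier:
        ord_ -= tier
        tier -= 1
    tier = SETSIZE - tier          # first category of the pair
    ord_ += tier                   # second category is always larger than the first
    return "s0:c%d,c%d" % (tier, ord_)


def mcs_categories(level):
    """Return the set of category numbers in an MCS level such as 's0:c1,c2'.

    Plain 's0' yields the empty set; the range form 'c1.c5' is expanded.
    """
    cats = set()
    _, _, catstr = level.partition(":")
    for tok in catstr.split(","):
        if not tok:
            continue
        if "." in tok:                       # range form, e.g. c1.c5
            lo, hi = tok.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(tok[1:]))
    return cats


def mcs_dominates(proc_level, file_level):
    """MCS rule: access is allowed only if the process's categories dominate the file's."""
    return mcs_categories(proc_level) >= mcs_categories(file_level)


def check_uniqueness(first_uid, last_uid):
    """True when every UID in [first_uid, last_uid] gets a different MCS level."""
    levels = [gen_level(u) for u in range(first_uid, last_uid + 1)]
    return len(set(levels)) == len(levels)


if __name__ == "__main__":
    gear_a, gear_b = gen_level(500), gen_level(501)   # constructed sample UIDs
    print("uid 500 ->", gear_a, "| uid 501 ->", gear_b)
    print("gear A reads its own files:", mcs_dominates(gear_a, gear_a))
    print("gear A reads gear B's files:", mcs_dominates(gear_a, gear_b))
    print("uids 500..5000 all distinct:", check_uniqueness(500, 5000))
```

The dominance check is the piece the slide's arrows express: openshift_t:s0:c1,c2 reaches openshift_var_lib_t:s0:c1,c2 but not openshift_var_lib_t:s0:c3,c4, and the uniqueness check is what lets an operator trust that two gears on a node never collide on the same pair.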
How do the labels get on gears
Host receives packet for a gear: OpenShift server launches the application with the correct SELinux label and sends the packet to the application.
If the connection comes in via git or ssh: ssh uses pam_openshift to launch sh with the correct context.
Launch git with the correct context.
DEMO
Monitoring Logs
Problems with OpenShift Security
Gear application == administrator of gear: same UID
Same SELinux label: openshift_t
Solution:
openshift_t: administrator of the gear
openshift_app_t: type of the application
openshift_var_lib_t: openshift_t can read/write/execute
openshift_app_t can read/execute
openshift_rw_file_t: openshift_t and openshift_app_t can read/write/execute
Problem with OpenShift Security
All gears run as openshift_t, so all have the same network access. Solution: split the types by network access:
openshift_t/openshift_app_t
openshift_net_t/openshift_net_app_t
openshift_min_t/openshift_min_app_t
What about trust between nodes?
IPTables not enough
Node1:Gear1 can not attack Node1:Gear2
Node1:Gear1 can attack Node2:Gear2
Labeled networking between nodes: based on MLS CIPSO labels
Labeled networking SELinux rules: Node1:Gear1 can use Node2:Gear1
Node1:Gear1 attacking Node2:Gear2 is blocked
Requires the UID to be the same between nodes.
Problems with SELinux Confinement
Node separation: 127.0.0.1 blocked to all.
We do not want multiple domains binding to 127.0.0.1:8080: first one wins.
Apps trying to do SELinux stuff
SELinux blocks access to other processes, but the app can still see that they are there.
Secure Linux Containers
Containers != Security
Running root in a container, machine pwned
Local Privilege Escalation, machine pwned
Much of the system is not containerized: audit, /sys, selinuxfs, cgroupfs, sysfs
Need to block mount
Need to block mknod
Linux Namespaces
Mount: mounting/unmounting filesystems. Currently used by OpenShift for /tmp, /var/tmp and /dev/shm
UTS : hostname, domainname
IPC : SysV message queues, semaphore/shared memory segments
Network: IPv4/IPv6 stacks, routing, firewall, /proc/net and /sys/class/net directory trees, sockets. Critical to fix the localhost problem.
Pid: private /proc, multiple pid 1's
UID: just showing up in the kernel now.
Libvirt-lxc
Boot init binary
SELinux Types + MCS
Firewall ebtables/ip[6]tables
Host FS passthrough bind mounts
CGroups resource control
Available in RHEL 6.4, but you're on your own...
Package to help managing Linux Containers
virt-sandbox
DEMO