Presentation is loading. Please wait.

Presentation is loading. Please wait.

OpenShift & SELinux Dan Walsh Twitter: #rhatdan

Published byAbner Thomas Modified over 7 years ago

Similar presentations

Presentation on theme: "OpenShift & SELinux Dan Walsh Twitter: #rhatdan"— Presentation transcript:

1 OpenShift & SELinux Dan Walsh Twitter: #rhatdan
Blog: danwalsh.livejournal.com OpenShift & SELinux

2 SELinux is a LABELING System
Everything has a label Process,file,dir, chr_file, blk_file, port, node. SELinux Policy defines that access between process labels and all other labels. The Kernel controls the access.

3 Security Goals http://en.wikipedia.org/wiki/Maginot_line
When writing SELinux policy, the first thing to understand, what is your security goal. For most people the security goal is to get to as close as minimal access to allow the confined application to get its job done and prevent its ability to effect other applications. For a lot of applications, you can configure the application to run in different Ways. Ftp for example can be configured to allow anonymous access to files, or access to users home directories, or access to the entire system. When you have an application like this, you can use booleans to allow administrators to reconfigure the policy, for their environment. When you are writing policy it is always good to ask experts about the policy you have written to see if you are allowing more access then necessary or if they know a better way to write the policy.

4 SELinux is Type Enforcement
system_u:system_r:openshift_t:s0: c1,c2 SELinux is Type Enforcement seinfo -t | grep openshift openshift_mail_tmp_t, httpd_openshift_content_t, openshift_cgroup_read_tmp_t, openshift_initrc_tmp_t, openshift_var_lib_t, openshift_var_run_t, openshift_app_t, openshift_min_t, openshift_net_t, openshift_tmp_t, openshift_min_app_t, openshift_net_app_t, openshift_cgroup_read_t, httpd_openshift_script_exec_t, openshift_cron_tmp_t, openshift_initrc_t, httpd_openshift_script_t, openshift_cron_exec_t, openshift_initrc_exec_t, openshift_rw_file_t, openshift_log_t, openshift_cron_t, openshift_mail_t, openshift_port_t, httpd_openshift_ra_content_t, httpd_openshift_rw_content_t, httpd_openshift_htaccess_t, openshift_cgroup_read_exec_t, openshift_t, openshift_tmpfs_t

5 SELinux is Type Enforcement
Process Labels can be on Files File Labels can not on Processes openshift_t -> Process openshift_var_lib_t -> File

6 SELinux is MCS system_u:system_r:openshift_t:s0:c1,c 2
Multi Category System MCS Separation is for like types, but totally separated openshift_t:s0:c1,c2 -> openshift_var_lib_t:s0:c1,c2 openshift_t:s0:c3,c4 -> openshift_var_lib_t:s0:c3,c4

7 Libvirt – Dynamic Labeling in action
openshift_t:MCS1 openshift_t:MCS2 Kernel Host Hardware memory, storage, etc. This slide shows one Virtual machine running as svirt_t:MCS1 and the other virtual machine running as svirt_t:MCS2. Which their image files labeled as svirt_image_t:MCS1 and svirt_image_t:MCS2. The same attack we saw before is being blocked by SELinux in the host kernel, and this protects Host as well as all virtual machines from attacking each other. SELinux openshift_t:MCS2 openshift_t:MCS1

8 MCS Labeling based on UID
def gen_level(uid): SETSIZE=1023 TIER=SETSIZE ORD=uid; while ORD > TIER: ORD = ORD - TIER; TIER= TIER - 1; TIER = SETSIZE - TIER; ORD = ORD + TIER; return "s0:c%d,c%d" % (TIER, ORD)

9 How do the labels get on gears
Host receives packet for a gear OpenShift server launches application with correct SELinux label. Sends packet to application If connection comes in via git or ssh Ssh uses pam_openshift Launch sh with correct context Launch git with correct context

10 DEMO

11 Monitoring Logs

12 Problems with OpenShift Security
Gear Application == Administrator of Gear Same UID Same SELinux Label openshift_t Solution: openshift_t Administrator of gear openshift_app_t Type of the application openshift_var_lib_t openshift_t can read/write/execute openshift_app_t can read/execute openshift_rw_file_t openshift_t & openshift_app_t can read/write/execute

13 Problem with OpenShift Security
All gears run as openhift_t All have same network access. openshift_t/openshift_app_t openshift_net_t/openshift_net -app_t openshift_min_t/openshift_min_app_t

14 What about trust between nodes.
IPTables not enough Node1:Gear1 can not attack Node1:gear2 Node1:Gear1 can attack Node2:gear2 Labeled Networking between Nodes Based on MLS CIPSO Labels Labeled Networking SELinux rules Node1:Gear1 can use Node2:gear1 Node1:Gear1 attacking Node2:gear2 blocked Requires UID being the same between nodes.

15 Problems with SELinux Confinement
Node Separation blocked to all. We do not want multiple Domains binding to :8080 First one wins Apps trying to do SELinux stuff SELinux blocks access to processes but it knows they are there.

16

17 Containers != Security Running root in a container, machine pwned
Local Privilege Escalation, machine pwned Much of the system is not containerized. Audit /sys selinuxfs, cgroupfs, sysfs Need to block mount Need to block mknod

18 Linux Namespaces Mount : mounting/unmounting filesystems
Currently used by Openshift for /tmp, /var/tmp and /dev/shm UTS : hostname, domainname IPC : SysV message queues, semaphore/shared memory segments Network: IPv4/IPv6 stacks, routing, firewall, proc/net /sys/class/net directory trees, sock Critical to fix localhost problem Pid: Private /proc, multiple pid 1's UID: Just showing up in the Kernel now..

19 Libvirt-lxc Boot “init” binary SELinux Types + MCS
Firewall ebtables/ip[6]tables Host FS passthrough bind mounts CGroups resource control Available in RHEL6.4 But your on your own...

20 virt-sandbox Package to help managing Linux Containers

21 DEMO

Download ppt "OpenShift & SELinux Dan Walsh Twitter: #rhatdan"

Similar presentations

AppSec USA 2014 Denver, Colorado Implications & Opportunities at the Bleeding Edge of DevOps Chris Swan, CTO

AppSec USA 2014 Denver, Colorado Implications & Opportunities at the Bleeding Edge of DevOps Chris Swan, CTO
Lightweight virtual system mechanism Gao feng

Lightweight virtual system mechanism Gao feng
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
PlanetLab Operating System support* *a work in progress.

PlanetLab Operating System support* *a work in progress.
1 Emulab Security. 2 Current Security Model Threat model: No malicious authenticated users, Bad Guys are all “outside” –Protect against accidents on the.

1 Emulab Security. 2 Current Security Model Threat model: No malicious authenticated users, Bad Guys are all “outside” –Protect against accidents on the.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
File System and Directory Structure in Linux. What is File System In a computer, a file system is the way in which files are named and where they are.

File System and Directory Structure in Linux. What is File System In a computer, a file system is the way in which files are named and where they are.
Linux Filesystem Management

Linux Filesystem Management
Chapter 10 Networking and the Internet ITSC 1458.

Chapter 10 Networking and the Internet ITSC 1458.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
CIS 191 – Lesson 2 System Administration. CIS 191 – Lesson 2 System Architecture Component Architecture –The OS provides the simple components from which.

CIS 191 – Lesson 2 System Administration. CIS 191 – Lesson 2 System Architecture Component Architecture –The OS provides the simple components from which.
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
Linux Security LINUX SECURITY. Firewall Linux Security Internet Database Application Web Server Firewall.

Linux Security LINUX SECURITY. Firewall Linux Security Internet Database Application Web Server Firewall.
Firewall Technologies Prepared by: Dalia Al Dabbagh - 120090285 Manar Abd Al- Rhman - 120080113 University of Palestine -2010.

Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine
4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.

4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Linux Administration. Pre-Install Different distributions –Redhat, Caldera, mandrake, SuSE, FreeBSD Redhat Server Install –Check HCL –Significant issues.

Linux Administration. Pre-Install Different distributions –Redhat, Caldera, mandrake, SuSE, FreeBSD Redhat Server Install –Check HCL –Significant issues.
Linux Networking Security Sunil Manhapra & Ling Wang Project Report for CS691X July 15, 1998.

Linux Networking Security Sunil Manhapra & Ling Wang Project Report for CS691X July 15, 1998.
Linux Exercise. Download and Install the latest CentOS version and latest Ubuntu/Fedora OS. Configure a unique Host Name and a permanent IP Address for.

Linux Exercise. Download and Install the latest CentOS version and latest Ubuntu/Fedora OS. Configure a unique Host Name and a permanent IP Address for.
Container Security Daniel J Walsh Consulting Engineer Blog: danwalsh.livejournal.com

Container Security Daniel J Walsh Consulting Engineer Blog: danwalsh.livejournal.com

Similar presentations

Ads by Google