Run tendrl in SELinux enabled #244
Conversation
tendrl-bug-id: Tendrl#241 Signed-off-by: Timothy Asir J <[email protected]>
|
@r0h4n , @nthomas-redhat , @shtripat , Please review |
| @@ -0,0 +1,197 @@ | |||
| = Enable SELinux for tendrl | |||
|
|
|||
| SELinux should be enabled in tendrl for the system which controled by selinux. | |||
There was a problem hiding this comment.
Also what is guideline for gluster nodes? do we suggest selinux enforcing?
There was a problem hiding this comment.
Sure, we suggest selinux enforcing for gluster nodes also.
I hope gluster have its own selinux policy.
There was a problem hiding this comment.
Gluster has its own selinux policy
specs/enable-selinux.adoc
Outdated
|
|
||
| Tendrl could be installed in a system where SELinux could be already enforced. | ||
| Currenlty Tendrl requires selinux to be in disable state. If tendrl disables | ||
| the selinux which may brack the existing policy(security concerns) of the system |
specs/enable-selinux.adoc
Outdated
| which runs selinux enabled. | ||
|
|
||
| A SELinux-enabled system that runs in permissive mode is not protected by SELinux. | ||
| which will leads to privilege escalation issue. This allows the system |
specs/enable-selinux.adoc
Outdated
|
|
||
| A SELinux-enabled system that runs in permissive mode is not protected by SELinux. | ||
| which will leads to privilege escalation issue. This allows the system | ||
| to be attacked if it does not managed by Selinux completely. A normal user |
There was a problem hiding this comment.
s/does not managed/is not managed/
specs/enable-selinux.adoc
Outdated
|
|
||
| Currently tendrl services like gluster-integration, node-agent, api, | ||
| monitoring-integration services are running as unconfined services. | ||
| ex1: system_u:system_r:unconfined_service_t:s0 18240 ? 02:51:40 tendrl-node-age |
specs/enable-selinux.adoc
Outdated
| ==== Tendrl API impact: | ||
|
|
||
| SELinux policy files will be added in to this tendrl-api module. | ||
| This set of policies will be used at tendrl server. |
There was a problem hiding this comment.
When you say tendrl-server, how integration services like {ceph/gluster}-integration would be taken care?
There was a problem hiding this comment.
I hope ceph and gluster have its own selinux policy we can use for the nodes.
it would be a heavy work if we need to write policy for that also.
However, if required we can add policy for that service also.
specs/enable-selinux.adoc
Outdated
|
|
||
| ==== Tendrl commons impact: | ||
|
|
||
| SELinux policy files will be added in to this tendrl-commons module. |
There was a problem hiding this comment.
s/added to this tendrl-commons/added to tendrl-commons/
specs/enable-selinux.adoc
Outdated
| ==== Tendrl commons impact: | ||
|
|
||
| SELinux policy files will be added in to this tendrl-commons module. | ||
| This will be used for every nodes participating in the tendrl. |
There was a problem hiding this comment.
Does this include the storage nodes (gluster nodes) as well ?
There was a problem hiding this comment.
Yes, Initially we will be having a common policy for tendrl nodes and server.
specs/enable-selinux.adoc
Outdated
|
|
||
| === Work Items: | ||
|
|
||
|
|
There was a problem hiding this comment.
Sure, i will create new issues and add.
There was a problem hiding this comment.
specs/enable-selinux.adoc
Outdated
|
|
||
| == Documentation impact: | ||
|
|
||
| The apis mentioned above need to be documented. |
|
Looks like i have sent an old rough copy. I will better close this one and send a new patch for review or i will update the doc in this. |
tendrl-bug-id: Tendrl#241 Signed-off-by: Timothy Asir J <[email protected]>
|
@shtripat Please review |
tendrl-bug-id: Tendrl#241 Signed-off-by: Timothy Asir J <[email protected]>
tendrl-bug-id: #241
Signed-off-by: Timothy Asir J [email protected]