[opensuse-kubic] MicroOS goes SELinux - if we get help!
Hi,

There is the long-standing open topic, if AppArmor is the right choice for a container host OS or if there is not something better. There are really nice ideas to build a security framework on top of eBPF, but there is nothing really usable and secure today.

So it's time to teach MicroOS SELinux ;) for a PoC and evaluation.

We have a working policy in security:SELinux/selinux-policy, and this works fine for me on Tumbleweed, but we have quite some challenges to get this running on MicroOS:

- read-only root filesystem
- subvolumes (labels on mount points)
- transactional-update, who has to label the system

And we don't have SELinux experts (but we have open positions!)

So anybody here willing to spend some time and help with this topic?

Thanks,
Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-kubic+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-kubic+owner@opensuse.org
On Fri, Jul 10, 2020 at 5:42 AM Thorsten Kukuk wrote:
> Hi,
>
> There is the long-standing open topic, if AppArmor is the right choice for a container host OS or if there is not something better.
> There are really nice ideas to build a security framework on top of eBPF, but there is nothing really usable and secure today.
>
> So it's time to teach MicroOS SELinux ;) for a PoC and evaluation.
>
> We have a working policy in security:SELinux/selinux-policy, and this works fine for me on Tumbleweed, but we have quite some challenges to get this running on MicroOS:
>
> - read-only root filesystem
> - subvolumes (labels on mount points)
> - transactional-update, who has to label the system
>
> And we don't have SELinux experts (but we have open positions!)
>
> So anybody here willing to spend some time and help with this topic?
So I'm definitely interested in helping with bringing SELinux to openSUSE as a whole. Actually, it's been in my plans for about a year or so now, especially after you expressed interest at SUSECON last year.

I'm planning on starting the SELinux policy bringup after the /usr/libexec change lands, because then I can reuse the Fedora policy (which I know works and is a solid base to start from) with a *lot* less patching.

Of course, help will definitely be appreciated, but that's where things stand with me right now.

--
真実はいつも一つ!/ Always, there's only one truth!
Hi,

Took longer than wanted due to missing time for this, but here are first instructions on how to install and enable SELinux on MicroOS (pure MicroOS, no container host or other system roles yet):

MicroOS:

1. Boot with "security=selinux selinux=1"
2. Add "security=selinux selinux=1 enforcing=0" to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
3. zypper ar -f https://download.opensuse.org/repositories/security:/SELinux/openSUSE_Factor... selinux
4. transactional-update shell grub.cfg pkg install selinux-policy-targeted selinux-tools restorecond
   - Edit /etc/selinux/config:
       SELINUX=permissive
       SELINUXTYPE=minimum
   - > load_policy
   - > restorecon -R -e /.snapshots -e /var /
   - systemctl enable restorecond
   - exit
5. reboot
6. restorecon -R -e /.snapshots -e /var/lib/overlay /

In theory, you could now reboot with "enforcing=1", but there seems to be a dependency bug somewhere. dbus will not start. No idea why; on Tumbleweed with the same policy it works fine. So I assume a race condition, Tumbleweed starts much more and needs longer to boot.

Many more open things, maybe somebody knows an answer?

1. How to label .snapshot, /home, /srv, /var, /usr/local in transactional-update shell?
2. Clean up dependencies and packaging, what is really required?
3. /var/lib/selinux and transactional-update
4. Relabel of /tmp during boot (because of tmpfs)
5. Relabel of /run during boot (/run/agetty.reload)
6. Relabel of /sys/kernel/uevent_helper during boot
7. restorecond? RedHat does not install it.

Thorsten
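The steps above set SELinux up in two places at once: SELINUX= in /etc/selinux/config and the "enforcing=0" kernel parameter in GRUB_CMDLINE_LINUX_DEFAULT, and the kernel parameter wins at boot. Forgetting to drop "enforcing=0" from the grub line is an easy way to believe a host is enforcing when it is still permissive. The following pre-flight check is an added example, not code from the thread or from MicroOS; it works out which mode the next boot will actually use and whether the configured SELINUXTYPE has an installed policy. It runs against constructed sample files created in a temp directory; the layout "<policy root>/<SELINUXTYPE>/" for an installed policy is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the
# permissive -> enforcing switch. The enforcing= kernel parameter in
# GRUB_CMDLINE_LINUX_DEFAULT overrides SELINUX= in /etc/selinux/config,
# and neither matters when "security=selinux selinux=1" is missing.
# File paths are parameters so the same functions run against the
# constructed sample files below or against the real files.

# Print the value of KEY=value from an /etc/selinux/config-style file
# (last assignment wins, comment lines never match).
selinux_config_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Return 0 if PARAM is one of the words inside GRUB_CMDLINE_LINUX_DEFAULT="..."
grub_cmdline_has() {
    line=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tail -n 1)
    case " $line " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# effective_mode CONFIG GRUB_DEFAULT -> disabled | permissive | enforcing | unknown
effective_mode() {
    cfg=$1; grub=$2
    if ! grub_cmdline_has "$grub" security=selinux || ! grub_cmdline_has "$grub" selinux=1; then
        echo disabled; return 0
    fi
    mode=$(selinux_config_value "$cfg" SELINUX)
    if [ "$mode" = disabled ]; then
        echo disabled
    elif grub_cmdline_has "$grub" enforcing=1; then
        echo enforcing          # kernel parameter wins over the config file
    elif grub_cmdline_has "$grub" enforcing=0; then
        echo permissive         # the bring-up setting from step 2 still pins permissive
    else
        echo "${mode:-unknown}"
    fi
}

# check_enforce_ready CONFIG GRUB_DEFAULT POLICY_ROOT
# 0 only if the configured policy type is installed and the next boot would enforce.
check_enforce_ready() {
    cfg=$1; grub=$2; root=$3
    type=$(selinux_config_value "$cfg" SELINUXTYPE)
    if [ -z "$type" ] || [ ! -d "$root/$type" ]; then
        echo "SELINUXTYPE='$type' has no policy directory under $root" >&2
        return 1
    fi
    mode=$(effective_mode "$cfg" "$grub")
    if [ "$mode" != enforcing ]; then
        echo "next boot would run '$mode', not enforcing" >&2
        return 1
    fi
    return 0
}

# --- constructed sample inputs (stand-ins for the real files) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/policy/minimum"      # pretend only the "minimum" policy is installed
printf 'SELINUX=permissive\nSELINUXTYPE=minimum\n' > "$DEMO/config.permissive"
printf '# comment line\nSELINUX=enforcing\nSELINUXTYPE=minimum\n' > "$DEMO/config.enforcing"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$DEMO/config.targeted"
printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet security=selinux selinux=1 enforcing=0"\n' > "$DEMO/grub.bringup"
printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet security=selinux selinux=1"\n' > "$DEMO/grub.final"
printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"\n' > "$DEMO/grub.noselinux"

for pair in config.permissive:grub.bringup config.enforcing:grub.bringup \
            config.enforcing:grub.final config.permissive:grub.noselinux; do
    cfg=${pair%%:*}; grub=${pair#*:}
    echo "$cfg + $grub -> $(effective_mode "$DEMO/$cfg" "$DEMO/$grub")"
done
check_enforce_ready "$DEMO/config.enforcing" "$DEMO/grub.final" "$DEMO/policy" && echo "ready for enforcing"
```

On a real host the call would be check_enforce_ready /etc/selinux/config /etc/default/grub /etc/selinux, run before the reboot in step 5 and again before switching to "enforcing=1". Note the second sample pair: SELINUX=enforcing in the config file is silently reduced to permissive as long as "enforcing=0" is still on the grub line.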
On Wed, Jul 29, Thorsten Kukuk wrote:
> In theory, you could now reboot with "enforcing=1", but there seems to be a dependency bug somewhere. dbus will not start.

dbus will not start because of a kernel bug in overlayfs. You need kernel 5.8rc6.

wicked will not start because /tmp is labeled as tmpfs_t; "restorecon /var" followed by "rcnetwork restart" will fix that.

Adjusted systemd and microos-tools are on the way but need more testing first.

Thorsten