Spike
Resolution: Done
Overview
This spike is to understand the fundamentals of the https://github.com/openshift/security-profiles-operator and how to implement specific SELinux profiles so that the node-observability-agent container no longer needs to run as "privileged".
Tasks
- Read through and understand the operator
- Deploy the operator
- Implement the base_container.cil and deploy it via the operator to all nodes
- Implement the agent.cil via the operator to all nodes
- Remove the operator once all nodes have been successfully updated
Outcome
If this is feasible, create the necessary stories to realize the work.
If not, create a document showing how the cluster-admin can accomplish the above manually.
Scripts to implement - agent.cil
Template the block inherits from: /usr/share/udica/templates/net_container.cil

    (block agent
        (blockinherit net_container)
        (type process)
        (type socket)
        (roletype system_r process)
        (typeattributeset domain (process))
        (typeattributeset container_domain (process))
        (typeattributeset svirt_sandbox_domain (process))
        (typeattributeset file_type (socket))
        ; symlinks under the container runtime's tmpfs
        ; (read_lnk_file_perms is a refpolicy m4 macro, not a CIL permission, so it is not listed here)
        (allow process container_runtime_tmpfs_t (lnk_file (create open getattr setattr read write rename link unlink ioctl lock append)))
        ; unix sockets: the agent's own socket type and the runtime's run directory
        (allow process socket (sock_file (create open getattr setattr read write rename link unlink ioctl lock append)))
        (allow process container_var_run_t (sock_file (create open getattr setattr read write rename link unlink ioctl lock append)))
        ; bind and listen on the http port
        (allow process http_port_t (tcp_socket (name_bind)))
        (allow process node_t (tcp_socket (node_bind)))
        (allow process process (tcp_socket (listen)))
        ; talk to the container runtime over its unix stream socket
        (allow process container_runtime_t (unix_stream_socket (connectto)))
        ; read-only access to /proc and cpu online state
        (allow process proc_type (file (getattr open read)))
        (allow process cpu_online_t (file (getattr open read)))
        ; the runtime manages the agent's kernel keyring
        (allow container_runtime_t process (key (create link read search setattr view write)))
    )
This can be executed manually on each node (base_container.cil, which net_container inherits from, must already be installed) using:

    semodule -i agent.cil /usr/share/udica/templates/net_container.cil
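Before rolling a custom policy out to every node it is worth listing exactly what it grants and which templates it depends on. The following is an added review helper, not part of the ticket or the operator; it uses only the Python standard library, and the embedded policy is an excerpt of the agent block above.

```python
"""Parse a udica-style CIL block and summarise what it grants (review aid)."""
import re

# Constructed sample: an excerpt of the agent block from the ticket.
AGENT_CIL = """
(block agent (blockinherit net_container)
  (type process) (type socket)
  ; bind the http port
  (allow process http_port_t (tcp_socket (name_bind)))
  (allow process container_var_run_t (sock_file (create open getattr setattr read write rename link unlink ioctl lock append)))
  (allow process container_runtime_t (unix_stream_socket (connectto)))
  (allow container_runtime_t process (key (create link read search setattr view write))))
"""

# Permissions that change state; these are the rules a reviewer should scrutinise.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr", "connectto"}


def parse_cil(text):
    """Turn CIL text into nested Python lists; atoms stay strings, ';' comments are dropped."""
    text = re.sub(r";[^\n]*", "", text)
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses in CIL")
    return stack[0]


def walk(node):
    """Yield every list node of the tree, depth first."""
    if isinstance(node, list):
        yield node
        for child in node:
            yield from walk(child)


def inherited_blocks(tree):
    """Names given to blockinherit: the templates that must exist on the node."""
    return [n[1] for n in walk(tree) if n and n[0] == "blockinherit"]


def allow_rules(tree):
    """Return (source, target, class, frozenset(perms)) for each allow rule with an inline perm list."""
    rules = []
    for n in walk(tree):
        if n and n[0] == "allow" and len(n) == 4 and isinstance(n[3], list) and len(n[3]) == 2:
            cls, perms = n[3]
            rules.append((n[1], n[2], cls, frozenset(perms)))
    return rules


def write_grants(tree):
    """Subset of allow rules that grant any write-like permission."""
    return [r for r in allow_rules(tree) if r[3] & WRITE_LIKE]
```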
Is cloned by: CFE-390 As a developer I want to implement the use of the openshift security-profile-operator to deploy custom SELinux scripts into each node so that I can mitigate the need for executing a container as privileged (status: To Do)