- Feature Request
- Resolution: Won't Do
- Normal
- None
- 6.12.0
1. Proposed title of this feature request
yggdrasil processes should be confined by SELinux
2. Who is the customer behind the request?
3. What is the nature and description of the request?
Remote execution processes (yggdrasil, previously goferd) currently run as SELinux unconfined.
The request is to confine these processes as much as possible on RHEL 8 and newer.
4. Why does the customer need this? (List the business requirements here)
Euroclear's audit and compliance requirements mandate that all daemons running as root should be SELinux confined.
As a major financial institution Euroclear needs to adhere to very strict compliance rules.
Any system outage can have an impact on major Stock Exchanges across Europe and even the world.
5. How would the customer like to achieve this? (List the functional requirements here)
Have the remote execution processes run as SELinux confined processes.
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Verify that processes are running with the expected SELinux context.
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No RFE. However, in an email exchange, Link Dupont, one of the project contributors, mentioned that work to confine the processes is underway and is expected to land in RHEL 9.0. Euroclear still has a large investment in RHEL8 and wants to have this improvement available in RHEL8 as well.
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?
Euroclear is actively working on upgrading their systems to RHEL9 but they still have a large number of RHEL8 systems. Therefore it is important for them to have this in RHEL8 and up.
9. Is the sales team involved in this request and do they have any additional input?
Not at this point.
10. List any affected packages or components.
yggdrasil
11. Would the customer be able to assist in testing this functionality if implemented?
Yes
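One way to run the check from item 6, as an added example that is not part of the original request: a POSIX shell filter over `ps -eo label,user,pid,comm` output that lists root-owned processes still running in an unconfined SELinux domain. The list of unconfined types, the process name `yggdrasild` and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report root-owned processes that run in an unconfined
# SELinux domain. Input lines have the form "LABEL USER PID COMM", as
# produced by `ps -eo label,user,pid,comm --no-headers`.

# Assumption: types counted as "unconfined" under the targeted policy.
# Adjust this list to the policy actually loaded on the host.
UNCONFINED_TYPES="unconfined_t unconfined_service_t initrc_t"

# selinux_type LABEL: print the type, the third field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# unconfined_root_procs [NAME_SUBSTRING]
# Reads process lines on stdin and prints "PID COMM TYPE" for every process
# owned by root whose type is in UNCONFINED_TYPES. With NAME_SUBSTRING, only
# commands containing that substring are considered.
unconfined_root_procs() {
    pattern="${1:-}"
    while read -r label user pid comm; do
        [ "$user" = "root" ] || continue
        case "$comm" in *"$pattern"*) ;; *) continue ;; esac
        setype=$(selinux_type "$label")
        for t in $UNCONFINED_TYPES; do
            if [ "$setype" = "$t" ]; then
                printf '%s %s %s\n' "$pid" "$comm" "$setype"
            fi
        done
    done
}

# Constructed sample input (not captured from a real host).
sample_ps() {
    cat <<'EOF'
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1021 sshd
system_u:system_r:unconfined_service_t:s0 root 2210 yggdrasild
system_u:system_r:unconfined_service_t:s0 root 2231 example-worker
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 alice 3050 bash
system_u:system_r:init_t:s0 root 1 systemd
EOF
}

# Offline demonstration on the sample. On a live host, replace sample_ps with:
#   ps -eo label,user,pid,comm --no-headers
sample_ps | unconfined_root_procs yggdrasil
```

An empty result for the `yggdrasil` filter means no matching root process was found in one of the listed unconfined types; running the filter without an argument covers the broader audit rule for all root daemons.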