Repository files navigation

This a daemon that has the purpose of installing and removing policies as they arelaid in a specific directory. This directory is/etc/selinux.d by default.

The intent is to follow a infrastructure-as-code approach for installing SELinuxpolicies. With this, installing policies is a matter of persisting policy filesin a specific directory, which the daemon will immediately pick up and try toinstall them.

Golang 1.15 and GNU make are required. In Fedora 33, the installation is a matter of doing:

$ sudo dnf install golang make libsemanage-devel policycoreutils

With this, you can build the daemon's binary withmake build, or simplymake. the binary will be persisted to thebin/ directory.

Once you have built the binary, simply do:

$ sudo ./bin/selinuxdctl daemon

or

$ make run

Note thatsudo is needed as it'll attempt to install SELinux policies, whichrequires root. Also note that therun target will attempt to create/etc/selinux.d.

This will:

• Listen for file changes in the/etc/selinux.d directory

  • When a file is added or modified, it'll attempt to install the policy

  • When a file is removed, it'll uninstall the policy

With the daemon running, do:

$ sudo cp tests/data/testport.cil /etc/selinux.d/

Notice that the policy will be installed in the system shortly:

$ sudo semodule -l | grep testport

Now, remove the policy:

$ sudo rm /etc/selinux.d/testport.cil

Notice that the policy will no longer be there:

$ sudo semodule -l | grep testport

This enables an easy way to install policies by establishing intent, as opposed tohaving to tell a system how to do things. This way, all we need to do is tell a systemthat we want a file in a specific path in the file system, and the rest will be taken care of.

SELinux policies often are used to secure workloads on nodes and should betreated as part of the workload deployment. By getting this daemon to dynamicallyinstall and track these policies, we're able to more closely link the policiesto the workloads that require them. Policies, in this context, are notconfiguration files for the node, but instead and statements on how to secure arunning workload.

TheMachine Config Operatoris anoperator thatensures that the nodes belonging to an OpenShift cluster are in a certain state.

If this daemon would be running on a node in the cluster, all we would need to doto install a policy is:

apiVersion: machineconfiguration.openshift.io/v1kind: MachineConfigmetadata:  labels:    machineconfiguration.openshift.io/role: worker  name: 50-example-sepolicyspec:  config:    ignition:      version: 2.2.0    storage:      files:      - contents:          source: data:,%3B%20Declare%20a%20test_port_t%20type%0A%28type%20test_port_t%29%0A%3B%20Assign%20the%20type%20to%20the%20object_r%20role%0A%28roletype%20object_r%20test_port_t%29%0A%0A%3B%20Assign%20the%20right%20set%20of%20attributes%20to%20the%20port%0A%28typeattributeset%20defined_port_type%20test_port_t%29%0A%28typeattributeset%20port_type%20test_port_t%29%0A%0A%3B%20Declare%20tcp%3A1440%20as%20test_port_t%0A%28portcon%20tcp%201440%20%28system_u%20object_r%20test_port_t%20%28%28s0%29%20%28s0%29%29%29%29        filesystem: root        mode: 0600        path: /etc/selinux.d/testport.cil

ThisMachineConfig object tells the operator to put the policy in the specified path, withthe specified permissions. Note that the policy is URL encoded dueto what theignition format requires.

Without this daemon, each policy installation would require us to persist the fileon the node, then run a one-off systemd unit to install the policy. As policiesget added to the system, the number of systemd units increases, which is neither scalablenor user-friendly.

This daemon is currently being usedin the security-profiles-operator in order to dothe heavy lifting of installing SELinux policies. The operator itself manages the policiesas Kubernetes objects, and the daemon makes sure that they are actually installed inthe nodes of the cluster.