Details
-
Improvement
-
Resolution: Fixed
-
Minor
-
None
-
9223372036854775807
Description
With SELinux MLS on client side, it is important to make sure that SELinux is properly enforced on all Lustre clients. To that extent, we gather SELinux policy info on client side and send it to servers where it is checked against reference info specified in nodemap.
We have several patches to implement this. First we add a new field for nodemap entries, named 'sepol'. The purpose of this field is to store the reference SELinux status information for a set of Lustre clients.
Then we create new functions to retrieve SELinux status information. The SELinux policy info syntax is the following:
<mode>:<name>:<version>:<sha1>
where:
- <mode> is a digit telling if SELinux is in Permissive mode (0)
or Enforcing mode (1) - <name> is the name of the SELinux policy, retrieved from /etc/selinux/config file
- <version> is the version of the SELinux policy
- <sha1> is the computed SHA1 of the binary representation of the
policy, as exported in /etc/selinux/<name>/policy/policy.<version>
Due to the lack of necessary kernel API to get this information, we use a usermode helper called l_getsepol. It could impact performance, so we only call it when we detect SELinux policy has changed. Having to call a usermode helper is not really a security flaw in itself. Of course, if a user can be root on client node, the usermode helper could be hacked to return a value that does not represent the actual SELinux status. But Lustre kernel code can also be modified and recompiled to do the same. So a full security solution is to complement SElinux status checking with authentication (Kerberos or Shared Key) to avoid having a Lustre client where user is root and can do anything.
Userland command l_getsepol can be called by a security administrator to get SELinux status information to store into 'sepol' field of nodemap.
We also modify Lustre code that handles connection and metadata operations like create, open, unlink, rename, getxattr, and setxatt, both on client and server sides. On client side, it uses newly added functions to retrieve SELinux policy info and add it to the requests. On server side, it retrieves info from requests' body and compare it with reference info from nodemap entry. If they do not match, we return Permission Denied.
Thanks,
Sebastien.
Attachments
Issue Links
- is related to
-
LU-13095 Cancel locks in ELC list when errors occurs
-
- Open
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
Activity
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34642/
Subject: LU-8955 ptlrpc: manage SELinux policy info for metadata ops
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 88bb40aa14d9b72fcae168307fd76cc4dd40dc18
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34641/
Subject: LU-8955 ptlrpc: manage SELinux policy info at connect time
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 70aea00ecb39d097677d7852f3676abf088adb0d
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34640/
Subject: LU-8955 sec: create new function sptlrpc_get_sepol()
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 781e1df5c936c42ce4f9df205c3ad19c78580b8b
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34639/
Subject: LU-8955 nodemap: add SELinux policy info to nodemap
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: f1c8a02d75a83f0f2056437af3c5ab42ef2b1673
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34638/
Subject: LU-8955 cfg: reserve flags for SELinux status checking
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 60e12ac3a7b0e3c1f00d4ce17b39d617a092417a
Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34643
Subject: LU-8955 tests: exercise SELinux policy info
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: e776217ce07d69475ed22038f65041120ab3a5c5
Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34642
Subject: LU-8955 ptlrpc: manage SELinux policy info for metadata ops
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: c519d65c60b2350c01b4c3cf7c1289b48809a20a
Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34641
Subject: LU-8955 ptlrpc: manage SELinux policy info at connect time
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: bb70394d36ac36f081de570a6b1f8b827dd89b57
Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34640
Subject: LU-8955 sec: create new function sptlrpc_get_sepol()
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: d0b1e1f0c630a0d68f7075e6595cb5f80b81bb6d
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34643/
Subject:
LU-8955tests: exercise SELinux policy infoProject: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: bda312cfe63939e0b664c6b8074b72667086bbc4