Details

    Description

      With SELinux MLS on client side, it is important to make sure that SELinux is properly enforced on all Lustre clients. To that extent, we gather SELinux policy info on client side and send it to servers where it is checked against reference info specified in nodemap.

      We have several patches to implement this. First we add a new field for nodemap entries, named 'sepol'. The purpose of this field is to store the reference SELinux status information for a set of Lustre clients.

      Then we create new functions to retrieve SELinux status information. The SELinux policy info syntax is the following:
      <mode>:<name>:<version>:<sha1>
      where:

      • <mode> is a digit telling if SELinux is in Permissive mode (0)
        or Enforcing mode (1)
      • <name> is the name of the SELinux policy, retrieved from /etc/selinux/config file
      • <version> is the version of the SELinux policy
      • <sha1> is the computed SHA1 of the binary representation of the
        policy, as exported in /etc/selinux/<name>/policy/policy.<version> 

      Due to the lack of necessary kernel API to get this information, we use a usermode helper called l_getsepol. It could impact performance, so we only call it when we detect SELinux policy has changed. Having to call a usermode helper is not really a security flaw in itself. Of course, if a user can be root on client node, the usermode helper could be hacked to return a value that does not represent the actual SELinux status. But Lustre kernel code can also be modified and recompiled to do the same. So a full security solution is to complement SELinux status checking with authentication (Kerberos or Shared Key) to avoid having a Lustre client where user is root and can do anything.

      Userland command l_getsepol can be called by a security administrator to get SELinux status information to store into 'sepol' field of nodemap.

      We also modify Lustre code that handles connection and metadata operations like create, open, unlink, rename, getxattr, and setxattr, both on client and server sides. On client side, it uses newly added functions to retrieve SELinux policy info and add it to the requests. On server side, it retrieves info from requests' body and compares it with reference info from nodemap entry. If they do not match, we return Permission Denied.

      Thanks,
      Sebastien.
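The following is an added example, not Lustre or l_getsepol code: it models the `<mode>:<name>:<version>:<sha1>` string from the description, building it on the client from a constructed in-memory policy blob (standing in for /etc/selinux/<name>/policy/policy.<version>) and checking it on the server against a nodemap reference, with any mismatch or malformed value treated as Permission Denied. The function names, the policy name and the sample bytes are assumptions made for the example.

```python
import hashlib
import re

# Syntax from LU-8955: <mode>:<name>:<version>:<sha1>
# mode is 0 (Permissive) or 1 (Enforcing); sha1 is the hex digest of the
# binary policy file. Policy name pattern is an assumption for this example.
SEPOL_RE = re.compile(r"^([01]):([A-Za-z0-9_.-]+):(\d+):([0-9a-f]{40})$")


def build_sepol(enforcing: bool, policy_name: str, version: int, policy_blob: bytes) -> str:
    """Client side (what l_getsepol is described as gathering), computed here
    from constructed bytes rather than the real policy file on disk."""
    sha1 = hashlib.sha1(policy_blob).hexdigest()
    return f"{1 if enforcing else 0}:{policy_name}:{version}:{sha1}"


def parse_sepol(sepol: str):
    """Split a sepol string into its four fields; None if it is malformed."""
    m = SEPOL_RE.match(sepol)
    if not m:
        return None
    mode, name, version, sha1 = m.groups()
    return {"mode": int(mode), "name": name, "version": int(version), "sha1": sha1}


def server_check(request_sepol: str, nodemap_sepol: str):
    """Server side: compare the sepol carried in the request with the 'sepol'
    reference stored in the nodemap entry. Returns (allowed, reason); the
    reason names the first differing field so a denial can be logged usefully.
    A value that does not parse is denied as well, never silently accepted."""
    req = parse_sepol(request_sepol)
    ref = parse_sepol(nodemap_sepol)
    if req is None or ref is None:
        return False, "malformed sepol"
    for field in ("mode", "name", "version", "sha1"):
        if req[field] != ref[field]:
            return False, f"{field} mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the client's policy is Enforcing, the nodemap
    # reference was recorded from a Permissive client, so access is denied.
    reference = build_sepol(False, "mls", 31, b"constructed-policy-bytes")
    request = build_sepol(True, "mls", 31, b"constructed-policy-bytes")
    print(server_check(request, reference))
```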

          Activity

            [LU-8955] Send SELinux policy info to server

            Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34643/
            Subject: LU-8955 tests: exercise SELinux policy info
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set:
            Commit: bda312cfe63939e0b664c6b8074b72667086bbc4


            Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34642/
            Subject: LU-8955 ptlrpc: manage SELinux policy info for metadata ops
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set:
            Commit: 88bb40aa14d9b72fcae168307fd76cc4dd40dc18


            Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34641/
            Subject: LU-8955 ptlrpc: manage SELinux policy info at connect time
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set:
            Commit: 70aea00ecb39d097677d7852f3676abf088adb0d


            Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34640/
            Subject: LU-8955 sec: create new function sptlrpc_get_sepol()
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set:
            Commit: 781e1df5c936c42ce4f9df205c3ad19c78580b8b


            Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34639/
            Subject: LU-8955 nodemap: add SELinux policy info to nodemap
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set:
            Commit: f1c8a02d75a83f0f2056437af3c5ab42ef2b1673


            Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34638/
            Subject: LU-8955 cfg: reserve flags for SELinux status checking
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set:
            Commit: 60e12ac3a7b0e3c1f00d4ce17b39d617a092417a


            Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34643
            Subject: LU-8955 tests: exercise SELinux policy info
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set: 1
            Commit: e776217ce07d69475ed22038f65041120ab3a5c5


            Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34642
            Subject: LU-8955 ptlrpc: manage SELinux policy info for metadata ops
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set: 1
            Commit: c519d65c60b2350c01b4c3cf7c1289b48809a20a


            Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34641
            Subject: LU-8955 ptlrpc: manage SELinux policy info at connect time
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set: 1
            Commit: bb70394d36ac36f081de570a6b1f8b827dd89b57


            Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34640
            Subject: LU-8955 sec: create new function sptlrpc_get_sepol()
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set: 1
            Commit: d0b1e1f0c630a0d68f7075e6595cb5f80b81bb6d


            People

              sebastien Sebastien Buisson
              sbuisson Sebastien Buisson (Inactive)