[LU-8955] Send SELinux policy info to server Created: 19/Dec/16  Updated: 17/Feb/23  Resolved: 08/Apr/19

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: Lustre 2.13.0, Lustre 2.12.1

Type: Improvement Priority: Minor
Reporter: Sebastien Buisson (Inactive) Assignee: Sebastien Buisson
Resolution: Fixed Votes: 0
Labels: patch, sec

Issue Links:
Related
is related to LU-13095 Cancel locks in ELC list when errors ... Open
is related to LU-6784 Defects in SELinux support Resolved
is related to LU-13525 struct sepol_downcall_data is badly f... Resolved
is related to LU-11960 Add missing libssl-dev DEB package Resolved
is related to LU-11914 Build error for l_getsepol.c due to m... Resolved
is related to LU-16566 rq_sepol makes ptlrpc_request exceed ... Resolved

Description

With SELinux MLS on client side, it is important to make sure that SELinux is properly enforced on all Lustre clients. To that extent, we gather SELinux policy info on client side and send it to servers where it is checked against reference info specified in nodemap.

We have several patches to implement this. First we add a new field for nodemap entries, named 'sepol'. The purpose of this field is to store the reference SELinux status information for a set of Lustre clients.

Then we create new functions to retrieve SELinux status information. The SELinux policy info syntax is the following:
<mode>:<name>:<version>:<sha1>
where:

  • <mode> is a digit telling if SELinux is in Permissive mode (0)
    or Enforcing mode (1)
  • <name> is the name of the SELinux policy, retrieved from /etc/selinux/config file
  • <version> is the version of the SELinux policy
  • <sha1> is the computed SHA1 of the binary representation of the
    policy, as exported in /etc/selinux/<name>/policy/policy.<version> 

Due to the lack of necessary kernel API to get this information, we use a usermode helper called l_getsepol. It could impact performance, so we only call it when we detect SELinux policy has changed. Having to call a usermode helper is not really a security flaw in itself. Of course, if a user can be root on client node, the usermode helper could be hacked to return a value that does not represent the actual SELinux status. But Lustre kernel code can also be modified and recompiled to do the same. So a full security solution is to complement SELinux status checking with authentication (Kerberos or Shared Key) to avoid having a Lustre client where user is root and can do anything.

Userland command l_getsepol can be called by a security administrator to get SELinux status information to store into 'sepol' field of nodemap.

We also modify Lustre code that handles connection and metadata operations like create, open, unlink, rename, getxattr, and setxattr, both on client and server sides. On client side, it uses newly added functions to retrieve SELinux policy info and add it to the requests. On server side, it retrieves info from requests' body and compares it with reference info from nodemap entry. If they do not match, we return Permission Denied.

Thanks,
Sebastien.
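The two halves described above (composing `<mode>:<name>:<version>:<sha1>` on the client and comparing it with the nodemap 'sepol' reference on the server) are worked through below as an added example. It is not Lustre code and not l_getsepol: Lustre implements this in C inside ptlrpc/mdt, while this is a stand-alone Python model of the same check. All inputs (the /etc/selinux/config text, the policy version 31 and the policy blob) are constructed samples rather than read from a live system, and the rule that an empty nodemap reference disables the check is an assumption made here, not something stated in the ticket.

```python
"""Model of the LU-8955 SELinux policy info check (added example, not Lustre code).

Wire/nodemap format from the ticket:  <mode>:<name>:<version>:<sha1>
  mode    0 = Permissive, 1 = Enforcing
  name    SELINUXTYPE from /etc/selinux/config
  version SELinux policy version
  sha1    SHA1 of the binary policy file
"""
import hashlib
import hmac
import re

# Strict pattern for the format: a 0/1 digit, a policy name, a decimal
# version and exactly 40 lowercase hex characters.
SEPOL_RE = re.compile(
    r"^(?P<mode>[01]):(?P<name>[A-Za-z0-9_.-]+):(?P<version>\d+):(?P<sha1>[0-9a-f]{40})$"
)

# Constructed sample inputs standing in for the files l_getsepol would read.
SAMPLE_CONFIG = """\
# Constructed sample of /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
"""
SAMPLE_POLICY = b"constructed binary policy blob, not a real policy.31 file"
SAMPLE_VERSION = 31


def selinux_type_from_config(config_text: str) -> str:
    """Return the SELINUXTYPE value from the text of /etc/selinux/config."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SELINUXTYPE":
            return value.strip()
    raise ValueError("SELINUXTYPE not found in SELinux config")


def build_sepol(enforcing: bool, config_text: str, version: int, policy_blob: bytes) -> str:
    """Client side: compose the policy info string from the raw inputs."""
    mode = 1 if enforcing else 0
    name = selinux_type_from_config(config_text)
    digest = hashlib.sha1(policy_blob).hexdigest()
    return f"{mode}:{name}:{version}:{digest}"


def parse_sepol(sepol: str) -> dict:
    """Split a policy info string into its fields; reject anything off-format."""
    m = SEPOL_RE.match(sepol)
    if not m:
        raise ValueError(f"malformed sepol string: {sepol!r}")
    return m.groupdict()


def check_sepol(reference: str, received: str) -> bool:
    """Server side: compare the client's string with the nodemap reference.

    True means the connect/metadata request may proceed; False models the
    Permission Denied the ticket describes.  Assumption (not from the ticket):
    an empty reference means the nodemap performs no SELinux check.
    """
    if reference == "":
        return True
    try:
        parse_sepol(reference)   # fail closed on an unparsable reference
        parse_sepol(received)    # and on an off-format client report
    except ValueError:
        return False
    # Length-independent comparison so the SHA1 tail leaks nothing by timing.
    return hmac.compare_digest(reference.encode(), received.encode())


# Reference value an administrator would store in the nodemap 'sepol' field.
SAMPLE_SEPOL = build_sepol(True, SAMPLE_CONFIG, SAMPLE_VERSION, SAMPLE_POLICY)


def demo() -> dict:
    """Run the server-side check over several constructed client reports."""
    cases = {
        "matching client": build_sepol(True, SAMPLE_CONFIG, SAMPLE_VERSION, SAMPLE_POLICY),
        "permissive client": build_sepol(False, SAMPLE_CONFIG, SAMPLE_VERSION, SAMPLE_POLICY),
        "modified policy": build_sepol(True, SAMPLE_CONFIG, SAMPLE_VERSION, SAMPLE_POLICY + b"\x00"),
        "other policy name": build_sepol(True, "SELINUXTYPE=mls\n", SAMPLE_VERSION, SAMPLE_POLICY),
        "malformed report": "1:targeted:31:not-a-sha1",
    }
    return {label: check_sepol(SAMPLE_SEPOL, report) for label, report in cases.items()}


if __name__ == "__main__":
    print("reference:", SAMPLE_SEPOL)
    for label, allowed in demo().items():
        print(f"{label:18s} -> {'allowed' if allowed else 'EACCES'}")
```

Only the "matching client" case passes; a client running Permissive, a client whose policy binary differs by one byte, a client with a different policy name, and an off-format report are all refused. This mirrors the ticket's point that the check is on the whole tuple, not just the mode flag.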

Comments
Comment by Gerrit Updater [ 19/Dec/16 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/24420
Subject: LU-8955 nodemap: add SELinux policy info to nodemap
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: cd3e262bcac5d076dcba542014374326a20ce992

Comment by Gerrit Updater [ 19/Dec/16 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/24421
Subject: LU-8955 sec: create new function sptlrpc_get_sepol()
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 4dc6046043108c203d3fdfca65c678e4be178c4c

Comment by Gerrit Updater [ 19/Dec/16 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/24422
Subject: LU-8955 ptlrpc: manage SELinux policy info at connect time
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 7126749a74558b7d806a89a573c4695c14aae577

Comment by Gerrit Updater [ 19/Dec/16 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/24423
Subject: LU-8955 tgt: check SELinux policy info from client at connect
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 7d560687068a98c545be3e4e6176570064eb76b0

Comment by Gerrit Updater [ 19/Dec/16 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/24424
Subject: LU-8955 mdc: add SELinux policy info to metadata ops
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 3ffcbf0a6ac832896ad7a579c3349ddeafc45d97

Comment by Gerrit Updater [ 19/Dec/16 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/24425
Subject: LU-8955 mdt: check SELinux policy from client for metadata op
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: af43afa7d5232def1d7b6ee918629fb3e0d2e7cc

Comment by Sebastien Buisson (Inactive) [ 19/Dec/16 ]

I can see the compilation is failing because of the following error:

l_getsepol.c:49:25: fatal error: openssl/sha.h: No such file or directory
#include <openssl/sha.h>

Is it possible to have openssl-devel package installed on build hosts?

Comment by Gerrit Updater [ 21/Nov/18 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/33699
Subject: LU-8955 tests: exercise SELinux policy info
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 949361f586d1b85a4e401509ed5be789c2543495

Comment by Gerrit Updater [ 06/Dec/18 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/33797
Subject: LU-8955 cfg: reserve config flag LCFG_NODEMAP_SET_SEPOL
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: d514a35036d8c140eeca8a1d24a10ab551453388

Comment by Gerrit Updater [ 16/Jan/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/33797/
Subject: LU-8955 cfg: reserve flags for SELinux status checking
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: e71a77ba8d47279ed6a2704d5677e601e9cb80bb

Comment by Gerrit Updater [ 30/Jan/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/24420/
Subject: LU-8955 nodemap: add SELinux policy info to nodemap
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 1f6cb3534e74f0c9462008c8088b5734b64ed41c

Comment by Gerrit Updater [ 30/Jan/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/24421/
Subject: LU-8955 sec: create new function sptlrpc_get_sepol()
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: c61168239eff571aefc2a695ef12ae355230e611

Comment by Gerrit Updater [ 01/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/24422/
Subject: LU-8955 ptlrpc: manage SELinux policy info at connect time
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: dd200e5530fd841999399f6dcafb5ded46ba3cf1

Comment by Gerrit Updater [ 01/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/24424/
Subject: LU-8955 ptlrpc: manage SELinux policy info for metadata ops
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 0a773f04b28860c3748f9f1460818b8461c96ad1

Comment by Gerrit Updater [ 08/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/33699/
Subject: LU-8955 tests: exercise SELinux policy info
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 1796539799e2798caa80799e957faa03ef6af1a5

Comment by Minh Diep [ 08/Apr/19 ]

Landed in 2.13

Comment by Gerrit Updater [ 11/Apr/19 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34638
Subject: LU-8955 cfg: reserve flags for SELinux status checking
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: e4828d556dfed3729ea578ac74dcef50b0c4f032

Comment by Gerrit Updater [ 11/Apr/19 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34639
Subject: LU-8955 nodemap: add SELinux policy info to nodemap
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: 1444ee8fc74430230ae2c46f9f925fd4e3252107

Comment by Gerrit Updater [ 11/Apr/19 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34640
Subject: LU-8955 sec: create new function sptlrpc_get_sepol()
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: d0b1e1f0c630a0d68f7075e6595cb5f80b81bb6d

Comment by Gerrit Updater [ 11/Apr/19 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34641
Subject: LU-8955 ptlrpc: manage SELinux policy info at connect time
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: bb70394d36ac36f081de570a6b1f8b827dd89b57

Comment by Gerrit Updater [ 11/Apr/19 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34642
Subject: LU-8955 ptlrpc: manage SELinux policy info for metadata ops
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: c519d65c60b2350c01b4c3cf7c1289b48809a20a

Comment by Gerrit Updater [ 11/Apr/19 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/34643
Subject: LU-8955 tests: exercise SELinux policy info
Project: fs/lustre-release
Branch: b2_12
Current Patch Set: 1
Commit: e776217ce07d69475ed22038f65041120ab3a5c5

Comment by Gerrit Updater [ 16/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34638/
Subject: LU-8955 cfg: reserve flags for SELinux status checking
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 60e12ac3a7b0e3c1f00d4ce17b39d617a092417a

Comment by Gerrit Updater [ 16/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34639/
Subject: LU-8955 nodemap: add SELinux policy info to nodemap
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: f1c8a02d75a83f0f2056437af3c5ab42ef2b1673

Comment by Gerrit Updater [ 16/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34640/
Subject: LU-8955 sec: create new function sptlrpc_get_sepol()
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 781e1df5c936c42ce4f9df205c3ad19c78580b8b

Comment by Gerrit Updater [ 16/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34641/
Subject: LU-8955 ptlrpc: manage SELinux policy info at connect time
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 70aea00ecb39d097677d7852f3676abf088adb0d

Comment by Gerrit Updater [ 16/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34642/
Subject: LU-8955 ptlrpc: manage SELinux policy info for metadata ops
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: 88bb40aa14d9b72fcae168307fd76cc4dd40dc18

Comment by Gerrit Updater [ 16/Apr/19 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/34643/
Subject: LU-8955 tests: exercise SELinux policy info
Project: fs/lustre-release
Branch: b2_12
Current Patch Set:
Commit: bda312cfe63939e0b664c6b8074b72667086bbc4

Generated at Sat Feb 10 02:21:59 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.