OpenShift & SELinux

Dan Walsh
Twitter: @rhatdan
Blog: danwalsh.livejournal.com
Email: dwalsh@redhat.com
SELinux is a LABELING System
●   Everything has a label
    –   Processes, files, directories, character and block devices, ports, network nodes.
●   SELinux policy defines which accesses are allowed between process labels and every other label.
●   The kernel enforces the decision; an application cannot opt out of it.
Security Goals
●   Decide the security goal before writing policy: the closest thing to minimal access that still lets the confined application do its job, and no ability to affect other applications (see the speaker notes below).
●   Illustration: http://en.wikipedia.org/wiki/Maginot_line
SELinux is Type Enforcement
●   system_u:system_r:openshift_t:s0:c1,c2
    –   user:role:type:level; Type Enforcement rules are written against the third field, the type
●   Types the policy defines for OpenShift:
seinfo -t | grep openshift
openshift_mail_tmp_t, httpd_openshift_content_t, openshift_cgroup_read_tmp_t,
openshift_initrc_tmp_t, openshift_var_lib_t, openshift_var_run_t, openshift_app_t,
openshift_min_t, openshift_net_t, openshift_tmp_t, openshift_min_app_t,
openshift_net_app_t, openshift_cgroup_read_t, httpd_openshift_script_exec_t,
openshift_cron_tmp_t, openshift_initrc_t, httpd_openshift_script_t,
openshift_cron_exec_t, openshift_initrc_exec_t, openshift_rw_file_t,
openshift_log_t, openshift_cron_t, openshift_mail_t, openshift_port_t,
httpd_openshift_ra_content_t, httpd_openshift_rw_content_t,
httpd_openshift_htaccess_t, openshift_cgroup_read_exec_t, openshift_t,
openshift_tmpfs_t
SELinux is Type Enforcement
●   Process labels can appear on files, but file labels cannot be on processes
●   openshift_t -> process (domain) type
●   openshift_var_lib_t -> file type
SELinux is MCS
●   system_u:system_r:openshift_t:s0:c1,c2
●   Multi-Category Security: the level field (s0:c1,c2) after the type
●   MCS separates instances of the same type from each other: every gear runs as openshift_t, but gears with different category pairs are completely separated
●   openshift_t:s0:c1,c2 -> may access openshift_var_lib_t:s0:c1,c2
●   openshift_t:s0:c3,c4 -> may access openshift_var_lib_t:s0:c3,c4, but not openshift_var_lib_t:s0:c1,c2
Libvirt – Dynamic Labeling in action
[Diagram: two processes, openshift_t:MCS1 and openshift_t:MCS2, run above the kernel's SELinux layer, which sits between them and the host hardware (memory, storage, etc.); each process's storage carries the matching MCS label, and SELinux blocks either process from reaching the other's resources.]
MCS Labeling based on UID
def gen_level(uid):
    """Map a gear UID to a unique MCS category pair 's0:cA,cB'.
    Assumes 1 <= uid <= 523776: uid 0 yields the degenerate pair c0,c0,
    and larger UIDs never terminate once TIER reaches 0."""
    SETSIZE = 1023          # categories c0..c1023 are available in the policy
    TIER = SETSIZE
    ORD = uid
    while ORD > TIER:       # walk down the tiers until the ordinal fits
        ORD = ORD - TIER
        TIER = TIER - 1
    TIER = SETSIZE - TIER   # first category: number of tiers consumed
    ORD = ORD + TIER        # second category: always greater than the first
    return "s0:c%d,c%d" % (TIER, ORD)
How do the labels get on gears
●   Host receives a packet for a gear
    –   The OpenShift node
        ●   launches the application with the correct SELinux label (type plus the gear's MCS pair)
        ●   forwards the packet to the application
●   If the connection comes in via git or ssh
    –   sshd uses pam_openshift
        ●   to launch the shell in the correct context
        ●   to launch git in the correct context
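The MCS section, the gen_level() algorithm and the "how labels get on gears" steps above, pulled together in an added example (illustrative code, not from the slides or from the OpenShift code base). It re-implements gen_level() with a range guard, checks the dominance property that MCS separation relies on (no gear's category pair may be a superset of another's), and audits constructed `ps -eZ`-style output for gear processes whose label does not match their UID. The gear-UID threshold of 500, the ps column layout and the sample lines are assumptions made for the example.

```python
"""Added example: derive a gear's MCS level from its UID, verify the
property MCS separation depends on, and audit process labels the way a
node admin would after `ps -eZ`. Not code from the slides or OpenShift."""
import re
from itertools import combinations

SETSIZE = 1023                           # stock policy: categories c0..c1023
MAX_UID = SETSIZE * (SETSIZE + 1) // 2   # 523776 distinct unordered pairs


def gen_level(uid):
    """Map a gear UID to 's0:cA,cB' (algorithm from the slide, plus a guard:
    uid 0 would give the degenerate pair c0,c0 and uids past MAX_UID would
    loop forever once the tier counter reaches 0)."""
    if not 1 <= uid <= MAX_UID:
        raise ValueError("uid %d has no category pair" % uid)
    tier, ordinal = SETSIZE, uid
    while ordinal > tier:
        ordinal -= tier
        tier -= 1
    tier = SETSIZE - tier
    ordinal += tier
    return "s0:c%d,c%d" % (tier, ordinal)


def categories(level):
    """'s0:c1,c2' -> {1, 2}; a plain 's0' -> empty set."""
    m = re.fullmatch(r"s0(?::(c\d+(?:,c\d+)*))?", level)
    if not m:
        raise ValueError("not an MCS level: %r" % level)
    return {int(c[1:]) for c in m.group(1).split(",")} if m.group(1) else set()


def mcs_dominates(subject_level, object_level):
    """MCS rule: the subject may touch the object only if the subject's
    categories are a superset of the object's categories."""
    return categories(subject_level) >= categories(object_level)


def check_separation(uids):
    """Return (all pairs distinct?, any gear dominating another?).
    Distinct pairs are necessary; the absence of cross-dominance is what
    actually stops gear A's openshift_t from reading gear B's files."""
    cats = {uid: frozenset(categories(gen_level(uid))) for uid in uids}
    distinct = len(set(cats.values())) == len(cats)
    crossing = any(a >= b or b >= a
                   for a, b in combinations(cats.values(), 2))
    return distinct, crossing


GEAR_TYPES = {"openshift_t", "openshift_app_t"}   # types named on the slides
FIRST_GEAR_UID = 500                              # assumption for the example

# Constructed `ps -eZ -o label,uid,pid,comm` style lines, not real output.
PS_SAMPLE = """\
system_u:system_r:openshift_t:s0:c0,c500 500 2101 httpd
system_u:system_r:openshift_t:s0:c0,c501 501 2188 ruby
system_u:system_r:openshift_t:s0:c0,c500 502 2244 node
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 503 2300 python
"""


def audit_gear_labels(ps_text):
    """Return [(pid, reason)] for gear processes whose label is not what
    their UID should carry: a wrong category pair (the gear sits in another
    gear's MCS compartment) or a non-gear type (not confined by the policy)."""
    findings = []
    for line in ps_text.splitlines():
        label, uid, pid, _comm = line.split(None, 3)
        parts = label.split(":", 3)          # user, role, type, level
        typ, level = parts[2], parts[3]
        uid, pid = int(uid), int(pid)
        if uid < FIRST_GEAR_UID:             # system accounts are not gears
            continue
        if typ not in GEAR_TYPES:
            findings.append((pid, "uid %d runs as %s, not a gear type" % (uid, typ)))
        elif level != gen_level(uid):
            findings.append((pid, "uid %d has level %s, expected %s"
                             % (uid, level, gen_level(uid))))
    return findings


if __name__ == "__main__":
    for uid in (500, 1023, 1024, 2046):
        print(uid, gen_level(uid))
    print("distinct, crossing:", check_separation(range(500, 1600)))
    for pid, reason in audit_gear_labels(PS_SAMPLE):
        print("pid %d: %s" % (pid, reason))
```

The audit is the check worth running on a real node: a gear process carrying another gear's pair, or no gear type at all, means the separation the slides describe is not in effect for that process.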
DEMO
Monitoring Logs
Problems with OpenShift Security
●   Gear application == administrator of the gear
    –   Same UID
    –   Same SELinux label (openshift_t), so a compromised application has every permission the gear's owner has
●   Solution: split the type
    –   openshift_t
        ●   Administrator of the gear
    –   openshift_app_t
        ●   Type of the running application
    –   openshift_var_lib_t
        ●   openshift_t can read/write/execute
        ●   openshift_app_t can only read/execute
    –   openshift_rw_file_t
        ●   openshift_t and openshift_app_t can both read/write/execute
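A detection example for the "Monitoring Logs" slide and the openshift_t / openshift_app_t split above. This is added code, not from the slides or from OpenShift: it classifies AVC denial records into the two layers the deck describes, a category mismatch (MCS, one gear reaching into another gear's objects) versus openshift_app_t trying to write a type the split reserves for openshift_t (TE). The audit lines are constructed for the example, and the permission and type sets are assumptions read off the slide rather than taken from the real policy.

```python
"""Added example: sort SELinux AVC denials on an OpenShift node into MCS
(cross-gear) and TE (app writing admin-only files) findings.
The log lines are constructed, not captured output."""
import re

# Fields needed from a type=AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# From the slide: openshift_app_t may only read/execute openshift_var_lib_t,
# while openshift_rw_file_t is writable by both types. Permission list is
# an assumption for the example.
APP_READ_ONLY = {"openshift_var_lib_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


def split_context(ctx):
    """'user:role:type:s0:c1,c2' -> ('type', {'c1', 'c2'}); 's0' -> set().
    Range notation such as c0.c1023 is not expanded here."""
    parts = ctx.split(":")
    cats = set(parts[4].split(",")) if len(parts) > 4 else set()
    return parts[2], cats


def classify(line):
    """Return (kind, detail) for an AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    stype, scats = split_context(m.group("scontext"))
    ttype, tcats = split_context(m.group("tcontext"))
    if not scats >= tcats:
        # Categories differ: this gear's process reached for another gear's object.
        return ("mcs", "%s {%s} -> %s {%s}" % (
            stype, ",".join(sorted(scats)), ttype, ",".join(sorted(tcats))))
    if stype == "openshift_app_t" and ttype in APP_READ_ONLY and perms & WRITE_PERMS:
        # Same gear, but the application tried to modify admin-only files.
        return ("te", "application tried %s on %s" % (
            ",".join(sorted(perms & WRITE_PERMS)), ttype))
    return ("other", "%s -> %s:%s {%s}" % (
        stype, ttype, m.group("tclass"), " ".join(sorted(perms))))


SAMPLE_LOG = """\
type=AVC msg=audit(1365428795.123:4567): avc:  denied  { read } for  pid=2101 comm="httpd" name="config.ru" dev=dm-0 ino=9912 scontext=system_u:system_r:openshift_t:s0:c0,c500 tcontext=system_u:object_r:openshift_var_lib_t:s0:c0,c501 tclass=file
type=AVC msg=audit(1365428796.456:4568): avc:  denied  { write } for  pid=2188 comm="ruby" name="app.rb" dev=dm-0 ino=9920 scontext=system_u:system_r:openshift_app_t:s0:c0,c501 tcontext=system_u:object_r:openshift_var_lib_t:s0:c0,c501 tclass=file
type=AVC msg=audit(1365428797.789:4569): avc:  denied  { name_bind } for  pid=2244 comm="node" src=80 scontext=system_u:system_r:openshift_t:s0:c0,c502 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1365428797.789:4569): arch=c000003e syscall=49 success=no exit=-13
"""


def summarize(log_text):
    """Count denials per kind; the MCS count is the one worth paging on."""
    counts = {"mcs": 0, "te": 0, "other": 0}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            counts[result[0]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print(summarize(SAMPLE_LOG))
```

On a real node the input would be `ausearch -m AVC` output; the same classification applies because the scontext/tcontext fields are what distinguish the two layers.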
Problem with OpenShift Security
●   All gears run as openshift_t
    –   so all have the same network access, whether or not the application needs it
    –   Proposed type pairs with different network rights:
        ●   openshift_t / openshift_app_t
        ●   openshift_net_t / openshift_net_app_t
        ●   openshift_min_t / openshift_min_app_t
What about trust between nodes?
●   iptables alone is not enough
●   Node1:Gear1 cannot attack Node1:Gear2 (MCS separation inside one kernel)
●   Node1:Gear1 can attack Node2:Gear2: a plain packet carries no SELinux label, so the remote kernel cannot tell which gear sent it
●   Labeled networking between nodes
    –   Based on MLS CIPSO labels carried as an IP option
●   Labeled networking SELinux rules
    –   Node1:Gear1 can use Node2:Gear1
    –   Node1:Gear1 attacking Node2:Gear2 is blocked
●   Requires the gear's UID, and therefore its MCS pair, to be the same on every node.
Problems with SELinux Confinement
●   Node separation
    –   127.0.0.1 is blocked to all gears
    –   We do not want multiple domains binding to 127.0.0.1:8080
        ●   First one wins; loopback carries nothing that tells the gears apart
●   Applications that try to do SELinux operations themselves
●   SELinux blocks access to other gears' processes, but a gear can still see that they exist (for example in ps)
Secure Linux Containers
Containers != Security
●   Run as root in a container: machine pwned
●   Local privilege escalation: machine pwned
●   Much of the system is not containerized:
    –   Audit
    –   /sys
        ●   selinuxfs, cgroupfs, sysfs
    –   Need to block mount
    –   Need to block mknod
Linux Namespaces
●   Mount: mounting/unmounting filesystems
    –   Currently used by OpenShift for private /tmp, /var/tmp and /dev/shm
●   UTS: hostname, domainname
●   IPC: SysV message queues, semaphores, shared memory segments
●   Network: IPv4/IPv6 stacks, routing, firewall, /proc/net and /sys/class/net directory trees, sockets
    –   Critical to fix the localhost problem: each gear gets its own loopback
●   PID: private /proc, multiple PID 1s
●   User: only now landing in the kernel
Libvirt-lxc
●   Boots an "init" binary
●   SELinux types + MCS
●   Firewall: ebtables / ip[6]tables
●   Host filesystem passthrough via bind mounts
●   cgroups resource control
●   Available in RHEL 6.4
    –   But you're on your own...
virt-sandbox
●   Package to help managing Linux Containers
DEMO


Editor's Notes

  1. When writing SELinux policy, the first thing to understand is your security goal. For most people the goal is to get as close as possible to the minimal access that lets the confined application do its job, while preventing it from affecting other applications. Many applications can be configured to run in different ways: ftp, for example, can be configured to allow anonymous access to files, access to users' home directories, or access to the entire system. For an application like this, use booleans so that administrators can reconfigure the policy for their environment. When you are writing policy it is always good to ask experts to review it, to see whether you are allowing more access than necessary or whether they know a better way to write it.
  2. This slide shows one virtual machine running as svirt_t:MCS1 and another running as svirt_t:MCS2, with their image files labeled svirt_image_t:MCS1 and svirt_image_t:MCS2 (the OpenShift version of the slide substitutes openshift_t). The same attack we saw before is blocked by SELinux in the host kernel, which protects the host as well as preventing the virtual machines from attacking each other.