Let’s move on to Security Enhanced Linux (SELinux). We will cover SELinux basics, Docker SELinux security policy and the "SELinux Coloring Book."
In this section, we’ll cover the basics of SELinux and containers. SELinux
policy prevents a lot of break out situations, where the other security
mechanisms fail. With SELinux on Docker, we write policy that says that the
container process running as svirt_lxc_net_t
can only read/write files with
the svirt_sandbox_file_t
label.
mkdir ~/selinux
cd ~/selinux
mkdir data
echo "SELINUX" > data/file1.txt
cat data/file1.txt
sestatus | grep mode
sudo podman run -v $(pwd)/data:/data fedora cat /data/file1.txt
This action will result in a Permission denied error. You can see the reason by inspecting the folder’s security context:
ls --scontext data
The label for the data doesn’t match the label for containers. The fix is to
apply the container label to the data by using the chcon
tool, effectively
notifying the system that you expect these files to be consumed by containers:
sudo semanage fcontext --list | grep kubernetes
The containers should be running at container_file_t
chcon
toolchcon -Rt container_file_t data
sudo podman run -v $(pwd)/data:/data fedora cat /data/file1.txt
sudo podman run -v $(pwd)/data:/data fedora sh -c 'echo "Thank You For Attending" >> /data/file1.txt'
sudo podman run -v $(pwd)/data:/data fedora cat /data/file1.txt
The Container SELinux security policy is similar to, and is based on, the libvirt security policy.
libvirt Policy
The libvirt security policy is a series of SELinux policies that defines two methods of isolating virtual machines. Generally, virtual machines are prevented from accessing specific parts of the network. Specifically, individual virtual machines are denied access to each other’s resources.
Red Hat extends the libvirt-SELinux model to containers. The Container SELinux role and Container SELinux types are based on libvirt.
https://github.com/containers/container-selinux - this explains the Container SELinux policy. It is not in layman’s terms, but it is complete.
container_file_t
system_u:system_r:container_file_t:s0:c186,c641
^ ^ ^ ^ ^--- unique category
| | | |---- secret-level 0
| | |--- a shared type
| |---SELinux role
|------ SELinux user
The category system isolates containers from one another.
If a file is labeled container_file_t
, then by default all containers can
read it. But if the containers write to a directory that has container_file_t
ownership, they write using their own category (which in
this case is c186
, c641
). If you start the same container twice, it will
get a new category the second time (a different category than it had the first
time).
Types can be applied to processes and to files.
Imagine a system where we define types on objects like cats and dogs. A cat and dog are process types:
Cat
Dog
We have a class of objects that they want to interact with which we call food. And I want to add types to the food;
cat_food
dog_food
As a policy writer, we would define that a dog has permission to eat dog_chow food and a cat has permission to eat cat_chow food. In SELinux we would write this rule in policy.
allow cat cat_chow:food eat;
allow dog dog_chow:food eat;
With these rules the kernel would allow the cat process to eat food labeled cat_chow and the dog to eat food labeled dog_chow.
And processes and objects are happy.
But in a SELinux system everything is denied by default. This means that if the dog process tried to eat the cat_chow, the kernel would prevent it.
Security-enhanced Linux for mere mortals - 2015 Red Hat Summit
Domain | ||
Workshop | ||
Student ID |