[Pulp-list] Pulp & SELinux
cperry at redhat.com
Mon Aug 1 19:07:51 UTC 2011
On 08/01/2011 07:51 AM, John Matthews wrote:
> We've added SELinux rules for Pulp on Fedora and RHEL-6 (RHEL-5 is not supported). The rules are deployed as part of the rpm.
> The SELinux rules for the pulp module exist at: selinux/pulp.te
> We have a wiki page here that describes a process for updating the rules: https://fedorahosted.org/pulp/wiki/SELinux
> If you see any issues please let me know.
Please take this as constructive feedback. I'd be happy to give pointers
to guides/documents to help improve this - currently though I'm not
happy with this, I have no warm fuzzies.
Good point - you can run pulp with SELinux enabled, so better than with
Bad point - we have achieved this by choosing to weaken the default
security policies shipped in RHEL 6.
Ugly points - reviewing:
- we give Apache the ability to execute anything within /tmp.
- we give Apache the ability to delete its own log files.
- we give Apache the ability to modify its own and anyone else's certs
- we give Apache the ability to connect to any TCP socket/port rather
than restrict to specific needed one.
So, I'm concerned - but glad we have taken these first steps. This
initial policy should be one to build upon. With a firm understanding of
what pulp is and what it does and where on the OS pulp needs to do
things - you should and we need to start locking pulp down by code
modifications and specific SELinux rules written for pulp's needs. Likely
command line tool(s) which are confined that pulp calls vs pulp as an
apache process trying to read/write over the OS is needed. Knocking
holes through walls put up by the SELinux policies which are in pulp's way
will just lead to someone looking for ways to exploit pulp down the road.
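To make the four "ugly points" concrete, here is an added illustration of each broad rule next to a narrower form it could take; this is not Pulp's pulp.te and not from the thread. httpd_t, tmp_t, httpd_log_t, cert_t, port_type and the httpd_can_network_connect boolean come from the RHEL 6 / Fedora targeted policy; pulp_tmp_t and pulp_cert_t are hypothetical Pulp-specific types, and mongod_port_t is assumed to be defined in the loaded base policy.

```selinux
policy_module(pulp_review_example, 0.1)

# Added illustration, not the project's pulp.te. Everything in the require
# block is a base-policy name except mongod_port_t, which is assumed present.
require {
    type httpd_t;        # Apache domain Pulp runs in
    type tmp_t;          # generic /tmp
    type httpd_log_t;    # /var/log/httpd
    type cert_t;         # /etc/pki certificate files
    type mongod_port_t;  # assumption: MongoDB port label in the base policy
    attribute port_type; # every labeled TCP/UDP port
}

# Hypothetical Pulp-specific types so rules can be scoped to Pulp's own files.
type pulp_tmp_t;
files_tmp_file(pulp_tmp_t)
type pulp_cert_t;
files_type(pulp_cert_t)

## --- Broad rules of the kind the review objects to (kept commented out) ---
## Execute anything under /tmp:
# allow httpd_t tmp_t:file { execute execute_no_trans };
## Delete its own log files:
# allow httpd_t httpd_log_t:file unlink;
## Modify any certificate on the host:
# allow httpd_t cert_t:file { write setattr unlink };
## Connect to every labeled TCP port (same effect as httpd_can_network_connect=on):
# allow httpd_t port_type:tcp_socket name_connect;

## --- Narrower equivalents, one per objection ---
# Files Apache creates in /tmp get Pulp's own label; no execute permission at all.
type_transition httpd_t tmp_t:file pulp_tmp_t;
allow httpd_t pulp_tmp_t:file { create read write getattr setattr unlink };

# The daemon only appends to its logs; deleting/rotating them is logrotate's job.
allow httpd_t httpd_log_t:file { append getattr };

# Only certificates Pulp manages are writable; the system store stays read-only.
allow httpd_t pulp_cert_t:file { create read write getattr setattr unlink };
allow httpd_t cert_t:file { read getattr };

# Outbound connections limited to the one database port Pulp actually needs.
allow httpd_t mongod_port_t:tcp_socket name_connect;
```

With the module loaded, `sesearch -A -s httpd_t -t tmp_t -c file -p execute` (setools) should return nothing, which is the check for the first objection above.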