Bug 1086374

Summary: [RFE]sVirt Cluster Policy enforcement
Product: [oVirt] ovirt-engine Reporter: Arthur Berezin <aberezin>
Component: RFEsAssignee: Scott Herold <sherold>
Status: CLOSED WONTFIX QA Contact: Shai Revivo <srevivo>
Severity: low Docs Contact:
Priority: unspecified    
Version: 3.5.0CC: bugs, gklein, iheim, lpeer, mgoldboi, nbarcet, oourfali, rbalakri, srevivo
Target Milestone: ---Keywords: FutureFeature
Target Release: ---Flags: ylavi: ovirt-future?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-29 09:59:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 894084    
Bug Blocks:    
Attachments:
Description Flags
sVirt Cluster Policy Mockup none

Description Arthur Berezin 2014-04-10 17:34:12 UTC 
Add a cluster policy to allow enforcing sVirt/SELinux on all hosts within a cluster. 

[Mockup Image attached] 

On "add/edit cluster" Window add a tab "Security Policy" which will include configuration options for - sVirt Cluster Policy with options: Enforcing, Permissive, None. 

Clusters' behaviour on each mode:
sVirt Enforcing:
All hosts within the cluster must run with SELinux enabled. 

- When enabling sVirt Enforcing mode, engine to check if all hosts within the cluster have SELinux turned on, if not - enabling sVirt Enforcing policy will fail with appropriate error message. 

- When adding a new host to sVirt Enforcing cluster, if the host does not have SELinux enabled - the host will fail to join the cluster with appropriate error message. 

- When a host changes SELinux Enforcing to SELinux permissive, host will be considered as compromised, an alert should be generated and the host should change status to non-responsive, Admin should be able to configure sVirt policy to migrate running VMs from compromised hosts before changing status to non-operational.


sVirt Permissive: 
Engine continues to monitor hosts' SELinux status, and add alerts instead of talking actions. 

- When enabling sVirt Permissive mode, engine to check which host within the cluster do not have SELinux enabled and generate alert for each host without SELinux enabled. 

- When adding a new host, if host does not have SELinux enabled, an alert will be generated saying the host does not have SELinux enabled and succeed to join the cluster. 

- When a host changes status from Enforcing to Permissive, an alert will be generated. 


None: 
- Hosts' SELinux status will be ignored by engine. 


Hosts' general sub-tab should display SELinux status 


sVirt: 
http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/cddeee980a070d54511c17e2d78baed5/3/jcr:frozenNode/rh:pdfFile.pdf
Comment 1 Arthur Berezin 2014-04-10 17:35:24 UTC 
Created attachment 885058 [details]
sVirt Cluster Policy Mockup
Comment 2 Itamar Heim 2014-04-12 19:57:09 UTC 
*** Bug 1086372 has been marked as a duplicate of this bug. ***
Comment 5 Moran Goldboim 2016-11-29 09:59:01 UTC 
CFME should provide the option for compliance checks.
should be part of RHV and CFME integration.