Bug 2188335

Summary: [RFE] yggdrasil processes should be confined by SELinux
Product: Red Hat Satellite
Reporter: Bram Mertens <bmertens>
Component: Remote Execution
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium
Priority: medium
Version: 6.12.0
CC: ahumbe, aruzicka, dsinglet
Target Milestone: Unspecified
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: All
OS: Linux
Doc Type: Enhancement
Type: Bug
Bug Depends On: 2109740

Description Bram Mertens 2023-04-20 13:47:40 UTC
1. Proposed title of this feature request

2. Who is the customer behind the request?

Account: Euroclear Bank SA/NV - 522618
TAM customer: yes
CSM customer: no
Strategic: no

3. What is the nature and description of the request?
Remote execution processes (yggdrasil, previously goferd) currently run as SELinux unconfined.
The request is to confine these processes as much as possible on RHEL 8 and newer.

4. Why does the customer need this? (List the business requirements here)
Euroclear's audit and compliance requirements mandate that all daemons running as root should be SELinux confined.
As a major financial institution Euroclear needs to adhere to very strict compliance rules.
Any system outage can have an impact on major Stock Exchanges across Europe and even the world.

5. How would the customer like to achieve this? (List the functional requirements here)
Have the remote execution processes run as SELinux confined processes.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Verify that processes are running with the expected SELinux context.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No RFE. However, in an email exchange Link Dupont, one of the project contributors, mentioned that work to confine the processes is underway and is expected to land in RHEL 9.0. Euroclear still has a large investment in RHEL8 and wants to have this improvement available in RHEL8 as well.


8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?
Euroclear is actively working on upgrading their systems to RHEL9 but they still have a large number of RHEL8 systems. Therefore it is important for them to have this in RHEL8 and up.

9. Is the sales team involved in this request and do they have any additional input?
Not at this point.

10. List any affected packages or components.
yggdrasil

11. Would the customer be able to assist in testing this functionality if implemented?
Yes

Comment 1 Adam Ruzicka 2023-05-17 11:09:35 UTC
How would this work? Yggdrasil forks off a worker and the worker is required to be able to execute practically anything. It feels a little bit like having the process confined would either do almost nothing at all, to allow the worker to do anything, or it would be so restrictive that it would block its functionality.

Comment 2 Bram Mertens 2023-05-30 11:59:57 UTC
Hi Adam,

I understand that the nature of this service means that it will need permissions to execute whatever the user decides to use this for. And that as a result we will need to provide at least the ability to grant a wide range of permissions.

However, at present yggdrasil runs as `system_u:system_r:unconfined_service_t`, meaning that customers are unable to lock down services they decide not to use.

If we assign this daemon its own SELinux type we would at least provide the ability to create (custom) policies.

To avoid backwards incompatible changes we could create a policy that allows this type to interact with any other type.

Maybe as an additional step we could create more fine-grained policies that can be used to allow/block specific use cases like patching, user administration etc.?

Comment 3 Bram Mertens 2023-06-13 11:54:59 UTC
Hi Adam,

I spoke to the customer again. Their main concern is achieving CIS compliance.
The compliance check that is failing is that goferd/yggdrasil are running unconfined.
Any policy at all, even one that allows (almost) everything would satisfy the CIS compliance check.

They are aware that in itself this does not improve the security of the systems in a meaningful way, but it would help them achieve CIS compliance.

Hope this helps

Bram
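
The check discussed in comments 2 and 3 (and in item 6 of the description) is whether any root daemon such as yggd or goferd is running in the `unconfined_service_t` domain, which is what the CIS "no unconfined services" audit looks at. The following is an added example, not code from the bug report or the yggdrasil project: a POSIX shell audit that parses `ps -eZ` output and lists every process whose SELinux type is `unconfined_service_t`. The `ps` sample embedded in the script is constructed for illustration, not captured from a real host; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: CIS-style audit for services running in the
# unconfined_service_t SELinux domain. Not part of the bug report.

# Read `ps -eZ`-style lines ("LABEL PID TTY TIME CMD") on stdin and print
# "PID CMD TYPE" for every process whose SELinux type is unconfined_service_t.
# The label is user:role:type[:level]; the type is the third colon field.
unconfined_services() {
    awk '
        NR == 1 { next }                      # skip the ps header line
        {
            split($1, f, ":")                 # f[3] is the SELinux type
            if (f[3] == "unconfined_service_t")
                printf "%s %s %s\n", $2, $NF, f[3]
        }
    '
}

# Constructed sample of `ps -eZ` output (not from a real machine).
# yggd and goferd carry the context the bug report describes.
SAMPLE_PS='LABEL                                      PID TTY          TIME CMD
system_u:system_r:init_t:s0                  1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023    812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 1201 ?        00:00:01 yggd
system_u:system_r:unconfined_service_t:s0 1250 ?        00:00:00 goferd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1400 pts/0 00:00:00 bash'

# Run the audit over the constructed sample (used for offline testing).
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | unconfined_services
}

# Run the audit against the live process table; returns 1 if any
# unconfined service exists, so it can fail a compliance job.
audit_live() {
    found=$(ps -eZ | unconfined_services)
    [ -z "$found" ] && return 0
    printf 'unconfined services found:\n%s\n' "$found" >&2
    return 1
}
```

Note that a user shell in `unconfined_t` (the last sample line) is deliberately not reported: the audit targets system services, which is why it matches the type rather than just the word "unconfined". Once yggd gets its own type, as comment 2 proposes, the same check confirms the fix: the yggd line in `ps -eZ` shows the new type, and the audit prints nothing for it even if the policy attached to that type is broad.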

Comment 4 Bram Mertens 2023-07-26 13:19:01 UTC
Hi Adam,

After further discussion with the customer the conclusion is that they won't use remote execution in Satellite.
They also have Ansible Automation platform which allows them to connect as non-root user and use powerbroker instead of sudo for privilege escalation.

As they won't use remote execution they will not run katello-agent or yggdrasil anymore.

I will close the support case. If there is no other demand for this feature this RFE can be closed.

Regards

Bram