Created attachment 1662194
CONFIGURATION RECOMMENDATIONS OF A GNU/LINUX SYSTEM (ANSSI GUIDELINE)

Description of problem:

As described in CONFIGURATION RECOMMENDATIONS OF A GNU/LINUX SYSTEM (ANSSI GUIDELINE), there is a security issue in having:

allow_execstack: on
    Allow unconfined executables to map a memory region as both executable and writable, this is dangerous
allow_execmem: on
    Allow unconfined executables to make their stack executable.

They have to be off. In a RHOSP13 env we have:

[root@controller-0 ~]# semanage boolean -l | grep execmem
xserver_execmem                (off  ,  off)  Allow xserver to execmem
glance_use_execmem             (on   ,   on)  Allow glance to use execmem
os_neutron_use_execmem         (on   ,   on)  Allow os to neutron use execmem
gluster_use_execmem            (off  ,  off)  Allow gluster to use execmem
httpd_execmem                  (on   ,   on)  Allow httpd to execmem
cluster_use_execmem            (off  ,  off)  Allow cluster to use execmem
os_swift_use_execmem           (on   ,   on)  Allow os to swift use execmem
virt_use_execmem               (on   ,   on)  Allow virt to use execmem
boinc_execmem                  (on   ,   on)  Allow boinc to execmem
os_nova_use_execmem            (on   ,   on)  Allow os to nova use execmem
os_keystone_use_execmem        (on   ,   on)  Allow os to keystone use execmem
deny_execmem                   (off  ,  off)  Allow deny to execmem   <---------------------
cups_execmem                   (off  ,  off)  Allow cups to execmem
tomcat_use_execmem             (off  ,  off)  Allow tomcat to use execmem

[root@controller-0 ~]# semanage boolean -l | grep execstack
mplayer_execstack              (off  ,  off)  Allow mplayer to execstack
selinuxuser_execstack          (on   ,   on)  Allow selinuxuser to execstack   <--------------------

where:

$ getsebool allow_execstack
selinuxuser_execstack --> on

and:

allow_execmem is the inverse[1] of deny_execmem

Version-Release number of selected component (if applicable):
Red Hat OpenStack 13 (RHOSP13)

How reproducible:
Any RHOSP13 environment

Steps to Reproduce:
1. semanage boolean -l | grep deny_execmem
2. semanage boolean -l | grep execstack

Actual results:

[root@controller-0 ~]# semanage boolean -l | grep deny_execmem
deny_execmem                   (off  ,  off)  Allow deny to execmem
[root@controller-0 ~]# semanage boolean -l | grep selinuxuser_execstack
selinuxuser_execstack          (on   ,   on)  Allow selinuxuser to execstack

Expected results:

[root@controller-0 ~]# semanage boolean -l | grep deny_execmem
deny_execmem                   (on   ,   on)  Allow deny to execmem
[root@controller-0 ~]# semanage boolean -l | grep selinuxuser_execstack
selinuxuser_execstack          (off  ,  off)  Allow selinuxuser to execstack

Additional info:
[1] https://lists.fedoraproject.org/pipermail/scm-commits/2011-November/681342.html
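The reproduction steps above grep two booleans by hand. The following POSIX sh script is an added example, not part of the bug report or of openstack-selinux: it parses lines in the `semanage boolean -l` format shown above (the `(state , default)` column pair) and reports any boolean whose current or default value differs from the ANSSI recommendation quoted in the report (deny_execmem on, selinuxuser_execstack off). The sample lines are constructed from the report so the script runs offline; the expected-value table is an assumption taken from the report's "Expected results" section, not from the policy itself.

```shell
#!/bin/sh
# Added example (not from the bug report): audit `semanage boolean -l` output
# against the recommended values for the two booleans discussed in this bug.

# Constructed excerpt in the `semanage boolean -l` format:
#   name  (current , default)  description
SAMPLE='deny_execmem                   (off  ,  off)  Allow deny to execmem
selinuxuser_execstack          (on   ,   on)  Allow selinuxuser to execstack
httpd_execmem                  (on   ,   on)  Allow httpd to execmem
xserver_execmem                (off  ,  off)  Allow xserver to execmem'

# Recommended values (assumption, taken from the report's "Expected results").
# Returns non-zero for booleans the audit does not cover.
expected_value() {
  case "$1" in
    deny_execmem)          echo on ;;
    selinuxuser_execstack) echo off ;;
    *) return 1 ;;
  esac
}

# audit_booleans "<semanage boolean -l output>"
# Prints one line per covered boolean whose current OR default value
# differs from the recommendation; prints nothing when everything matches.
audit_booleans() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    name=${line%% *}                        # first whitespace-separated field
    rest=${line#*(}                         # drop everything up to "("
    cur=${rest%%,*};  cur=$(printf '%s' "$cur" | tr -d ' ')
    pers=${rest#*,};  pers=${pers%%)*}; pers=$(printf '%s' "$pers" | tr -d ' ')
    want=$(expected_value "$name") || continue
    if [ "$cur" != "$want" ] || [ "$pers" != "$want" ]; then
      printf '%s current=%s default=%s expected=%s\n' "$name" "$cur" "$pers" "$want"
    fi
  done
}

# On a real host (policycoreutils-python installed) you would feed it live output:
#   audit_booleans "$(semanage boolean -l)"
audit_booleans "$SAMPLE"
```

The script only reports; it deliberately does not call `setsebool`, because (as the later comments note) flipping these base-policy booleans on a deployed RHOSP13 host is untested and may break components that rely on execmem.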
Most of these booleans were set in previous bugs in order to enable OpenStack functionality:

https://bugzilla.redhat.com/show_bug.cgi?id=1119400 (Glance image create with Ceph)
https://bugzilla.redhat.com/show_bug.cgi?id=1130212 (Glance image upload with Ceph)
-> glance_use_execmem (on , on) Allow glance to use execmem

https://bugzilla.redhat.com/show_bug.cgi?id=1119845 (Nova volume-attach)
-> virt_use_execmem (on , on) Allow virt to use execmem

https://bugzilla.redhat.com/show_bug.cgi?id=1249685:
-> os_nova_use_execmem (on , on) Allow os to nova use execmem
-> os_keystone_use_execmem (on , on) Allow os to keystone use execmem
-> httpd_execmem (on , on) Allow httpd to execmem
-> os_neutron_use_execmem (on , on) Allow os to neutron use execmem
-> os_swift_use_execmem (on , on) Allow os to swift use execmem

It looks like these last ones were enabled due to a bug in python-cffi that was since resolved, so we should investigate if they can be disabled now. I'm not sure right now if deny_execmem would break functionality that's explicitly relied on for the bugs above.

About "boinc_execmem (on , on) Allow boinc to execmem": that seems unrelated to OpenStack so can probably be disabled (not in openstack-selinux though).

As for this one:
selinuxuser_execstack (on , on) Allow selinuxuser to execstack
We don't seem to be setting it explicitly in openstack-selinux, but if this is the default then that is what we tested with and it may not be safe to disable right now.
(In reply to Julie Pichon from comment #2) > I'm not sure right now if deny_execmem would break functionality that's > explicitly relied on for the bugs above. A quick test suggests that it doesn't conflict with other rules where execmem is explicitly allowed. Note that this is NOT a suggestion for the customer to set it in their environment; only that we may consider the boolean for addition in a future, tested release of the openstack-selinux package.
So, OSP13 has been out for a while now and was never tested with these two booleans set differently. These are not OpenStack booleans but booleans from the base SELinux policy, which could affect other components and applications beyond OpenStack itself in ways we don't know. We can't really recommend changing them at this point, but will investigate setting them differently for future versions. Note that OpenStack also has most components containerised, which limits the impact of SELinux policies.
Hi Lukas, I would like to ask for your thoughts on the two following booleans mentioned in the bug description:

deny_execmem (off , off) Allow deny to execmem
selinuxuser_execstack (on , on) Allow selinuxuser to execstack

According to recent security guidelines (cf. ANSSI document in the attachments), the recommendation is for these to always be set to on (deny_execmem) and off (selinuxuser_execstack) respectively. Would it make sense for the default selinux-policy to change to match the guidelines, do you think? Thank you.