Miroslav Grepl edited this page Dec 7, 2015 · 18 revisions

Introduction

Seatomic is a lightweight security-enhanced policy for Fedora Atomic Hosts, which require the base operating system layer to be secured with maximal flexibility and efficiency. Unlike the current Fedora Targeted policy, the seatomic policy is less complicated and smaller, takes up fewer system resources, and is easier to read and understand.

Status

Design documented. Ongoing conversation about policy design and architecture.

Purpose

Security Enhanced Linux was primarily intended for Linux servers, to bring additional security based on a fine-grained policy for most server applications. This policy defined rules controlling the communication paths between these server applications and provided process isolation to mitigate attacks via privilege escalation. Over time, applications have developed multiple ways to communicate as well as multiple places to be installed. The policy was extended to reflect all these communication paths and became much more complex.

The current default security-enhanced policy used on Fedora systems is called the Targeted policy, and it is enabled by default. It contains 100137 allow rules to cover all intended communication channels and provides 805 SELinux process domains. This complexity makes the policy harder to verify and reduces its integrity; the policy is also larger on disk and takes up more system resources.

The Targeted policy is a key component of process isolation and offers various ways to achieve advanced isolation of processes. Currently one of the most common uses is multi-tenancy. This form of process isolation is used in sVirt, OpenShift, SELinux Sandbox and containers, where we have multiple instances of the same application with the same SELinux process domain but on different levels (Multi-Category Security). It significantly reduces the number of communication channels between applications on such a system. We end up with a basic system providing multi-tenant environments, with multiple services appearing as one service from the policy's point of view. With this concept we are backing away from a fine-grained policy for most applications. Things like MySQL or Postfix always come as the same service, confined by the same SELinux process domain on different levels.
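The following is an added illustration (not code from the seatomic project) of the Multi-Category Security idea described above: two tenants run under the same SELinux type but with disjoint category sets, and the MCS constraint denies access between them because neither level dominates the other. The labels are constructed samples in the style of sVirt/Docker labels, and the `mcs_allows` function is a model of the dominance rule rather than a call into the kernel's policy engine.

```python
"""Model of MCS-based multi-tenant isolation (added example, constructed labels)."""
import re
from dataclasses import dataclass

# A single category "c12" or an inclusive range "c0.c1023".
CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset


def parse_categories(spec: str) -> frozenset:
    """Expand an MCS category list such as 'c1,c5.c7' into {1, 5, 6, 7}."""
    cats = set()
    if not spec:
        return frozenset()
    for part in spec.split(","):
        m = CAT_RE.match(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_context(label: str) -> Context:
    """Split 'user:role:type[:level]' into fields.

    A level may be a range 'low-high' (e.g. 's0-s0:c0.c1023'); for the
    dominance check only the high end matters, so that is what we keep.
    """
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {label!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else "s0"
    high = level.split("-")[-1]
    sens, _, cat_spec = high.partition(":")
    return Context(user, role, typ, sens, parse_categories(cat_spec))


def dominates(subject: Context, target: Context) -> bool:
    """MCS dominance: the subject's category set must contain the target's."""
    return subject.categories >= target.categories


def mcs_allows(subject: Context, target: Context) -> bool:
    """Model of the MCS constraint layered on top of type enforcement.

    Even when the type-enforcement rules permit container_t to read
    container_file_t, the MCS constraint additionally requires the subject
    level to dominate the target level, which is what keeps tenants apart.
    """
    return dominates(subject, target)


# Constructed sample labels (the type names are illustrative).
TENANT_A = "system_u:system_r:container_t:s0:c12,c34"
TENANT_B = "system_u:system_r:container_t:s0:c56,c78"
TENANT_A_FILES = "system_u:object_r:container_file_t:s0:c12,c34"
HOST_ADMIN = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"


def run_scenarios() -> dict:
    """Evaluate the three accesses a practitioner usually wants to confirm."""
    a = parse_context(TENANT_A)
    b = parse_context(TENANT_B)
    a_files = parse_context(TENANT_A_FILES)
    admin = parse_context(HOST_ADMIN)
    return {
        "tenant A reads its own files": mcs_allows(a, a_files),
        "tenant B reads tenant A files": mcs_allows(b, a_files),
        "host admin reads tenant A files": mcs_allows(admin, a_files),
        "same type for both tenants": a.type == b.type,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:35s} {'allowed' if ok else 'DENIED'}")
```

The point the model makes visible is the one the text argues: both tenants share a single process domain, so the policy needs no per-application rules to separate them; the category assignment alone does that work.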

The security policy requirements of these systems are totally different from those of traditional server or workstation platforms. The process isolation view is greatly simplified, and a new security policy can be smaller and simpler. Compared with the Targeted policy, which has over a hundred thousand rules and almost one thousand SELinux process domains, we are able to reach an 80-90% reduction in policy rules and a 90-95% reduction in SELinux process domains. As a consequence the size of the policy is also significantly smaller. Such a policy takes up fewer system resources and is easier to read and understand.

Fedora Atomic Host is an example of such a platform. It is a lightweight operating system containing the base core system components needed to provide a minimal and effective environment for running applications in Docker containers. All communication channels between these core components are minimized, and the intended applications run in containers.

The security policy for the Atomic platform requires:

  • a minimal policy with very well defined security concepts reflecting these limited communication channels

  • a flexible policy providing variable options for how to enhance the process isolation given to containers

These requirements are not met by any existing SELinux-based security policy, and certainly not by the default Fedora Targeted policy.

Goals and Benefits

Just a note:

Design philosophy

Use Cases

Architecture
