SELinux Enhancements for Puppet
Puppet is a very
powerful, highly extensible configuration management system for unix
based operating systems. It can manage files, services, packages, and
many other configuration aspects, but one major (in my opinion, at
least) component that it's completely missing is the ability to
natively manage Security
Enhanced Linux (SELinux) properties.
Update! The first pass at the fundamentals of SELinux support has
been integrated into Puppet! As of 0.24.6, these features are natively
supported:
- File Contexts: Each file on an SELinux system has an additional attribute, known
as its context. Similar to the traditional owner, the context of a
file determines which operations different programs (which also have
their own contexts) are allowed to perform. This patch allows Puppet
to manage file contexts by use of the "stat" and "chcon"
commands.
- SELinux Booleans: Rather than forcing you to compile and install new policies for
every desired behavior change, many policies support conditional
behavior based on boolean flags. This gives you finer-grained
control than simply loading and unloading policies without having to
write your own. This patch manages booleans via the "getsebool" and
"setsebool" commands.
- Policies: One of the more complex aspects of SELinux configuration,
policies define much of how an SELinux system acts. Policies are
generated from one or more text files into binary modules, which
are then loaded onto a running system. This patch does not attempt
to manage the process of generating policy files. Instead, it
assumes that you are either using system distributed policy files
or have already generated your own binary policy files, and uses
the "semodule" command to ensure specified modules are loaded. It
can also optionally detect when newer versions of a policy file are
pushed out, and load them over the older version.
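As an added illustration (not a manifest from the original post), here is one manifest that exercises all three of the types above: a file whose context is kept at a web-content type, a boolean pinned off so httpd cannot open outbound connections, and a locally built policy module kept loaded and refreshed when a newer .pp is pushed. The file path, boolean name and module name are illustrative; the resource and parameter names are assumed to be those of the types as merged into Puppet 0.24.6.

```puppet
# Added example, not from the original post. Paths and names below are
# illustrative; parameter names assumed to match the merged SELinux types.

# File context: keep web content labelled httpd_sys_content_t so that
# httpd (running as httpd_t) can read it and other domains cannot.
# Puppet reads the current context with "stat" and only runs "chcon"
# when the label has drifted, so this is safe to apply on every run.
file { "/var/www/html/index.html":
  ensure  => present,
  owner   => "root",
  group   => "root",
  mode    => 0644,
  seluser => "system_u",
  selrole => "object_r",
  seltype => "httpd_sys_content_t",
}

# Boolean: deny httpd outbound network connections unless a host really
# needs them. persistent => true uses "setsebool -P" so the value is kept
# across reboots; Puppet checks "getsebool" first and only sets on drift.
selboolean { "httpd_can_network_connect":
  value      => off,
  persistent => true,
}

# Policy module: ensure an already-compiled local module is loaded via
# "semodule", and reload it when the version recorded in the .pp file
# under selmoduledir no longer matches the version currently loaded.
selmodule { "localhttpd":
  ensure       => present,
  selmoduledir => "/usr/share/selinux/targeted",
  syncversion  => true,
}
```

Running the manifest twice should report no changes on the second run; if it keeps relabelling the file, a restorecon or package post-install script is probably fighting it and the default context should be fixed instead.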
Future Stuff
SELinux is a big area, and this is just a first pass. Here's some of
what's left to do.
- Enforcement Setting: An SELinux system can be configured either in enforcing mode, where all
rules are enforced, or in permissive mode, where actions that would cause
violations are permitted but logged. Properly changing between these modes
often requires a reboot, which would limit the effectiveness of managing this
feature from within Puppet.
- SELinux Enabled Fact: Are we running on a system with SELinux support at all? This should also
be used in determining whether any SELinux native types should be made
available or not. A proposed version of these facts can be seen at
http://reductivelabs.com/redmine/issues/show/1327
- MLS: Multi-Level Security. This breaks the system up into the kinds of
multiple, forcibly segregated security levels that the military and other
paranoid types like. So far I know it's out there, but haven't researched
it enough to get a good idea what other features it might require beyond
vanilla SELinux in targeted mode.
- semanage Utility: The semanage utility can manage a number of different SELinux mappings,
including default file contexts (as used by restorecon), what roles accounts
can log in as, and what sockets processes can listen on. This will be a
combination of new types, such as sockets, and extending existing types,
such as users.
- Policy Generation: With Puppet's templating feature, it's possible to generate the input files
that get compiled into binary policy modules to represent settings in the
manifest. While quite complex, this could allow for excellent flexibility in
per-host policy generation.
The good people at SANS have been kind
enough to contribute a policy compilation
module that allows you to store a collection of .te files on your server,
distribute them to the relevant clients, and automatically have them compiled
into .pp files. Please note that while this module is shared by The SANS
Institute, SANS does not specifically endorse or recommend Puppet.
- Native Ruby Bindings: The current version simply shells out to external utilities. While this
gets the job done, it's incredibly inefficient. Luckily, SELinux guru Dan
Walsh has added
native SELinux ruby bindings to the latest version of SELinux userspace.
While the current shell based provider will most likely have to stick around
for a while to handle current distributions, adding new providers that use
these native bindings should be far simpler, faster, and more flexible.
- Other Distributions: So far all of the testing I'm able to do is on Fedora. While this means
that it should work equally well on at least Red Hat, it would be very good
to get verification that it works on other SELinux enabled distributions,
such as Debian and Ubuntu.
Feel free to email me with any comments, additional patches, etc.
SELinux covers a lot of ground, so suggestions or patches on what
other areas would benefit from Puppet management would especially be
appreciated.
Other Puppet Projects
Any other bits and pieces which are related to Puppet, but not
SELinux, will get stuffed in here.
Frank Sweetser
fs at wpi dot edu