All, IPnett have now released selinux policy packages for contrail. The policy packages are available here:
https://github.com/IPnett/contrail-selinux

As always with strict access control additions, test before you deploy in production environments.

If you plan to use this on systems running svirt/libvirtd/kvm, especially in enforcing mode, you also want:
https://github.com/IPnett/lame_svirt-selinux

Cassandra and zookeeper policies are in development. Cassandra is available here:
https://github.com/IPnett/cassandra-selinux

We are currently using this policy with el7 and contrail from master.

The following components are currently covered by the policy:
contrail-api
contrail-device-manager
contrail-discovery
contrail-schema
contrail-svc-monitor
contrail-control
contrail-dns
contrail-named
contrail-vrouter-agent
contrail-query-engine
contrail-snmp-collector
contrail-alarm-gen
contrail-collector
contrail-topology
contrail-analytics-api
ifmap-server

Security-wise, by far the most privileged application is the vrouter-agent. As it requires the capability sys_module, compromise of vrouter-agent means compromise of the kernel. I currently haven't looked into why it needs this, and whether it is possible to split up the high privilege operations into a separate program.

BR
Andreas

_______________________________________________
Dev mailing list
[email protected]
http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org
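Added example, not part of the post above or of the IPnett policy repositories: a small triage script for the "test before you deploy" step. When a new policy module is loaded with the machine in permissive mode, every access the policy does not allow shows up in /var/log/audit/audit.log as an AVC record; the script parses those records, aggregates them per source domain, prints audit2allow-style candidate rules, and separately flags any domain that is being granted the sys_module capability, since that is exactly the privilege the post singles out for vrouter-agent. The audit lines, the domain names (contrail_api_t, contrail_vrouter_agent_t, contrail_control_t) and the PIDs are constructed samples in the kernel's AVC format, not real output from a contrail host, and the type names are assumptions rather than the names the IPnett policy actually uses.

```python
"""Summarise SELinux AVC denials so a policy can be reviewed before enforcing mode."""
import re
from collections import defaultdict

# Constructed sample audit records (AVC field layout as written by the kernel).
# Domain/type names are placeholders, not the names used by the IPnett policy.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1460000000.101:201): avc:  denied  { read } for  pid=1234 comm="contrail-api" name="api_server.conf" dev="dm-0" ino=5678 scontext=system_u:system_r:contrail_api_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1460000000.102:202): avc:  denied  { write } for  pid=1234 comm="contrail-api" name="api.log" dev="dm-0" ino=5680 scontext=system_u:system_r:contrail_api_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1460000000.150:203): avc:  denied  { sys_module } for  pid=2222 comm="contrail-vrouter" capability=16  scontext=system_u:system_r:contrail_vrouter_agent_t:s0 tcontext=system_u:system_r:contrail_vrouter_agent_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1460000000.151:204): avc:  denied  { net_admin } for  pid=2222 comm="contrail-vrouter" capability=12  scontext=system_u:system_r:contrail_vrouter_agent_t:s0 tcontext=system_u:system_r:contrail_vrouter_agent_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1460000000.200:205): avc:  denied  { name_connect } for  pid=3333 comm="contrail-control" dest=5998 scontext=system_u:system_r:contrail_control_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AVC msg=audit(1460000000.300:206): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)'
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "source": _type_of(fields["scontext"]),
        "target": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the access was actually blocked (enforcing mode).
        "enforced": fields.get("permissive") == "0",
    }


def summarize(text):
    """Count denials per (source type, target type, class, permission).

    Returns (counts, enforced) where enforced is the set of keys that were
    seen with permissive=0, i.e. denials that already broke something.
    """
    counts = defaultdict(int)
    enforced = set()
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:
            key = (d["source"], d["target"], d["tclass"], perm)
            counts[key] += 1
            if d["enforced"]:
                enforced.add(key)
    return dict(counts), enforced


def suggest_rules(counts):
    """Candidate allow rules in audit2allow style; 'self' when a domain acts on itself."""
    grouped = defaultdict(set)
    for src, tgt, cls, perm in counts:
        grouped[(src, "self" if src == tgt else tgt, cls)].add(perm)
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in grouped.items()
    )


def kernel_level_domains(counts):
    """Domains whose denials include capability sys_module: a compromise of
    such a process can load kernel modules, so these rules deserve review
    rather than a blanket allow."""
    return sorted({src for src, _, cls, perm in counts
                   if cls == "capability" and perm == "sys_module"})


if __name__ == "__main__":
    counts, enforced = summarize(SAMPLE_AUDIT_LOG)
    for rule in suggest_rules(counts):
        print(rule)
    print("blocked in enforcing mode:", sorted(enforced))
    print("domains needing sys_module:", kernel_level_domains(counts))
```

On a real host, feed it `ausearch -m avc -ts recent` (or the raw audit.log) after running the contrail services under the new policy in permissive mode, and treat the printed rules as a review list rather than something to paste into a module: a denial only proves the program attempted the access, not that it should be allowed. The sys_module check is the part to look at hardest, for the reason the post gives.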
