BLOG

KubeArmor adds support for SELinux

Cloud Security

KubeArmor now supports SELinux based enforcement for host policies, This allows enforcement on virtual machines or bare metal instances with Red Hat Enterprise Linux and CentOS.


KubeArmor now supports SELinux based enforcement for host policies, This allows enforcement on virtual machines or bare metal instances with Red Hat Enterprise Linux and CentOS.

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in Early Redhat / CentOS 4 and significantly enhanced in later CentOS releases. These enhancements mean that content varies as to how to approach SELinux over time to solve problems.

Why support SELinux and why can't I directly add SELinux policies to the workloads myself?

Linux Security Modules (LSM), particularly SELinux is known to be notoriously hard and error prone to implement well. Specifically in the context of SELinux, processes needs to be relabelled with the right permissions and the steps involved can easily lead to errors and accidental denial of service.

With Accuknox's open source tooling, specifically KubeArmor and Auto policy discovery -

  • Make enforcing SELinux policies easy, with policies that can declared as code.
  • Reduce the time to implement SELinux policies by auto-discovering  the policies for your Virtual Machine and Baremetal workloads using Auto Policy Discovery
  • Make it easy for you to implement Least Privilege using policy templates

How does SELinux work?

SELinux defines access controls for the applications, processes, and files on a system. It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy.

When an application or process, known as a subject, makes a request to access an object, like a file, SELinux checks with an access vector cache (AVC), where permissions are cached for subjects and objects.

If SELinux is unable to make a decision about access based on the cached permissions, it sends the request to the security server. The security server checks for the security context of the app or process and the file. Security context is applied from the SELinux policy database. Permission is then granted or denied.

SELinux labeling and type enforcement

Type enforcement and labeling are the most important concepts for SELinux.

SELinux works as a labeling system, which means that all of the files, processes, and ports in a system have an SELinux label associated with them. Labels are a logical way of grouping things together. The kernel manages the labels during boot.

Labels are in the format user:role:type:level (level is optional). User, role, and level are used in more advanced implementations of SELinux, like with MLS. Label type is the most important for targeted policy.

SELinux uses type enforcement to enforce a policy that is defined on the system. Type enforcement is the part of an SELinux policy that defines whether a process running with a certain type can access a file labeled with a certain type

KubeArmor policies will now work on automatically work on SELinux enabled OSes as listed above with limitations including network blocking support which is not available right now.

Enforcement on Virtual Machine / Baremetal systems only

SELinux specifically now can enforce host policies on Virtual machines and baremetals and specific processes but not K8s pods. This means if you have packaged CentOS to run as a part of a pod, you cannot enforce policies on the pod with CentOs with KubeArmor.

Policy Specification

The KubeArmor policy specification has no changes specific to SELinux and policies remain the same. There are some restrictions (such as no support for network enforcement in KubeArmor) but those are gracefully handled by KubeArmor.

Auto Discovery of Policies for SELinux

To make things easy, auto discovery of policies is available to generate host based policies at a per process / workload level that allows you to cherry pick which process you want to enforce policies on and enforce it using SELinux / Kubearmor. A demo will be posted soon.

Getting started with SELinux Enforcement

Follow the guide at this link to install pre-requisites and KubeArmor. The final step is to enable SELinux enforcement mode

Now, you need to enable SELinux features in all nodes.

$ cd KubeArmor/contribution/self-managed-k8s-selinux ~/KubeArmor/contribution/self-managed-k8s-selinux$ ./enable_selinux.sh

SELinux works in conjunction with KVM service to implement host based policies against your VM and baremetal workloads. For more information, please visit https://help.accuknox.com