cloudstack
CloudStack should support SELinux
ISSUE TYPE
Improvement Request
COMPONENT NAME
Management Server and Agent
CLOUDSTACK VERSION
All versions
OS / ENVIRONMENT
All
SUMMARY
Server security is key to meeting compliance requirements. Most Linux distros have supported SELinux for well over a decade.
I'm putting this in for tracking purposes, as an SELinux policy would need to be created to support ACS.
The docs still say that SELinux is not supported. Does anyone have any info as to whether these issues have been addressed? During some basic lab testing with enforcing enabled, I'm not seeing any denies in the audit logs. I tested this on an existing Alma 8 system, not on an install.
No idea; we'll have to try the install as well before changing the docs on this subject, I think. Volunteers for a clean 4.18 install?
@kiwiflyer we kind of do, but much of the SELinux work requires operators/admins to define the rules. Here's an example of a te file for the cloud-agent pkg (cloudstack-agent, which runs on KVM hosts): https://github.com/apache/cloudstack/blob/main/packaging/centos8/cloudstack-agent.te (of course this is highly limited, as you can see, but it serves as an example).
Any testing done by whoever on this? Do we have any new info? cc @kiwiflyer
Let's bring this in, for 4.20? This would be a nice addition.