The repository contains a set of SELinux policies that can be applied to Linux systems for the purpose of granting various priviledges to Gremlin.

SELinux is a security architecture for Linux commonly used in container orchestration systems where security is paramount. It uses policy definitions to enforce access controls for specific applications, processes and files.

When Gremlin is installed into an SELinux system as a container (e.g Docker constainer, Kubernetes daemonset), the container runtime that manages Gremlin will run the Gremlin processes under the SELinux process label type container_t. Gremlin performs some actions that are not allowed by this process label:

• Install and manipulate files on the host: /var/lib/gremlin, /var/log/gremlin
• Load kernel modules for manipulating network transactions during network attacks, such as net_sch
• Communicate with the container runtime socket (e.g. /var/run/docker.sock) to launch containers that carry out attacks
• Read files in /proc

When you install Gremlin as root directly onto your host machines, you likely do not need to install any of these policies, as Gremlin should run under SELinux process label type unconfined_t.

To alleviate the privilege restrictions imposed on container_t, you can allow these privileges to container_t, providing Gremlin with everything it needs, but this would also give the same privileges to all other containers on your system, which is not ideal.

This project crates a new process label type gremlin.process and adds all the necessary privileges Gremlin needs, so that you can grant them to Gremlin only, and nothing else.

Gremlin builds on the SELinux inheritance patterns set out in containers/udica, providing Gremlin privileges on top of standard container privileges. See the policy here.

The SELinux Policies generated by this project have been tested on OpenShift 3.11 and are designed to work with all OpenShift 3.x versions or any other target system running SELinux and Docker. Support for OpenShift 4.x or any other system running SELinux and Cri-O are not currently supported but are under development.

You can install the SELinux module by downloading from the releases page (or via curl)

curl -fsSL https://github.com/gremlin/selinux-policies/releases/download/v0.0.3/selinux-policies-v0.0.3.tar.gz -o selinux-policies-v0.0.3.tar.gz
tar xzf selinux-policies-v0.0.3.tar.gz
sudo semodule -i selinux-policies-v0.0.3/gremlin-openshift3.cil

You you can follow the remaining subsections to install directly from source.

yum install git

make gremlin-openshift3.cil

make install-openshift3

Or with semodule directly

semodule -i gremlin-openshift3.cil

This policy creates a new SELinux process type gremlin.process, you must run your Gremlin containers under this type. Use the section that corresponds to your runtime target.

Pass --security-opt to an existing docker run command

docker run -it \
	--security-opt=label=type:gremlin.process \
	-e GREMLIN_IDENTIFIER -e GREMLIN_TEAM_ID -e GREMLIN_TEAM_SECRET \
	-v /var/lib/gremlin:z -v /var/log/gremlin:z -v /var/run/docker.sock \
	gremlin/gremlin daemon

To make the Gremlin daemonset run within the gremlin.process context, place the following securityContext into the existing Gremlin daemonset YAML.

...
securityContext:
  seLinuxOptions:
    type: gremlin.process

Like the configuration for kubernetes, the Gremlin daemonset must run with the gremlin.process SELinux context. For openshift, this should be controlled through a SecurityContextConstraints policy instead of directly through a Kubernetes securityContext.

apiVersion: security.openshift.io/v1
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: 'gremlin provides all the features of the
      restricted SCC but allows host mounts, any UID by a pod, and forces 
      the process to run as the gremlin.process SELinux type. This is intended 
      to be used solely by Gremlin. WARNING: this SCC allows host file
      system access as any UID, including UID 0. Grant with caution.'
  name: gremlin
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  seLinuxOptions:
    type: gremlin.process
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- emptyDir
- hostPath
- persistentVolumeClaim
- secret

make uninstall

Or with semodule directly

semodule -r gremlin