[openstack-dev] [Security] the need about implementing a MAC security hook framework for OpenStack
Clark, Robert Graham
robert.clark at hp.com
Wed Jun 17 08:43:13 UTC 2015
This is an interesting idea. Most operators running production OpenStack deployments will be using OS-level Mandatory Access Controls already (likely AppArmour or SELinux).
I can see where there might be some application on a per-service basis, introducing more security for Swift, Nova etc, I’m not sure what you could do that would be OpenStack-wide.
Interested to hear where you think work on this might go.
From: Yang Luo [mailto:hsluoya at gmail.com]
Sent: 17 June 2015 07:47
To: openstack-dev at lists.openstack.org
Subject: [openstack-dev] [Security] the need about implementing a MAC security hook framework for OpenStack
I'd like to know the need about implementing a MAC (Mandatory Access Control) security hook framework for OpenStack, just like the Linux Security Module to Linux. It can be used to help construct a security module that mediates the communications between OpenStack nodes and controls distribution of resources (i.e., images, network, shared disks). This security hook framework should be cluster-wide, dynamic policy updating supported, non-intrusive implemented and with low performance overhead. The famous module in LSM, SELinux can also be imported into this security hook framework. In my point, as OpenStack has become a leading cloud operating system, it needs some kind of security architecture as standard OS.
I am a Ph.D student who has been following OpenStack security closely for nearly 1 year. This is just my initial idea and I know this project won't be small, so before I actually work on it, I'd like to hear your suggestions or objections about it. Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev