[openstack-dev] [Security] the need about implementing a MAC security hook framework for OpenStack

Clark, Robert Graham robert.clark at hp.com
Wed Jun 17 08:43:13 UTC 2015

Hi Yang,

This is an interesting idea. Most operators running production OpenStack deployments will be using OS-level Mandatory Access Controls already (likely AppArmour or SELinux).

I can see where there might be some application on a per-service basis, introducing more security for Swift, Nova etc, I’m not sure what you could do that would be OpenStack-wide.

Interested to hear where you think work on this might go.


From: Yang Luo [mailto:hsluoya at gmail.com]
Sent: 17 June 2015 07:47
To: openstack-dev at lists.openstack.org
Subject: [openstack-dev] [Security] the need about implementing a MAC security hook framework for OpenStack

Hi list,

  I'd like to know the need about implementing a MAC (Mandatory Access Control) security hook framework for OpenStack, just like the Linux Security Module to Linux. It can be used to help construct a security module that mediates the communications between OpenStack nodes and controls distribution of resources (i.e., images, network, shared disks). This security hook framework should be cluster-wide, dynamic policy updating supported, non-intrusive implemented and with low performance overhead. The famous module in LSM, SELinux can also be imported into this security hook framework. In my point, as OpenStack has become a leading cloud operating system, it needs some kind of security architecture as standard OS.

I am a Ph.D student who has been following OpenStack security closely for nearly 1 year. This is just my initial idea and I know this project won't be small, so before I actually work on it, I'd like to hear your suggestions or objections about it. Thanks!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150617/1c791f7b/attachment.html>

More information about the OpenStack-dev mailing list