This recording is the operator-visible version of the Blastwall PoC. It runs from bastion-01, uses eigenstate.ipa to read IdM state before enforcement, deploys the policy to mirror-registry, and proves that the mapped automation session lands in blastwall_u before the AF_ALG probe is blocked.

Purpose

I wanted the demo to show the whole control path without requiring AAP. The important point is not that a single playbook can fail a probe. The important point is that the same information AAP would consume is visible before the mutation step, and that the final denial is enforced by the target host's SELinux policy.

The observable flow is:

  • bastion-01 runs the Calabi PoC playbooks locally.
  • eigenstate.ipa validates the IdM SELinux user map, HBAC rule, sudo rule, and candidate host view.
  • mirror-registry receives the Blastwall policy RPM.
  • The automation identity logs in with the expected SELinux context.
  • The AF_ALG/authencesn probe is blocked for that mapped automation session.

Recording Artifact

  • setting: cloud-user shell on bastion-01.workshop.lan
  • target host: mirror-registry.workshop.lan
  • recorded command: ./scripts/blastwall-poc-demo/run-demo.sh
  • terminal shape: 272 columns by 54 rows, preserving the operator prompt

What The Demo Proves

  1. The IdM side is not assumed. It is queried before the endpoint enforcement play runs.
  2. The inventory candidate view includes mirror-registry.workshop.lan through the Blastwall policy objects.
  3. The target host can install or refresh the Blastwall SELinux policy RPM through an ordinary Ansible workflow.
  4. The mapped automation session reports blastwall_u:blastwall_r:blastwall_t:s0.
  5. The AF_ALG/authencesn probe reports BLOCKED with errno 13.

Sequence In The Recording

1. Start from the bastion-local PoC tree

cd /opt/openshift/aws-metal-openshift-demo/blastwall/poc-calabi
pwd

The recording starts from the staged repository on bastion-01. That keeps the execution boundary honest: the workstation is not directly driving guest configuration.

2. Run the read-side IdM gate

ansible-playbook 15-validate-idm-with-eigenstate.yml

This is where eigenstate.ipa earns its place in the workflow. The play reads the SELinux map, HBAC rule, sudo rule, and inventory candidate view before the enforcement play touches mirror-registry.

hbac_rule: blastwall-automation-ssh
selinux_map: blastwall-root-local-map
sudo_rule: blastwall-root-local-sudo
target: mirror-registry.workshop.lan
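The read-side gate is a membership question: is the target host covered by the HBAC rule, the SELinux user map, and the sudo rule at the same time? The following is an added example of that check, not eigenstate.ipa's code or the PoC playbook. The record layout (ipaenabledflag, hostcategory, memberhost_host, memberhost_hostgroup, ipaselinuxuser) is an assumption modelled on FreeIPA's API attribute names, and the IdM records and hostgroup are constructed for the example; only the three object names and the target come from the recording.

```python
"""Candidate-host view for the Blastwall policy objects (added example).

Not eigenstate.ipa's code. Attribute names are assumptions modelled on
FreeIPA's API; the records below are constructed, not read from IdM.
"""
from __future__ import annotations

# Constructed enrolled-host list and hostgroup membership.
KNOWN_HOSTS = {"mirror-registry.workshop.lan", "bastion-01.workshop.lan"}
HOSTGROUPS = {
    "blastwall-automation-hosts": {
        "mirror-registry.workshop.lan",
        "bastion-01.workshop.lan",
    },
}

# Constructed state for the three objects named in the demo output.
IDM_STATE = {
    "hbac_rule": {
        "cn": "blastwall-automation-ssh",
        "ipaenabledflag": True,
        "hostcategory": None,
        "memberhost_host": set(),
        "memberhost_hostgroup": {"blastwall-automation-hosts"},
    },
    "selinux_map": {
        "cn": "blastwall-root-local-map",
        "ipaenabledflag": True,
        "ipaselinuxuser": "blastwall_u:s0",
        "hostcategory": None,
        "memberhost_host": {"mirror-registry.workshop.lan"},
        "memberhost_hostgroup": set(),
    },
    "sudo_rule": {
        "cn": "blastwall-root-local-sudo",
        "ipaenabledflag": True,
        "hostcategory": None,
        "memberhost_host": set(),
        "memberhost_hostgroup": {"blastwall-automation-hosts"},
    },
}


def rule_hosts(rule, hostgroups, known_hosts):
    """Expand one policy object's host scope to concrete FQDNs.

    hostcategory == "all" means every enrolled host; otherwise the union of
    direct members and the members of each member hostgroup. A disabled
    object covers nothing, so a forgotten --disable surfaces in the gate.
    """
    if not rule.get("ipaenabledflag", False):
        return frozenset()
    if rule.get("hostcategory") == "all":
        return frozenset(known_hosts)
    hosts = set(rule.get("memberhost_host", ()))
    for group in rule.get("memberhost_hostgroup", ()):
        hosts.update(hostgroups.get(group, ()))
    return frozenset(hosts)


def candidate_hosts(state, hostgroups, known_hosts):
    """Hosts where all three Blastwall objects apply at once.

    A host present in the HBAC and sudo rules but absent from the SELinux
    user map would let the identity log in under IdM's default SELinux
    user, so the candidate view is the intersection, not the union.
    """
    scopes = [rule_hosts(state[key], hostgroups, known_hosts)
              for key in ("hbac_rule", "selinux_map", "sudo_rule")]
    return frozenset.intersection(*scopes)


def gate(state, hostgroups, known_hosts, target, expected_seuser="blastwall_u"):
    """Read-side gate for one target: (ok, reasons the enforcement play must not run)."""
    reasons = []
    for key in ("hbac_rule", "selinux_map", "sudo_rule"):
        if target not in rule_hosts(state[key], hostgroups, known_hosts):
            reasons.append(f"{key} {state[key]['cn']} does not cover {target}")
    seuser = state["selinux_map"].get("ipaselinuxuser", "")
    if seuser.split(":", 1)[0] != expected_seuser:
        reasons.append(f"selinux_map maps to {seuser!r}, expected {expected_seuser}")
    return (not reasons, reasons)


if __name__ == "__main__":
    print("candidates:", sorted(candidate_hosts(IDM_STATE, HOSTGROUPS, KNOWN_HOSTS)))
    for host in sorted(KNOWN_HOSTS):
        ok, reasons = gate(IDM_STATE, HOSTGROUPS, KNOWN_HOSTS, host)
        print(host, "OK" if ok else "HOLD", *reasons)
```

With the constructed state, bastion-01 is in the HBAC and sudo scopes through the hostgroup but not in the SELinux user map, so it drops out of the candidate view and the gate reports the missing object by name; mirror-registry passes all three checks. That is the shape of the decision the enforcement play should wait on.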

3. Deploy policy and test the mapped session

ansible-playbook 30-deploy-and-test.yml

The target host installs the Blastwall RPM, refreshes local policy state, and then runs the probe through the mapped automation identity.

4. Check the proof line

grep -E 'login_context|sudo_context|probe|BLOCKED|blastwall_u' /tmp/blastwall-poc-proof.log

The proof line is intentionally small. The login context and sudo context are confined, and the probe is denied by host policy.

login_context: blastwall_u:blastwall_r:blastwall_t:s0
probe: BLOCKED: AF_ALG socket creation denied with errno 13
sudo_context: blastwall_u:blastwall_r:blastwall_t:s0
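Two things in the proof line are easy to get wrong when a workflow consumes it: a probe that fails for a reason other than policy (no algif_aead, transform not present) must not be read as BLOCKED, and a context that is merely present must still match the expected user, role, type and level. The following added example, which is not the PoC's probe or playbook code, covers both halves: an AF_ALG probe that classifies its outcome the way the demo's vocabulary does, and a checker for the three proof lines. The three sample lines are the ones shown above; the transform name, the probe function and the checker are assumptions.

```python
"""AF_ALG probe classifier and proof-log checker (added example).

Not the Calabi PoC's code. The sample proof lines are the three lines from
the demo's /tmp/blastwall-poc-proof.log; everything else is an assumption.
"""
from __future__ import annotations

import errno
import socket
from dataclasses import dataclass

EXPECTED_CONTEXT = "blastwall_u:blastwall_r:blastwall_t:s0"
# Assumed probe target: an AEAD transform from the authencesn template family.
ALG_TYPE, ALG_NAME = "aead", "authencesn(hmac(sha256),cbc(aes))"

# Constructed from the recording's proof output.
SAMPLE_PROOF_LOG = """\
login_context: blastwall_u:blastwall_r:blastwall_t:s0
probe: BLOCKED: AF_ALG socket creation denied with errno 13
sudo_context: blastwall_u:blastwall_r:blastwall_t:s0
"""


def classify_probe_errno(err):
    """Map a socket()/bind() errno to the demo's verdict vocabulary.

    EACCES (13) is what an SELinux denial returns. A kernel without the
    AF_ALG interface or the requested transform fails with a different
    errno, and that absence must not be mistaken for enforcement.
    """
    if err == 0:
        return "ALLOWED"
    if err == errno.EACCES:
        return "BLOCKED"
    if err in (errno.EAFNOSUPPORT, errno.ENOENT, errno.ENOPROTOOPT):
        return "UNAVAILABLE"
    return "ERROR"


def format_probe_line(stage, err):
    """Render one probe line in the same shape the demo's proof log uses."""
    verdict = classify_probe_errno(err)
    if verdict == "BLOCKED":
        what = "socket creation" if stage == "socket" else "bind"
        return f"probe: BLOCKED: AF_ALG {what} denied with errno {err}"
    if verdict == "ALLOWED":
        return "probe: ALLOWED: AF_ALG transform bound"
    return f"probe: {verdict}: AF_ALG {stage} failed with errno {err}"


def run_af_alg_probe():
    """Try socket() then bind(); return (stage, errno). No data is ever encrypted."""
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:                      # non-Linux Python build
        return ("socket", errno.EAFNOSUPPORT)
    try:
        sock = socket.socket(af_alg, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        return ("socket", exc.errno or errno.EIO)
    try:
        sock.bind((ALG_TYPE, ALG_NAME))
    except OSError as exc:
        return ("bind", exc.errno or errno.EIO)
    finally:
        sock.close()
    return ("done", 0)


@dataclass(frozen=True)
class ProofResult:
    ok: bool
    findings: tuple


def parse_proof_log(text):
    """'key: value' lines to a dict; the probe value keeps its full text."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def verify_proof_log(text, expected_context=EXPECTED_CONTEXT):
    """Both contexts must match exactly and the probe must be an EACCES denial."""
    fields = parse_proof_log(text)
    findings = []
    for key in ("login_context", "sudo_context"):
        ctx = fields.get(key)
        if ctx is None:
            findings.append(f"{key} missing")
        elif ctx != expected_context:
            findings.append(f"{key} is {ctx}, expected {expected_context}")
    probe = fields.get("probe", "")
    if not probe.startswith("BLOCKED:"):
        findings.append(f"probe verdict is {probe.split(':', 1)[0] or 'missing'}, expected BLOCKED")
    elif f"errno {errno.EACCES}" not in probe:
        findings.append("probe blocked, but not with errno 13; confirm SELinux made the decision")
    return ProofResult(not findings, tuple(findings))


if __name__ == "__main__":
    print(format_probe_line(*run_af_alg_probe()))
    print(verify_proof_log(SAMPLE_PROOF_LOG))
```

Run on a host where the policy is not installed, the probe reports ALLOWED or UNAVAILABLE rather than BLOCKED, which is exactly the case a marker-only check would miss; the checker likewise rejects a log whose sudo_context came back unconfined even though the login_context line looks right.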

What This Demo Does Not Claim

  • It does not replace a kernel fix.
  • It does not claim SELinux can inspect the same kernel hook arguments as BPF LSM.
  • It does not require AAP to prove the local behavior.
  • It does not say host markers are proof by themselves. They are useful only after a local verification workflow writes them.