This glossary defines the terms used across the Blastwall docs. The definitions are intentionally short and practical, so demo and explanation pages can move without stopping to expand every platform, identity, SELinux, kernel, or lab term.

Platform And Identity

AAP
Ansible Automation Platform. In Blastwall, AAP is the fleet execution surface: it syncs code and inventory, runs preflight checks, launches workflows, and leaves operator-readable evidence.
Automation Controller
The AAP control plane formerly associated with AWX/Tower. Blastwall uses Controller workflow templates, job templates, credentials, inventory sources, and job stdout as the visible demo surface.
awx
The AWX command-line client used to interact with Automation Controller. The AAP demo uses awx so the operator path is visible instead of hidden inside setup playbooks.
Execution Environment
An Ansible execution environment container image that carries the Ansible runtime and dependencies needed by a job. Blastwall's execution environment includes the IdM and Kerberos pieces needed for inventory and preflight.
IdM
Red Hat Identity Management. IdM is the central authority for automation identities, host groups, HBAC, sudo rules, SELinux user maps, and host markers. See IdM Control Model.
FreeIPA
The upstream identity project behind Red Hat IdM. The docs use FreeIPA when discussing the general identity technology and IdM when discussing the RHEL enterprise shape.
eigenstate.ipa
An Ansible collection that reads IdM state and exposes it as inventory-visible facts. Blastwall uses it as the state translator between IdM records and AAP preflight decisions.
HBAC
Host-Based Access Control. In IdM, an HBAC rule decides whether a user or group may log in to a host or host group through a service such as SSH.
SSSD
The managed-host service that reads IdM identity and policy state during login and participates in applying the correct local mapping.
pam_selinux
The PAM module that applies SELinux login context during authentication. In Blastwall, it is part of the path that turns an IdM SELinux user map into a local session context.
sudo
The delegated privilege mechanism used after login. Blastwall allows sudo to reach UID 0 while SELinux keeps the session inside the confined automation domain.
preflight
A fail-closed suitability check that runs before target execution. Blastwall preflight checks identity mapping, HBAC, sudo, host markers, and inventory state before selecting a host.

SELinux And Blastwall Model

SELinux
Security-Enhanced Linux. Blastwall uses SELinux as the host-local enforcement boundary for the automation session after it reaches a managed RHEL host. See SELinux Control Model.
SELinux context
The label attached to a process or object. A process context such as blastwall_u:blastwall_r:blastwall_t:s0 contains a user, role, type, and level. See context shape.
SELinux user
The SELinux identity component of a context. Blastwall maps automation logins into blastwall_u rather than an unconfined user.
SELinux role
The SELinux role component of a context. Blastwall uses blastwall_r as the role for the confined automation path.
SELinux type/domain
The SELinux enforcement type for a process or object. For a process, the type is often called a domain; Blastwall's confined automation domain is blastwall_t.
blastwall_u
The Blastwall SELinux user. The _u suffix follows SELinux convention for the user component of a context.
blastwall_r
The Blastwall SELinux role. The _r suffix follows SELinux convention for the role component of a context.
blastwall_t
The Blastwall SELinux type/domain. The _t suffix follows SELinux convention for the type component; for a running process, that type is usually called the domain.
host marker
An IdM-visible claim written after local verification succeeds. AAP can read host markers during inventory sync, but markers are not proof by themselves.
coverage marker
A host marker for a specific policy coverage claim, such as blastwall_policy_bpf=denied. It helps AAP select hosts that match the job's required deny scopes.
current eligible host
A host that preflight can target because its identity access, login mapping, and required policy coverage are current for the job.
stale host
A host that is visible but does not satisfy the current policy or coverage requirements for the job.
deny scope
A named exploit surface or policy-management surface that Blastwall denies for the confined automation domain.
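The entries above describe a context of the shape blastwall_u:blastwall_r:blastwall_t:s0, coverage markers such as blastwall_policy_bpf=denied, and a fail-closed preflight that decides whether a host is current or stale. The following is an added illustration written for this glossary; it is not Blastwall's own preflight or eigenstate.ipa code. It assumes that coverage markers follow the pattern blastwall_policy_<scope>=denied (generalised from the one marker the glossary shows), that the HBAC result and the observed session context are handed in as plain inputs, and it borrows the two hostnames from the naming note below as constructed sample data; Context, Host and preflight are names chosen here.

```python
"""Illustrative preflight-style host selection assembled for this glossary.
Not Blastwall's own code; marker format and helper names are assumptions."""
from dataclasses import dataclass, field

# The confined session shape the glossary describes: user, role, type, level.
EXPECTED_USER = "blastwall_u"
EXPECTED_ROLE = "blastwall_r"
EXPECTED_TYPE = "blastwall_t"


@dataclass
class Context:
    user: str
    role: str
    type: str
    level: str


def parse_context(label: str) -> Context:
    """Split an SELinux process context such as
    blastwall_u:blastwall_r:blastwall_t:s0 into its four components.
    The MLS level may itself contain colons (e.g. s0-s0:c0.c1023), so only
    the first three separators are significant."""
    parts = label.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"malformed SELinux context: {label!r}")
    return Context(*parts)


def context_is_confined(label: str) -> bool:
    """True when the session landed in the Blastwall confined domain rather
    than, for example, unconfined_u:unconfined_r:unconfined_t:s0."""
    ctx = parse_context(label)
    return (ctx.user, ctx.role, ctx.type) == (EXPECTED_USER, EXPECTED_ROLE, EXPECTED_TYPE)


def parse_markers(markers: list[str]) -> dict[str, str]:
    """Turn key=value host markers such as blastwall_policy_bpf=denied into a
    dict keyed by marker name; a malformed marker is an error, not ignored."""
    parsed = {}
    for m in markers:
        key, sep, value = m.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed host marker: {m!r}")
        parsed[key] = value
    return parsed


@dataclass
class Host:
    name: str
    session_context: str          # context observed for an automation login
    hbac_allowed: bool            # IdM HBAC result for the automation identity
    markers: list[str] = field(default_factory=list)


def preflight(host: Host, required_scopes: list[str]) -> tuple[bool, list[str]]:
    """Fail-closed selection: every check must pass or the host is stale.
    required_scopes are deny-scope names like "bpf" or "packet_socket";
    the marker name pattern blastwall_policy_<scope>=denied is assumed."""
    reasons = []
    if not host.hbac_allowed:
        reasons.append("hbac: automation identity may not log in")
    try:
        if not context_is_confined(host.session_context):
            reasons.append(f"mapping: session context {host.session_context} is not confined")
    except ValueError as exc:
        reasons.append(f"mapping: {exc}")
    try:
        markers = parse_markers(host.markers)
    except ValueError as exc:
        reasons.append(f"markers: {exc}")
        markers = {}
    for scope in required_scopes:
        if markers.get(f"blastwall_policy_{scope}") != "denied":
            reasons.append(f"coverage: no current denied marker for scope {scope}")
    return (not reasons, reasons)


# Constructed sample inventory: one current eligible host and one stale fixture
# (hostnames taken from the naming note; contexts and markers are made up).
SAMPLE_HOSTS = [
    Host("mirror-registry.workshop.lan",
         "blastwall_u:blastwall_r:blastwall_t:s0", True,
         ["blastwall_policy_bpf=denied", "blastwall_policy_packet_socket=denied"]),
    Host("stale-blastwall-01.workshop.lan",
         "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", True,
         ["blastwall_policy_bpf=denied"]),
]


def select_eligible(hosts: list[Host], required_scopes: list[str]) -> list[str]:
    """Return the names of hosts that pass preflight for the job's deny scopes."""
    return [h.name for h in hosts if preflight(h, required_scopes)[0]]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        ok, why = preflight(h, ["bpf", "packet_socket"])
        print(h.name, "eligible" if ok else "stale", why)
```

The point of the structure is that a host is never selected on a marker alone: the marker narrows the candidate set, and the mapping and HBAC checks must still pass, which is the "markers are not proof by themselves" caveat in the host marker entry.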

Kernel And Exploit Surfaces

BPF LSM
A Linux security hook mechanism that attaches small BPF programs to access-control decisions. It can be very precise because it can inspect hook arguments, such as the algorithm name in an AF_ALG bind.
eBPF
Extended Berkeley Packet Filter, a programmable kernel facility used for tracing, networking, observability, and some enforcement. BPF LSM is one specific eBPF security use case.
BPF
The kernel facility and syscall family used to create BPF maps and load BPF programs. Blastwall's BPF probe checks that confined automation cannot create maps or load programs.
AF_ALG
The Linux kernel socket family for using kernel cryptographic algorithms from user space. Copy Fail reaches the vulnerable path through this interface.
Copy Fail
The public exploit write-up and proof of concept that motivates Blastwall's first concrete deny-scope example.
authencesn
The specific authenticated encryption template shape associated with the Copy Fail exploit path. Blastwall blocks the broader AF_ALG surface for mapped automation instead of matching this argument.
seccomp
A Linux syscall filtering mechanism. It is useful when a process has a predictable syscall surface and should not be allowed to call outside it.
io_uring
A high-performance Linux asynchronous I/O interface. It has been an important kernel exploit surface, so Blastwall treats access to it as low-value for privileged automation and blocks it.
userns
User namespaces. They let a process create a namespace with different user and capability mappings, and they often serve as an exploit-chain enabler.
packet_socket
The SELinux object class associated with raw packet socket use. Blastwall denies this surface for confined automation.
AF_PACKET
The Linux socket family for packet-level network access. Blastwall's packet socket probe checks that this path is denied for the confined automation domain.
syscall
A system call: a request from user space into the kernel. Several Blastwall probes verify that sensitive syscalls or socket operations fail before reaching useful exploit behavior.
CIL
SELinux Common Intermediate Language, the intermediate policy language that policy source is compiled into before the binary policy is built. Blastwall uses CIL for deny rules and optional policy blocks.
audit log
The host log stream that records security-relevant events, including SELinux denials. Blastwall reads target audit logs to show host-local enforcement evidence.
AVC
The SELinux audit record showing that policy blocked an attempted access.
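The audit log and AVC entries say that Blastwall reads target audit logs for enforcement evidence. As an added example for this glossary (not Blastwall's own tooling), the following parses AVC records in the shape auditd writes them and counts enforced denials from the confined automation domain per deny scope. The audit lines are constructed for the example, the mapping from SELinux object class (tclass) to deny-scope name is an assumption, and the function names are chosen here. It also shows the one caveat a reader of audit evidence needs: a record with permissive=1 is a rehearsal, not enforcement, and is excluded.

```python
"""Added example for this glossary, not Blastwall's own code: parse AVC
records from constructed audit-log lines and summarise enforced denials."""
import re
from collections import Counter

# Shape of an AVC record as auditd writes it: header, result, permission set,
# then key=value fields (pid, comm, scontext, tcontext, tclass, permissive).
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed mapping from SELinux object class to the deny-scope names the
# glossary uses; real Blastwall may name these differently.
TCLASS_TO_SCOPE = {
    "packet_socket": "packet_socket",
    "bpf": "bpf",
    "alg_socket": "af_alg",
    "io_uring": "io_uring",
}


def parse_avc(line: str):
    """Return a dict for an AVC line, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "result")}
    rec["perms"] = m.group("perms").split()
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # scontext is the process context; its third component is the domain.
    sctx = rec.get("scontext", "")
    rec["sdomain"] = sctx.split(":")[2] if sctx.count(":") >= 2 else ""
    return rec


def denials_for_domain(lines, domain="blastwall_t"):
    """Count AVC denials whose source domain is the confined automation domain
    and that were actually enforced (permissive=0), grouped by deny scope."""
    hits = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec["sdomain"] != domain or rec.get("permissive") != "0":
            continue
        scope = TCLASS_TO_SCOPE.get(rec.get("tclass"), rec.get("tclass", "unknown"))
        hits[scope] += 1
    return dict(hits)


# Constructed sample lines; pids, timestamps and comm values are made up.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1700000000.101:301): avc:  denied  { map_create } for  pid=4201 comm="bpf-probe" scontext=blastwall_u:blastwall_r:blastwall_t:s0 tcontext=blastwall_u:blastwall_r:blastwall_t:s0 tclass=bpf permissive=0',
    'type=AVC msg=audit(1700000000.102:302): avc:  denied  { create } for  pid=4202 comm="pkt-probe" scontext=blastwall_u:blastwall_r:blastwall_t:s0 tcontext=blastwall_u:blastwall_r:blastwall_t:s0 tclass=packet_socket permissive=0',
    'type=AVC msg=audit(1700000000.103:303): avc:  denied  { bind } for  pid=4203 comm="alg-probe" scontext=blastwall_u:blastwall_r:blastwall_t:s0 tcontext=blastwall_u:blastwall_r:blastwall_t:s0 tclass=alg_socket permissive=0',
    # Different source domain: not evidence about the confined automation path.
    'type=AVC msg=audit(1700000000.104:304): avc:  denied  { create } for  pid=4204 comm="pkt-probe" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=packet_socket permissive=0',
    # permissive=1: the access was logged but allowed, so it is not enforcement.
    'type=AVC msg=audit(1700000000.105:305): avc:  denied  { create } for  pid=4205 comm="pkt-probe" scontext=blastwall_u:blastwall_r:blastwall_t:s0 tcontext=blastwall_u:blastwall_r:blastwall_t:s0 tclass=packet_socket permissive=1',
    # A non-AVC record that the parser must skip.
    "type=USER_LOGIN msg=audit(1700000000.106:306): pid=4206 uid=0 auid=1001 ses=7 msg='op=login id=1001 exe=\"/usr/sbin/sshd\" res=success'",
]

if __name__ == "__main__":
    for scope, n in sorted(denials_for_domain(SAMPLE_AUDIT).items()):
        print(f"{scope}: {n} enforced denial(s) from blastwall_t")
```

On a real host the same lines come from /var/log/audit/audit.log or from ausearch; the filter on scontext is what ties a denial to the confined automation domain rather than to some other process that happened to touch the same object class.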

Lab And Operations

Calabi
The nested-KVM lab environment used to record and validate Blastwall. It provides a real IdM server, bastion host, mirror registry, Kerberos flow, and managed endpoint.
bastion
The controlled jump and execution host for lab playbooks. In Calabi, Blastwall's stage and execute steps run from bastion-01, not directly from the workstation.
mirror registry
The lab container registry used to host the Blastwall execution environment image for AAP.
GSSAPI
A standard interface used here for Kerberos-backed SSH authentication. It lets the automation identity connect without plain SSH passwords.
Kerberos
A ticket-based authentication protocol used by IdM. Blastwall uses Kerberos tickets or keytabs for the automation identity path.
keytab
A file containing Kerberos principal keys. Production-style AAP runs should prefer a least-privilege service principal with a keytab over password fallback.
RPM
The package format used by RHEL. Blastwall treats SELinux policy as a versioned RPM artifact so normal content lifecycle tools can stage, promote, audit, and roll it back.
Satellite
Red Hat Satellite, a content and lifecycle management platform for RHEL estates. The docs mention it as a natural place to stage and promote policy RPMs.

Comparable Tools

block-copyfail
Anthony Green's BPF LSM proof of concept that blocks the Copy Fail authencesn AF_ALG bind path with kernel-argument precision.
cfDr
An Ansible detection and remediation approach for Copy Fail exposure.
nono
A local sandboxing approach aimed at constraining AI agents or development tools inside allowed workspaces.
Landlock
A Linux security feature for unprivileged filesystem sandboxing. nono uses Landlock as part of its containment model.
Falco
A runtime detection and alerting tool for suspicious host, container, Kubernetes, and cloud behavior.
Tetragon
An eBPF-based runtime observability and enforcement tool focused on process, file, network, and Kubernetes activity.
gVisor
A container isolation project that adds a user-space application kernel between workloads and the host kernel.

Naming Note

The current AAP recording uses blastwall-demo as the Controller launcher and svc-ansible-runner as the IdM-backed runtime identity. The selected managed host is mirror-registry.workshop.lan; stale-blastwall-01.workshop.lan is a fixture for preflight rejection. automation-endpoint is the generic Ansible inventory group used by lab playbooks.