This version of the policy is far from perfect, but in my view it is a solid start. I have installed this policy and was able to start cobblerd in its proper security domain. I have not actually tried to use Cobbler. Also, there is no policy yet for executable files other than /usr/bin/cobblerd.
Instructions:
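# Build, install and enable (in permissive mode) a first-cut SELinux policy
# module for cobblerd. Run as root. Writes cobbler.te and cobbler.fc into
# ~/cobbler, compiles cobbler.pp with the refpolicy devel Makefile, loads it
# and relabels the paths listed in cobbler.fc.
mkdir -p ~/cobbler && cd ~/cobbler || exit 1

# A quoted heredoc (<<'EOF') writes the policy text verbatim. The original
# echo """...""" form put the text inside double quotes, where the m4
# backtick in optional_policy(` starts a shell command substitution and the
# \. regex escapes in the file contexts are subject to backslash processing.
cat <<'EOF' > cobbler.te
policy_module(cobbler, 0.0.1)
# Personal declarations
type cobbler_config_t;
files_config_file(cobbler_config_t)
type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)
type cobbler_exec_t;
application_executable_file(cobbler_exec_t)
type cobbler_ext_nodes_exec_t;
application_executable_file(cobbler_ext_nodes_exec_t)
type cobblerd_exec_t;
application_executable_file(cobblerd_exec_t)
type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)
type cobbler_log_t;
logging_log_file(cobbler_log_t)
type cobblerd_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
type cobbler_port_t;
corenet_port(cobbler_port_t)
# Personal policy
# NOTE(review): dac_override, *_sendrecv_all_ports and *_bind_generic_port
# are broad grants; once the AVC output from testing shows which ports
# cobblerd really uses, prefer the commented-out cobbler_port_t name_bind
# rules below (with a semanage port entry) and drop the generic ones.
allow cobblerd_t self:capability { sys_nice chown dac_override fowner };
allow cobblerd_t self:fifo_file { read write getattr };
allow cobblerd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow cobblerd_t self:process { setsched getsched };
allow cobblerd_t self:tcp_socket { getattr setopt bind create accept listen };
allow cobblerd_t self:udp_socket { read bind create };
allow cobblerd_t cobbler_config_t:dir search;
allow cobblerd_t cobbler_config_t:file { read getattr };
allow cobblerd_t cobbler_exec_t:file getattr;
manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t)
logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })
# files_search_var_lib(cobblerd_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
corecmd_read_bin_symlinks(cobblerd_t)
corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_all_nodes(cobblerd_t)
corenet_tcp_sendrecv_all_ports(cobblerd_t)
# allow cobblerd_t cobbler_port_t:tcp_socket { name_bind; }
corenet_tcp_bind_generic_port(cobblerd_t)
corenet_tcp_bind_all_nodes(cobblerd_t)
corenet_udp_sendrecv_generic_if(cobblerd_t)
corenet_udp_sendrecv_all_nodes(cobblerd_t)
corenet_udp_sendrecv_all_ports(cobblerd_t)
# allow cobblerd_t cobbler_port_t:udp_socket { name_bind; }
corenet_udp_bind_generic_port(cobblerd_t)
corenet_udp_bind_all_nodes(cobblerd_t)
dev_read_urand(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_etc_files(cobblerd_t)
files_read_usr_symlinks(cobblerd_t)
files_search_usr(cobblerd_t)
kernel_read_system_state(cobblerd_t)
libs_use_ld_so(cobblerd_t)
libs_use_shared_libs(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
# is this optional? (rpm_domtrans lets cobblerd_t transition into the rpm
# domain; confirm from AVC output whether cobblerd actually needs it)
rpm_domtrans(cobblerd_t)
sysnet_read_config(cobblerd_t)
apache_content_template(cobbler)
optional_policy(`
dbus_system_bus_client_template(cobblerd, cobblerd_t)
dbus_connect_system_bus(cobblerd_t)
dbus_system_domain(cobblerd_t, cobblerd_exec_t)
')
#EOF
EOF

# File contexts. httpd_cobbler_script_exec_t is provided by
# apache_content_template(cobbler) in cobbler.te.
cat <<'EOF' > cobbler.fc
# File contexts
/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_config_t, s0)
/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
/usr/bin/cobbler -- gen_context(system_u:object_r:cobbler_exec_t, s0)
/usr/bin/cobbler-ext-nodes -- gen_context(system_u:object_r:cobbler_ext_nodes_exec_t, s0)
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_log_t, s0)
/var/www/cobbler/svc/services.py -- gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
/var/www/cobbler/web/index.py -- gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
EOF

# Do not load a module that failed to build.
make -f /usr/share/selinux/devel/Makefile && semodule -i cobbler.pp || exit 1

# Relabel every path covered by cobbler.fc so the new types take effect.
for path in /etc/cobbler /etc/init.d/cobblerd /usr/bin/cobblerd /usr/bin/cobbler \
            /usr/bin/cobbler-ext-nodes /var/lib/cobbler /var/log/cobbler /var/www/cobbler; do
    restorecon -R -v "$path"
done

# The daemon domain declared in cobbler.te is cobblerd_t (there is no
# cobbler_t), so that is the domain to put in permissive mode: denials are
# logged for tuning the policy but not enforced while testing.
semanage permissive -a cobblerd_t
service cobblerd start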
(start testing)
ausearch -m avc -ts today
To undo and remove the module:
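# Undo: stop the daemon, drop the permissive entry, unload the module and
# relabel the paths back to whatever the base policy assigns them.
service cobblerd stop
# The domain declared in cobbler.te is cobblerd_t; "cobbler_t" does not
# exist in this module, so removing it would leave the real entry behind.
semanage permissive -d cobblerd_t
semodule -r cobbler
for path in /etc/cobbler /etc/init.d/cobblerd /usr/bin/cobblerd /usr/bin/cobbler \
            /usr/bin/cobbler-ext-nodes /var/lib/cobbler /var/log/cobbler /var/www/cobbler; do
    restorecon -R -v "$path"
done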
Questions and comments are welcome.
Thanks in advance for your feedback.
Dominick Grift