domg472 g472 wrote:
Below you will find instructions on how to install a bare SELinux
policy for Cobbler. Feedback in the form of AVC denials would be
appreciated so that we can perfect this bare policy.
The version of this policy is far from perfect but it is in my view a
solid start. I have installed this policy and was able to start
cobblerd in it' s proper security domain. I have not actually tried to
use Cobbler. Also there is no policy yet for executable files other
then /usr/bin/cobblerd.
Instructions:
mkdir ~/cobbler; cd ~/cobbler
echo """
policy_module(cobbler, 0.0.1)
# Personal declarations
type cobbler_config_t;
files_config_file(cobbler_config_t)
type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)
type cobbler_exec_t;
application_executable_file(cobbler_exec_t)
type cobbler_ext_nodes_exec_t;
application_executable_file(cobbler_ext_nodes_exec_t)
type cobblerd_exec_t;
application_executable_file(cobblerd_exec_t)
type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)
type cobbler_log_t;
logging_log_file(cobbler_log_t)
type cobblerd_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
type cobbler_port_t;
corenet_port(cobbler_port_t)
# Personal policy
allow cobblerd_t self:capability { sys_nice chown dac_override fowner };
allow cobblerd_t self:fifo_file { read write getattr };
allow cobblerd_t self:netlink_route_socket { write getattr read bind
create nlmsg_read };
allow cobblerd_t self:process { setsched getsched };
allow cobblerd_t self:tcp_socket { getattr setopt bind create accept
listen };
allow cobblerd_t self:udp_socket { read bind create };
allow cobblerd_t cobbler_config_t:dir search;
allow cobblerd_t cobbler_config_t:file { read getattr };
allow cobblerd_t cobbler_exec_t:file getattr;
manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t)
logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })
# files_search_var_lib(cobblerd_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
corecmd_read_bin_symlinks(cobblerd_t)
corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_all_nodes(cobblerd_t)
corenet_tcp_sendrecv_all_ports(cobblerd_t)
# allow cobblerd_t cobbler_port_t:tcp_socket { name_bind; }
corenet_tcp_bind_generic_port(cobblerd_t)
corenet_tcp_bind_all_nodes(cobblerd_t)
corenet_udp_sendrecv_generic_if(cobblerd_t)
corenet_udp_sendrecv_all_nodes(cobblerd_t)
corenet_udp_sendrecv_all_ports(cobblerd_t)
# allow cobblerd_t cobbler_port_t:udp_socket { name_bind; }
corenet_udp_bind_generic_port(cobblerd_t)
corenet_udp_bind_all_nodes(cobblerd_t)
dev_read_urand(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_etc_files(cobblerd_t)
files_read_usr_symlinks(cobblerd_t)
files_search_usr(cobblerd_t)
kernel_read_system_state(cobblerd_t)
libs_use_ld_so(cobblerd_t)
libs_use_shared_libs(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
# is this optional?
rpm_domtrans(cobblerd_t)
sysnet_read_config(cobblerd_t)
apache_content_template(cobbler)
optional_policy(`
dbus_system_bus_client_template(cobblerd, cobblerd_t)
dbus_connect_system_bus(cobblerd_t)
dbus_system_domain(cobblerd_t, cobblerd_exec_t)
')
#EOF
""" > cobbler.te;
echo """
# File contexts
/etc/cobbler(/.*)?
gen_context(system_u:object_r:cobbler_config_t, s0)
/etc/rc\.d/init\.d/cobblerd --
gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
/usr/bin/cobbler --
gen_context(system_u:object_r:cobbler_exec_t, s0)
/usr/bin/cobbler-ext-nodes --
gen_context(system_u:object_r:cobbler_ext_nodes_exec_t, s0)
/usr/bin/cobblerd --
gen_context(system_u:object_r:cobblerd_exec_t, s0)
/var/lib/cobbler(/.*)?
gen_context(system_u:object_r:cobbler_var_lib_t, s0)
/var/log/cobbler(/.*)?
gen_context(system_u:object_r:cobbler_log_t, s0)
/var/www/cobbler/svc/services.py --
gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
/var/www/cobbler/web/index.py --
gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
""" > cobbler.fc;
make -f /usr/share/selinux/devel/Makefile
semodule -i cobbler.pp
restorecon -R -v /etc/cobbler
restorecon -R -v /etc/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler
semanage permissive -a cobbler_t
service cobblerd start
(start testing)
ausearch -m avc -ts today
to remove undo:
service cobblerd stop
semanage permissive -d cobbler_t
semodule -r cobbler
restorecon -R -v /etc/cobbler
restorecon -R -v /etc/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler
Questions and comments are welcome.
Thanks in advance for your feedback.
Dominick Grift
------------------------------------------------------------------------
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
Thanks Dominick!
I've uploaded this to the Wiki so people can copy/paste it.
https://fedorahosted.org/cobbler/wiki/SeLinuxPolicy
The last release had a lot of work making sure we ran everything cleanly
in SELinux again, and I think getting cobblerd to have a policy would be
a logical extension of that.
Would someone like to take a shot at refining this policy some or at
least running Cobbler with that for a while (in permissive mode) to
identify what else needs to be allowed?
I think possibly /usr/bin/cobbler-ext-nodes (used for Puppet
integration) and /usr/bin/cobbler (command line for humans) can be left
unconfined. Just thinking about things offhand cobbler needs to be
able to read and write to Apache and tftp-server content, read and write
to /var/lib/cobbler and /var/log/cobbler, and read to /etc/cobbler.
A good way to get most of this going is to install from a git checkout
("make install" for new users, or "make devinstall" for old ones who
don't want to whack their config) and then "make test" would go a long
way I'd think of covering most of it.
--Michael
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
