Re: Help perfect Cobbler SELinux policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



domg472 g472 wrote:
Below you will find instructions on how to install a bare SELinux policy for Cobbler. Feedback in the form of AVC denials would be appreciated so that we can perfect this bare policy.

The version of this policy is far from perfect but it is in my view a solid start. I have installed this policy and was able to start cobblerd in it' s proper security domain. I have not actually tried to use Cobbler. Also there is no policy yet for executable files other then /usr/bin/cobblerd.

Instructions:


mkdir ~/cobbler; cd ~/cobbler
echo """

policy_module(cobbler, 0.0.1)

# Personal declarations

type cobbler_config_t;
files_config_file(cobbler_config_t)

type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)

type cobbler_exec_t;
application_executable_file(cobbler_exec_t)

type cobbler_ext_nodes_exec_t;
application_executable_file(cobbler_ext_nodes_exec_t)

type cobblerd_exec_t;
application_executable_file(cobblerd_exec_t)

type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)

type cobbler_log_t;
logging_log_file(cobbler_log_t)

type cobblerd_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)

type cobbler_port_t;
corenet_port(cobbler_port_t)

# Personal policy

allow cobblerd_t self:capability { sys_nice chown dac_override fowner };
allow cobblerd_t self:fifo_file { read write getattr };
allow cobblerd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow cobblerd_t self:process { setsched getsched };
allow cobblerd_t self:tcp_socket { getattr setopt bind create accept listen };
allow cobblerd_t self:udp_socket { read bind create };

allow cobblerd_t cobbler_config_t:dir search;
allow cobblerd_t cobbler_config_t:file { read getattr };

allow cobblerd_t cobbler_exec_t:file getattr;

manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t)
logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })

# files_search_var_lib(cobblerd_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })

corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)

corecmd_read_bin_symlinks(cobblerd_t)

corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)

corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_all_nodes(cobblerd_t)
corenet_tcp_sendrecv_all_ports(cobblerd_t)

# allow cobblerd_t cobbler_port_t:tcp_socket { name_bind; }
corenet_tcp_bind_generic_port(cobblerd_t)
corenet_tcp_bind_all_nodes(cobblerd_t)

corenet_udp_sendrecv_generic_if(cobblerd_t)
corenet_udp_sendrecv_all_nodes(cobblerd_t)
corenet_udp_sendrecv_all_ports(cobblerd_t)

# allow cobblerd_t cobbler_port_t:udp_socket { name_bind; }
corenet_udp_bind_generic_port(cobblerd_t)
corenet_udp_bind_all_nodes(cobblerd_t)

dev_read_urand(cobblerd_t)

files_list_tmp(cobblerd_t)

files_read_etc_files(cobblerd_t)

files_read_usr_symlinks(cobblerd_t)
files_search_usr(cobblerd_t)

kernel_read_system_state(cobblerd_t)

libs_use_ld_so(cobblerd_t)
libs_use_shared_libs(cobblerd_t)

miscfiles_read_localization(cobblerd_t)

# is this optional?
rpm_domtrans(cobblerd_t)

sysnet_read_config(cobblerd_t)

apache_content_template(cobbler)

optional_policy(`
        dbus_system_bus_client_template(cobblerd, cobblerd_t)
        dbus_connect_system_bus(cobblerd_t)
        dbus_system_domain(cobblerd_t, cobblerd_exec_t)
')

#EOF
""" > cobbler.te;

echo """

# File contexts

/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_config_t, s0)

/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)

/usr/bin/cobbler -- gen_context(system_u:object_r:cobbler_exec_t, s0) /usr/bin/cobbler-ext-nodes -- gen_context(system_u:object_r:cobbler_ext_nodes_exec_t, s0) /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)

/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)

/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_log_t, s0)

/var/www/cobbler/svc/services.py -- gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0) /var/www/cobbler/web/index.py -- gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)

""" > cobbler.fc;

make -f /usr/share/selinux/devel/Makefile
semodule -i cobbler.pp

restorecon -R -v /etc/cobbler
restorecon -R -v /etc/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler

semanage permissive -a cobbler_t

service cobblerd start

(start testing)

ausearch -m avc -ts today

to remove undo:

service cobblerd stop
semanage permissive -d cobbler_t
semodule -r cobbler
restorecon -R -v /etc/cobbler
restorecon -R -v /etc/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler

Questions and comments are welcome.
Thanks in advance for your feedback.

Dominick Grift



------------------------------------------------------------------------

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools

Thanks Dominick!

I've uploaded this to the Wiki so people can copy/paste it.

https://fedorahosted.org/cobbler/wiki/SeLinuxPolicy

The last release had a lot of work making sure we ran everything cleanly in SELinux again, and I think getting cobblerd to have a policy would be a logical extension of that.

Would someone like to take a shot at refining this policy some or at least running Cobbler with that for a while (in permissive mode) to identify what else needs to be allowed?

I think possibly /usr/bin/cobbler-ext-nodes (used for Puppet integration) and /usr/bin/cobbler (command line for humans) can be left unconfined. Just thinking about things offhand cobbler needs to be able to read and write to Apache and tftp-server content, read and write to /var/lib/cobbler and /var/log/cobbler, and read to /etc/cobbler.

A good way to get most of this going is to install from a git checkout ("make install" for new users, or "make devinstall" for old ones who don't want to whack their config) and then "make test" would go a long way I'd think of covering most of it.

--Michael

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools

[Index of Archives]     [Fedora Users]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux