Add cloud-init.

This is used by cloud providers to set up VMs during deployment. https://github.com/canonical/cloud-init Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-03-09 20:50:22 +00:00 · 2022-03-09 20:50:22 +00:00 · 3456bbe644
parent 7983645286
commit 3456bbe644
11 changed files with 356 additions and 2 deletions
--- a/policy/modules/admin/cloudinit.fc
+++ b/policy/modules/admin/cloudinit.fc
@ -0,0 +1,10 @@
+/run/cloud-init(/.*)?       gen_context(system_u:object_r:cloud_init_runtime_t,s0)
+
+/usr/bin/cloud-id       --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init     --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init-per --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+
+/var/lib/cloud(/.*)?        gen_context(system_u:object_r:cloud_init_state_t,s0)
+
+/var/log/cloud-init-output\.log -- gen_context(system_u:object_r:cloud_init_log_t,s0)
+/var/log/cloud-init\.log --  gen_context(system_u:object_r:cloud_init_log_t,s0)
--- a/policy/modules/admin/cloudinit.if
+++ b/policy/modules/admin/cloudinit.if
@ -0,0 +1,108 @@
+## <summary>Init scripts for cloud VMs</summary>
+
+########################################
+## <summary>
+##	Create cloud-init runtime directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_create_runtime_dirs',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	allow $1 cloud_init_runtime_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Write cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_write_runtime_files',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+########################################
+## <summary>
+##	Create cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_create_runtime_files',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	create_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+#######################################
+## <summary>
+##	Create files in /run with the type used for
+##	cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_filetrans_runtime',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_runtime_filetrans($1, cloud_init_runtime_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Get the attribute of cloud-init state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_getattr_state_files',`
+	gen_require(`
+		type cloud_init_state_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 cloud_init_state_t:dir list_dir_perms;
+	allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
+	allow $1 cloud_init_state_t:file getattr;
+')
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@ -0,0 +1,108 @@
+policy_module(cloudinit)
+
+########################################
+#
+# Declarations
+#
+
+type cloud_init_t;
+type cloud_init_exec_t;
+init_system_domain(cloud_init_t, cloud_init_exec_t)
+
+type cloud_init_log_t;
+logging_log_file(cloud_init_log_t)
+
+type cloud_init_runtime_t;
+files_runtime_file(cloud_init_runtime_t)
+files_mountpoint(cloud_init_runtime_t)
+
+type cloud_init_state_t;
+files_type(cloud_init_state_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cloud_init_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
+dontaudit cloud_init_t self:capability { net_admin sys_tty_config };
+allow cloud_init_t self:fifo_file rw_fifo_file_perms;
+allow cloud_init_t self:unix_dgram_socket create_socket_perms;
+
+allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms setattr };
+logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)
+
+manage_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
+files_runtime_filetrans(cloud_init_t, cloud_init_runtime_t, { dir file lnk_file })
+
+manage_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
+files_var_lib_filetrans(cloud_init_t, cloud_init_state_t, { dir file lnk_file })
+
+auth_domtrans_chk_passwd(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+corenet_dontaudit_tcp_bind_generic_node(cloud_init_t)
+
+dbus_system_bus_client(cloud_init_t)
+
+dev_getattr_all_blk_files(cloud_init_t)
+# /sys/devices/pci0000:00/0000:00:03.0/net/eth0/address
+dev_read_sysfs(cloud_init_t)
+
+files_manage_config_dirs(cloud_init_t)
+files_relabel_config_dirs(cloud_init_t)
+files_manage_config_files(cloud_init_t)
+files_relabel_config_files(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+fs_search_tmpfs(cloud_init_t)
+fs_search_cgroup_dirs(cloud_init_t)
+fs_read_iso9660_files(cloud_init_t)
+
+fstools_domtrans(cloud_init_t)
+
+hostname_domtrans(cloud_init_t)
+
+init_get_system_status(cloud_init_t)
+init_read_state(cloud_init_t)
+init_stream_connect(cloud_init_t)
+
+kernel_read_system_state(cloud_init_t)
+kernel_read_crypto_sysctls(cloud_init_t)
+kernel_read_kernel_sysctls(cloud_init_t)
+
+libs_dontaudit_manage_lib_dirs(cloud_init_t)
+libs_dontaudit_manage_lib_files(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+mount_domtrans(cloud_init_t)
+
+seutil_read_default_contexts(cloud_init_t)
+
+ssh_domtrans_keygen(cloud_init_t)
+ssh_manage_home_files(cloud_init_t)
+ssh_create_home_dirs(cloud_init_t)
+ssh_setattr_home_dirs(cloud_init_t)
+# Read public keys
+ssh_read_server_keys(cloud_init_t)
+
+sysnet_domtrans_ifconfig(cloud_init_t)
+
+term_write_console(cloud_init_t)
+
+usermanage_domtrans_useradd(cloud_init_t)
+usermanage_domtrans_groupadd(cloud_init_t)
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+	systemd_dbus_chat_hostnamed(cloud_init_t)
+')
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@ -24,6 +24,7 @@ ifdef(`distro_debian',`

 /usr/lib/cracklib_dict.* --	gen_context(system_u:object_r:crack_db_t,s0)

+/usr/sbin/chpasswd	--	gen_context(system_u:object_r:passwd_exec_t,s0)
 /usr/sbin/crack_[a-z]*	--	gen_context(system_u:object_r:crack_exec_t,s0)
 /usr/sbin/cracklib-[a-z]* --	gen_context(system_u:object_r:crack_exec_t,s0)
 /usr/sbin/gpasswd	--	gen_context(system_u:object_r:groupadd_exec_t,s0)
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@ -173,6 +173,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/bluetooth/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/cloud-init(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dhcpcd/dhcpcd-hooks(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dhcpcd/dhcpcd-run-hooks --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dovecot/.+			gen_context(system_u:object_r:bin_t,s0)
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@ -910,6 +910,24 @@ interface(`corenet_tcp_bind_generic_node',`
 	allow $1 node_t:tcp_socket node_bind;
 ')

+########################################
+## <summary>
+##	Do not audit denials on binding TCP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	dontaudit $1 node_t:tcp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind UDP sockets to generic nodes.
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@ -1,7 +1,7 @@
 HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)

 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key(\.pub)?	--	gen_context(system_u:object_r:sshd_key_t,s0)

 /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -730,6 +730,43 @@ interface(`ssh_agent_exec',`
 	can_exec($1, ssh_agent_exec_t)
 ')

+########################################
+## <summary>
+##	Set the attributes of ssh home directory (~/.ssh)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_setattr_home_dirs',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	allow $1 ssh_home_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create ssh home directory (~/.ssh)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_create_home_dirs',`
+	gen_require(`
+		type ssh_home_t;
+	')
+
+	allow $1 ssh_home_t:dir create_dir_perms;
+	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
+')
+
 ########################################
 ## <summary>
 ##	Read ssh home directory content
@ -775,6 +812,24 @@ interface(`ssh_domtrans_keygen',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_read_server_keys',`
+	gen_require(`
+		type sshd_key_t;
+	')
+
+	allow $1 sshd_key_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit denials on reading ssh server keys
+## </summary>
+## <param name="domain">
+##	<summary>
 ##	Domain to not audit.
 ##	</summary>
 ## </param>
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@ -233,6 +233,31 @@ interface(`libs_dontaudit_write_lib_dirs',`
 	dontaudit $1 lib_t:dir write;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to manage to library directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to manage to library directories.
+##	Typically this is used to quiet attempts to recompile
+##	python byte code.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`libs_dontaudit_manage_lib_dirs',`
+	gen_require(`
+		type lib_t;
+	')
+
+	dontaudit $1 lib_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete library directories.
@ -332,6 +357,25 @@ interface(`libs_manage_lib_files',`
 	manage_files_pattern($1, lib_t, lib_t)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to create, read, write,
+##  and delete generic files in library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`libs_dontaudit_manage_lib_files',`
+	gen_require(`
+		type lib_t;
+	')
+
+	dontaudit $1 lib_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Relabel files to the type used in library directories.
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@ -51,7 +51,7 @@ optional_policy(`
 ')

 type net_conf_t;
-files_type(net_conf_t)
+files_config_file(net_conf_t)

 ifdef(`distro_debian',`
 	init_daemon_runtime_file(net_conf_t, dir, "network")
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -526,6 +526,15 @@ ifdef(`distro_gentoo',`
 	corecmd_shell_entry_type(systemd_generator_t)
 ')

+optional_policy(`
+	cloudinit_create_runtime_dirs(systemd_generator_t)
+	cloudinit_write_runtime_files(systemd_generator_t)
+	cloudinit_create_runtime_files(systemd_generator_t)
+	cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
+
+	cloudinit_getattr_state_files(systemd_generator_t)
+')
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')