From d82115ac485023030d59ac8280dda48b4accdd7a Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sun, 22 Dec 2019 18:12:02 +0100
Subject: [PATCH 1/3] Vagrantfile: fix configuration

"debian" needs to be used instead of "config" in the VM description.

Signed-off-by: Nicolas Iooss
---
Vagrantfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index d7d569446..00313ee64 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -128,8 +128,8 @@ Vagrant.configure("2") do |config|
 end
 # redefine the /vagrant as a synced folder (not an NFS share), in order to work cleanly on it
- config.vm.synced_folder ".", "/vagrant", disabled: true
- config.vm.synced_folder ".", "/vagrant", type: "rsync",
+ debian.vm.synced_folder ".", "/vagrant", disabled: true
+ debian.vm.synced_folder ".", "/vagrant", type: "rsync",
 rsync__exclude: ".vagrant/"
 debian.vm.provision "shell", run: "once", inline: <<-SHELL

From d1f92dae04aa9ec2d7376d14d9640a9e5b83e81c Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sun, 22 Dec 2019 18:12:34 +0100
Subject: [PATCH 2/3] Vagrantfile: remove sudo

The provisioning scripts are already run as root.

Signed-off-by: Nicolas Iooss
---
Vagrantfile | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index 00313ee64..2b7d9948a 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -15,43 +15,43 @@ $install_refpolicy = <<-SHELL
 sudo -su vagrant make -C /vagrant conf
 sudo -su vagrant make -C /vagrant all
 sudo -su vagrant make -C /vagrant validate
- sudo -s make -C /vagrant install
- sudo -s make -C /vagrant install-headers
- sudo -s semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp
+ make -C /vagrant install
+ make -C /vagrant install-headers
+ semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp
 if ! (LANG=C sestatus -v | grep '^Loaded policy name:\s*refpolicy$' > /dev/null)
 then
 # Use the reference policy
 sed -i -e 's/^\\(SELINUXTYPE=\\).*/SELINUXTYPE=refpolicy/' /etc/selinux/config
 fi
- sudo -s semodule --reload
+ semodule --reload
 # allow every domain to use /dev/urandom
- sudo -s semanage boolean --modify --on global_ssp
+ semanage boolean --modify --on global_ssp
 # allow systemd-tmpfiles to manage every file
- sudo -s semanage boolean --modify --on systemd_tmpfiles_manage_all
+ semanage boolean --modify --on systemd_tmpfiles_manage_all
 # make vagrant user use unconfined_u context
- if ! (sudo -s semanage login -l | grep '^vagrant' > /dev/null)
+ if ! (semanage login -l | grep '^vagrant' > /dev/null)
 then
 echo "Configuring SELinux context for vagrant user"
- sudo -s semanage login -a -s unconfined_u vagrant
+ semanage login -a -s unconfined_u vagrant
 fi
 # label /vagrant as vagrant's home files
- if sudo -s semanage fcontext --list | grep '^/vagrant(/\.\*)?'
+ if semanage fcontext --list | grep '^/vagrant(/\.\*)?'
 then
- sudo -s semanage fcontext -m -s unconfined_u -t user_home_t '/vagrant(/.*)?'
+ semanage fcontext -m -s unconfined_u -t user_home_t '/vagrant(/.*)?'
 else
- sudo -s semanage fcontext -a -s unconfined_u -t user_home_t '/vagrant(/.*)?'
+ semanage fcontext -a -s unconfined_u -t user_home_t '/vagrant(/.*)?'
 fi
 # Update interface_info
- sudo -s sepolgen-ifgen -o /var/lib/sepolgen/interface_info -i /usr/share/selinux/refpolicy
+ sepolgen-ifgen -o /var/lib/sepolgen/interface_info -i /usr/share/selinux/refpolicy
 echo "Relabelling the system..."
- sudo -s restorecon -RF /
+ restorecon -RF /
 echo "If this is a fresh install, you need to reboot in order to enable enforcing mode"
 SHELL

From 7317bd64c0b7c6d9dfa07bd4d884df58ab14a785 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sun, 22 Dec 2019 18:17:36 +0100
Subject: [PATCH 3/3] Vagrantfile: add a specific SELinux policy module

When using Vagrant to run virtual machines with SELinux enabled, several specific accesses need to be allowed. It does not make much sense to add the needed rules to the refpolicy, as they are very specific to the use of Vagrant to provision a virtual machine to test a policy. Therefore, create a dedicated module to allow the required accesses.

Signed-off-by: Nicolas Iooss
---
Vagrantfile | 3 +++
support/vagrant-vm.cil | 21 +++++++++++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 support/vagrant-vm.cil

diff --git a/Vagrantfile b/Vagrantfile
index 2b7d9948a..2dd0f8ce2 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -19,6 +19,9 @@ $install_refpolicy = <<-SHELL
 make -C /vagrant install-headers
 semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp
+ # Load the module specific to Vagrant VM
+ semodule -s refpolicy -i /vagrant/support/vagrant-vm.cil
+
 if ! (LANG=C sestatus -v | grep '^Loaded policy name:\s*refpolicy$' > /dev/null)
 then
 # Use the reference policy
diff --git a/support/vagrant-vm.cil b/support/vagrant-vm.cil
new file mode 100644
index 000000000..b969ffda1
--- /dev/null
+++ b/support/vagrant-vm.cil
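Review bot: With `sudo -s` gone, nothing in this hunk stops the script when `make -C /vagrant install` or `semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp` fails, so the later `semanage`, `sepolgen-ifgen` and `restorecon -RF /` steps still run against a store that may not have been updated; unless the heredoc already begins with an errexit (its opening `$install_refpolicy = <<-SHELL` line is above the hunk and not visible here), consider `set -eu` as the script's first line. A smaller style point on the new `if semanage fcontext --list | grep '^/vagrant(/\.\*)?'` line: the sibling `semanage login -l` check redirects grep's output to `/dev/null` while this one lets the match print; `grep -q` on both would make the two checks consistent. The heredoc is closed by the `SHELL` line inside the hunk but opened outside it.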
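Review bot: The new `semodule -s refpolicy -i /vagrant/support/vagrant-vm.cil` line triggers a second full policy build right after the `semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp` call above it, and the CIL module refers to types the .pp modules provide (`sudodomain`, `sysadm_sudo_t`, `rsync_exec_t`), so installing both in one transaction is cheaper and fails atomically if either is broken: `semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp /vagrant/support/vagrant-vm.cil` (the existing glob already relies on several files being accepted in one `-i`). Note also that the module is read from `/vagrant`, the rsync-synced folder that the same script later labels `user_home_t` for the unprivileged `vagrant` user; acceptable for a throwaway test VM, but worth a comment such as `# /vagrant is writable by the vagrant user; only load policy from it in this test VM`. The enclosing heredoc starts and ends outside the hunk.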
@@ -0,0 +1,21 @@
+; SELinux policy module for running virtual machines with Vagrant
+
+; Vagrant performs "ssh sudo ..." without allocating a pseudo-terminal.
+; This leads sudo to directly using sshd pipes, as well as other processes
+; spawned from the provision scripts. Define an attribute for those processes.
+(typeattribute vagrant_provisioning_cmd_type)
+(typeattributeset vagrant_provisioning_cmd_type (
+ load_policy_t
+ semanage_t
+ setfiles_t
+ sudodomain
+))
+(allow vagrant_provisioning_cmd_type sshd_t (fifo_file (append getattr ioctl read write)))
+
+; "vagrant rsync" makes Vagrant invoke "sudo rsync" without a shell which would
+; make sudo transition out of sysadm_sudo_t.
+; Therefore add a transition from sysadm_sudo_t to sysadm_t through rsync_exec_t
+(optional sysadm_sudo_rsync_transition
+ (allow sysadm_t rsync_exec_t (file (entrypoint)))
+ (typetransition sysadm_sudo_t rsync_exec_t process sysadm_t)
+)
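Review bot: The header comment should state that this module is only meant for the Vagrant test VM — the commit message says so, the file does not — because its rules are broad: every domain in `sudodomain` plus `load_policy_t`, `semanage_t` and `setfiles_t` get read/write on `sshd_t` fifo files, and `(allow sysadm_t rsync_exec_t (file (entrypoint)))` makes rsync an entrypoint into `sysadm_t`. A line such as `; Only for the Vagrant test VM: these accesses must not be loaded into a production policy store` after the first comment line would make that explicit. If the only sudo domain involved is the one the second block targets, listing `sysadm_sudo_t` in the `typeattributeset` instead of the whole `sudodomain` attribute would narrow the first rule; whether that holds depends on which user Vagrant logs in as, which I cannot tell from the hunk. Minor wording: `leads sudo to directly using sshd pipes` reads better as `leads sudo to use the sshd pipes directly`.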