cloudinit: Add permissions derived from sysadm.
Allow cloud-init a similar amount of admin capability as sysadm. Also add a tunable that allows non-security file management as a fallback. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
parent
65dfbda501
commit
0c41682fc4
@ -57,6 +57,25 @@ interface(`cloudinit_write_runtime_files',`
|
||||
write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write cloud-init runtime files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cloudinit_rw_runtime_files',`
|
||||
gen_require(`
|
||||
type cloud_init_runtime_t;
|
||||
')
|
||||
|
||||
files_search_runtime($1)
|
||||
rw_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create cloud-init runtime files.
|
||||
@ -125,3 +144,60 @@ interface(`cloudinit_getattr_state_files',`
|
||||
allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
|
||||
allow $1 cloud_init_state_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write inherited cloud-init temporary files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cloudinit_write_inherited_tmp_files',`
|
||||
gen_require(`
|
||||
type cloud_init_t, cloud_init_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 cloud_init_t:fd use;
|
||||
allow $1 cloud_init_tmp_t:file write_inherited_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write cloud-init temporary files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cloudinit_rw_tmp_files',`
|
||||
gen_require(`
|
||||
type cloud_init_tmp_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
rw_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create cloud-init temporary files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cloudinit_create_tmp_files',`
|
||||
gen_require(`
|
||||
type cloud_init_tmp_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
create_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
|
||||
')
|
||||
|
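Review bot: The summary of the new `cloudinit_write_inherited_tmp_files` interface in the second hunk understates what it grants: besides `write_inherited_file_perms` on cloud_init_tmp_t it also allows `cloud_init_t:fd use`, and the callers this commit wires up (groupadd_t, useradd_t) receive that without it being visible in the XML documentation. Suggest `## Write inherited cloud-init temporary files and use cloud-init file descriptors.` as the summary line. The sibling `cloudinit_rw_tmp_files` and `cloudinit_create_tmp_files` are fine as written; only the inherited variant hides a second permission behind its name.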
@ -52,11 +52,13 @@ ifdef(`distro_redhat',`
|
||||
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
||||
|
||||
/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
||||
/var/cache/t?dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
||||
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
||||
|
||||
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
/var/lib/t?dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
||||
|
||||
|
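Review bot: `/var/lib/t?dnf(/.*)?` already matches every path that `/var/lib/dnf(/.*)?` matches, so the two entries in the `/var/lib` group of this hunk overlap; since both map to rpm_var_lib_t this is a readability point, not a labeling conflict. The rendered hunk does not mark which line is new, but if the `t?dnf` entry is the one added here it could be narrowed to `/var/lib/tdnf(/.*)?` so each path is matched by exactly one regex.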
@ -46,9 +46,19 @@ init_unit_file(rpm_unit_t)
|
||||
type rpm_var_lib_t;
|
||||
files_type(rpm_var_lib_t)
|
||||
|
||||
optional_policy(`
|
||||
# delete locks
|
||||
systemd_tmpfilesd_managed(rpm_var_lib_t)
|
||||
')
|
||||
|
||||
type rpm_var_cache_t;
|
||||
files_type(rpm_var_cache_t)
|
||||
|
||||
optional_policy(`
|
||||
# delete locks
|
||||
systemd_tmpfilesd_managed(rpm_var_cache_t)
|
||||
')
|
||||
|
||||
type rpm_script_t;
|
||||
type rpm_script_exec_t;
|
||||
domain_obj_id_change_exemption(rpm_script_t)
|
||||
@ -90,6 +100,7 @@ allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
||||
logging_log_filetrans(rpm_t, rpm_log_t, file)
|
||||
|
||||
allow rpm_t rpm_tmp_t:dir watch;
|
||||
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
|
||||
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
|
||||
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
|
||||
@ -101,6 +112,7 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
||||
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
||||
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow rpm_t rpm_var_cache_t:dir watch;
|
||||
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
|
||||
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
|
||||
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
|
||||
@ -211,6 +223,8 @@ seutil_read_file_contexts(rpm_t)
|
||||
|
||||
userdom_use_user_terminals(rpm_t)
|
||||
userdom_use_unpriv_users_fds(rpm_t)
|
||||
userdom_watch_user_runtime_dirs(rpm_t)
|
||||
userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)
|
||||
|
||||
ifdef(`init_systemd', `
|
||||
systemd_use_logind_fds(rpm_t)
|
||||
@ -335,7 +349,7 @@ term_getattr_unallocated_ttys(rpm_script_t)
|
||||
term_list_ptys(rpm_script_t)
|
||||
term_use_all_terms(rpm_script_t)
|
||||
|
||||
auth_dontaudit_getattr_shadow(rpm_script_t)
|
||||
auth_dontaudit_read_shadow(rpm_script_t)
|
||||
auth_use_nsswitch(rpm_script_t)
|
||||
|
||||
init_domtrans_script(rpm_script_t)
|
||||
@ -358,6 +372,7 @@ seutil_run_setfiles(rpm_script_t, rpm_roles)
|
||||
seutil_run_semanage(rpm_script_t, rpm_roles)
|
||||
|
||||
userdom_use_all_users_fds(rpm_script_t)
|
||||
userdom_user_runtime_root_filetrans_user_runtime(rpm_script_t, dir)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@ -400,11 +415,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_domtrans(rpm_script_t)
|
||||
udev_run_udevadm(rpm_script_t, rpm_roles)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domtrans(rpm_script_t)
|
||||
unconfined_write_inherited_pipes(rpm_script_t)
|
||||
|
||||
optional_policy(`
|
||||
java_domtrans_unconfined(rpm_script_t)
|
||||
|
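Review bot: In the hunk starting at term_list_ptys, `auth_dontaudit_getattr_shadow(rpm_script_t)` and `auth_dontaudit_read_shadow(rpm_script_t)` both appear in a 7-to-7 line hunk, so one replaced the other; if the read variant is the new rule, it silences open/read denials on the shadow file by package scriptlets rather than just stat() noise. That removes an audit signal an operator would normally want: a scriptlet reading the shadow file is exactly the kind of event the AVC log should still show. If the goal is only to quiet getattr, keep the getattr form; if a scriptlet genuinely reads the file, add a comment above the rule naming it, e.g. `# <TODO: package> scriptlet reads the shadow file`.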
@ -262,6 +262,10 @@ optional_policy(`
|
||||
apt_use_fds(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cloudinit_write_inherited_tmp_files(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(groupadd_t)
|
||||
')
|
||||
@ -291,7 +295,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_use_fds(groupadd_t)
|
||||
unconfined_write_inherited_pipes(groupadd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -475,7 +479,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
|
||||
dontaudit useradd_t self:capability { net_admin sys_tty_config };
|
||||
dontaudit useradd_t self:capability { net_admin sys_ptrace sys_tty_config };
|
||||
dontaudit useradd_t self:cap_userns sys_ptrace;
|
||||
allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
|
||||
allow useradd_t self:fd use;
|
||||
@ -571,6 +575,10 @@ optional_policy(`
|
||||
apt_use_fds(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cloudinit_write_inherited_tmp_files(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(useradd_t)
|
||||
')
|
||||
@ -602,5 +610,5 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_use_fds(useradd_t)
|
||||
unconfined_write_inherited_pipes(useradd_t)
|
||||
')
|
||||
|
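Review bot: The `dontaudit useradd_t self:capability { net_admin sys_ptrace sys_tty_config };` line in the fourth hunk adds a sys_ptrace suppression with no comment on what triggers the capability check, and the existing `dontaudit useradd_t self:cap_userns sys_ptrace;` directly below it is equally unexplained. Other suppressions in this commit carry a one-line reason (`# delete locks`, `# leaked file descriptors`), so this one should too, e.g. `# sys_ptrace capability check raised by <TODO: name the operation>; not needed, so silenced`. Which of the two capability lines is old and which is new is inferred from the 7-to-7 hunk, not marked.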
@ -813,6 +813,31 @@ interface(`ssh_domtrans_keygen',`
|
||||
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute the ssh key generator in the ssh keygen domain,
|
||||
## and allow the specified role the ssh keygen domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ssh_run_keygen',`
|
||||
gen_require(`
|
||||
type ssh_keygen_t;
|
||||
')
|
||||
|
||||
ssh_domtrans_keygen($1)
|
||||
role $2 types ssh_keygen_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read ssh server keys
|
||||
|
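Review bot: The separator introduced above the new `ssh_run_keygen` interface is `######################################` (38 characters) while the surrounding interface headers in this hunk use 40 (`########################################`); the new block should match so the file keeps a uniform rule width. The body and summary of the interface itself read correctly for a domtrans-plus-role wrapper.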
@ -200,6 +200,11 @@ optional_policy(`
|
||||
amanda_append_log_files(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cloudinit_rw_tmp_files(fsadm_t)
|
||||
cloudinit_create_tmp_files(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
container_read_device_blk_files(fsadm_t)
|
||||
')
|
||||
|
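Review bot: The new optional_policy block gives fsadm_t read/write and create access to cloud-init temporary files without a comment on which cloud-init operation needs it, and because the create half also grants `files_search_tmp`, the two calls together amount to nearly full management of cloud_init_tmp_t minus unlink. Other new rules in this commit carry a one-line reason, so suggest `# cloud-init invokes filesystem tools with temp files: <TODO: name the cloud-init module>` above `cloudinit_rw_tmp_files(fsadm_t)`.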
@ -3793,6 +3793,26 @@ interface(`init_manage_all_unit_files',`
|
||||
manage_lnk_files_pattern($1, systemdunit, systemdunit)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from and to systemd unit types.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_relabel_all_unit_files',`
|
||||
gen_require(`
|
||||
attribute systemdunit;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, systemdunit, systemdunit)
|
||||
read_lnk_files_pattern($1, systemdunit, systemdunit)
|
||||
relabel_files_pattern($1, systemdunit, systemdunit)
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Associate the specified domain to be a domain whose
|
||||
|
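Review bot: `init_relabel_all_unit_files` only grants `relabel_files_pattern`, so its summary `## Relabel from and to systemd unit types.` promises more than the body delivers: directories and symlinks of systemdunit types get list/read access only, not relabelfrom/relabelto. Either narrow the summary to `## Relabel from and to systemd unit files.`, or add `relabel_dirs_pattern($1, systemdunit, systemdunit)` and `relabel_lnk_files_pattern($1, systemdunit, systemdunit)` if the caller's relabel run is expected to cover unit directories and links as well. Whichever is intended, the doc and the rule set should say the same thing.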
@ -220,6 +220,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_write_inherited_pipes(load_policy_t)
|
||||
# leaked file descriptors
|
||||
unconfined_dontaudit_read_pipes(load_policy_t)
|
||||
')
|
||||
@ -533,6 +534,10 @@ term_use_all_terms(semanage_t)
|
||||
# Running genhomedircon requires this for finding all users
|
||||
auth_use_nsswitch(semanage_t)
|
||||
|
||||
# Python module compilations
|
||||
libs_dontaudit_manage_lib_dirs(semanage_t)
|
||||
libs_dontaudit_manage_lib_files(semanage_t)
|
||||
|
||||
logging_send_syslog_msg(semanage_t)
|
||||
|
||||
miscfiles_read_localization(semanage_t)
|
||||
|
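Review bot: `libs_dontaudit_manage_lib_dirs(semanage_t)` and `libs_dontaudit_manage_lib_files(semanage_t)` under `# Python module compilations` silence the full manage set (create, unlink, rename, …) rather than only the write that bytecode caching would attempt, so a semanage_t process doing anything else in library directories would also leave no AVC trail. If only bytecode writes are the noise, a write-level libs_ dontaudit interface, if one exists, keeps the rest auditable; either way the comment should say the access is deliberately denied and merely unlogged, e.g. `# Python module compilations: bytecode writes into lib dirs are intentionally denied, just not logged`.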
@ -1338,7 +1338,7 @@ interface(`systemd_write_logind_runtime_pipes',`
|
||||
|
||||
init_search_run($1)
|
||||
files_search_runtime($1)
|
||||
allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
|
||||
allow $1 systemd_logind_runtime_t:fifo_file write_fifo_file_perms;
|
||||
')
|
||||
|
||||
######################################
|
||||
|
@ -526,7 +526,7 @@ init_rename_runtime_files(systemd_generator_t)
|
||||
init_search_runtime(systemd_generator_t)
|
||||
init_setattr_runtime_files(systemd_generator_t)
|
||||
init_write_runtime_files(systemd_generator_t)
|
||||
init_list_unit_dirs(systemd_generator_t)
|
||||
init_list_all_units(systemd_generator_t)
|
||||
init_read_generic_units_files(systemd_generator_t)
|
||||
init_read_generic_units_symlinks(systemd_generator_t)
|
||||
init_read_script_files(systemd_generator_t)
|
||||
@ -559,7 +559,7 @@ ifdef(`distro_gentoo',`
|
||||
|
||||
optional_policy(`
|
||||
cloudinit_create_runtime_dirs(systemd_generator_t)
|
||||
cloudinit_write_runtime_files(systemd_generator_t)
|
||||
cloudinit_rw_runtime_files(systemd_generator_t)
|
||||
cloudinit_create_runtime_files(systemd_generator_t)
|
||||
cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
|
||||
|
||||
|
@ -425,6 +425,8 @@ kernel_dontaudit_getattr_proc(udevadm_t)
|
||||
kernel_read_kernel_sysctls(udevadm_t)
|
||||
kernel_read_system_state(udevadm_t)
|
||||
|
||||
selinux_use_status_page(udevadm_t)
|
||||
|
||||
seutil_read_file_contexts(udevadm_t)
|
||||
|
||||
storage_getattr_fixed_disk_dev(udevadm_t)
|
||||
|
@ -386,6 +386,25 @@ interface(`unconfined_read_pipes',`
|
||||
allow $1 unconfined_t:fifo_file read_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read unconfined domain unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`unconfined_write_inherited_pipes',`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
')
|
||||
|
||||
allow $1 unconfined_t:fd use;
|
||||
allow $1 unconfined_t:fifo_file write_inherited_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read unconfined domain unnamed pipes.
|
||||
|
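Review bot: The summary of the new `unconfined_write_inherited_pipes` interface reads `## Read unconfined domain unnamed pipes.`, which is copied from `unconfined_read_pipes` above it and contradicts the body (`write_inherited_fifo_file_perms` plus `fd use`). It should read `## Write inherited unconfined domain unnamed pipes.` so the generated interface documentation does not advertise a read permission the interface never grants.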
@ -3641,6 +3641,25 @@ interface(`userdom_manage_user_runtime_dirs',`
|
||||
userdom_search_user_runtime_root($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Watch user runtime dirs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_watch_user_runtime_dirs',`
|
||||
gen_require(`
|
||||
type user_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 user_runtime_t:dir watch;
|
||||
userdom_search_user_runtime_root($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a filesystem on user runtime dir
|
||||
|
@ -198,6 +198,7 @@ define(`getattr_fifo_file_perms',`{ getattr }')
|
||||
define(`setattr_fifo_file_perms',`{ setattr }')
|
||||
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
|
||||
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
|
||||
define(`write_inherited_fifo_file_perms',`{ getattr write append lock ioctl }')
|
||||
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
|
||||
define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
|
||||
define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
|
||||
|
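Review bot: `write_fifo_file_perms` stays spelled out as `{ getattr open write append lock ioctl }` while the new `write_inherited_fifo_file_perms` lists the same set minus open, and the rw pair two lines below already composes as `{ open rw_inherited_fifo_file_perms }`. For consistency and so the two definitions cannot drift apart, define the non-inherited one in terms of the new set: define(`write_fifo_file_perms',`{ open write_inherited_fifo_file_perms }').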