cloudinit: Add permissions derived from sysadm.

Allow a similar amount of admin capability to cloud-init as sysadm. Also add a tunable to allow non-security file management for fallback. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2023-03-30 14:33:57 +00:00 · 2023-03-30 14:33:57 +00:00 · 0c41682fc4
commit 0c41682fc4
parent 65dfbda501
15 changed files with 1216 additions and 26 deletions
--- a/policy/modules/admin/cloudinit.if
+++ b/policy/modules/admin/cloudinit.if
@ -57,6 +57,25 @@ interface(`cloudinit_write_runtime_files',`
 	write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
 ')

+########################################
+## <summary>
+##	Read and write cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_rw_runtime_files',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	rw_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Create cloud-init runtime files.
@ -125,3 +144,60 @@ interface(`cloudinit_getattr_state_files',`
 	allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
 	allow $1 cloud_init_state_t:file getattr;
 ')
+
+########################################
+## <summary>
+##	Write inherited cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_write_inherited_tmp_files',`
+	gen_require(`
+		type cloud_init_t, cloud_init_tmp_t;
+	')
+
+	allow $1 cloud_init_t:fd use;
+	allow $1 cloud_init_tmp_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_rw_tmp_files',`
+	gen_require(`
+		type cloud_init_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+')
+
+########################################
+## <summary>
+##	Create cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_create_tmp_files',`
+	gen_require(`
+		type cloud_init_tmp_t;
+	')
+
+	files_search_tmp($1)
+	create_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+')
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@ -52,11 +52,13 @@ ifdef(`distro_redhat',`
 /usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)

 /var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/t?dnf(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 /var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)

 /var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/dnf(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/t?dnf(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)

--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@ -46,9 +46,19 @@ init_unit_file(rpm_unit_t)
 type rpm_var_lib_t;
 files_type(rpm_var_lib_t)

+optional_policy(`
+	# delete locks
+	systemd_tmpfilesd_managed(rpm_var_lib_t)
+')
+
 type rpm_var_cache_t;
 files_type(rpm_var_cache_t)

+optional_policy(`
+	# delete locks
+	systemd_tmpfilesd_managed(rpm_var_cache_t)
+')
+
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
@ -90,6 +100,7 @@ allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(rpm_t, rpm_log_t, file)

+allow rpm_t rpm_tmp_t:dir watch;
 manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
@ -101,6 +112,7 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })

+allow rpm_t rpm_var_cache_t:dir watch;
 manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
@ -211,6 +223,8 @@ seutil_read_file_contexts(rpm_t)

 userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
+userdom_watch_user_runtime_dirs(rpm_t)
+userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)

 ifdef(`init_systemd', `
 	systemd_use_logind_fds(rpm_t)
@ -335,7 +349,7 @@ term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
 term_use_all_terms(rpm_script_t)

-auth_dontaudit_getattr_shadow(rpm_script_t)
+auth_dontaudit_read_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)

 init_domtrans_script(rpm_script_t)
@ -358,6 +372,7 @@ seutil_run_setfiles(rpm_script_t, rpm_roles)
 seutil_run_semanage(rpm_script_t, rpm_roles)

 userdom_use_all_users_fds(rpm_script_t)
+userdom_user_runtime_root_filetrans_user_runtime(rpm_script_t, dir)

 ifdef(`distro_redhat',`
 	optional_policy(`
@ -400,11 +415,12 @@ optional_policy(`
 ')

 optional_policy(`
-	udev_domtrans(rpm_script_t)
+	udev_run_udevadm(rpm_script_t, rpm_roles)
 ')

 optional_policy(`
 	unconfined_domtrans(rpm_script_t)
+	unconfined_write_inherited_pipes(rpm_script_t)

 	optional_policy(`
 		java_domtrans_unconfined(rpm_script_t)
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@ -262,6 +262,10 @@ optional_policy(`
 	apt_use_fds(groupadd_t)
 ')

+optional_policy(`
+	cloudinit_write_inherited_tmp_files(groupadd_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(groupadd_t)
 ')
@ -291,7 +295,7 @@ optional_policy(`
 ')

 optional_policy(`
-	unconfined_use_fds(groupadd_t)
+	unconfined_write_inherited_pipes(groupadd_t)
 ')

 ########################################
@ -475,7 +479,7 @@ optional_policy(`
 #

 allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:capability { net_admin sys_ptrace sys_tty_config };
 dontaudit useradd_t self:cap_userns sys_ptrace;
 allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow useradd_t self:fd use;
@ -571,6 +575,10 @@ optional_policy(`
 	apt_use_fds(useradd_t)
 ')

+optional_policy(`
+	cloudinit_write_inherited_tmp_files(useradd_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(useradd_t)
 ')
@ -602,5 +610,5 @@ optional_policy(`
 ')

 optional_policy(`
-	unconfined_use_fds(useradd_t)
+	unconfined_write_inherited_pipes(useradd_t)
 ')
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -813,6 +813,31 @@ interface(`ssh_domtrans_keygen',`
 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
 ')

+######################################
+## <summary>
+##	Execute the ssh key generator in the ssh keygen domain,
+##	and allow the specified	role the ssh keygen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_run_keygen',`
+	gen_require(`
+		type ssh_keygen_t;
+	')
+
+	ssh_domtrans_keygen($1)
+	role $2 types ssh_keygen_t;
+')
+
 ########################################
 ## <summary>
 ##	Read ssh server keys
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@ -200,6 +200,11 @@ optional_policy(`
 	amanda_append_log_files(fsadm_t)
 ')

+optional_policy(`
+	cloudinit_rw_tmp_files(fsadm_t)
+	cloudinit_create_tmp_files(fsadm_t)
+')
+
 optional_policy(`
 	container_read_device_blk_files(fsadm_t)
 ')
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -3793,6 +3793,26 @@ interface(`init_manage_all_unit_files',`
 	manage_lnk_files_pattern($1, systemdunit, systemdunit)
 ')

+########################################
+## <summary>
+##	Relabel from and to systemd unit types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_relabel_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	list_dirs_pattern($1, systemdunit, systemdunit)
+	read_lnk_files_pattern($1, systemdunit, systemdunit)
+	relabel_files_pattern($1, systemdunit, systemdunit)
+')
+
 #########################################
 ## <summary>
 ##	Associate the specified domain to be a domain whose
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@ -220,6 +220,7 @@ optional_policy(`
 ')

 optional_policy(`
+	unconfined_write_inherited_pipes(load_policy_t)
        # leaked file descriptors
        unconfined_dontaudit_read_pipes(load_policy_t)
 ')
@ -533,6 +534,10 @@ term_use_all_terms(semanage_t)
 # Running genhomedircon requires this for finding all users
 auth_use_nsswitch(semanage_t)

+# Python module compilations
+libs_dontaudit_manage_lib_dirs(semanage_t)
+libs_dontaudit_manage_lib_files(semanage_t)
+
 logging_send_syslog_msg(semanage_t)

 miscfiles_read_localization(semanage_t)
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@ -1338,7 +1338,7 @@ interface(`systemd_write_logind_runtime_pipes',`

 	init_search_run($1)
 	files_search_runtime($1)
-	allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
+	allow $1 systemd_logind_runtime_t:fifo_file write_fifo_file_perms;
 ')

 ######################################
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -526,7 +526,7 @@ init_rename_runtime_files(systemd_generator_t)
 init_search_runtime(systemd_generator_t)
 init_setattr_runtime_files(systemd_generator_t)
 init_write_runtime_files(systemd_generator_t)
-init_list_unit_dirs(systemd_generator_t)
+init_list_all_units(systemd_generator_t)
 init_read_generic_units_files(systemd_generator_t)
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)
@ -559,7 +559,7 @@ ifdef(`distro_gentoo',`

 optional_policy(`
 	cloudinit_create_runtime_dirs(systemd_generator_t)
-	cloudinit_write_runtime_files(systemd_generator_t)
+	cloudinit_rw_runtime_files(systemd_generator_t)
 	cloudinit_create_runtime_files(systemd_generator_t)
 	cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")

--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@ -425,6 +425,8 @@ kernel_dontaudit_getattr_proc(udevadm_t)
 kernel_read_kernel_sysctls(udevadm_t)
 kernel_read_system_state(udevadm_t)

+selinux_use_status_page(udevadm_t)
+
 seutil_read_file_contexts(udevadm_t)

 storage_getattr_fixed_disk_dev(udevadm_t)
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@ -386,6 +386,25 @@ interface(`unconfined_read_pipes',`
 	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
 ')

+########################################
+## <summary>
+##	Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_write_inherited_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fd use;
+	allow $1 unconfined_t:fifo_file write_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read unconfined domain unnamed pipes.
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -3641,6 +3641,25 @@ interface(`userdom_manage_user_runtime_dirs',`
 	userdom_search_user_runtime_root($1)
 ')

+########################################
+## <summary>
+##	Watch user runtime dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_watch_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir watch;
+	userdom_search_user_runtime_root($1)
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on user runtime dir
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@ -198,6 +198,7 @@ define(`getattr_fifo_file_perms',`{ getattr }')
 define(`setattr_fifo_file_perms',`{ setattr }')
 define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
 define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+define(`write_inherited_fifo_file_perms',`{ getattr write append lock ioctl }')
 define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
 define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
 define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')