cloudinit: Add permissions derived from sysadm.

Allow cloud-init a similar amount of admin capability as sysadm.  Also add
a tunable to allow non-security file management for fallback.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
This commit is contained in:
Chris PeBenito 2023-03-30 14:33:57 +00:00 committed by Chris PeBenito
parent 65dfbda501
commit 0c41682fc4
15 changed files with 1216 additions and 26 deletions


@ -57,6 +57,25 @@ interface(`cloudinit_write_runtime_files',`
write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
')
########################################
## <summary>
## Read and write cloud-init runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_rw_runtime_files',`
gen_require(`
type cloud_init_runtime_t;
')
files_search_runtime($1)
rw_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
')
########################################
## <summary>
## Create cloud-init runtime files.
@ -125,3 +144,60 @@ interface(`cloudinit_getattr_state_files',`
allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
allow $1 cloud_init_state_t:file getattr;
')
########################################
## <summary>
## Write inherited cloud-init temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_write_inherited_tmp_files',`
gen_require(`
type cloud_init_t, cloud_init_tmp_t;
')
allow $1 cloud_init_t:fd use;
allow $1 cloud_init_tmp_t:file write_inherited_file_perms;
')
########################################
## <summary>
## Read and write cloud-init temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_rw_tmp_files',`
gen_require(`
type cloud_init_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
')
########################################
## <summary>
## Create cloud-init temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_create_tmp_files',`
gen_require(`
type cloud_init_tmp_t;
')
files_search_tmp($1)
create_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
')
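Review bot: The summary for `cloudinit_write_inherited_tmp_files` (after the `@ -125,3 +144,60` header) undersells what it grants, since the body also allows `cloud_init_t:fd use`, and a caller reading only the XML will not expect to inherit cloud-init's descriptors. Suggest `## Write inherited cloud-init temporary files and use cloud-init file descriptors.` so the fd grant is visible in the generated documentation. The companion interfaces in the same hunk (`cloudinit_rw_tmp_files`, `cloudinit_create_tmp_files`) describe exactly what they grant and need no change.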



@ -52,11 +52,13 @@ ifdef(`distro_redhat',`
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/cache/t?dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/t?dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
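Review bot: The `/var/lib/t?dnf(/.*)?` specification in this hunk already matches `/var/lib/dnf`, so if the `/var/lib/dnf(/.*)?` line two entries above it is kept (the hunk counts leave open whether it was), the two overlap. Both resolve to `rpm_var_lib_t`, so setfiles will not report a conflict, but the redundant entry is confusing to maintain; either drop `/var/lib/dnf(/.*)?` or widen it to `t?dnf` in place rather than adding a second line. The `/var/cache/t?dnf(/.*)?` entry has no plain `dnf` sibling visible in this hunk, so it looks fine as is.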


@ -46,9 +46,19 @@ init_unit_file(rpm_unit_t)
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
optional_policy(`
# delete locks
systemd_tmpfilesd_managed(rpm_var_lib_t)
')
type rpm_var_cache_t;
files_type(rpm_var_cache_t)
optional_policy(`
# delete locks
systemd_tmpfilesd_managed(rpm_var_cache_t)
')
type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
@ -90,6 +100,7 @@ allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(rpm_t, rpm_log_t, file)
allow rpm_t rpm_tmp_t:dir watch;
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
@ -101,6 +112,7 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
allow rpm_t rpm_var_cache_t:dir watch;
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
@ -211,6 +223,8 @@ seutil_read_file_contexts(rpm_t)
userdom_use_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
userdom_watch_user_runtime_dirs(rpm_t)
userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)
ifdef(`init_systemd', `
systemd_use_logind_fds(rpm_t)
@ -335,7 +349,7 @@ term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
term_use_all_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_dontaudit_read_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
init_domtrans_script(rpm_script_t)
@ -358,6 +372,7 @@ seutil_run_setfiles(rpm_script_t, rpm_roles)
seutil_run_semanage(rpm_script_t, rpm_roles)
userdom_use_all_users_fds(rpm_script_t)
userdom_user_runtime_root_filetrans_user_runtime(rpm_script_t, dir)
ifdef(`distro_redhat',`
optional_policy(`
@ -400,11 +415,12 @@ optional_policy(`
')
optional_policy(`
udev_domtrans(rpm_script_t)
udev_run_udevadm(rpm_script_t, rpm_roles)
')
optional_policy(`
unconfined_domtrans(rpm_script_t)
unconfined_write_inherited_pipes(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
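Review bot: In the `@ -335,7 +349,7` hunk the scriptlet domain's `auth_dontaudit_getattr_shadow(rpm_script_t)` becomes `auth_dontaudit_read_shadow(rpm_script_t)`, which silences every failed open/read of shadow by package scriptlets rather than just the stat, and nothing in the hunk records which scriptlet action causes it. A denied shadow read from a scriptlet is a signal an auditor would normally want kept, so a comment above the line such as `# <scriptlet action that opens shadow>: denied, only the audit noise is suppressed` with the real cause filled in would justify the wider dontaudit. The `systemd_tmpfilesd_managed` additions in the first hunk each carry a `# delete locks` comment, which is the right habit; the new `dir watch` rules on `rpm_tmp_t` and `rpm_var_cache_t` would benefit from the same treatment.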


@ -262,6 +262,10 @@ optional_policy(`
apt_use_fds(groupadd_t)
')
optional_policy(`
cloudinit_write_inherited_tmp_files(groupadd_t)
')
optional_policy(`
dbus_system_bus_client(groupadd_t)
')
@ -291,7 +295,7 @@ optional_policy(`
')
optional_policy(`
unconfined_use_fds(groupadd_t)
unconfined_write_inherited_pipes(groupadd_t)
')
########################################
@ -475,7 +479,7 @@ optional_policy(`
#
allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
dontaudit useradd_t self:capability { net_admin sys_tty_config };
dontaudit useradd_t self:capability { net_admin sys_ptrace sys_tty_config };
dontaudit useradd_t self:cap_userns sys_ptrace;
allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow useradd_t self:fd use;
@ -571,6 +575,10 @@ optional_policy(`
apt_use_fds(useradd_t)
')
optional_policy(`
cloudinit_write_inherited_tmp_files(useradd_t)
')
optional_policy(`
dbus_system_bus_client(useradd_t)
')
@ -602,5 +610,5 @@ optional_policy(`
')
optional_policy(`
unconfined_use_fds(useradd_t)
unconfined_write_inherited_pipes(useradd_t)
')
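Review bot: The `@ -475,7 +479,7` hunk adds `sys_ptrace` to the `useradd_t` capability dontaudit, mirroring the existing `cap_userns sys_ptrace` dontaudit on the next line, but no comment records what triggers the check. It is a suppression rather than a grant, so a reader needs to know it is safe to leave denied; a comment like `# sys_ptrace is checked on /proc reads of other processes - TODO confirm trigger` above the dontaudit line would do, with the trigger verified since it is not visible here. The `cloudinit_write_inherited_tmp_files` blocks for groupadd_t and useradd_t in the other hunks are self-explanatory alongside the existing `apt_use_fds` blocks.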


@ -813,6 +813,31 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
######################################
## <summary>
## Execute the ssh key generator in the ssh keygen domain,
## and allow the specified role the ssh keygen domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`ssh_run_keygen',`
gen_require(`
type ssh_keygen_t;
')
ssh_domtrans_keygen($1)
role $2 types ssh_keygen_t;
')
########################################
## <summary>
## Read ssh server keys
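Review bot: The new `ssh_run_keygen` interface (after the `@ -813,6 +813,31` header) adds a role to the `ssh_keygen_t` domain, but its XML block carries no `## <rolecap/>` tag, which refpolicy's other `*_run_*` interfaces use to mark role-capability interfaces in the generated documentation. Adding `## <rolecap/>` between the closing `## </param>` and the `#` line keeps it consistent with those. The body itself (`ssh_domtrans_keygen($1)` plus `role $2 types ssh_keygen_t;`) follows the standard run-interface pattern.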


@ -200,6 +200,11 @@ optional_policy(`
amanda_append_log_files(fsadm_t)
')
optional_policy(`
cloudinit_rw_tmp_files(fsadm_t)
cloudinit_create_tmp_files(fsadm_t)
')
optional_policy(`
container_read_device_blk_files(fsadm_t)
')
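Review bot: The new cloud-init block grants fsadm_t read/write and create on `cloud_init_tmp_t` but, unlike the neighbouring `amanda_append_log_files` block, has no comment saying which tool produces the access; presumably cloud-init invokes a filesystem tool with a temp file in its tmp directory, but that is inferred rather than shown here. A one-line comment above `cloudinit_rw_tmp_files(fsadm_t)` such as `# cloud-init runs fs tools with temp files in its tmp dir - TODO name the cloud-init module` would let a later reviewer judge whether rw plus create is the minimum needed. No filetrans is required for the create side, since `create_files_pattern` only covers files that already carry the directory's `cloud_init_tmp_t` type.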


@ -3793,6 +3793,26 @@ interface(`init_manage_all_unit_files',`
manage_lnk_files_pattern($1, systemdunit, systemdunit)
')
########################################
## <summary>
## Relabel from and to systemd unit types.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_relabel_all_unit_files',`
gen_require(`
attribute systemdunit;
')
list_dirs_pattern($1, systemdunit, systemdunit)
read_lnk_files_pattern($1, systemdunit, systemdunit)
relabel_files_pattern($1, systemdunit, systemdunit)
')
#########################################
## <summary>
## Associate the specified domain to be a domain whose
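Review bot: The summary of `init_relabel_all_unit_files` reads `Relabel from and to systemd unit types.` but the body only applies `relabel_files_pattern`; directories are listed and symlinks read, and neither is relabelable through this interface. Tightening it to `## Relabel files from and to systemd unit types.` matches the interface name and stops callers assuming unit directories or symlinks can be relabeled. If relabeling symlinks is also intended, a `relabel_lnk_files_pattern($1, systemdunit, systemdunit)` line would be needed, but that is a scope decision for the author.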


@ -220,6 +220,7 @@ optional_policy(`
')
optional_policy(`
unconfined_write_inherited_pipes(load_policy_t)
# leaked file descriptors
unconfined_dontaudit_read_pipes(load_policy_t)
')
@ -533,6 +534,10 @@ term_use_all_terms(semanage_t)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
# Python module compilations
libs_dontaudit_manage_lib_dirs(semanage_t)
libs_dontaudit_manage_lib_files(semanage_t)
logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
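Review bot: The `# Python module compilations` comment in the `@ -533,6 +534,10` hunk does not say that the two `libs_dontaudit_manage_lib_*` lines are suppression only, so a reader may think semanage_t is being allowed to write bytecode under the library directories. Something like `# Python module compilations: bytecode writes under lib dirs stay denied, only the audit noise is suppressed` states the actual effect. Whether that noise really originates in semanage_t rather than a helper that deserves its own domain is worth checking, but is not visible in this hunk.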


@ -1338,7 +1338,7 @@ interface(`systemd_write_logind_runtime_pipes',`
init_search_run($1)
files_search_runtime($1)
allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
allow $1 systemd_logind_runtime_t:fifo_file write_fifo_file_perms;
')
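Review bot: Replacing `{ getattr write }` with `write_fifo_file_perms` on `systemd_logind_runtime_t:fifo_file` adds `open`, `append`, `lock` and `ioctl` (per the set defined in obj_perm_sets.spt in this same commit), so callers can now open the named pipe by path rather than only write an inherited descriptor, and the hunk leaves that widening unexplained. If opening by path is the intent, the interface summary above this hunk (outside this view) should say so, e.g. `Open and write systemd-logind runtime named pipes.`; if only inherited writes were meant, `write_inherited_fifo_file_perms` from this commit is the tighter set.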
######################################


@ -526,7 +526,7 @@ init_rename_runtime_files(systemd_generator_t)
init_search_runtime(systemd_generator_t)
init_setattr_runtime_files(systemd_generator_t)
init_write_runtime_files(systemd_generator_t)
init_list_unit_dirs(systemd_generator_t)
init_list_all_units(systemd_generator_t)
init_read_generic_units_files(systemd_generator_t)
init_read_generic_units_symlinks(systemd_generator_t)
init_read_script_files(systemd_generator_t)
@ -559,7 +559,7 @@ ifdef(`distro_gentoo',`
optional_policy(`
cloudinit_create_runtime_dirs(systemd_generator_t)
cloudinit_write_runtime_files(systemd_generator_t)
cloudinit_rw_runtime_files(systemd_generator_t)
cloudinit_create_runtime_files(systemd_generator_t)
cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
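Review bot: In the `@ -559,7 +559,7` hunk the generator's access to cloud-init runtime files goes from write-only to read/write with no comment on what it reads; the surrounding `cloudinit_create_runtime_dirs` and `cloudinit_filetrans_runtime(... "cloud-init")` lines suggest the generator maintains files under the `cloud-init` runtime directory it creates, but the read side is inferred. A comment above the block such as `# generator reads back and rewrites its cloud-init runtime state - TODO name the file` would justify rw over the previous write-only grant. The `init_list_all_units` swap in the first hunk reads as a straightforward widening of the unit listing and needs no note.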


@ -425,6 +425,8 @@ kernel_dontaudit_getattr_proc(udevadm_t)
kernel_read_kernel_sysctls(udevadm_t)
kernel_read_system_state(udevadm_t)
selinux_use_status_page(udevadm_t)
seutil_read_file_contexts(udevadm_t)
storage_getattr_fixed_disk_dev(udevadm_t)
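Review bot: The two additions give udevadm_t the SELinux status page and file_contexts with no comment on why an admin-side udev tool needs to compute labels; presumably libselinux is initialising a context lookup for device nodes, but that is not confirmed by anything in the hunk. A comment such as `# libselinux label lookup - TODO confirm which udevadm verb needs it` above `selinux_use_status_page(udevadm_t)` would stop a later cleanup from removing them as unused. Both appear to be read-only grants, so the risk is low either way.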


@ -386,6 +386,25 @@ interface(`unconfined_read_pipes',`
allow $1 unconfined_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_write_inherited_pipes',`
gen_require(`
type unconfined_t;
')
allow $1 unconfined_t:fd use;
allow $1 unconfined_t:fifo_file write_inherited_fifo_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read unconfined domain unnamed pipes.
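Review bot: The summary of the new `unconfined_write_inherited_pipes` interface says `Read unconfined domain unnamed pipes.`, copied from `unconfined_read_pipes` just above it, while the body grants `fd use` and `write_inherited_fifo_file_perms`. Change it to `## Write inherited unconfined domain unnamed pipes.` so the generated documentation matches the rules. The callers this commit switches to it (rpm_script_t, groupadd_t, useradd_t, load_policy_t) rely on it being the write-side interface, so the wrong summary would mislead anyone auditing those domains.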


@ -3641,6 +3641,25 @@ interface(`userdom_manage_user_runtime_dirs',`
userdom_search_user_runtime_root($1)
')
########################################
## <summary>
## Watch user runtime dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_watch_user_runtime_dirs',`
gen_require(`
type user_runtime_t;
')
allow $1 user_runtime_t:dir watch;
userdom_search_user_runtime_root($1)
')
########################################
## <summary>
## Mount a filesystem on user runtime dir


@ -198,6 +198,7 @@ define(`getattr_fifo_file_perms',`{ getattr }')
define(`setattr_fifo_file_perms',`{ setattr }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_inherited_fifo_file_perms',`{ getattr write append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
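Review bot: `write_fifo_file_perms`, on the line after the new `write_inherited_fifo_file_perms`, spells out the same permissions plus `open`, whereas `rw_fifo_file_perms` two lines down is written as `{ open rw_inherited_fifo_file_perms }`; defining it as `define(`write_fifo_file_perms',`{ open write_inherited_fifo_file_perms }')` would give the two pairs the same shape and guarantee the inherited and full write sets cannot drift apart. The resulting permission set is identical, so this is style only. The hunk counts suggest `write_fifo_file_perms` is unchanged context, so the edit would be a follow-up rather than part of this hunk.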