cloudinit: Add permissions derived from sysadm.

Allow a similar amount of admin capability to cloud-init as sysadm.  Also add
a tunable to allow non-security file management for fallback.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>

policy/modules/admin/cloudinit.if

@@ -57,6 +57,25 @@ interface(`cloudinit_write_runtime_files',`
 	write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
 ')
 
+########################################
+## <summary>
+##	Read and write cloud-init runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_rw_runtime_files',`
+	gen_require(`
+		type cloud_init_runtime_t;
+	')
+
+	files_search_runtime($1)
+	rw_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Create cloud-init runtime files.
@@ -125,3 +144,60 @@ interface(`cloudinit_getattr_state_files',`
 	allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
 	allow $1 cloud_init_state_t:file getattr;
 ')
+
+########################################
+## <summary>
+##	Write inherited cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_write_inherited_tmp_files',`
+	gen_require(`
+		type cloud_init_t, cloud_init_tmp_t;
+	')
+
+	allow $1 cloud_init_t:fd use;
+	allow $1 cloud_init_tmp_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_rw_tmp_files',`
+	gen_require(`
+		type cloud_init_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+')
+
+########################################
+## <summary>
+##	Create cloud-init temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cloudinit_create_tmp_files',`
+	gen_require(`
+		type cloud_init_tmp_t;
+	')
+
+	files_search_tmp($1)
+	create_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+')

policy/modules/admin/rpm.fc

@@ -52,11 +52,13 @@ ifdef(`distro_redhat',`
 /usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/t?dnf(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 /var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
 /var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/dnf(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/t?dnf(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 

policy/modules/admin/rpm.te

@@ -46,9 +46,19 @@ init_unit_file(rpm_unit_t)
 type rpm_var_lib_t;
 files_type(rpm_var_lib_t)
 
+optional_policy(`
+	# delete locks
+	systemd_tmpfilesd_managed(rpm_var_lib_t)
+')
+
 type rpm_var_cache_t;
 files_type(rpm_var_cache_t)
 
+optional_policy(`
+	# delete locks
+	systemd_tmpfilesd_managed(rpm_var_cache_t)
+')
+
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
@@ -90,6 +100,7 @@ allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(rpm_t, rpm_log_t, file)
 
+allow rpm_t rpm_tmp_t:dir watch;
 manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
@@ -101,6 +112,7 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+allow rpm_t rpm_var_cache_t:dir watch;
 manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
@@ -211,6 +223,8 @@ seutil_read_file_contexts(rpm_t)
 
 userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
+userdom_watch_user_runtime_dirs(rpm_t)
+userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)
 
 ifdef(`init_systemd', `
 	systemd_use_logind_fds(rpm_t)
@@ -335,7 +349,7 @@ term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
 term_use_all_terms(rpm_script_t)
 
-auth_dontaudit_getattr_shadow(rpm_script_t)
+auth_dontaudit_read_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 
 init_domtrans_script(rpm_script_t)
@@ -358,6 +372,7 @@ seutil_run_setfiles(rpm_script_t, rpm_roles)
 seutil_run_semanage(rpm_script_t, rpm_roles)
 
 userdom_use_all_users_fds(rpm_script_t)
+userdom_user_runtime_root_filetrans_user_runtime(rpm_script_t, dir)
 
 ifdef(`distro_redhat',`
 	optional_policy(`
@@ -400,11 +415,12 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_domtrans(rpm_script_t)
+	udev_run_udevadm(rpm_script_t, rpm_roles)
 ')
 
 optional_policy(`
 	unconfined_domtrans(rpm_script_t)
+	unconfined_write_inherited_pipes(rpm_script_t)
 
 	optional_policy(`
 		java_domtrans_unconfined(rpm_script_t)

policy/modules/admin/usermanage.te

@@ -262,6 +262,10 @@ optional_policy(`
 	apt_use_fds(groupadd_t)
 ')
 
+optional_policy(`
+	cloudinit_write_inherited_tmp_files(groupadd_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(groupadd_t)
 ')
@@ -291,7 +295,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_use_fds(groupadd_t)
+	unconfined_write_inherited_pipes(groupadd_t)
 ')
 
 ########################################
@@ -475,7 +479,7 @@ optional_policy(`
 #
 
 allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:capability { net_admin sys_ptrace sys_tty_config };
 dontaudit useradd_t self:cap_userns sys_ptrace;
 allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow useradd_t self:fd use;
@@ -571,6 +575,10 @@ optional_policy(`
 	apt_use_fds(useradd_t)
 ')
 
+optional_policy(`
+	cloudinit_write_inherited_tmp_files(useradd_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(useradd_t)
 ')
@@ -602,5 +610,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_use_fds(useradd_t)
+	unconfined_write_inherited_pipes(useradd_t)
 ')

policy/modules/services/ssh.if

@@ -813,6 +813,31 @@ interface(`ssh_domtrans_keygen',`
 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
 ')
 
+######################################
+## <summary>
+##	Execute the ssh key generator in the ssh keygen domain,
+##	and allow the specified	role the ssh keygen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_run_keygen',`
+	gen_require(`
+		type ssh_keygen_t;
+	')
+
+	ssh_domtrans_keygen($1)
+	role $2 types ssh_keygen_t;
+')
+
 ########################################
 ## <summary>
 ##	Read ssh server keys

policy/modules/system/fstools.te

@@ -200,6 +200,11 @@ optional_policy(`
 	amanda_append_log_files(fsadm_t)
 ')
 
+optional_policy(`
+	cloudinit_rw_tmp_files(fsadm_t)
+	cloudinit_create_tmp_files(fsadm_t)
+')
+
 optional_policy(`
 	container_read_device_blk_files(fsadm_t)
 ')

policy/modules/system/init.if

@@ -3793,6 +3793,26 @@ interface(`init_manage_all_unit_files',`
 	manage_lnk_files_pattern($1, systemdunit, systemdunit)
 ')
 
+########################################
+## <summary>
+##	Relabel from and to systemd unit types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_relabel_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	list_dirs_pattern($1, systemdunit, systemdunit)
+	read_lnk_files_pattern($1, systemdunit, systemdunit)
+	relabel_files_pattern($1, systemdunit, systemdunit)
+')
+
 #########################################
 ## <summary>
 ##	Associate the specified domain to be a domain whose

policy/modules/system/selinuxutil.te

@@ -220,6 +220,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_write_inherited_pipes(load_policy_t)
         # leaked file descriptors
         unconfined_dontaudit_read_pipes(load_policy_t)
 ')
@@ -533,6 +534,10 @@ term_use_all_terms(semanage_t)
 # Running genhomedircon requires this for finding all users
 auth_use_nsswitch(semanage_t)
 
+# Python module compilations
+libs_dontaudit_manage_lib_dirs(semanage_t)
+libs_dontaudit_manage_lib_files(semanage_t)
+
 logging_send_syslog_msg(semanage_t)
 
 miscfiles_read_localization(semanage_t)

policy/modules/system/systemd.if

@@ -1338,7 +1338,7 @@ interface(`systemd_write_logind_runtime_pipes',`
 
 	init_search_run($1)
 	files_search_runtime($1)
-	allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
+	allow $1 systemd_logind_runtime_t:fifo_file write_fifo_file_perms;
 ')
 
 ######################################

policy/modules/system/systemd.te

@@ -526,7 +526,7 @@ init_rename_runtime_files(systemd_generator_t)
 init_search_runtime(systemd_generator_t)
 init_setattr_runtime_files(systemd_generator_t)
 init_write_runtime_files(systemd_generator_t)
-init_list_unit_dirs(systemd_generator_t)
+init_list_all_units(systemd_generator_t)
 init_read_generic_units_files(systemd_generator_t)
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)
@@ -559,7 +559,7 @@ ifdef(`distro_gentoo',`
 
 optional_policy(`
 	cloudinit_create_runtime_dirs(systemd_generator_t)
-	cloudinit_write_runtime_files(systemd_generator_t)
+	cloudinit_rw_runtime_files(systemd_generator_t)
 	cloudinit_create_runtime_files(systemd_generator_t)
 	cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
 

policy/modules/system/udev.te

@@ -425,6 +425,8 @@ kernel_dontaudit_getattr_proc(udevadm_t)
 kernel_read_kernel_sysctls(udevadm_t)
 kernel_read_system_state(udevadm_t)
 
+selinux_use_status_page(udevadm_t)
+
 seutil_read_file_contexts(udevadm_t)
 
 storage_getattr_fixed_disk_dev(udevadm_t)

policy/modules/system/unconfined.if

@@ -386,6 +386,25 @@ interface(`unconfined_read_pipes',`
 	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_write_inherited_pipes',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	allow $1 unconfined_t:fd use;
+	allow $1 unconfined_t:fifo_file write_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read unconfined domain unnamed pipes.

policy/modules/system/userdomain.if

@@ -3641,6 +3641,25 @@ interface(`userdom_manage_user_runtime_dirs',`
 	userdom_search_user_runtime_root($1)
 ')
 
+########################################
+## <summary>
+##	Watch user runtime dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_watch_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir watch;
+	userdom_search_user_runtime_root($1)
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on user runtime dir

policy/support/obj_perm_sets.spt

@@ -198,6 +198,7 @@ define(`getattr_fifo_file_perms',`{ getattr }')
 define(`setattr_fifo_file_perms',`{ setattr }')
 define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
 define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+define(`write_inherited_fifo_file_perms',`{ getattr write append lock ioctl }')
 define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
 define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
 define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')