Vagrantfile: add a specific SELinux policy module

When using Vagrant to run virtual machines with SELinux enabled, several
specific accesses need to be allowed. It does not make much sense to add
the needed rules to the refpolicy, as they are very specific to the use
of Vagrant to provision a virtual machine to test a policy. Therefore,
create a dedicated module to allow the required accesses.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nicolas Iooss 2019-12-22 18:17:36 +01:00
parent d1f92dae04
commit 7317bd64c0
GPG Key ID: C191415F340DAAA0
2 changed files with 24 additions and 0 deletions

Vagrantfile vendored

@ -19,6 +19,9 @@ $install_refpolicy = <<-SHELL
make -C /vagrant install-headers make -C /vagrant install-headers
semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp
# Load the module specific to Vagrant VM
semodule -s refpolicy -i /vagrant/support/vagrant-vm.cil
if ! (LANG=C sestatus -v | grep '^Loaded policy name:\s*refpolicy$' > /dev/null) if ! (LANG=C sestatus -v | grep '^Loaded policy name:\s*refpolicy$' > /dev/null)
then then
# Use the reference policy # Use the reference policy
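Review bot: the new `semodule -s refpolicy -i /vagrant/support/vagrant-vm.cil` line is a second, separate `semodule` invocation right after the one that installs `/usr/share/selinux/refpolicy/*.pp`, so if the CIL module fails to link (it references types such as `load_policy_t`, `semanage_t`, `setfiles_t` and the `sudodomain` attribute without an `optional` guard) the refpolicy modules are already committed and the failure is only visible in that command's exit status. Consider passing both to one call, `semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp /vagrant/support/vagrant-vm.cil`, so the store is updated in a single transaction, or at least checking the return code of the second call before the `sestatus` test that follows.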

support/vagrant-vm.cil Normal file

@ -0,0 +1,21 @@
; SELinux policy module for running virtual machines with Vagrant
; Vagrant performs "ssh sudo ..." without allocating a pseudo-terminal.
; This leads sudo to directly using sshd pipes, as well as other processes
; spawned from the provision scripts. Define an attribute for those processes.
(typeattribute vagrant_provisioning_cmd_type)
(typeattributeset vagrant_provisioning_cmd_type (
load_policy_t
semanage_t
setfiles_t
sudodomain
))
(allow vagrant_provisioning_cmd_type sshd_t (fifo_file (append getattr ioctl read write)))
; "vagrant rsync" makes Vagrant invoke "sudo rsync" without a shell which would
; make sudo transition out of sysadm_sudo_t.
; Therefore add a transition from sysadm_sudo_t to sysadm_t through rsync_exec_t
(optional sysadm_sudo_rsync_transition
(allow sysadm_t rsync_exec_t (file (entrypoint)))
(typetransition sysadm_sudo_t rsync_exec_t process sysadm_t)
)
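Review bot: the `typeattributeset` block and the `allow vagrant_provisioning_cmd_type sshd_t (fifo_file ...)` rule sit outside any `optional` block, so the module fails to load if `load_policy_t`, `semanage_t`, `setfiles_t` or the `sudodomain` attribute is absent from the loaded refpolicy, while only the rsync transition is wrapped in `optional sysadm_sudo_rsync_transition`. Either wrap the attribute set and the fifo rule in their own `optional` for consistency, or add a sentence to the header comment stating that the module requires the refpolicy modules providing those types (sudo, selinuxutil, ssh, rsync) to be installed, since the commit message explains the module is meant only for the Vagrant test VM and that expectation is otherwise undocumented.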