From c8c3ae2cbabffd1f3bb37b585e5b359a80dd504f Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Thu, 27 Jun 2024 10:34:25 -0400
Subject: [PATCH 1/2] haproxy: initial policy
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/haproxy.fc | 12 +++
 policy/modules/services/haproxy.if | 89 +++++++++++++++++++++
 policy/modules/services/haproxy.te | 121 +++++++++++++++++++++++++++++
 3 files changed, 222 insertions(+)
 create mode 100644 policy/modules/services/haproxy.fc
 create mode 100644 policy/modules/services/haproxy.if
 create mode 100644 policy/modules/services/haproxy.te
diff --git a/policy/modules/services/haproxy.fc b/policy/modules/services/haproxy.fc
new file mode 100644
index 000000000..63e1b8a4c
--- /dev/null
+++ b/policy/modules/services/haproxy.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/haproxy.* -- gen_context(system_u:object_r:haproxy_initrc_exec_t,s0)
+
+/etc/haproxy(/.*)? gen_context(system_u:object_r:haproxy_conf_t,s0)
+
+/usr/bin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+
+/run/haproxy(/.*)? gen_context(system_u:object_r:haproxy_runtime_t,s0)
+/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_runtime_t,s0)
+/run/haproxy-master\.sock -s gen_context(system_u:object_r:haproxy_runtime_t,s0)
+
+/var/log/haproxy(/.*)? gen_context(system_u:object_r:haproxy_log_t,s0)
diff --git a/policy/modules/services/haproxy.if b/policy/modules/services/haproxy.if
new file mode 100644
index 000000000..45399bd2e
--- /dev/null
+++ b/policy/modules/services/haproxy.if
@@ -0,0 +1,89 @@
+## A TCP/HTTP reverse proxy for high availability environments.
+
+########################################
+##
+## Execute haproxy in the haproxy domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`haproxy_domtrans',`
+ gen_require(`
+ type haproxy_t, haproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
+########################################
+##
+## Execute haproxy in the haproxy domain, and
+## allow the specified role the haproxy domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`haproxy_run',`
+ gen_require(`
+ type haproxy_t;
+ ')
+
+ haproxy_domtrans($1)
+ role $2 types haproxy_t;
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an haproxy environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`haproxy_admin',`
+ gen_require(`
+ type haproxy_t, haproxy_initrc_exec_t, haproxy_conf_t;
+ type haproxy_log_t, haproxy_runtime_t, haproxy_tmpfs_t;
+ ')
+
+ haproxy_run($1, $2)
+
+ init_startstop_service($1, $2, haproxy_t, haproxy_initrc_exec_t)
+
+ allow $1 haproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, haproxy_t)
+
+ files_search_etc($1)
+ admin_pattern($1, haproxy_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, haproxy_log_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, haproxy_tmpfs_t)
+
+ files_search_runtime($1)
+ admin_pattern($1, haproxy_runtime_t)
+')
diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te
new file mode 100644
index 000000000..fd5bc3804
--- /dev/null
+++ b/policy/modules/services/haproxy.te
@@ -0,0 +1,121 @@
+policy_module(haproxy)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
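Review bot: The .fc hunk labels `/run/haproxy-master\.sock` and anything under `/run/haproxy` as haproxy_runtime_t and the .te hunk lets haproxy_t create sock files there, but this interface file exposes no way for another domain to connect to those sockets, so a client of the stats or master CLI socket cannot be granted access without a local module; `haproxy_admin` has the same gap, since `admin_pattern` on haproxy_runtime_t does not include unix_stream_socket connectto to haproxy_t. Add a `haproxy_stream_connect` interface after `haproxy_run` and call it from `haproxy_admin`, e.g. `haproxy_stream_connect($1)` next to the runtime `admin_pattern`. Both names it requires, haproxy_t and haproxy_runtime_t, are declared in this patch.
```m4
########################################
## <summary>
##	Connect to haproxy over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`haproxy_stream_connect',`
	gen_require(`
		type haproxy_t, haproxy_runtime_t;
	')

	files_search_runtime($1)
	stream_connect_pattern($1, haproxy_runtime_t, haproxy_runtime_t, haproxy_t)
')
```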

+## Determine whether haproxy can bind to
+## all TCP ports.
+##

+##
+gen_tunable(haproxy_bind_all_tcp_ports, false)
+
+##
+##

+## Determine whether haproxy can bind to
+## kubernetes ports (typically 6443/tcp).
+##

+##
+gen_tunable(haproxy_bind_kubernetes_port, false)
+
+##
+##

+## Determine whether haproxy can connect to
+## all TCP ports.
+##

+##
+gen_tunable(haproxy_connect_all_tcp_ports, false)
+
+##
+##

+## Determine whether haproxy can connect to
+## kubernetes ports (typically 6443/tcp).
+##

+##
+##
+gen_tunable(haproxy_connect_kubernetes_port, false)
+
+type haproxy_t;
+type haproxy_exec_t;
+init_daemon_domain(haproxy_t, haproxy_exec_t)
+
+type haproxy_conf_t;
+files_config_file(haproxy_conf_t)
+
+type haproxy_initrc_exec_t;
+init_script_file(haproxy_initrc_exec_t)
+
+type haproxy_log_t;
+logging_log_file(haproxy_log_t)
+
+type haproxy_runtime_t;
+files_runtime_file(haproxy_runtime_t)
+
+type haproxy_tmpfs_t;
+files_tmpfs_file(haproxy_tmpfs_t)
+
+########################################
+#
+# haproxy local policy
+#
+
+allow haproxy_t self:process { getsched setrlimit signal };
+allow haproxy_t self:capability { kill setuid setgid };
+dontaudit haproxy_t self:capability net_admin;
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:tcp_socket create_stream_socket_perms;
+allow haproxy_t self:udp_socket create_socket_perms;
+allow haproxy_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(haproxy_t, haproxy_conf_t, haproxy_conf_t)
+
+create_dirs_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+create_files_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+append_files_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+logging_log_filetrans(haproxy_t, haproxy_log_t, { dir file })
+
+manage_files_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)
+manage_sock_files_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)
+files_runtime_filetrans(haproxy_t, haproxy_runtime_t, { dir file sock_file })
+
+mmap_manage_files_pattern(haproxy_t, haproxy_tmpfs_t, haproxy_tmpfs_t)
+fs_tmpfs_filetrans(haproxy_t, haproxy_tmpfs_t, file)
+
+corenet_tcp_bind_http_port(haproxy_t)
+corenet_tcp_connect_http_port(haproxy_t)
+corenet_tcp_bind_generic_node(haproxy_t)
+
+corecmd_search_bin(haproxy_t)
+
+dev_dontaudit_read_sysfs(haproxy_t)
+
+kernel_read_kernel_sysctls(haproxy_t)
+kernel_read_state(haproxy_t)
+kernel_read_system_state(haproxy_t)
+
+auth_use_nsswitch(haproxy_t)
+
+miscfiles_read_generic_certs(haproxy_t)
+miscfiles_read_localization(haproxy_t)
+
+logging_send_syslog_msg(haproxy_t)
+
+can_exec(haproxy_t, haproxy_exec_t)
+
+tunable_policy(`haproxy_bind_all_tcp_ports',`
+ corenet_tcp_bind_all_ports(haproxy_t)
+')
+
+tunable_policy(`haproxy_bind_kubernetes_port',`
+ corenet_tcp_bind_kubernetes_port(haproxy_t)
+')
+
+tunable_policy(`haproxy_connect_all_tcp_ports',`
+ corenet_tcp_connect_all_ports(haproxy_t)
+')
+
+tunable_policy(`haproxy_connect_kubernetes_port',`
+ corenet_tcp_connect_kubernetes_port(haproxy_t)
+')
From 09a747a16dfa038a56fd4a47e9fa1791c3cb3dfb Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Thu, 27 Jun 2024 10:34:40 -0400
Subject: [PATCH 2/2] sysadm: make haproxy admin
Signed-off-by: Kenton Groombridge
---
 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 08cc0e117..69777df20 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -472,6 +472,10 @@ optional_policy(`
 hadoop_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
+optional_policy(`
+ haproxy_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 hddtemp_admin(sysadm_t, sysadm_r)
 ')
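Review bot: `corenet_tcp_bind_http_port(haproxy_t)` grants the http_port_t ports, which include the privileged 80 and 443, but the capability rule in this hunk only allows `{ kill setuid setgid }`; binding any port below 1024 also needs the net_bind_service capability, so a stock front end on :80 or :443 will be denied unless the daemon is only ever bound to unprivileged ports. Change that rule to `allow haproxy_t self:capability { kill net_bind_service setuid setgid };`. Separately, `files_runtime_filetrans(haproxy_t, haproxy_runtime_t, { dir file sock_file })` includes dir, but only files and sock files are manageable on haproxy_runtime_t, so creating /run/haproxy itself would be denied; either add `manage_dirs_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)` or drop dir from the transition if the directory is expected to come from tmpfiles or RuntimeDirectory. If the target distribution's default haproxy.cfg uses `chroot` (it commonly does), sys_chroot and a labeled chroot directory would also be needed, which is worth confirming against the configuration this was tested with.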