SELinux policy for cockpit
Setup domain for cockpit-certificate-ensure Setup service rules Signed-off-by: Dave Sugar <dsugar100@gmail.com>
parent
a81eefc3c1
commit
cc46c3296a
@ -327,6 +327,7 @@ ifdef(`distro_debian',`
|
|||
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gedit/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
|
@ -283,6 +283,10 @@ optional_policy(`
|
|||
cobbler_admin(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cockpit_admin(sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
collectd_admin(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
# cockpit stuff
|
||||
|
||||
/etc/cockpit/ws-certs\.d(/.*)? gen_context(system_u:object_r:cockpit_cert_t,s0)
|
||||
|
||||
/run/cockpit(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
|
||||
/run/cockpit/certificate-helper(/.*) gen_context(system_u:object_r:cockpit_cert_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_t,s0)
|
||||
|
||||
/usr/libexec/cockpit-certificate-ensure -- gen_context(system_u:object_r:cockpit_cert_manage_exec_t,s0)
|
||||
/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
|
||||
/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
|
||||
|
||||
/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_state_t,s0)
|
||||
|
||||
/var/run/cockpit(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
|
||||
/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
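Review bot: The `/run/cockpit/certificate-helper(/.*)` entry is missing the trailing `?`, so the directory itself is matched only by `/run/cockpit(/.*)?` and a relabel (restorecon) would give it cockpit_runtime_t while its contents get cockpit_cert_t; the .te hunk in this commit creates that directory as cockpit_cert_t through filetrans_pattern, so the on-disk label and the file contexts disagree after any relabel. Change it to `/run/cockpit/certificate-helper(/.*)? gen_context(system_u:object_r:cockpit_cert_t,s0)`. The `/var/run/cockpit(/.*)?` entry duplicates `/run/cockpit(/.*)?` while `/var/run/cockpit-ws(/.*)?` has no `/run` counterpart; if the build relies on a /var/run to /run path substitution the `/var/run` entries are redundant, otherwise `/run/cockpit-ws(/.*)?` is missing, and either way the two forms should be used consistently.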
|
|
@ -0,0 +1,202 @@
|
|||
## <summary>Cockpit web management system for Linux</summary>
|
||||
##
|
||||
## <desc>
|
||||
## Cockpit is a web console that enables users to administer Linux servers
|
||||
## via a web browser.
|
||||
## see https://cockpit-project.org/
|
||||
##
|
||||
## For linux logins that are allowed access they must be associated with a
|
||||
## SELinux user that uses ssh_role_template (sysadm, system). To be able
|
||||
## to alter system settings the must be allowed sudo access.
|
||||
## </desc>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Transition to the cockpit session domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cockpit_domtrans_session',`
|
||||
gen_require(`
|
||||
type cockpit_session_t, cockpit_session_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified domain to get status of cockpit service
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cockpit_get_service_status',`
|
||||
gen_require(`
|
||||
type cockpit_unit_t;
|
||||
class service status;
|
||||
')
|
||||
|
||||
allow $1 cockpit_unit_t:service status;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified domain to enable cockpit units
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cockpit_enabledisable',`
|
||||
gen_require(`
|
||||
type cockpit_unit_t;
|
||||
class service { enable disable };
|
||||
')
|
||||
|
||||
cockpit_get_service_status($1)
|
||||
allow $1 cockpit_unit_t:service { enable disable };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified domain to start cockpit units
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cockpit_startstop',`
|
||||
gen_require(`
|
||||
type cockpit_unit_t;
|
||||
class service { start stop };
|
||||
')
|
||||
|
||||
cockpit_get_service_status($1)
|
||||
allow $1 cockpit_unit_t:service { start stop };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete the cockpick runtime symlink files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cockpit_manage_runtime_symlnks',`
|
||||
gen_require(`
|
||||
type cockpit_runtime_t;
|
||||
')
|
||||
|
||||
files_search_runtime($1)
|
||||
manage_lnk_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage the cockpit certificate files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cockpit_manage_cert_files',`
|
||||
gen_require(`
|
||||
type cockpit_cert_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, cockpit_cert_t, cockpit_cert_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read cockpit certificate files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cockpit_read_cert_files',`
|
||||
gen_require(`
|
||||
type cockpit_cert_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
list_dirs_pattern($1, cockpit_cert_t, cockpit_cert_t)
|
||||
read_files_pattern($1, cockpit_cert_t, cockpit_cert_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete cockpit certificate files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cockpit_delete_cert_files',`
|
||||
gen_require(`
|
||||
type cockpit_cert_t;
|
||||
type cockpit_runtime_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
|
||||
delete_files_pattern($1, cockpit_runtime_t, cockpit_cert_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an cockpit environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`cockpit_admin',`
|
||||
gen_require(`
|
||||
type cockpit_ws_t;
|
||||
type cockpit_session_t;
|
||||
type cockpit_state_t;
|
||||
type cockpit_runtime_t;
|
||||
type cockpit_unit_t;
|
||||
')
|
||||
|
||||
allow $1 cockpit_ws_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, cockpit_ws_t)
|
||||
|
||||
allow $1 cockpit_session_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, cockpit_session_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, cockpit_state_t)
|
||||
admin_pattern($1, cockpit_runtime_t)
|
||||
|
||||
cockpit_enabledisable($1)
|
||||
cockpit_startstop($1)
|
||||
admin_pattern($1, cockpit_unit_t)
|
||||
')
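Review bot: cockpit_admin leaves out the certificate helper: its gen_require lists cockpit_ws_t, cockpit_session_t, cockpit_state_t, cockpit_runtime_t and cockpit_unit_t but never cockpit_cert_manage_t or cockpit_cert_t, so an administrator given this interface can neither inspect and signal cockpit-certificate-ensure nor manage the certificate files this module defines. Adding both types to the gen_require and the lines `allow $1 cockpit_cert_manage_t:process { ptrace signal_perms };`, `ps_process_pattern($1, cockpit_cert_manage_t)` and `admin_pattern($1, cockpit_cert_t)` would bring it in line with how the other domains are handled. The interface name `cockpit_manage_runtime_symlnks` drops the "i" of symlinks and its summary reads "cockpick"; the init hunk at the end of this commit calls it by that name, so renaming it to `cockpit_manage_runtime_symlinks` has to change both sites together. cockpit_delete_cert_files uses cockpit_runtime_t as the directory type whereas cockpit_read_cert_files searches /etc and uses cockpit_cert_t directories, which deserves a comment stating that deletion is only expected for files under /run.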
|
|
@ -0,0 +1,262 @@
|
|||
policy_module(cockpit)
|
||||
|
||||
# https://cockpit-project.org/
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type cockpit_cert_manage_t;
|
||||
type cockpit_cert_manage_exec_t;
|
||||
init_daemon_domain(cockpit_cert_manage_t, cockpit_cert_manage_exec_t)
|
||||
|
||||
type cockpit_cert_t;
|
||||
miscfiles_cert_type(cockpit_cert_t)
|
||||
|
||||
type cockpit_runtime_t;
|
||||
files_runtime_file(cockpit_runtime_t)
|
||||
init_daemon_runtime_file(cockpit_runtime_t, file, "active.motd")
|
||||
init_daemon_runtime_file(cockpit_runtime_t, file, "iuactive.motd")
|
||||
init_daemon_runtime_file(cockpit_runtime_t, lnk_file, "motd")
|
||||
|
||||
optional_policy(`
|
||||
systemd_tmpfilesd_managed(cockpit_runtime_t)
|
||||
')
|
||||
|
||||
type cockpit_state_t;
|
||||
files_type(cockpit_state_t)
|
||||
|
||||
type cockpit_session_t;
|
||||
type cockpit_session_exec_t;
|
||||
domain_type(cockpit_session_t)
|
||||
domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
|
||||
|
||||
type cockpit_tmp_t;
|
||||
files_tmp_file(cockpit_tmp_t)
|
||||
|
||||
type cockpit_tmpfs_t;
|
||||
userdom_user_tmpfs_file(cockpit_tmpfs_t)
|
||||
|
||||
type cockpit_unit_t;
|
||||
init_unit_file(cockpit_unit_t)
|
||||
|
||||
type cockpit_ws_t;
|
||||
type cockpit_ws_exec_t;
|
||||
init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# cockpit_ws_t local policy
|
||||
#
|
||||
|
||||
allow cockpit_ws_t self:process setrlimit;
|
||||
allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
|
||||
allow cockpit_ws_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
# cockpit-ws launches cockpit-session
|
||||
cockpit_domtrans_session(cockpit_ws_t)
|
||||
allow cockpit_ws_t cockpit_session_t:process signal_perms;
|
||||
|
||||
# cockpit-tls and cockpit-ws communicate over a Unix socket
|
||||
allow cockpit_ws_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
allow cockpit_ws_t cockpit_cert_t:file unlink;
|
||||
|
||||
kernel_read_system_state(cockpit_ws_t)
|
||||
|
||||
# cockpit-tls can execute cockpit-ws
|
||||
can_exec(cockpit_ws_t,cockpit_ws_exec_t)
|
||||
|
||||
corecmd_exec_shell(cockpit_ws_t)
|
||||
|
||||
# cockpit-ws can read from /dev/urandom
|
||||
dev_read_urand(cockpit_ws_t) # for authkey
|
||||
dev_read_rand(cockpit_ws_t) # for libssh
|
||||
|
||||
corenet_tcp_bind_generic_node(cockpit_ws_t)
|
||||
corenet_tcp_bind_websm_port(cockpit_ws_t)
|
||||
corenet_sendrecv_websm_server_packets(cockpit_ws_t)
|
||||
|
||||
# cockpit-ws can connect to other hosts via ssh
|
||||
corenet_tcp_connect_ssh_port(cockpit_ws_t)
|
||||
|
||||
# cockpit-ws can write to its temp files
|
||||
manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
|
||||
manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
|
||||
files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
|
||||
manage_files_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
|
||||
fs_tmpfs_filetrans(cockpit_ws_t, cockpit_tmpfs_t, { file })
|
||||
|
||||
manage_dirs_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
manage_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
manage_lnk_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
files_runtime_filetrans(cockpit_ws_t, cockpit_runtime_t, { file dir sock_file })
|
||||
|
||||
manage_files_pattern(cockpit_ws_t, cockpit_state_t, cockpit_state_t)
|
||||
manage_dirs_pattern(cockpit_ws_t, cockpit_state_t, cockpit_state_t)
|
||||
|
||||
|
||||
cockpit_startstop(cockpit_ws_t)
|
||||
cockpit_read_cert_files(cockpit_ws_t)
|
||||
|
||||
files_map_usr_files(cockpit_ws_t)
|
||||
files_read_usr_files(cockpit_ws_t)
|
||||
kernel_recvfrom_unlabeled_peer(cockpit_ws_t)
|
||||
|
||||
kernel_getattr_proc(cockpit_ws_t)
|
||||
kernel_read_network_state(cockpit_ws_t)
|
||||
|
||||
auth_use_nsswitch(cockpit_ws_t)
|
||||
|
||||
corecmd_exec_bin(cockpit_ws_t)
|
||||
|
||||
fs_read_efivarfs_files(cockpit_ws_t)
|
||||
|
||||
init_read_state(cockpit_ws_t)
|
||||
init_stream_connect(cockpit_ws_t)
|
||||
|
||||
dbus_system_bus_client(cockpit_ws_t)
|
||||
|
||||
logging_send_syslog_msg(cockpit_ws_t)
|
||||
|
||||
miscfiles_read_localization(cockpit_ws_t)
|
||||
|
||||
sysnet_exec_ifconfig(cockpit_ws_t)
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(cockpit_ws_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(cockpit_ws_t)
|
||||
kerberos_etc_filetrans_keytab(cockpit_ws_t, file)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ssh_read_user_home_files(cockpit_ws_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_exec_systemctl(cockpit_ws_t)
|
||||
')
|
||||
|
||||
#########################################################
|
||||
#
|
||||
# cockpit-session local policy
|
||||
#
|
||||
|
||||
# cockpit-session changes to the actual logged in user
|
||||
allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
|
||||
allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
|
||||
allow cockpit_session_t self:fifo_file rw_inherited_fifo_file_perms;
|
||||
|
||||
# cockpit-session communicates back with cockpit-ws
|
||||
allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
|
||||
|
||||
read_files_pattern(cockpit_session_t, cockpit_state_t, cockpit_state_t)
|
||||
list_dirs_pattern(cockpit_session_t, cockpit_state_t, cockpit_state_t)
|
||||
|
||||
manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
|
||||
manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
|
||||
manage_sock_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
|
||||
files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file sock_file })
|
||||
|
||||
manage_dirs_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
|
||||
manage_files_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
|
||||
fs_tmpfs_filetrans(cockpit_session_t, cockpit_tmpfs_t, { file })
|
||||
|
||||
read_files_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
list_dirs_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
|
||||
# cockpit-session can execute cockpit-agent as the user
|
||||
usermanage_read_crack_db(cockpit_session_t)
|
||||
|
||||
corenet_tcp_bind_ssh_port(cockpit_session_t)
|
||||
corenet_tcp_connect_ssh_port(cockpit_session_t)
|
||||
|
||||
files_read_usr_files(cockpit_session_t)
|
||||
|
||||
kernel_read_kernel_sysctls(cockpit_session_t)
|
||||
kernel_read_network_state(cockpit_session_t)
|
||||
|
||||
selinux_use_status_page(cockpit_session_t)
|
||||
|
||||
dbus_system_bus_client(cockpit_session_t)
|
||||
|
||||
# cockpit-session runs a full pam stack, including pam_selinux.so
|
||||
auth_login_pgm_domain(cockpit_session_t)
|
||||
# cockpit-session resseting expired passwords
|
||||
auth_manage_shadow(cockpit_session_t)
|
||||
auth_write_login_records(cockpit_session_t)
|
||||
|
||||
init_rw_inherited_stream_socket(cockpit_session_t)
|
||||
init_use_fds(cockpit_session_t)
|
||||
init_named_socket_activation(cockpit_session_t, cockpit_runtime_t)
|
||||
|
||||
miscfiles_read_localization(cockpit_session_t)
|
||||
|
||||
# cockpit-session can execute cockpit-agent as the user
|
||||
userdom_spec_domtrans_all_users(cockpit_session_t)
|
||||
|
||||
optional_policy(`
|
||||
systemd_dbus_chat_logind(cockpit_session_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sssd_dbus_chat(cockpit_session_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userdom_signal_all_users(cockpit_session_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domtrans(cockpit_session_t)
|
||||
')
|
||||
|
||||
|
||||
###################################################################
|
||||
#
|
||||
# cockpit-certificate-ensure policy
|
||||
#
|
||||
|
||||
allow cockpit_cert_manage_t self:capability { chown dac_read_search dac_override };
|
||||
allow cockpit_cert_manage_t self:fifo_file rw_inherited_fifo_file_perms;
|
||||
allow cockpit_cert_manage_t self:process setfscreate;
|
||||
allow cockpit_cert_manage_t self:unix_stream_socket { connect create };
|
||||
|
||||
manage_dirs_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
#manage_files_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
create_files_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
write_files_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
setattr_files_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
create_lnk_files_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_runtime_t)
|
||||
|
||||
create_dirs_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_cert_t)
|
||||
delete_dirs_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_cert_t)
|
||||
allow cockpit_cert_manage_t cockpit_cert_t:file relabel_file_perms;
|
||||
filetrans_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_cert_t, dir, "certificate-helper")
|
||||
cockpit_manage_cert_files(cockpit_cert_manage_t)
|
||||
|
||||
corecmd_exec_bin(cockpit_cert_manage_t)
|
||||
corecmd_exec_shell(cockpit_cert_manage_t)
|
||||
|
||||
files_read_etc_files(cockpit_cert_manage_t)
|
||||
files_read_etc_runtime_files(cockpit_cert_manage_t)
|
||||
files_read_usr_files(cockpit_cert_manage_t)
|
||||
|
||||
fs_getattr_tmpfs(cockpit_cert_manage_t)
|
||||
|
||||
kernel_read_system_state(cockpit_cert_manage_t)
|
||||
|
||||
selinux_compute_create_context(cockpit_cert_manage_t)
|
||||
selinux_validate_context(cockpit_cert_manage_t)
|
||||
|
||||
miscfiles_read_all_certs(cockpit_cert_manage_t)
|
||||
miscfiles_read_localization(cockpit_cert_manage_t)
|
||||
|
||||
seutil_read_file_contexts(cockpit_cert_manage_t)
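Review bot: The raw `allow cockpit_ws_t cockpit_cert_t:file unlink;` in the cockpit_ws_t block grants unlink on the file but nothing on the directory holding it, and cockpit_read_cert_files only adds list access, so the delete is still denied unless the parent directory is already cockpit_runtime_t (which cockpit_ws_t manages). The .if file in this commit defines cockpit_delete_cert_files for exactly this case and nothing calls it; replacing the raw allow with `cockpit_delete_cert_files(cockpit_ws_t)` keeps the rule in the interface file, though if the files live in a cockpit_cert_t directory such as /etc/cockpit/ws-certs.d that interface's cockpit_runtime_t directory type is also the wrong one. The cockpit_session_t capability line grants sys_admin while the comment above it ("changes to the actual logged in user") only explains setuid/setgid; either document the specific operation that needs sys_admin or drop it, and the line is missing the space before the closing `}`. The commented-out `#manage_files_pattern(cockpit_cert_manage_t, cockpit_runtime_t, cockpit_runtime_t)` should be deleted now that the narrower create/write/setattr patterns replace it, and the comment "cockpit-session can execute cockpit-agent as the user" above usermanage_read_crack_db is a misplaced duplicate of the one above userdom_spec_domtrans_all_users.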
|
|
@ -1235,6 +1235,11 @@ optional_policy(`
|
|||
clamav_read_config(initrc_t)
|
||||
')
|
||||
|
||||
|
||||
optional_policy(`
|
||||
cockpit_manage_runtime_symlnks(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
courier_read_config(initrc_t)
|
||||
')
|
||||
|
|