Red Hat Bugzilla – Attachment 919929 Details for
Bug 1110758
SELinux prevents cockpit from working on Fedora 21
[patch]
Initial try at updating cockpit rawhide selinux policy
0001-Update-cockpit-selinux-policy.patch (text/plain), 9.18 KB, created by
Stef Walter
on 2014-07-22 13:24:48 UTC
Description:
Initial try at updating cockpit rawhide selinux policy
Filename:
MIME Type:
Creator:
Stef Walter
Created:
2014-07-22 13:24:48 UTC
Size:
9.18 KB
patch
obsolete
>From bdf2bd92b7956556b4e4d7a020c1cae59c07e290 Mon Sep 17 00:00:00 2001
>From: Stef Walter <stefw@redhat.com>
>Date: Tue, 22 Jul 2014 15:18:11 +0200
>Subject: [PATCH] Update cockpit selinux policy
>
> * Run various cockpit components in correct context
> * Run cockpit-agent as a login session, unconfined
> * Tighten up permissions for network facing cockpit-ws
>---
> cockpit.fc | 15 +++++---
> cockpit.if | 70 +++++++++++++++++++------------------
> cockpit.te | 116 ++++++++++++++++++++++++++++++-------------------------------
> 3 files changed, 105 insertions(+), 96 deletions(-)
>
>diff --git a/cockpit.fc b/cockpit.fc
>index ee6e817..f341f59 100644
>--- a/cockpit.fc
>+++ b/cockpit.fc
>@@ -1,9 +1,16 @@
>-/usr/lib/systemd/system/cockpit.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
>+# cockpit stuff
>
>-/usr/lib/systemd/system/cockpit.socket -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
>+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
>+/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
>
>-/usr/lib/systemd/system/cockpitd.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
>+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
>
>-/usr/libexec/cockpitd -- gen_context(system_u:object_r:cockpit_exec_t,s0)
>+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
>+
>+/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
>
> /var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
>+
>+# test-server stuff
>+
>+/usr/share/cockpit-test-assets/test-server -- gen_context(system_u:object_r:unconfined_exec_t,s0)
>diff --git a/cockpit.if b/cockpit.if
>index 25e3237..573dcae 100644
>--- a/cockpit.if
>+++ b/cockpit.if
>@@ -1,4 +1,3 @@
>-
> ## <summary>policy for cockpit</summary>
>
> ########################################
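Review bot: The `# test-server stuff` entry labels `/usr/share/cockpit-test-assets/test-server` as `unconfined_exec_t`, which places an unconfined entry point into the same file-context module that ships the production cockpit contexts; that entry belongs in a test-only module, or at minimum needs a comment stating why it must be installed with the real policy. The `/usr/libexec/cockpit-agent -- ... shell_exec_t` line reuses a shared base-policy type instead of a cockpit-owned one, so any domain already permitted to execute shells can execute the agent; presumably this is what makes the per-user transition in cockpit.te apply, and a comment such as `# labeled shell_exec_t so the user-domain transition rules apply to cockpit-agent` would record that intent. The cockpit.if hunk on the same line is whitespace only.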
>@@ -11,13 +10,32 @@
> ## </summary>
> ## </param>
> #
>-interface(`cockpit_domtrans',`
>+interface(`cockpit_ws_domtrans',`
>+ gen_require(`
>+ type cockpit_ws_t, cockpit_ws_exec_t;
>+ ')
>+
>+ corecmd_search_bin($1)
>+ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
>+')
>+
>+########################################
>+## <summary>
>+## Execute TEMPLATE in the cockpit domin.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed to transition.
>+## </summary>
>+## </param>
>+#
>+interface(`cockpit_session_domtrans',`
> gen_require(`
>- type cockpit_t, cockpit_exec_t;
>+ type cockpit_session_t, cockpit_session_exec_t;
> ')
>
> corecmd_search_bin($1)
>- domtrans_pattern($1, cockpit_exec_t, cockpit_t)
>+ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
> ')
>
> ########################################
>@@ -108,7 +126,7 @@ interface(`cockpit_manage_lib_dirs',`
> #
> interface(`cockpit_systemctl',`
> gen_require(`
>- type cockpit_t;
>+ type cockpit_ws_t;
> type cockpit_unit_file_t;
> ')
>
>@@ -117,33 +135,12 @@ interface(`cockpit_systemctl',`
> allow $1 cockpit_unit_file_t:file read_file_perms;
> allow $1 cockpit_unit_file_t:service manage_service_perms;
>
>- ps_process_pattern($1, cockpit_t)
>+ ps_process_pattern($1, cockpit_ws_t)
> ')
>
>
> ########################################
> ## <summary>
>-## Send and receive messages from
>-## cockpit over dbus.
>-## </summary>
>-## <param name="domain">
>-## <summary>
>-## Domain allowed access.
>-## </summary>
>-## </param>
>-#
>-interface(`cockpit_dbus_chat',`
>- gen_require(`
>- type cockpit_t;
>- class dbus send_msg;
>- ')
>-
>- allow $1 cockpit_t:dbus send_msg;
>- allow cockpit_t $1:dbus send_msg;
>-')
>-
>-########################################
>-## <summary>
> ## All of the rules required to administrate
> ## an cockpit environment
> ## </summary>
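Review bot: The documentation block added for `cockpit_session_domtrans` still carries template text, `## Execute TEMPLATE in the cockpit domin.`, so the generated interface reference will describe nothing useful; it should read `## Execute cockpit-session in the cockpit_session_t domain.` The summary that now sits above `cockpit_ws_domtrans` starts before this hunk and was written for the old `cockpit_domtrans`, so it is worth confirming it names cockpit-ws rather than the removed single daemon. Removing the old `cockpit_dbus_chat` interface is a public API change for any other module that called it; the commit message does not mention it, and a line there, or in the 1.0.0 module version, would save consumers a link-time surprise.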
>@@ -161,17 +158,22 @@ interface(`cockpit_dbus_chat',`
> #
> interface(`cockpit_admin',`
> gen_require(`
>- type cockpit_t;
>+ type cockpit_ws_t;
>+ type cockpit_session_t;
> type cockpit_var_lib_t;
>- type cockpit_unit_file_t;
>+ type cockpit_unit_file_t;
> ')
>
>- allow $1 cockpit_t:process { signal_perms };
>- ps_process_pattern($1, cockpit_t)
>+ allow $1 cockpit_ws_t:process { signal_perms };
>+ ps_process_pattern($1, cockpit_ws_t)
>
>- tunable_policy(`deny_ptrace',`',`
>- allow $1 cockpit_t:process ptrace;
>- ')
>+ allow $1 cockpit_session_t:process { signal_perms };
>+ ps_process_pattern($1, cockpit_session_t)
>+
>+ tunable_policy(`deny_ptrace',`',`
>+ allow $1 cockpit_ws_t:process ptrace;
>+ allow $1 cockpit_session_t:process ptrace;
>+ ')
>
> files_search_var_lib($1)
> admin_pattern($1, cockpit_var_lib_t)
>diff --git a/cockpit.te b/cockpit.te
>index 589262d..87813fa 100644
>--- a/cockpit.te
>+++ b/cockpit.te
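Review bot: The `cockpit_admin` hunk contains two removed/added pairs whose text is identical in this view, `type cockpit_unit_file_t;` and `tunable_policy(`deny_ptrace',`',``, which suggests whitespace-only rewrites (likely tab/space changes) mixed into the functional change of adding `cockpit_session_t`; keeping those out of the hunk, or moving them to a separate whitespace commit, would make the new ptrace and signal grants for the session domain easier to audit. The rest of the hunk is consistent with the new two-domain split.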
>@@ -5,91 +5,91 @@ policy_module(cockpit, 1.0.0)
> # Declarations
> #
>
>-type cockpit_t;
>-type cockpit_exec_t;
>-init_daemon_domain(cockpit_t, cockpit_exec_t)
>+type cockpit_ws_t;
>+type cockpit_ws_exec_t;
>+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
>
> type cockpit_var_lib_t;
> files_type(cockpit_var_lib_t)
>
>+type cockpit_tmp_t;
>+files_tmp_file(cockpit_tmp_t)
>+
> type cockpit_unit_file_t;
> systemd_unit_file(cockpit_unit_file_t)
>
>+type cockpit_session_t;
>+type cockpit_session_exec_t;
>+domain_type(cockpit_session_t)
>+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
>+
> ########################################
> #
>-# cockpit local policy
>+# cockpit_ws_t local policy
> #
>-allow cockpit_t self:capability net_admin;
>-allow cockpit_t self:fifo_file rw_fifo_file_perms;
>-allow cockpit_t self:unix_stream_socket create_stream_socket_perms;
>-allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms;
>-allow cockpit_t self:unix_dgram_socket create_socket_perms;
>
>-manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
>-manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
>-manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
>-files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file })
>+allow cockpit_ws_t self:capability net_admin;
>+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
>+
>+# cockpit-ws can read from /var/lib/cockpit, but not write to it
>+cockpit_read_lib_files(cockpit_ws_t)
>+
>+# cockpit-ws can execute cockpit-session
>+can_exec(cockpit_ws_t,cockpit_session_exec_t)
>
>-kernel_read_system_state(cockpit_t)
>-kernel_read_network_state(cockpit_t)
>+# cockpit-ws can read from /dev/urandom
>+dev_read_urand(cockpit_ws_t) # for authkey
>+dev_read_rand(cockpit_ws_t) # for libssh
>
>-corecmd_exec_bin(cockpit_t)
>-corecmd_exec_shell(cockpit_t)
>+# cockpit-ws can read from the cockpit port
>+# TODO: disable this until we have it in our f20 selinux-policy-targeted
>+# corenet_tcp_bind_cockpit_port(cockpit_ws_t)
>+allow cockpit_ws_t init_t:tcp_socket accept;
>+corenet_tcp_bind_all_reserved_ports(cockpit_ws_t)
>
>-corenet_tcp_bind_cockpit_port(cockpit_t)
>+# cockpit-ws can connect to other hosts via ssh
>+corenet_tcp_connect_ssh_port(cockpit_ws_t)
>
>-dev_read_sysfs(cockpit_t)
>+# cockpit-ws can write to its temp files
>+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
>+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
>+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
>
>-domain_use_interactive_fds(cockpit_t)
>-domain_read_all_domains_state(cockpit_t)
>+auth_use_nsswitch(cockpit_ws_t)
>
>-files_read_etc_files(cockpit_t)
>-files_list_tmp(cockpit_t)
>+logging_send_syslog_msg(cockpit_ws_t)
>
>-fs_read_tmpfs_symlinks(cockpit_t)
>-fs_list_cgroup_dirs(cockpit_t)
>-fs_read_cgroup_files(cockpit_t)
>-fs_getattr_all_fs(cockpit_t)
>+# cockpit-ws launches cockpit-session
>+cockpit_session_domtrans(cockpit_ws_t)
>+allow cockpit_ws_t cockpit_session_t:process signal_perms;
>
>-auth_use_nsswitch(cockpit_t)
>+# cockpit-session communicates back with cockpit-ws
>+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
>
>-init_dbus_chat(cockpit_t)
>-init_status(cockpit_t)
>-init_read_state(cockpit_t)
>-init_list_pid_dirs(cockpit_t)
>+optional_policy(`
>+ ssh_read_user_home_files(cockpit_ws_t)
>+')
>
>-logging_send_syslog_msg(cockpit_t)
>+#########################################################
>+#
>+# cockpit-session local policy
>+#
>
>-miscfiles_read_localization(cockpit_t)
>+# cockpit-session changes to the actual logged in user
>+allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid };
>+allow cockpit_session_t self:process { setexec setsched signal_perms };
>
>-systemd_status_all_unit_files(cockpit_t)
>-systemd_read_logind_sessions_files(cockpit_t)
>+# cockpit-session runs a full pam stack, including pam_selinux.so
>+auth_login_pgm_domain(cockpit_session_t)
>+auth_write_login_records(cockpit_session_t);
>
>-udev_read_pid_files(cockpit_t)
>+# cockpit-session can execute cockpit-agent as the user
>+userdom_spec_domtrans_all_users(cockpit_session_t)
>
> optional_policy(`
>- dbus_system_bus_client(cockpit_t)
>- dbus_connect_system_bus(cockpit_t)
>-
>- optional_policy(`
>- accountsd_dbus_chat(cockpit_t)
>- ')
>-
>- optional_policy(`
>- devicekit_dbus_chat_disk(cockpit_t)
>- devicekit_dbus_chat_power(cockpit_t)
>- ')
>-
>- optional_policy(`
>- networkmanager_dbus_chat(cockpit_t)
>- networkmanager_stream_connect(cockpit_t)
>- ')
>-
>- optional_policy(`
>- realmd_dbus_chat(cockpit_t)
>- ')
>+ userdom_signal_all_users(cockpit_session_t)
> ')
>
> optional_policy(`
>- docker_stream_connect(cockpit_t)
>+ unconfined_domtrans(cockpit_session_t)
> ')
>--
>1.9.3
>
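Review bot: The grant `allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid };` is only explained by the comment "changes to the actual logged in user", which accounts for setuid/setgid but not for sys_admin or dac_override, both of which are broad; each should either be tied to a named operation in a comment (or a `dontaudit` if the program merely probes for it) or dropped. `auth_write_login_records(cockpit_session_t);` carries a trailing `;` that no other interface call in the file has, and after m4 expansion that stray `;` may be rejected by the policy compiler, so it should be removed. `allow cockpit_ws_t init_t:tcp_socket accept;` names `init_t` directly in the .te rather than going through an init interface or a `gen_require` block, which departs from the refpolicy module convention and, if `init_t` is not otherwise required, may fail at module build time. `corenet_tcp_bind_all_reserved_ports(cockpit_ws_t)` lets the network-facing daemon bind any reserved port, which contradicts the commit message's "tighten up permissions" claim; the TODO above it should record where the `corenet_tcp_bind_cockpit_port` replacement is tracked so this does not outlive the f20 workaround. The hunk ends with `unconfined_domtrans(cockpit_session_t)` inside `optional_policy`, consistent with the commit message, but a short comment there naming which binary runs unconfined would help later audits.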