Skip to content

Commit

Permalink
Merge pull request #5358 from vpodzime/master-selinux_fixes_10_2023
Browse files Browse the repository at this point in the history
A round of SELinux policy updates and fixes
  • Loading branch information
vpodzime authored Nov 8, 2023
2 parents 2b06566 + ba92b7b commit a2e99c3
Show file tree
Hide file tree
Showing 5 changed files with 49 additions and 8 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -188,4 +188,5 @@ __pycache__
# SELinux policy build artifacts
misc/selinux/cfengine-enterprise.pp
misc/selinux/cfengine-enterprise.if
misc/selinux/cfengine-enterprise.te
misc/selinux/tmp
8 changes: 8 additions & 0 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -1618,6 +1618,13 @@ AC_ARG_WITH(selinux-policy,
[], [with_selinux_policy=no])
AM_CONDITIONAL([WITH_SELINUX], [test "x$with_selinux_policy" != "xno"])

if test "x$with_selinux_policy" != "xno"; then
platform_id=$(sed -r -e '/PLATFORM_ID/!d;s/PLATFORM_ID="platform:(@<:@^"@:>@+)"/\1/' < /etc/os-release)
if test -f ${srcdir}/misc/selinux/cfengine-enterprise.te.$platform_id; then
PLATFORM_SELINUX_POLICIES=cfengine-enterprise.te.$platform_id
AC_SUBST(PLATFORM_SELINUX_POLICIES)
fi
fi

dnl #####################################################################
dnl Hostname and Version stuff
Expand Down Expand Up @@ -1814,6 +1821,7 @@ fi

if test "x$with_selinux_policy" != "xno"; then
AC_MSG_RESULT([-> SELinux policy: enabled])
AC_MSG_RESULT([-> SELinux platform policies: $PLATFORM_SELINUX_POLICIES])
else
AC_MSG_RESULT([-> SELinux policy: disabled])
fi
Expand Down
8 changes: 6 additions & 2 deletions misc/selinux/Makefile.am
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
if WITH_SELINUX
cfengine-enterprise.te: cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES)
cat cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES) > cfengine-enterprise.te

cfengine-enterprise.pp: cfengine-enterprise.te cfengine-enterprise.fc
$(MAKE) -f /usr/share/selinux/devel/Makefile -j1

Expand All @@ -13,6 +16,7 @@ endif

# explicit DISTFILES are required for these files to be part of a 'make dist'
# tarball even without running './configure --with-selinux-policy'
DISTFILES = Makefile.in Makefile.am cfengine-enterprise.te cfengine-enterprise.fc
DISTFILES = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all
DISTFILES += cfengine-enterprise.te.el9

CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if
CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ require {
type proc_t;
type proc_net_t;
type proc_xen_t;
type proc_security_t;
type cfengine_serverd_exec_t;
type http_port_t;
type ldap_port_t;
Expand All @@ -52,6 +53,7 @@ require {
type hugetlbfs_t;
type init_exec_t;
type init_var_run_t;
type ifconfig_t;
type ifconfig_exec_t;
type journalctl_exec_t;
type cfengine_execd_t;
Expand Down Expand Up @@ -153,7 +155,8 @@ require {
class dccp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
class ib_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
class mpls_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
class process { setrlimit transition dyntransition execstack execheap execmem signull siginh getattr };
class process { setrlimit transition dyntransition execstack execheap execmem signull siginh getattr sigchld };
class fd use;
class file { execute execute_no_trans getattr ioctl map open read unlink write entrypoint lock link rename append setattr create relabelfrom relabelto watch watch_reads };
class fifo_file { create open getattr setattr read write append rename link unlink ioctl lock relabelfrom relabelto };
class dir { getattr read search open write add_name remove_name lock ioctl create setattr rmdir };
Expand All @@ -165,6 +168,7 @@ require {
class association { sendto recvfrom setcontext polmatch };
class security setsecparam;
class service { start stop status reload enable disable };
class system { module_request };
class memprotect mmap_zero;
class peer recv;
class chr_file { getattr };
Expand Down Expand Up @@ -237,6 +241,8 @@ allow cfengine_execd_t init_t:unix_stream_socket connectto;
allow cfengine_execd_t journalctl_exec_t:file getattr;
allow cfengine_execd_t ping_exec_t:file getattr;
allow cfengine_execd_t proc_net_t:file { getattr open read };
allow cfengine_execd_t proc_net_t:lnk_file { getattr read };
allow cfengine_execd_t proc_security_t:file { getattr open read };
allow cfengine_execd_t rpm_exec_t:file getattr;
allow cfengine_execd_t rpm_var_lib_t:dir search;
allow cfengine_execd_t rpm_var_lib_t:file open;
Expand Down Expand Up @@ -293,6 +299,8 @@ allow cfengine_monitord_t tty_device_t:chr_file getattr;
allow cfengine_monitord_t user_devpts_t:chr_file getattr;
allow cfengine_monitord_t sysctl_t:dir read;
allow cfengine_monitord_t ssh_exec_t:file getattr;
allow cfengine_monitord_t proc_net_t:file { getattr open read };
allow cfengine_monitord_t proc_security_t:file { getattr open read };

# TODO: this should not be needed
allow cfengine_monitord_t proc_xen_t:dir search;
Expand Down Expand Up @@ -338,6 +346,8 @@ allow cfengine_serverd_t init_t:file { getattr open read };
allow cfengine_serverd_t journalctl_exec_t:file getattr;
allow cfengine_serverd_t ping_exec_t:file getattr;
allow cfengine_serverd_t proc_net_t:file { getattr open read };
allow cfengine_serverd_t proc_net_t:lnk_file { getattr read };
allow cfengine_serverd_t proc_security_t:file { getattr open read };
allow cfengine_serverd_t rpm_exec_t:file getattr;
allow cfengine_serverd_t self:process setrlimit;
allow cfengine_serverd_t self:tcp_socket { accept listen };
Expand Down Expand Up @@ -437,6 +447,8 @@ allow cfengine_hub_t net_conf_t:file { getattr open read };
allow cfengine_hub_t passwd_file_t:file { getattr open read };
allow cfengine_hub_t ping_exec_t:file getattr;
allow cfengine_hub_t proc_net_t:file { getattr open read };
allow cfengine_hub_t proc_net_t:lnk_file { getattr read };
allow cfengine_hub_t proc_security_t:file { getattr open read };
allow cfengine_hub_t proc_t:dir read;
allow cfengine_hub_t rpm_exec_t:file getattr;
allow cfengine_hub_t self:capability { dac_override chown dac_read_search };
Expand Down Expand Up @@ -466,8 +478,13 @@ allow cfengine_hub_t var_t:dir read;
allow cfengine_hub_t ssh_exec_t:file getattr;
allow cfengine_hub_t tmp_t:dir read;

# Use of the TLS kernel module
allow cfengine_hub_t kernel_t:system module_request;

# TODO: these should not be needed
allow cfengine_hub_t ifconfig_exec_t:file { execute execute_no_trans open read getattr map };
# this is a macro invocation, the file has to be processed with
# make -f /usr/share/selinux/devel/Makefile
sysnet_domtrans_ifconfig(cfengine_hub_t)
allow cfengine_hub_t shell_exec_t:file map;
allow cfengine_hub_t shell_exec_t:file { execute execute_no_trans };
allow cfengine_hub_t proc_xen_t:dir search;
Expand Down Expand Up @@ -496,12 +513,14 @@ allow cfengine_postgres_t cfengine_postgres_exec_t:file { ioctl read getattr loc

# TODO: Why are 'map', 'execute' and 'execute_no_trans' needed for postgres?
allow cfengine_postgres_t cfengine_var_lib_t:file map;
allow cfengine_postgres_t cfengine_var_lib_t:file { create execute execute_no_trans getattr link open read rename unlink write };

allow cfengine_postgres_t cfengine_var_lib_t:file { create execute execute_no_trans getattr link open read rename unlink write rename };
allow cfengine_postgres_t cfengine_var_lib_t:lnk_file read;
allow cfengine_postgres_t cfengine_var_lib_t:dir { add_name getattr open create read remove_name search write };

allow cfengine_postgres_t postgresql_port_t:tcp_socket name_bind;

allow cfengine_postgres_t cert_t:dir search;
allow cfengine_postgres_t cert_t:file { getattr open read };
allow cfengine_postgres_t hugetlbfs_t:file map;
allow cfengine_postgres_t hugetlbfs_t:file { read write };
allow cfengine_postgres_t init_t:unix_stream_socket { getattr ioctl read write }; # pg_ctl, systemd, PAM?
Expand All @@ -514,14 +533,15 @@ allow cfengine_postgres_t proc_t:file { getattr open read };
allow cfengine_postgres_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow cfengine_postgres_t self:tcp_socket { bind create listen setopt read write };
allow cfengine_postgres_t self:udp_socket { bind connect create getattr getopt read write };
allow cfengine_postgres_t self:unix_stream_socket connectto;
allow cfengine_postgres_t sssd_public_t:dir search;
allow cfengine_postgres_t sssd_public_t:file map;
allow cfengine_postgres_t sssd_public_t:file { getattr open read };
allow cfengine_postgres_t sssd_var_lib_t:sock_file write;
allow cfengine_postgres_t sssd_var_lib_t:dir search;
allow cfengine_postgres_t sssd_t:unix_stream_socket connectto;
allow cfengine_postgres_t tmp_t:dir { add_name write remove_name };
allow cfengine_postgres_t tmp_t:file { create write unlink };
allow cfengine_postgres_t tmp_t:file { create open write unlink };
allow cfengine_postgres_t tmp_t:sock_file { create setattr unlink write };
allow cfengine_postgres_t tmpfs_t:dir { add_name write remove_name };
allow cfengine_postgres_t tmpfs_t:file { create open read write map unlink getattr };
Expand All @@ -533,7 +553,7 @@ allow cfengine_postgres_t passwd_file_t:file { open read getattr };

# Needed for systemd to be able to check PostgreSQL's PID file
allow init_t cfengine_var_lib_t:dir { read remove_name write };
allow init_t cfengine_var_lib_t:file { getattr open read unlink };
allow init_t cfengine_var_lib_t:file { getattr open read unlink ioctl };

# TODO: these should not be needed
allow cfengine_postgres_t shell_exec_t:file map;
Expand Down
8 changes: 8 additions & 0 deletions misc/selinux/cfengine-enterprise.te.el9
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
require {
type systemd_userdbd_runtime_t;
}

# PAM module for dynamic users
allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search };
allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;

0 comments on commit a2e99c3

Please sign in to comment.