From 9408b0b09e7ba70a0e4a1f1e3e08e1f3dfbdd8c7 Mon Sep 17 00:00:00 2001 From: Michal Ruprich Date: Thu, 28 Jul 2022 13:35:19 +0200 Subject: [PATCH] Packaging SELinux policy for FRR --- frr.fc | 27 ++++++++++ frr.if | 162 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ frr.spec | 70 +++++++++++++++++++++++- frr.te | 114 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 371 insertions(+), 2 deletions(-) create mode 100644 frr.fc create mode 100644 frr.if create mode 100644 frr.te diff --git a/frr.fc b/frr.fc new file mode 100644 index 0000000..c2191df --- /dev/null +++ b/frr.fc @@ -0,0 +1,27 @@ +/usr/libexec/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0) + +/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0) + +/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0) + +/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0) +/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0) + +/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0) + +/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0) + +/var/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0) diff --git a/frr.if b/frr.if new file mode 100644 index 0000000..d96499d --- /dev/null +++ b/frr.if @@ -0,0 +1,162 @@ +## policy for frr + +######################################## +## +## Execute frr_exec_t in the frr domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`frr_domtrans',` + gen_require(` + type frr_t, frr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, frr_exec_t, frr_t) +') + +###################################### +## +## Execute frr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_exec',` + gen_require(` + type frr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, frr_exec_t) +') + +######################################## +## +## Read frr's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`frr_read_log',` + gen_require(` + type frr_log_t; + ') + + read_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Append to frr log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_append_log',` + gen_require(` + type frr_log_t; + ') + + append_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Manage frr log files +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_manage_log',` + gen_require(` + type frr_log_t; + ') + + manage_dirs_pattern($1, frr_log_t, frr_log_t) + manage_files_pattern($1, frr_log_t, frr_log_t) + manage_lnk_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Read frr PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_read_pid_files',` + gen_require(` + type frr_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, frr_var_run_t, frr_var_run_t) +') + +######################################## +## +## All of the rules required to administrate +## an frr environment +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_admin',` + gen_require(` + type frr_t; + type frr_log_t; + type frr_var_run_t; + ') + + allow $1 frr_t:process { signal_perms }; + ps_process_pattern($1, frr_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 frr_t:process ptrace; + ') + + admin_pattern($1, frr_log_t) + + files_search_pids($1) + admin_pattern($1, frr_var_run_t) + optional_policy(` + logging_search_logs($1) + ') + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') diff --git a/frr.spec b/frr.spec index 6b68594..723c93d 100644 --- a/frr.spec +++ b/frr.spec @@ -1,17 +1,23 @@ %global frr_libdir %{_libexecdir}/frr %global _hardened_build 1 +%global selinuxtype targeted %define _legacy_common_support 1 +%bcond_without selinux Name: frr Version: 8.2.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz Source1: %{name}-tmpfiles.conf Source2: %{name}-sysusers.conf +#Decentralized SELinux policy +Source3: frr.fc +Source4: frr.te +Source5: frr.if Patch0000: 0000-remove-babeld-and-ldpd.patch Patch0002: 0002-enable-openssl.patch @@ -58,6 +64,11 @@ Requires(post): hostname Requires(post): systemd Requires(postun): systemd Requires(preun): systemd + +%if 0%{?with_selinux} +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif + Obsoletes: quagga < 1.2.4-17 Provides: routingdaemon = %{version}-%{release} @@ -70,8 +81,25 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP FRRouting is a fork of Quagga. +%if 0%{?with_selinux} +%package selinux +Summary: Selinux policy for FRR +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +SELinux policy modules for FRR package + +%endif + %prep %autosetup -S git +#Selinux +mkdir selinux +cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux %build autoreconf -ivf @@ -106,6 +134,12 @@ autoreconf -ivf # Build info documentation %make_build -C doc info +#SELinux policy +%if 0%{?with_selinux} +make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp +bzip2 -9 selinux/%{name}.pp +%endif + %install mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \ @@ -132,6 +166,12 @@ install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fr install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr install -d -m 775 %{buildroot}/run/frr +%if 0%{?with_selinux} +install -D -m 644 selinux/%{name}.pp.bz2 \ + %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if +%endif + # Delete libtool archives find %{buildroot} -type f -name "*.la" -delete -print @@ -142,7 +182,6 @@ rm -r %{buildroot}%{_includedir}/frr/ %pre %sysusers_create_compat %{SOURCE2} - %post %systemd_post frr.service @@ -166,6 +205,23 @@ fi %preun %systemd_preun frr.service +#SELinux +%if 0%{?with_selinux} +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} + %selinux_relabel_post -s %{selinuxtype} +fi + +%endif + %check #this should be temporary, the grpc test is just badly designed rm tests/lib/*grpc* @@ -195,7 +251,17 @@ rm tests/lib/*grpc* %{_tmpfilesdir}/%{name}.conf %{_sysusersdir}/%{name}.conf +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{name}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%endif + %changelog +* Wed Jun 15 2022 Michal Ruprich - 8.2.2-5 +- Packaging SELinux policy for FRR + * Thu Jul 21 2022 Fedora Release Engineering - 8.2.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild diff --git a/frr.te b/frr.te new file mode 100644 index 0000000..307d363 --- /dev/null +++ b/frr.te @@ -0,0 +1,114 @@ +policy_module(frr, 1.0.0) + +######################################## +# +# Declarations +# + +type frr_t; +type frr_exec_t; +init_daemon_domain(frr_t, frr_exec_t) + +type frr_log_t; +logging_log_file(frr_log_t) + +type frr_tmp_t; +files_tmp_file(frr_tmp_t) + +type frr_lock_t; +files_lock_file(frr_lock_t) + +type frr_conf_t; +files_config_file(frr_conf_t) + +type frr_unit_file_t; +systemd_unit_file(frr_unit_file_t) + +type frr_var_run_t; +files_pid_file(frr_var_run_t) + +######################################## +# +# frr local policy +# +allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid }; +allow frr_t self:netlink_route_socket rw_netlink_socket_perms; +allow frr_t self:packet_socket create; +allow frr_t self:process { setcap setpgid }; +allow frr_t self:rawip_socket create_socket_perms; +allow frr_t self:tcp_socket { connect connected_stream_socket_perms }; +allow frr_t self:udp_socket create_socket_perms; +allow frr_t self:unix_stream_socket connectto; + +allow frr_t frr_conf_t:dir list_dir_perms; +manage_files_pattern(frr_t, frr_conf_t, frr_conf_t) +read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t) + +manage_dirs_pattern(frr_t, frr_log_t, frr_log_t) +manage_files_pattern(frr_t, frr_log_t, frr_log_t) +manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t) +logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file }) + +allow frr_t frr_tmp_t:file map; +manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t) +manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t) +files_tmp_filetrans(frr_t, frr_tmp_t, { file dir }) + +manage_files_pattern(frr_t, frr_lock_t, frr_lock_t) +manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t) +files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file }) + +manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file }) + +allow frr_t frr_exec_t:dir search_dir_perms; +can_exec(frr_t, frr_exec_t) + +kernel_read_network_state(frr_t) +kernel_read_net_sysctls(frr_t) +kernel_read_system_state(frr_t) + +auth_use_nsswitch(frr_t) + +corecmd_exec_bin(frr_t) + +corenet_tcp_bind_appswitch_emp_port(frr_t) +corenet_udp_bind_bfd_control_port(frr_t) +corenet_udp_bind_bfd_echo_port(frr_t) +corenet_udp_bind_bfd_multi_port(frr_t) +corenet_tcp_bind_bgp_port(frr_t) +corenet_tcp_bind_cmadmin_port(frr_t) +corenet_udp_bind_cmadmin_port(frr_t) +corenet_tcp_bind_firepower_port(frr_t) +corenet_tcp_bind_priority_e_com_port(frr_t) +corenet_udp_bind_router_port(frr_t) +corenet_tcp_bind_qpasa_agent_port(frr_t) +corenet_tcp_bind_smntubootstrap_port(frr_t) +corenet_tcp_bind_versa_tek_port(frr_t) +corenet_tcp_bind_zebra_port(frr_t) + +domain_use_interactive_fds(frr_t) + +fs_read_nsfs_files(frr_t) + +sysnet_exec_ifconfig(frr_t) + +userdom_read_admin_home_files(frr_t) + +optional_policy(` + logging_send_syslog_msg(frr_t) +') + +optional_policy(` + modutils_exec_kmod(frr_t) + modutils_getattr_module_deps(frr_t) + modutils_read_module_config(frr_t) + modutils_read_module_deps_files(frr_t) +') + +optional_policy(` + networkmanager_read_state(frr_t) +')