Add keylime-selinux policy

Update .spec file to build keylime-selinux subpackage. Resolves: rhbz#2121058
2022-08-17 15:29:29 +02:00 · 2022-08-17 15:29:29 +02:00 · 97e752b0b6
commit 97e752b0b6
parent 3fa30ae884
4 changed files with 283 additions and 2 deletions
--- a/keylime.fc
+++ b/keylime.fc
@ -0,0 +1,24 @@
+/usr/bin/keylime_agent		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/bin/keylime_ima_emulator		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/bin/keylime_userdata_encrypt		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+
+/usr/bin/keylime_ca		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_migrations_apply		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_registrar		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_verifier		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/bin/keylime_tenant		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+
+/usr/local/bin/keylime_agent		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/local/bin/keylime_ima_emulator		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+/usr/local/bin/keylime_userdata_encrypt		--	gen_context(system_u:object_r:keylime_agent_exec_t,s0)
+
+/usr/local/bin/keylime_ca		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_migrations_apply		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_registrar		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_verifier		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+/usr/local/bin/keylime_tenant		--	gen_context(system_u:object_r:keylime_server_exec_t,s0)
+
+/var/lib/keylime(/.*)?		gen_context(system_u:object_r:keylime_var_lib_t,s0)
+/var/lib/keylime-agent(/.*)?		gen_context(system_u:object_r:keylime_var_lib_t,s0)
+
+/var/log/keylime(/.*)?		gen_context(system_u:object_r:keylime_log_t,s0)
--- a/keylime.if
+++ b/keylime.if
@ -0,0 +1,37 @@
+## <summary>policy for keylime</summary>
+
+########################################
+## <summary>
+##      Add to specified type to keylime_type attribute .
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used for keylime domains.
+##      </summary>
+## </param>
+#
+interface(`keylime_use_keylime_domain',`
+        gen_require(`
+                attribute keylime_domain;
+        ')
+
+        typeattribute $1 keylime_domain;
+')
+
+########################################
+## <summary>
+##      Mounton keylime lib directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`keylime_mounton_var_lib',`
+        gen_require(`
+                type keylime_var_lib_t;
+        ')
+
+        allow $1 keylime_var_lib_t:dir mounton;
+')
--- a/keylime.spec
+++ b/keylime.spec
@ -1,4 +1,6 @@
 %global srcname keylime
+%global with_selinux 1
+%global selinuxtype targeted

 # Package is actually noarch, but it has an optional dependency that is
 # arch-specific.
@ -6,12 +8,17 @@

 Name:    keylime
 Version: 6.4.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

 URL:            https://github.com/keylime/keylime
 Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
 Source1:        %{srcname}.sysusers
+%if 0%{?with_selinux}
+Source2:        %{srcname}.te
+Source3:        %{srcname}.if
+Source4:        %{srcname}.fc
+%endif

 License: ASL 2.0 and MIT

@ -48,6 +55,12 @@ Requires: procps-ng
 Requires: tpm2-tss
 Requires: tpm2-tools

+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Requires:       (%{srcname}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %ifarch %efi
 Requires: efivar-libs
 %endif
@ -73,7 +86,6 @@ Requires: python3-requests
 Requires: python3-gpg
 Requires: python3-lark-parser

-
 %description -n python3-%{srcname}
 The python3-keylime module implements the functionality used
 by Keylime components.
@ -100,6 +112,20 @@ Requires: python3-%{srcname} = %{version}-%{release}
 The Keylime Registrar is a database of all agents registered
 with Keylime and hosts the public keys of the TPM vendors.

+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary:             keylime SELinux policy
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+BuildRequires:       selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
 %package tenant
 Summary: The Python Keylime Tenant
 License: MIT
@ -114,6 +140,18 @@ The Keylime Tenant can be used to provision a Keylime Agent.
 %prep
 %autosetup -S git -n %{srcname}-%{version}

+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+cp -p %{SOURCE2} selinux/
+cp -p %{SOURCE3} selinux/
+cp -p %{SOURCE4} selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
+bzip2 -9 %{srcname}.pp
+%endif
+
 %build
 %py3_build

@ -147,6 +185,11 @@ sed -e 's/^run_as[[:space:]]*=.*/run_as = keylime:keylime/g' -i %{srcname}.conf
 # Using sha256 for tpm_hash_alg.
 sed -e 's/^tpm_hash_alg[[:space:]]*=.*/tpm_hash_alg = sha256/g' -i %{srcname}.conf

+%if 0%{?with_selinux}
+install -D -m 0644 %{srcname}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+install -D -p -m 0644 selinux/%{srcname}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%endif
+
 install -Dpm 600 %{srcname}.conf \
    %{buildroot}%{_sysconfdir}/%{srcname}.conf

@ -197,6 +240,34 @@ exit 0
 %postun registrar
 %systemd_postun_with_restart %{srcname}_registrar.service

+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+    # The services need to be restarted for the custom label to be
+    # applied in case they where already present in the system,
+    # restart fails silently in case they where not.
+    for svc in agent registrar verifier; do
+        [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
+            %systemd_postun_with_restart "%{srcname}_${svc}".service
+    done
+fi
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{srcname}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
 %files verifier
 %license LICENSE
 %{_bindir}/%{srcname}_verifier
@ -209,6 +280,13 @@ exit 0
 %{_bindir}/%{srcname}_registrar
 %{_unitdir}/keylime_registrar.service

+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{srcname}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{srcname}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{srcname}
+%endif
+
 %files tenant
 %license LICENSE
 %{_bindir}/%{srcname}_tenant
@ -232,6 +310,11 @@ exit 0
 %license LICENSE

 %changelog
+* Wed Aug 17 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-3
+- Add keylime-selinux policy as subpackage
+- See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+- Resolves: rhbz#2121058
+
 * Mon Jul 11 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-2
 - Fix efivar-libs dependency
  Related: rhbz#2082989
--- a/keylime.te
+++ b/keylime.te
@ -0,0 +1,137 @@
+policy_module(keylime, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute keylime_domain;
+
+type keylime_agent_t;
+keylime_use_keylime_domain(keylime_agent_t)
+type keylime_agent_exec_t;
+init_daemon_domain(keylime_agent_t, keylime_agent_exec_t)
+
+type keylime_server_t;
+keylime_use_keylime_domain(keylime_server_t)
+type keylime_server_exec_t;
+init_daemon_domain(keylime_server_t, keylime_server_exec_t)
+
+type keylime_log_t;
+logging_log_file(keylime_log_t)
+
+type keylime_var_lib_t;
+files_type(keylime_var_lib_t)
+
+type keylime_tmp_t;
+files_tmp_file(keylime_tmp_t)
+
+########################################
+#
+# keylime domain policy
+#
+
+allow keylime_domain self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
+manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
+files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file })
+
+manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
+manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
+files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file })
+
+corecmd_exec_bin(keylime_domain)
+
+corenet_tcp_bind_generic_node(keylime_domain)
+corenet_tcp_bind_all_ports(keylime_domain)
+corenet_tcp_connect_all_unreserved_ports(keylime_domain)
+
+dev_read_sysfs(keylime_domain)
+
+fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file })
+
+init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")
+
+miscfiles_read_generic_certs(keylime_domain)
+
+sysnet_read_config(keylime_domain)
+
+
+########################################
+#
+# keylime server policy
+#
+
+allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read };
+allow keylime_server_t self:udp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
+manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
+
+fs_rw_inherited_tmpfs_files(keylime_server_t)
+
+optional_policy(`
+        gpg_exec(keylime_server_t)
+')
+
+optional_policy(`
+        kerberos_read_config(keylime_server_t)
+        kerberos_read_keytab(keylime_server_t)
+')
+
+optional_policy(`
+        sssd_run_stream_connect(keylime_server_t)
+')
+
+
+########################################
+#
+# keylime agent policy
+#
+#work with /var/lib/keylime/secure
+allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
+allow keylime_agent_t self:chr_file getattr;
+
+#FIX ME, add to tabrmd policy interface related with this
+allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001
+
+dev_rw_tpm(keylime_agent_t)
+
+exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t)
+files_read_var_lib_files(keylime_agent_t)
+
+fs_dontaudit_search_cgroup_dirs(keylime_agent_t)
+fs_getattr_cgroup(keylime_agent_t)
+fs_mount_tmpfs(keylime_agent_t)
+fs_setattr_tmpfs_dirs(keylime_agent_t)
+
+init_dontaudit_stream_connect(keylime_agent_t)
+
+kernel_read_all_proc(keylime_agent_t)
+
+userdom_dontaudit_search_user_home_dirs(keylime_agent_t)
+userdom_read_user_tmp_files(keylime_agent_t)
+
+auth_read_passwd(keylime_agent_t)
+
+keylime_mounton_var_lib(keylime_agent_t)
+
+mount_domtrans(keylime_agent_t)
+
+selinux_read_policy(keylime_agent_t)
+
+optional_policy(`
+        #FIX ME, add to tabrmd policy interface related with this
+        #https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux
+        dbus_chat_system_bus(keylime_agent_t)
+')
+
+optional_policy(`
+        dbus_stream_connect_system_dbusd(keylime_agent_t)
+        dbus_system_bus_client(keylime_agent_t)
+')
+
+optional_policy(`
+        systemd_userdbd_stream_connect(keylime_agent_t)
+')