From 959c5926888713e417d6fd7bdf111f56743d91a9 Mon Sep 17 00:00:00 2001
From: Vitezslav Crhonek
Date: Tue, 8 Jun 2021 13:13:35 +0200
Subject: [PATCH] Add SELinux subpackage

Signed-off-by: Vitezslav Crhonek
---
 openwsman.fc | 7 ++++
 openwsman.if | 79 +++++++++++++++++++++++++++++++++++++++++++
 openwsman.spec | 81 ++++++++++++++++++++++++++++++++++++++++++++-
 openwsman.te | 74 +++++++++++++++++++++++++++++++++++++++++
 tests/tests-DSP.yml | 37 +++++++++++++++++++++
 5 files changed, 277 insertions(+), 1 deletion(-)
 create mode 100644 openwsman.fc
 create mode 100644 openwsman.if
 create mode 100644 openwsman.te
 create mode 100644 tests/tests-DSP.yml

diff --git a/openwsman.fc b/openwsman.fc
new file mode 100644
index 0000000..00d0643
--- /dev/null
+++ b/openwsman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0)
+
+/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0)
+
+/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0)
+
+/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0)
diff --git a/openwsman.if b/openwsman.if
new file mode 100644
index 0000000..747853a
--- /dev/null
+++ b/openwsman.if
@@ -0,0 +1,79 @@
+## WS-Management Server
+
+########################################
+##
+## Execute openwsman in the openwsman domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openwsman_domtrans',`
+ gen_require(`
+ type openwsman_t, openwsman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, openwsman_exec_t, openwsman_t)
+')
+########################################
+##
+## Execute openwsman server in the openwsman domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`openwsman_systemctl',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 openwsman_unit_file_t:file read_file_perms;
+ allow $1 openwsman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, openwsman_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an openwsman environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`openwsman_admin',`
+ gen_require(`
+ type openwsman_t;
+ type openwsman_unit_file_t;
+ ')
+
+ allow $1 openwsman_t:process { signal_perms };
+ ps_process_pattern($1, openwsman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 openwsman_t:process ptrace;
+ ')
+
+ openwsman_systemctl($1)
+ admin_pattern($1, openwsman_unit_file_t)
+ allow $1 openwsman_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/openwsman.spec b/openwsman.spec
index 5a8c795..4518aad 100644
--- a/openwsman.spec
+++ b/openwsman.spec
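Review bot: `openwsman_admin` only covers `openwsman_unit_file_t`, although the accompanying openwsman.te declares `openwsman_log_t`, `openwsman_run_t`, `openwsman_tmp_t` and `openwsman_tmpfs_t`; an admin domain that calls this interface therefore cannot read, rotate or clean up the daemon's log, pid and temp files, which is what the "all of the rules required to administrate" summary promises. The usual fix is to require those types and add `admin_pattern` for each, together with the matching search interfaces, as sketched below. Two smaller things in the same hunk: the `openwsman_domtrans` summary says "domin" instead of "domain", and the `openwsman_systemctl` summary ("Execute openwsman server in the openwsman domain") describes a domain transition rather than what the interface does — `## Execute systemctl in the caller domain to manage the openwsman service.` would be accurate.
```m4
interface(`openwsman_admin',`
	gen_require(`
		type openwsman_t, openwsman_unit_file_t;
		type openwsman_log_t, openwsman_run_t;
		type openwsman_tmp_t, openwsman_tmpfs_t;
	')

	# … unchanged: signal / ptrace / openwsman_systemctl rules …

	logging_search_logs($1)
	admin_pattern($1, openwsman_log_t)

	files_search_pids($1)
	admin_pattern($1, openwsman_run_t)

	files_search_tmp($1)
	admin_pattern($1, openwsman_tmp_t)
	admin_pattern($1, openwsman_tmpfs_t)

	# … unchanged: unit file, service and passwd agent rules …
')
```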
@@ -1,9 +1,15 @@ # RubyGems's macros expect gem_name to exist. %global gem_name %{name} +# defining macros needed by SELinux +%global with_selinux 1 +%global selinuxtype targeted +%global moduletype contrib +%global modulename openwsman + Name: openwsman Version: 2.7.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Open source Implementation of WS-Management License: BSD @@ -15,6 +21,11 @@ Source1: openwsmand.8.gz Source2: openwsmand.service # script for testing presence of the certificates in ExecStartPre Source3: owsmantestcert.sh +# Source100-102: selinux policy for openwsman, extracted +# from https://github.com/fedora-selinux/selinux-policy +Source100: %{modulename}.te +Source101: %{modulename}.if +Source102: %{modulename}.fc Patch1: openwsman-2.4.0-pamsetup.patch Patch2: openwsman-2.4.12-ruby-binding-build.patch Patch3: openwsman-2.6.2-openssl-1.1-fix.patch @@ -72,6 +83,11 @@ Openwsman Client libraries. License: BSD Summary: Openwsman Server and service libraries Requires: libwsman1 = %{version}-%{release} +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif %description server Openwsman Server and service libraries. @@ -121,6 +137,20 @@ Requires: rubygem-%{gem_name} = %{version}-%{release} This is a command line tool for the Windows Remote Shell protocol. You can use it to send shell commands to a remote Windows hosts. +%if 0%{?with_selinux} +# SELinux subpackage +%package selinux +Summary: openwsman SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +Custom SELinux policy module +%endif + %prep %setup -q 
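Review bot: `%description selinux` reads only "Custom SELinux policy module", which tells a user nothing about which daemon it confines or that it replaces the module shipped by the distribution policy; the comment in the %build hunk ("this policy module will override the production module") is exactly the information that belongs here, e.g. `SELinux policy module for the openwsman daemon (openwsmand). It replaces the openwsman module shipped with the distribution policy.` In the same `%package selinux` stanza, `BuildRequires: selinux-policy-devel` appears to duplicate what `%{?selinux_requires}` already pulls in; if it is kept deliberately (for builds where the macro is undefined) a short comment would save the next reader the check. Also the comment above the rich dependency in the server hunk says "all it’s dependencies"; "its" is meant.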
@@ -164,6 +194,15 @@ export LD_LIBRARY_PATH=%{_builddir}/%{name}-%{version}/build/src/lib/ %gem_install -n ./bindings/ruby/%{name}-%{version}.gem +%if 0%{?with_selinux} +# SELinux policy (originally from selinux-policy-contrib) +# this policy module will override the production module +mkdir selinux +cp -p %{SOURCE100} %{SOURCE101} %{SOURCE102} selinux/ +make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp +bzip2 -9 %{modulename}.pp +%endif + %install cd build @@ -201,6 +240,11 @@ rm -rf %{buildroot}%{gem_instdir}/ext mkdir -p %{buildroot}%{gem_extdir_mri} cp -a ./build%{gem_extdir_mri}/{gem.build_complete,*.so} %{buildroot}%{gem_extdir_mri}/ +%if 0%{?with_selinux} +install -D -m 0644 build/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +install -D -p -m 0644 build/selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/%{name}.if +%endif + %ldconfig_scriptlets -n libwsman1 %post server @@ -217,6 +261,30 @@ rm -f /var/log/wsmand.log %ldconfig_scriptlets client +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +if [ "$1" -le "1" ]; then # First install + # the service needs to be restarted for the custom label to be applied + %systemd_postun_with_restart openwsmand.service +fi + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + %selinux_relabel_post -s %{selinuxtype} + # the service needs to be restarted for the custom label to be removed + %systemd_postun_with_restart openwsmand.service +fi +%endif + %files -n libwsman1 %doc AUTHORS COPYING ChangeLog README.md TODO %{_libdir}/libwsman.so.* 
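Review bot: The install line in the `%install` hunk writes the interface header as `%{_datadir}/selinux/devel/include/%{moduletype}/%{name}.if`, while `%files selinux` in the last spec hunk lists it as `.../%{moduletype}/%{modulename}.if`; the package builds only because `%{modulename}` happens to equal `%{name}`, and the two will silently diverge if either macro is ever changed. Use the same macro in both places, `install -D -p -m 0644 build/selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if`.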
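Review bot: `%post selinux` restarts `openwsmand.service` only on first install (`"$1" -le "1"`), so on an upgrade of the -selinux subpackage the new module is loaded and files are relabelled while an already running daemon keeps the domain it was started in; if a later policy revision changes the rules or the executable's label, that change only takes effect at the next restart, which seems to contradict the comment "the service needs to be restarted for the custom label to be applied". Either restart on upgrade as well — `%systemd_postun_with_restart` already contains its own `$1 -ge 1` guard, so the surrounding `if` can simply be dropped — or extend the comment to say that upgrades deliberately leave the running daemon alone. The `%post` test quotes its arguments (`[ "$1" -le "1" ]`) while `%postun` does not (`[ $1 -eq 0 ]`); one style for both would read better.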
@@ -281,7 +349,18 @@ rm -f /var/log/wsmand.log %files winrs %{_bindir}/winrs +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%endif + %changelog +* Tue Jun 08 2021 Vitezslav Crhonek - 2.7.0-4 +- Incorporate -selinux subpackage + See https://fedoraproject.org/wiki/SELinux/IndependentPolicy + * Fri Jun 04 2021 Python Maint - 2.7.0-3 - Rebuilt for Python 3.10 diff --git a/openwsman.te b/openwsman.te new file mode 100644 index 0000000..3bcd32c --- /dev/null +++ b/openwsman.te 
@@ -0,0 +1,74 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openwsman_t;
+type openwsman_exec_t;
+init_daemon_domain(openwsman_t, openwsman_exec_t)
+
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
+type openwsman_run_t;
+files_pid_file(openwsman_run_t)
+
+type openwsman_unit_file_t;
+systemd_unit_file(openwsman_unit_file_t)
+
+########################################
+#
+# openwsman local policy
+#
+
+allow openwsman_t self:capability setuid;
+
+allow openwsman_t self:process { fork };
+allow openwsman_t self:fifo_file rw_fifo_file_perms;
+allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
+manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
+files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
+
+auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+ sblim_stream_connect_sfcbd(openwsman_t)
+ sblim_rw_semaphores_sfcbd(openwsman_t)
+ sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+ unconfined_domain(openwsman_t)
+')
+
diff --git a/tests/tests-DSP.yml b/tests/tests-DSP.yml
new file mode 100644
index 0000000..ec2c494
--- /dev/null
+++ b/tests/tests-DSP.yml
@@ -0,0 +1,37 @@
+- hosts: localhost
+
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - classic
+ repositories:
+ - repo: https://pagure.io/DSP_test.git
+ dest: DSP_test
+ version: master
+
+ tests:
+ - DSP_test
+ environment:
+ # RPM package containing the policy module
+ TEST_RPM: openwsman-selinux
+ # policy module name
+ TEST_POLICY: openwsman
+ # policy sources will be extracted from corresponding .src.rpm
+ # policy tar filename regexp (e.g. "usbguard-selinux*.tar.gz")
+ # or empty string if policy sources are not inside a tar archive
+ POLICY_TAR: ''
+ # path to policy sources (in of the tar archive) -- //.(te|if|fc)
+ # or path in the src.rpm if there is no tar archive -- //.(te|if|fc)
+ # can contain wildcards (e.g. for versions etc.)
+ POLICY_PATH: .
+
+ required_packages:
+ - policycoreutils
+ - selinux-policy
+ - selinux-policy-targeted
+ - setools-console
+ - libselinux-utils
+ - rpm
+ - tar
+ - git
+ - openwsman-server
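Review bot: The trailing `optional_policy(` unconfined_domain(openwsman_t) ')` block makes `openwsman_t` an unconfined domain whenever the unconfined module is loaded, which is the default for the targeted policy this spec builds against (`%global selinuxtype targeted`); on such systems every allow rule above it is redundant and openwsmand runs effectively unconfined despite having its own domain, and nothing in the file says this is intended. If it is a deliberate transitional step, add a comment stating that and when the block is to be removed; otherwise drop it, or mark the domain `permissive openwsman_t;` while the rule set is being completed so that denials are logged instead of silently allowed. `corenet_tcp_bind_vnc_port(openwsman_t)` also deserves a one-line comment next to `corenet_tcp_bind_http_port`: presumably it is there for the WS-Management listener ports rather than for VNC, but a reader cannot tell from the name.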
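Review bot: `version: master` checks the external `https://pagure.io/DSP_test.git` repository out at a moving branch, so the test code the CI role runs with the package is not pinned to a reviewed revision and a result cannot be reproduced later; pinning `version:` to a commit or tag (and bumping it on purpose) keeps the run reproducible and auditable. The two `POLICY_PATH` comments end in `-- //.(te|if|fc)`, which looks like placeholder names between angle brackets were lost on the way into this file; restoring them (something like `<tar dir>/<module>.(te|if|fc)`) would make the comment readable again.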