Implement cobblerd policy.

My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t.

Whilst I was at it, I decided to implement a cobbler_etc_t for cobbler content in /etc. This is because you cannot admin a cobbler environment without having access to cobbler config files and I don't want to give cobbler_admin access to manage etc_t.

As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral.

Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
This commit is contained in:
Dominick Grift 2010-01-05 16:26:14 +01:00 committed by Chris PeBenito
parent e526fca176
commit 1031ee6f6a
18 changed files with 546 additions and 2 deletions


@ -84,6 +84,7 @@ network_port(certmaster, tcp,51235,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
network_port(cobbler, tcp,25151,s0)
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)


@ -1502,6 +1502,24 @@ interface(`files_dontaudit_getattr_boot_dirs',`
dontaudit $1 boot_t:dir getattr;
')
########################################
## <summary>
## List the /boot directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_list_boot',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir list_dir_perms;
')
########################################
## <summary>
## Search the /boot directory.


@ -756,6 +756,27 @@ interface(`apache_domtrans_rotatelogs',`
domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
')
########################################
## <summary>
## Allow the specified domain to list
## apache system content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_list_sys_content',`
gen_require(`
type httpd_sys_content_t;
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
files_search_var($1)
')
########################################
## <summary>
## Allow the specified domain to manage


@ -450,6 +450,10 @@ optional_policy(`
calamaris_read_www_files(httpd_t)
')
optional_policy(`
cobbler_search_var_lib(httpd_t)
')
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')


@ -1,5 +1,24 @@
## <summary>Berkeley internet name domain DNS server.</summary>
########################################
## <summary>
## Execute bind server in the bind domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
#
interface(`bind_initrc_domtrans',`
gen_require(`
type named_initrc_exec_t;
')
init_labeled_script_domtrans($1, named_initrc_exec_t)
')
########################################
## <summary>
## Execute ndc in the ndc domain.
@ -190,6 +209,25 @@ interface(`bind_manage_config_dirs',`
manage_dirs_pattern($1, named_conf_t, named_conf_t)
')
########################################
## <summary>
## Manage BIND zone files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bind_manage_zone',`
gen_require(`
type named_zone_t;
')
files_search_var($1)
manage_files_pattern($1, named_zone_t, named_zone_t)
')
########################################
## <summary>
## Search the BIND cache directory.
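Review bot: The documentation header of bind_initrc_domtrans ends with two consecutive bare `#` lines (after the closing `</param>`), whereas every other interface in this commit closes its header with a single `#`; drop one so the block matches the refpolicy doc-extraction convention. Separately, bind_manage_zone grants manage_files_pattern on named_zone_t but nothing on directories, so a caller that has to create a zone subdirectory would still be denied; if that is intended the summary could say so, e.g. `## Manage BIND zone files (not zone directories).`. The rest of bind.if lies outside these hunks.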


@ -0,0 +1,7 @@
/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)


@ -0,0 +1,183 @@
## <summary>Cobbler installation server.</summary>
## <desc>
## <p>
## Cobbler is a Linux installation server that allows for
## rapid setup of network installation environments. It
## glues together and automates many associated Linux
## tasks so you do not have to hop between lots of various
## commands and applications when rolling out new systems,
## and, in some cases, changing existing ones.
## </p>
## </desc>
########################################
## <summary>
## Read Cobbler content in /etc
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cobbler_read_config',`
gen_require(`
type cobbler_etc_t;
')
read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
files_search_etc($1)
')
########################################
## <summary>
## Do not audit attempts to read and write
## Cobbler log files (leaked fd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cobbler_dontaudit_rw_log',`
gen_require(`
type cobbler_var_log_t;
')
dontaudit $1 cobbler_var_log_t:file rw_file_perms;
')
########################################
## <summary>
## Read cobbler files in /var/lib
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cobbler_read_var_lib_files',`
gen_require(`
type cobbler_var_lib_t;
')
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Manage cobbler files in /var/lib
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cobbler_manage_var_lib_files',`
gen_require(`
type cobbler_var_lib_t;
')
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Search cobbler dirs in /var/lib
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cobbler_search_var_lib',`
gen_require(`
type cobbler_var_lib_t;
')
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Execute a domain transition to run cobblerd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`cobblerd_domtrans',`
gen_require(`
type cobblerd_t, cobblerd_exec_t;
')
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
')
########################################
## <summary>
## Execute cobblerd server in the cobblerd domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`cobblerd_initrc_domtrans',`
gen_require(`
type cobblerd_initrc_exec_t;
')
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an cobblerd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
type cobbler_etc_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, cobblerd_t, cobblerd_t)
files_search_etc($1)
admin_pattern($1, cobbler_etc_t)
files_list_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
files_search_var_log($1)
admin_pattern($1, cobbler_var_log_t)
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
allow $2 system_r;
')
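Review bot: cobblerd_admin's role_transition references cobblerd_initrc_exec_t directly, but its gen_require lists only cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t and cobbler_etc_t; the nested cobblerd_initrc_domtrans($1) call presumably pulls the type into scope, yet the convention is that an interface requires every type it names itself, so add `type cobblerd_initrc_exec_t;` to the gen_require block rather than depending on that call. In cobbler_read_config the read_files_pattern call carries a trailing `;` that no other pattern call in this file has; the macro expansion already supplies the terminating semicolon, so the line should be `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)`. Also note that cobbler_read_config gives search but not list on the cobbler_etc_t directory, so a caller that enumerates /etc/cobbler will still be denied; worth stating in the summary if that is deliberate.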


@ -0,0 +1,124 @@
policy_module(cobbler, 1.0.0)
########################################
#
# Cobbler personal declarations.
#
## <desc>
## <p>
## Allow Cobbler to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(cobbler_anon_write, false)
type cobblerd_t;
type cobblerd_exec_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)
type cobbler_etc_t;
files_config_file(cobbler_etc_t)
type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)
type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)
########################################
#
# Cobbler personal policy.
#
allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)
corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_sendrecv_cobbler_server_packets(cobblerd_t)
corenet_tcp_bind_cobbler_port(cobblerd_t)
corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
dev_read_urand(cobblerd_t)
files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
kernel_read_system_state(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
sysnet_read_config(cobblerd_t)
sysnet_rw_dhcp_config(cobblerd_t)
sysnet_write_config(cobblerd_t)
tunable_policy(`cobbler_anon_write',`
miscfiles_manage_public_files(cobblerd_t)
')
optional_policy(`
apache_list_sys_content(cobblerd_t)
')
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
bind_domtrans_ndc(cobblerd_t)
bind_domtrans(cobblerd_t)
bind_initrc_domtrans(cobblerd_t)
bind_manage_zone(cobblerd_t)
')
optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
')
optional_policy(`
dnsmasq_domtrans(cobblerd_t)
dnsmasq_initrc_domtrans(cobblerd_t)
dnsmasq_write_config(cobblerd_t)
')
optional_policy(`
rpm_exec(cobblerd_t)
')
optional_policy(`
rsync_read_config(cobblerd_t)
rsync_write_config(cobblerd_t)
')
optional_policy(`
tftp_manage_tftpdir_dirs(cobblerd_t)
tftp_manage_tftpdir_files(cobblerd_t)
')
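Review bot: cobblerd_t is granted domain transitions, init-script transitions and config-write access for bind, dhcpd, dnsmasq and rsync, plus sysnet_write_config and manage on the writable tftp tree, with no comment recording why a single daemon needs to rewrite and restart all of those services, and the commit message's deliberate removal of files_read_etc_files is likewise not recorded in the .te file. A comment above the optional_policy blocks such as `# cobbler regenerates DHCP/DNS/rsync/tftp configuration and restarts those services (presumably for cobbler sync)` and one above the cobbler_etc_t read rule, `# only cobbler_etc_t is readable in /etc; generic etc_t read was dropped intentionally, re-add files_read_etc_files if needed`, would keep later maintainers from either trimming these grants as accidental or re-adding the generic read blindly. Given the tunable default of false, cobblerd_t has only miscfiles_read_public_files on the public_content_rw_t trees labelled elsewhere in this commit unless cobbler_anon_write is enabled; a one-line comment at the tunable_policy block saying so would make that dependency explicit.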


@ -1,5 +1,24 @@
## <summary>Dynamic host configuration protocol (DHCP) server</summary>
########################################
## <summary>
## Transition to dhcpd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dhcpd_domtrans',`
gen_require(`
type dhcpd_t, dhcpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
')
########################################
## <summary>
## Set the attributes of the DCHP


@ -1,3 +1,4 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)


@ -134,6 +134,44 @@ interface(`dnsmasq_read_pid_files',`
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
########################################
## <summary>
## Read dnsmasq config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## </param>
#
interface(`dnsmasq_read_config',`
gen_require(`
type dnsmasq_etc_t;
')
read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
files_search_etc($1)
')
########################################
## <summary>
## Write to dnsmasq config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## </param>
#
interface(`dnsmasq_write_config',`
gen_require(`
type dnsmasq_etc_t;
')
write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
files_search_etc($1)
')
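Review bot: dnsmasq_write_config uses write_files_pattern, which yields write and open on dnsmasq_etc_t but not create, unlink or rename; if the caller (cobblerd_t, per cobbler.te in this commit) replaces the config through a temporary file and rename rather than rewriting in place, the operation will be denied. Either document the in-place expectation, e.g. `## Write to (but not create or replace) dnsmasq config files.`, or grant manage_files_pattern if replacement is needed. The same applies to rsync_write_config in rsync.if.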
########################################
## <summary>
## All of the rules required to administrate


@ -13,6 +13,9 @@ init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
type dnsmasq_initrc_exec_t;
init_script_file(dnsmasq_initrc_exec_t)
type dnsmasq_etc_t;
files_config_file(dnsmasq_etc_t)
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
@ -34,6 +37,8 @@ allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
# dhcp leases
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@ -66,8 +71,6 @@ dev_read_urand(dnsmasq_t)
domain_use_interactive_fds(dnsmasq_t)
# allow access to dnsmasq.conf
files_read_etc_files(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t)
fs_getattr_all_fs(dnsmasq_t)
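Review bot: The last hunk drops files_read_etc_files(dnsmasq_t) in favour of read on dnsmasq_etc_t, but dnsmasq.fc in this commit labels only /etc/dnsmasq\.conf; any other configuration dnsmasq reads from /etc (a conf-dir, if the distribution ships one) stays etc_t and becomes unreadable. If that is deliberate, a comment where the generic read was removed, `# only dnsmasq_etc_t is readable; generic etc_t read removed intentionally`, would prevent it from being re-added without thought; otherwise the extra paths need fc entries. The rest of the dnsmasq_t policy lies outside these hunks.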


@ -1,3 +1,4 @@
/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)


@ -103,3 +103,41 @@ interface(`rsync_exec',`
can_exec($1, rsync_exec_t)
')
########################################
## <summary>
## Read rsync config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## </param>
#
interface(`rsync_read_config',`
gen_require(`
type rsync_etc_t;
')
read_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
')
########################################
## <summary>
## Write to rsync config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed.
## </summary>
## </param>
#
interface(`rsync_write_config',`
gen_require(`
type rsync_etc_t;
')
write_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
')


@ -28,6 +28,9 @@ init_daemon_domain(rsync_t, rsync_exec_t)
application_executable_file(rsync_exec_t)
role system_r types rsync_t;
type rsync_etc_t;
files_config_file(rsync_etc_t)
type rsync_data_t;
files_type(rsync_data_t)
@ -57,6 +60,8 @@ allow rsync_t self:udp_socket connected_socket_perms;
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd
read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)


@ -1,5 +1,43 @@
## <summary>Trivial file transfer protocol daemon</summary>
########################################
## <summary>
## Manage tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tftp_manage_tftpdir_dirs',`
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
## <summary>
## Manage tftp /var/lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tftp_manage_tftpdir_files',`
gen_require(`
type tftpdir_rw_t;
')
files_search_var_lib($1)
manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')
########################################
## <summary>
## Read tftp content
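Review bot: tftp_manage_tftpdir_dirs and tftp_manage_tftpdir_files carry the identical summary "Manage tftp /var/lib files." although the first grants manage_dirs_pattern; the first should read `## Manage tftp /var/lib directories.` so the generated interface documentation tells them apart. Both interfaces act on tftpdir_rw_t, the writable tftp tree, which is a broader grant than read-only tftp content; naming that scope in the summaries (`## Manage directories in the writable tftp tree.`) would make it clear to callers such as cobblerd_t in this commit.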


@ -74,6 +74,9 @@ ifdef(`distro_redhat',`
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
ifdef(`distro_debian',`
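Review bot: The two new public_content_rw_t entries sit inside the ifdef(`distro_redhat') block per the hunk header, so /var/www/cobbler/images and /var/lib/cobbler/webui_sessions get that label only on Red Hat builds, while cobbler.fc labels /var/lib/cobbler(/.*)? as cobbler_var_lib_t unconditionally; on other distributions webui_sessions will simply inherit cobbler_var_lib_t. If that is intended, a comment ahead of the two entries, `# cobbler: world-writable public content, written by cobblerd only under cobbler_anon_write`, would record it; otherwise they belong in cobbler.fc. Note also that cobbler.te grants cobblerd_t manage on public_content_rw_t only under the cobbler_anon_write tunable, whose default is false, so with defaults cobblerd can read but not modify these two trees.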


@ -11,6 +11,8 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)