From 1031ee6f6aec6147448b3db422be6a28bbf2ebb8 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Tue, 5 Jan 2010 16:26:14 +0100
Subject: [PATCH] Implement cobblerd policy.

My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all.

Signed-off-by: Dominick Grift
Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 policy/modules/kernel/files.if | 18 +++
 policy/modules/services/apache.if | 21 +++
 policy/modules/services/apache.te | 4 +
 policy/modules/services/bind.if | 38 +++++
 policy/modules/services/cobbler.fc | 7 +
 policy/modules/services/cobbler.if | 183 ++++++++++++++++++++++++
 policy/modules/services/cobbler.te | 124 ++++++++++++++++
 policy/modules/services/dhcp.if | 19 +++
 policy/modules/services/dnsmasq.fc | 1 +
 policy/modules/services/dnsmasq.if | 38 +++++
 policy/modules/services/dnsmasq.te | 7 +-
 policy/modules/services/rsync.fc | 1 +
 policy/modules/services/rsync.if | 38 +++++
 policy/modules/services/rsync.te | 5 +
 policy/modules/services/tftp.if | 38 +++++
 policy/modules/system/miscfiles.fc | 3 +
 policy/modules/system/sysnetwork.fc | 2 +
 18 files changed, 546 insertions(+), 2 deletions(-)
 create mode 100644 policy/modules/services/cobbler.fc
 create mode 100644 policy/modules/services/cobbler.if
 create mode 100644 policy/modules/services/cobbler.te
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4e759812..fcf72fab 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -84,6 +84,7 @@ network_port(certmaster, tcp,51235,s0)
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
+network_port(cobbler, tcp,25151,s0)
 network_port(comsat, udp,512,s0)
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f5b78805..f853bf52 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1502,6 +1502,24 @@ interface(`files_dontaudit_getattr_boot_dirs',`
 dontaudit $1 boot_t:dir getattr;
 ')
 
+########################################
+##
+## List the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_list_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir list_dir_perms;
+')
+
 ########################################
 ##
 ## Search the /boot directory.
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index a898dd8d..c1139e4c 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -756,6 +756,27 @@ interface(`apache_domtrans_rotatelogs',`
 domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
 ')
 
+########################################
+##
+## Allow the specified domain to list
+## apache system content files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_list_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ files_search_var($1)
+')
+
 ########################################
 ##
 ## Allow the specified domain to manage
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index eb3ccae6..02a2f7d4 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -450,6 +450,10 @@ optional_policy(`
 calamaris_read_www_files(httpd_t)
 ')
 
+optional_policy(`
+ cobbler_search_var_lib(httpd_t)
+')
+
 optional_policy(`
 cron_system_entry(httpd_t, httpd_exec_t)
 ')
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 0bc01893..aef64b7a 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -1,5 +1,24 @@
 ## Berkeley internet name domain DNS server.
 
+########################################
+##
+## Execute bind server in the bind domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type named_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
 ########################################
 ##
 ## Execute ndc in the ndc domain.
@@ -190,6 +209,25 @@ interface(`bind_manage_config_dirs',`
 manage_dirs_pattern($1, named_conf_t, named_conf_t)
 ')
 
+########################################
+##
+## Manage BIND zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
 ########################################
 ##
 ## Search the BIND cache directory.
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
new file mode 100644
index 00000000..0a811f6e
--- /dev/null
+++ b/policy/modules/services/cobbler.fc
@@ -0,0 +1,7 @@
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
new file mode 100644
index 00000000..433099f5
--- /dev/null
+++ b/policy/modules/services/cobbler.if
@@ -0,0 +1,183 @@
+## Cobbler installation server.
+##
+##
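Review bot: The summary of `bind_initrc_domtrans` says `Execute bind server in the bind domain.`, but its body is `init_labeled_script_domtrans($1, named_initrc_exec_t)`, which transitions the caller into the init-script domain to run the named init script, not into named_t; the summary should read `Execute the BIND init script in the init script domain.` so callers understand they are granting a transition into initrc rather than into the daemon domain. The doubled `+#` line just before `interface(`bind_initrc_domtrans',`` looks like a leftover and should be a single `#` to match the other interface headers in this file. The second hunk's `bind_manage_zone` grants full file management on named_zone_t; a one-line comment stating who needs it (cobblerd writing generated zone files, per cobbler.te) would help the next reviewer judge future callers.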

+## Cobbler is a Linux installation server that allows for
+## rapid setup of network installation environments. It
+## glues together and automates many associated Linux
+## tasks so you do not have to hop between lots of various
+## commands and applications when rolling out new systems,
+## and, in some cases, changing existing ones.
+##

+##
+
+########################################
+##
+## Read Cobbler content in /etc
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_read_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
+ files_search_etc($1)
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_dontaudit_rw_log',`
+ gen_require(`
+ type cobbler_var_log_t;
+ ')
+
+ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+')
+
+########################################
+##
+## Read cobbler files in /var/lib
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_read_var_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Manage cobbler files in /var/lib
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_manage_var_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Search cobbler dirs in /var/lib
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_search_var_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Execute a domain transition to run cobblerd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cobblerd_domtrans',`
+ gen_require(`
+ type cobblerd_t, cobblerd_exec_t;
+ ')
+
+ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+')
+
+########################################
+##
+## Execute cobblerd server in the cobblerd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`cobblerd_initrc_domtrans',`
+ gen_require(`
+ type cobblerd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an cobblerd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cobblerd_admin',`
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cobblerd_t, cobblerd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
+
+ files_search_var_log($1)
+ admin_pattern($1, cobbler_var_log_t)
+
+ cobblerd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cobblerd_initrc_exec_t system_r;
+ allow $2 system_r;
+')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
new file mode 100644
index 00000000..7e5c614f
--- /dev/null
+++ b/policy/modules/services/cobbler.te
@@ -0,0 +1,124 @@
+
+policy_module(cobbler, 1.0.0)
+
+########################################
+#
+# Cobbler personal declarations.
+#
+
+##
+##
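Review bot: `cobbler_read_config` terminates its `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);` call with a stray semicolon that no other interface in this file uses; the pattern macro already expands to terminated rules, so the line should be `read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)`. In `cobblerd_admin`, `role_transition $2 cobblerd_initrc_exec_t system_r;` references a type that is not declared in the interface's own `gen_require` block (only the nested `cobblerd_initrc_domtrans` call requires it); adding `type cobblerd_initrc_exec_t;` to that block keeps the interface self-contained. The summary of `cobblerd_initrc_domtrans` says `Execute cobblerd server in the cobblerd domain.`, but the body is `init_labeled_script_domtrans`, which transitions into the init-script domain, so it should read `Execute the cobblerd init script in the init script domain.`. `cobblerd_admin` also grants `ptrace` on cobblerd_t; that is the usual admin-interface convention but deserves the comment `# ptrace lets the admin inspect the daemon's memory` since it is the broadest right in the set.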

+## Allow Cobbler to modify public files
+## used for public file transfer services.
+##

+##
+gen_tunable(cobbler_anon_write, false)
+
+type cobblerd_t;
+type cobblerd_exec_t;
+init_daemon_domain(cobblerd_t, cobblerd_exec_t)
+
+type cobblerd_initrc_exec_t;
+init_script_file(cobblerd_initrc_exec_t)
+
+type cobbler_etc_t;
+files_config_file(cobbler_etc_t)
+
+type cobbler_var_log_t;
+logging_log_file(cobbler_var_log_t)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
+
+########################################
+#
+# Cobbler personal policy.
+#
+
+allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:process { getsched setsched signal };
+allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
+
+manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+
+append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
+
+corecmd_exec_bin(cobblerd_t)
+corecmd_exec_shell(cobblerd_t)
+
+corenet_all_recvfrom_netlabel(cobblerd_t)
+corenet_all_recvfrom_unlabeled(cobblerd_t)
+corenet_sendrecv_cobbler_server_packets(cobblerd_t)
+corenet_tcp_bind_cobbler_port(cobblerd_t)
+corenet_tcp_bind_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_if(cobblerd_t)
+corenet_tcp_sendrecv_generic_node(cobblerd_t)
+corenet_tcp_sendrecv_generic_port(cobblerd_t)
+
+dev_read_urand(cobblerd_t)
+
+files_read_usr_files(cobblerd_t)
+
+files_list_boot(cobblerd_t)
+
+files_list_tmp(cobblerd_t)
+
+kernel_read_system_state(cobblerd_t)
+
+miscfiles_read_localization(cobblerd_t)
+miscfiles_read_public_files(cobblerd_t)
+
+sysnet_read_config(cobblerd_t)
+sysnet_rw_dhcp_config(cobblerd_t)
+sysnet_write_config(cobblerd_t)
+
+tunable_policy(`cobbler_anon_write',`
+ miscfiles_manage_public_files(cobblerd_t)
+')
+
+optional_policy(`
+ apache_list_sys_content(cobblerd_t)
+')
+
+optional_policy(`
+ bind_read_config(cobblerd_t)
+ bind_write_config(cobblerd_t)
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
+')
+
+optional_policy(`
+ dhcpd_domtrans(cobblerd_t)
+ dhcpd_initrc_domtrans(cobblerd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ rpm_exec(cobblerd_t)
+')
+
+optional_policy(`
+ rsync_read_config(cobblerd_t)
+ rsync_write_config(cobblerd_t)
+')
+
+optional_policy(`
+ tftp_manage_tftpdir_dirs(cobblerd_t)
+ tftp_manage_tftpdir_files(cobblerd_t)
+')
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index 51316b4d..8e4d1be0 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -1,5 +1,24 @@
 ## Dynamic host configuration protocol (DHCP) server
 
+########################################
+##
+## Transition to dhcpd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dhcpd_domtrans',`
+ gen_require(`
+ type dhcpd_t, dhcpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
+')
+
 ########################################
 ##
 ## Set the attributes of the DCHP
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index a328ceab..89e2e662 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
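Review bot: The `bind_initrc_domtrans`, `dhcpd_initrc_domtrans` and `dnsmasq_initrc_domtrans` calls each expand to `init_labeled_script_domtrans`, so cobblerd_t gains a transition into the init-script domain, and together with `sysnet_write_config`, `sysnet_rw_dhcp_config`, `bind_write_config`, `bind_manage_zone`, `dnsmasq_write_config` and `rsync_write_config` a compromised cobblerd can rewrite the configuration of bind, dhcpd, dnsmasq and rsync and restart the first three; nothing in the file says why this breadth is needed. Each service `optional_policy` block should carry a why-comment, e.g. `# cobbler sync regenerates these services' config and restarts them`, and the `self:capability` line should note which operation needs `dac_override` (the broadest of the four), since `chown`/`fowner` alone cover re-owning synced files if the daemon runs as root. With the tunable off the daemon only has `miscfiles_read_public_files`, so `/var/www/cobbler/images` (labeled public_content_rw_t in miscfiles.fc) is read-only to it by default; a comment next to `tunable_policy(`cobbler_anon_write',`` stating that image sync requires the tunable would save the next admin a denial hunt. The commit message's own doubt about dropping `files_read_etc_files` belongs in the policy as well, e.g. `# only cobbler_etc_t is read; re-add files_read_etc_files if etc_t denials appear`.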
@@ -1,3 +1,4 @@
+/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
 /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
 
 /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 28c0734d..09e1efd7 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -134,6 +134,44 @@ interface(`dnsmasq_read_pid_files',`
 read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
 
+########################################
+##
+## Read dnsmasq config files.
+##
+##
+##
+## Domain allowed.
+##
+##
+#
+interface(`dnsmasq_read_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Write to dnsmasq config files.
+##
+##
+##
+## Domain allowed.
+##
+##
+#
+interface(`dnsmasq_write_config',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ ')
+
+ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
+ files_search_etc($1)
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index a4e478e6..edcf106a 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -13,6 +13,9 @@ init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
 type dnsmasq_initrc_exec_t;
 init_script_file(dnsmasq_initrc_exec_t)
 
+type dnsmasq_etc_t;
+files_config_file(dnsmasq_etc_t)
+
 type dnsmasq_lease_t;
 files_type(dnsmasq_lease_t)
 
@@ -34,6 +37,8 @@ allow dnsmasq_t self:udp_socket create_socket_perms;
 allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
+read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+
 # dhcp leases
 manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -66,8 +71,6 @@ dev_read_urand(dnsmasq_t)
 
 domain_use_interactive_fds(dnsmasq_t)
 
-# allow access to dnsmasq.conf
-files_read_etc_files(dnsmasq_t)
 files_read_etc_runtime_files(dnsmasq_t)
 
 fs_getattr_all_fs(dnsmasq_t)
diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc
index 299f7a44..479615be 100644
--- a/policy/modules/services/rsync.fc
+++ b/policy/modules/services/rsync.fc
@@ -1,3 +1,4 @@
+/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
 /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 74181969..7dc8495b 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@@ -103,3 +103,41 @@ interface(`rsync_exec',`
 can_exec($1, rsync_exec_t)
 ')
+
+########################################
+##
+## Read rsync config files.
+##
+##
+##
+## Domain allowed.
+##
+##
+#
+interface(`rsync_read_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+##
+## Write to rsync config files.
+##
+##
+##
+## Domain allowed.
+##
+##
+#
+interface(`rsync_write_config',`
+ gen_require(`
+ type rsync_etc_t;
+ ')
+
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
+ files_search_etc($1)
+')
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 97a60869..ee78a18f 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
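Review bot: Removing `files_read_etc_files(dnsmasq_t)` in the `@@ -66,8 +71,6 @@` hunk leaves dnsmasq_t able to read only what is now labeled dnsmasq_etc_t, and dnsmasq.fc labels exactly one path, `/etc/dnsmasq\.conf`; dnsmasq normally also reads `/etc/hosts` and whatever `conf-dir` points at (commonly `/etc/dnsmasq.d/`), and nothing in this patch labels or grants those. Unless dnsmasq_t already has `sysnet_read_config` outside this hunk (not visible here), expect denials on `/etc/hosts` after this change; either add `/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t, s0)` to dnsmasq.fc and `sysnet_read_config(dnsmasq_t)` here, or keep `files_read_etc_files` until that is confirmed. A comment above the new `read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` line, e.g. `# dnsmasq.conf only; /etc/hosts and conf-dir are not covered by this type`, would make the narrowed scope explicit. The same question applies to the rsync change in the next file, where only `/etc/rsyncd\.conf` is labeled rsync_etc_t.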
@@ -28,6 +28,9 @@ init_daemon_domain(rsync_t, rsync_exec_t)
 application_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 
+type rsync_etc_t;
+files_config_file(rsync_etc_t)
+
 type rsync_data_t;
 files_type(rsync_data_t)
 
@@ -57,6 +60,8 @@ allow rsync_t self:udp_socket connected_socket_perms;
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 #end for identd
 
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
+
 allow rsync_t rsync_data_t:dir list_dir_perms;
 read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
 read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 65d53fcc..230c5a65 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -1,5 +1,43 @@
 ## Trivial file transfer protocol daemon
 
+########################################
+##
+## Manage tftp /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tftp_manage_tftpdir_dirs',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
+########################################
+##
+## Manage tftp /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tftp_manage_tftpdir_files',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
 ########################################
 ##
 ## Read tftp content
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 6557a8e1..3051ca73 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
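Review bot: In the tftp.if hunk both new interfaces carry the identical summary `Manage tftp /var/lib files.`, although `tftp_manage_tftpdir_dirs` manages directories; its summary should read `Manage tftp /var/lib directories.` so the generated interface documentation tells them apart. Both summaries assert that tftpdir_rw_t lives under /var/lib, which the `files_search_var_lib($1)` call implies but no file context in this patch shows; if tftp.fc labels a path outside /var/lib with this type, callers will still be missing the parent search rule, so this is worth confirming. Since tftpdir_rw_t is the writable TFTP boot tree served to unauthenticated PXE clients, a one-line comment above each interface noting that the caller gains the ability to replace served boot images would help reviewers of future callers.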
@@ -74,6 +74,9 @@ ifdef(`distro_redhat',`
 /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
 /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
 
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+
 /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
 
 ifdef(`distro_debian',`
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 5a4f5764..0e77e217 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -11,6 +11,8 @@
 /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
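Review bot: Labeling `/var/lib/cobbler/webui_sessions(/.*)?` as `public_content_rw_t` puts the web UI's session store under the same type as files intended for anonymous public transfer (the `cobbler_anon_write` tunable in cobbler.te describes the type as "public files used for public file transfer services"), so every domain granted read access to public content, not only cobblerd_t and httpd_t, can read live session data. Keeping that directory under the existing `/var/lib/cobbler(/.*)?` entry (cobbler_var_lib_t) and granting httpd_t write access through a cobbler interface would keep sessions confined to the two domains that need them; if the public label is deliberate, say so in place with `# web UI sessions: readable by every public_content reader, keep out of the served tree`. The `/var/www/cobbler/images` entry is more specific than apache's `/var/www(/.*)?` and so wins matching, but it also means httpd_t writes there only under the apache anon-write boolean; the interplay of the two booleans deserves a comment rather than being left implicit.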