01-08-2009, 07:38 PM
"domg472 g472"

Help perfect Cobbler SELinux policy

Below you will find instructions on how to install a bare SELinux policy for Cobbler. Feedback in the form of AVC denials would be appreciated so that we can perfect this bare policy.

The version of this policy is far from perfect but it is in my view a solid start. I have installed this policy and was able to start cobblerd in its proper security domain. I have not actually tried to use Cobbler. Also there is no policy yet for executable files other than /usr/bin/cobblerd.


Instructions:


mkdir ~/cobbler; cd ~/cobbler

# Quoted heredoc delimiter: the shell must leave the m4 backquote in
# optional_policy(` below alone (inside echo "..." it would open a command
# substitution and the command would never parse).
cat > cobbler.te << 'END_TE'
policy_module(cobbler, 0.0.1)

# Personal declarations

type cobbler_config_t;
files_config_file(cobbler_config_t)

type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)

type cobbler_exec_t;
application_executable_file(cobbler_exec_t)

type cobbler_ext_nodes_exec_t;
application_executable_file(cobbler_ext_nodes_exec_t)

type cobblerd_exec_t;
application_executable_file(cobblerd_exec_t)

type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)

type cobbler_log_t;
logging_log_file(cobbler_log_t)

# The daemon domain: init transitions to cobblerd_t when it runs cobblerd_exec_t
type cobblerd_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)

# Port type only; this module assigns no port number to it
type cobbler_port_t;
corenet_port(cobbler_port_t)

# Personal policy

allow cobblerd_t self:capability { sys_nice chown dac_override fowner };
allow cobblerd_t self:fifo_file { read write getattr };
allow cobblerd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow cobblerd_t self:process { setsched getsched };
allow cobblerd_t self:tcp_socket { getattr setopt bind create accept listen };
allow cobblerd_t self:udp_socket { read bind create };

allow cobblerd_t cobbler_config_t:dir search;
allow cobblerd_t cobbler_config_t:file { read getattr };

allow cobblerd_t cobbler_exec_t:file getattr;

manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t)
logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })

# files_search_var_lib(cobblerd_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })

corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
corecmd_read_bin_symlinks(cobblerd_t)

corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)

corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_all_nodes(cobblerd_t)
corenet_tcp_sendrecv_all_ports(cobblerd_t)

# allow cobblerd_t cobbler_port_t:tcp_socket name_bind;
corenet_tcp_bind_generic_port(cobblerd_t)
corenet_tcp_bind_all_nodes(cobblerd_t)

corenet_udp_sendrecv_generic_if(cobblerd_t)
corenet_udp_sendrecv_all_nodes(cobblerd_t)
corenet_udp_sendrecv_all_ports(cobblerd_t)

# allow cobblerd_t cobbler_port_t:udp_socket name_bind;
corenet_udp_bind_generic_port(cobblerd_t)
corenet_udp_bind_all_nodes(cobblerd_t)

dev_read_urand(cobblerd_t)

files_list_tmp(cobblerd_t)
files_read_etc_files(cobblerd_t)
files_read_usr_symlinks(cobblerd_t)
files_search_usr(cobblerd_t)

kernel_read_system_state(cobblerd_t)

libs_use_ld_so(cobblerd_t)
libs_use_shared_libs(cobblerd_t)

miscfiles_read_localization(cobblerd_t)

# is this optional?
rpm_domtrans(cobblerd_t)

sysnet_read_config(cobblerd_t)

# Declares the httpd_cobbler_* types, among them httpd_cobbler_script_exec_t
# that cobbler.fc labels the web scripts with
apache_content_template(cobbler)

optional_policy(`
    dbus_system_bus_client_template(cobblerd, cobblerd_t)
    dbus_connect_system_bus(cobblerd_t)
    dbus_system_domain(cobblerd_t, cobblerd_exec_t)
')

#EOF
END_TE

cat > cobbler.fc << 'END_FC'
# File contexts
# "--" restricts the entry to regular files; entries without it match any file type

/etc/cobbler(/.*)?                              gen_context(system_u:object_r:cobbler_config_t, s0)

/etc/rc.d/init.d/cobblerd               --      gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)

/usr/bin/cobbler                        --      gen_context(system_u:object_r:cobbler_exec_t, s0)
/usr/bin/cobbler-ext-nodes              --      gen_context(system_u:object_r:cobbler_ext_nodes_exec_t, s0)
/usr/bin/cobblerd                       --      gen_context(system_u:object_r:cobblerd_exec_t, s0)

/var/lib/cobbler(/.*)?                          gen_context(system_u:object_r:cobbler_var_lib_t, s0)

/var/log/cobbler(/.*)?                          gen_context(system_u:object_r:cobbler_log_t, s0)

# httpd_cobbler_script_exec_t comes from apache_content_template(cobbler) in cobbler.te
/var/www/cobbler/svc/services.py        --      gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
/var/www/cobbler/web/index.py           --      gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
END_FC

make -f /usr/share/selinux/devel/Makefile
semodule -i cobbler.pp


restorecon -R -v /etc/cobbler
restorecon -R -v /etc/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler

restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler

semanage permissive -a cobblerd_t   # the daemon domain declared in cobbler.te is cobblerd_t, not cobbler_t

service cobblerd start

(start testing)

ausearch -m avc -ts today
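An added example, not part of the post or of Cobbler itself, of what to do with the AVC records that step produces: it parses the standard auditd AVC "denied" lines, keeps only those whose source context is cobblerd_t, and merges them into one candidate allow rule per target type and class, the way audit2allow does, so they can be reviewed against the module above. The sample records, and the tftpdir_t, port_t and httpd_t types they name, are constructed for the example; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -m avc -ts today` output from a permissive cobblerd_t run
# (not real records from the post); the final httpd_t line shows that other domains are skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1231443000.1:45): avc:  denied  { read } for  pid=2345 comm="cobblerd" name="cobbler" dev=sda1 ino=11 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_config_t:s0 tclass=dir
type=AVC msg=audit(1231443000.2:46): avc:  denied  { write add_name } for  pid=2345 comm="cobblerd" name="pxelinux.cfg" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=dir
type=AVC msg=audit(1231443000.3:47): avc:  denied  { create } for  pid=2345 comm="cobblerd" name="default" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file
type=AVC msg=audit(1231443000.4:48): avc:  denied  { write } for  pid=2345 comm="cobblerd" name="default" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file
type=AVC msg=audit(1231443000.5:49): avc:  denied  { name_bind } for  pid=2345 comm="cobblerd" src=25151 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231443000.6:50): avc:  denied  { getattr } for  pid=999 comm="httpd" path="/var/www/cobbler/web/index.py" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_cobbler_script_exec_t:s0 tclass=file
"""

# Standard auditd AVC layout: "avc: denied { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC 'denied' record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))

def suggest_allow_rules(text, domain="cobblerd_t"):
    """One candidate allow rule per (target type, class) for `domain`, permissions merged
    across records the way audit2allow does. Sorted so the output is stable for review."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        if stype != domain:      # denial belongs to another domain's policy (e.g. httpd_t)
            continue
        grouped[(ttype, tclass)].update(perms)
    rules = []
    for (ttype, tclass), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {domain} {ttype}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_allow_rules(SAMPLE_AVCS)))
```

Treat the output as a review list, not as lines to paste: where refpolicy has an interface for the access (as the .te above uses for logs, /var/lib and networking), prefer it to a raw allow rule, and a denial on a generic type such as port_t or tftpdir_t usually means a label or port declaration is missing rather than that the daemon needs the access.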

To undo (remove the policy again):


service cobblerd stop
semanage permissive -d cobblerd_t   # same domain name as used when adding it
semodule -r cobbler
restorecon -R -v /etc/cobbler
restorecon -R -v /etc/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler

restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler

Questions and comments are welcome.
Thanks in advance for your feedback.


Dominick Grift




_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
 
01-08-2009, 08:15 PM
Michael DeHaan

Help perfect Cobbler SELinux policy

Thanks Dominick!

I've uploaded this to the Wiki so people can copy/paste it.

https://fedorahosted.org/cobbler/wiki/SeLinuxPolicy

The last release had a lot of work making sure we ran everything cleanly
in SELinux again, and I think getting cobblerd to have a policy would be
a logical extension of that.


Would someone like to take a shot at refining this policy some or at
least running Cobbler with that for a while (in permissive mode) to
identify what else needs to be allowed?


I think possibly /usr/bin/cobbler-ext-nodes (used for Puppet
integration) and /usr/bin/cobbler (command line for humans) can be left
unconfined. Just thinking about things offhand cobbler needs to be
able to read and write to Apache and tftp-server content, read and write
to /var/lib/cobbler and /var/log/cobbler, and read to /etc/cobbler.


A good way to get most of this going is to install from a git checkout
("make install" for new users, or "make devinstall" for old ones who
don't want to whack their config) and then "make test" would go a long
way I'd think of covering most of it.


--Michael
