authorChris PeBenito <Christopher.PeBenito@microsoft.com>2023-03-30 14:33:57 +0000
committerKenton Groombridge <concord@gentoo.org>2024-03-01 12:05:30 -0500
commit4710976df1b26637cfd9d6eeb2ad87ea7fd21f29 (patch)
treed55743da78b6996aa7ec0452b82543afef603726
parentsystemd: Updates for systemd-locale. (diff)
cloudinit: Add permissions derived from sysadm.
Allow cloud-init an amount of admin capability similar to sysadm's. Also add a tunable to allow non-security file management as a fallback. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/admin/cloudinit.if76
-rw-r--r--policy/modules/admin/cloudinit.te1028
-rw-r--r--policy/modules/admin/rpm.fc2
-rw-r--r--policy/modules/admin/rpm.te20
-rw-r--r--policy/modules/admin/usermanage.te14
-rw-r--r--policy/modules/services/ssh.if25
-rw-r--r--policy/modules/system/fstools.te5
-rw-r--r--policy/modules/system/init.if20
-rw-r--r--policy/modules/system/selinuxutil.te5
-rw-r--r--policy/modules/system/systemd.if2
-rw-r--r--policy/modules/system/systemd.te4
-rw-r--r--policy/modules/system/udev.te2
-rw-r--r--policy/modules/system/unconfined.if19
-rw-r--r--policy/modules/system/userdomain.if19
-rw-r--r--policy/support/obj_perm_sets.spt1
15 files changed, 1216 insertions, 26 deletions
diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if
index 604f56dc4..1d9d54daa 100644
--- a/policy/modules/admin/cloudinit.if
+++ b/policy/modules/admin/cloudinit.if
@@ -59,6 +59,25 @@ interface(`cloudinit_write_runtime_files',`
########################################
## <summary>
+## Read and write cloud-init runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_rw_runtime_files',`
+ gen_require(`
+ type cloud_init_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ rw_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+########################################
+## <summary>
## Create cloud-init runtime files.
## </summary>
## <param name="domain">
@@ -125,3 +144,60 @@ interface(`cloudinit_getattr_state_files',`
allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
allow $1 cloud_init_state_t:file getattr;
')
+
+########################################
+## <summary>
+## Write inherited cloud-init temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_write_inherited_tmp_files',`
+ gen_require(`
+ type cloud_init_t, cloud_init_tmp_t;
+ ')
+
+ allow $1 cloud_init_t:fd use;
+ allow $1 cloud_init_tmp_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write cloud-init temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_rw_tmp_files',`
+ gen_require(`
+ type cloud_init_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+')
+
+########################################
+## <summary>
+## Create cloud-init temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_create_tmp_files',`
+ gen_require(`
+ type cloud_init_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ create_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+')
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
index 80c17374b..0c80a32ad 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -9,6 +9,13 @@ gen_require(`
# Declarations
#
+## <desc>
+## <p>
+## Enable support for cloud-init to manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(cloudinit_manage_non_security, false)
+
type cloud_init_t;
type cloud_init_exec_t;
init_system_domain(cloud_init_t, cloud_init_exec_t)
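Review bot: The desc of the new cloudinit_manage_non_security tunable says only that cloud-init may "manage all non-security files", while the tunable_policy block it guards later in this file also grants relabeling of all non-security dirs and files, which is the part an operator most needs to know before flipping it on. Suggest `## Allow cloud-init to create, modify, delete and relabel all non-security files and directories. Intended only as a fallback for paths that have no dedicated type.` as the <p> text. The "fallback" sentence is my reading of the commit message and should be confirmed by the author.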
@@ -23,18 +30,21 @@ files_mountpoint(cloud_init_runtime_t)
type cloud_init_state_t;
files_type(cloud_init_state_t)
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
########################################
#
# Local policy
#
allow cloud_init_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid };
-dontaudit cloud_init_t self:capability { net_admin sys_tty_config };
+dontaudit cloud_init_t self:capability { net_admin sys_admin sys_tty_config };
allow cloud_init_t self:fifo_file rw_fifo_file_perms;
allow cloud_init_t self:unix_dgram_socket create_socket_perms;
allow cloud_init_t self:passwd passwd;
-allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms setattr };
+allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms read setattr };
logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)
manage_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
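Review bot: Adding sys_admin to the dontaudit on cloud_init_t's self:capability line silences denials of the broadest capability for a domain that executes boot-time userdata, so a module that genuinely needs it, or a misbehaving one, will now fail with no audit record. If the denial is a known harmless probe, a comment naming the operation that triggers it would let later reviewers keep the suppression scoped, e.g. `# sys_admin: requested by <operation — TODO confirm>, not needed`. The diff does not show what produced the denial.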
@@ -48,12 +58,23 @@ manage_lnk_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
manage_dirs_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
files_var_lib_filetrans(cloud_init_t, cloud_init_state_t, { dir file lnk_file })
-auth_domtrans_chk_passwd(cloud_init_t)
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { dir file lnk_file })
+
+auth_run_chk_passwd(cloud_init_t, system_r)
-corecmd_exec_bin(cloud_init_t)
-corecmd_exec_shell(cloud_init_t)
+corecmd_exec_all_executables(cloud_init_t)
-corenet_dontaudit_tcp_bind_generic_node(cloud_init_t)
+corenet_all_recvfrom_netlabel(cloud_init_t)
+corenet_tcp_sendrecv_generic_if(cloud_init_t)
+corenet_tcp_sendrecv_generic_node(cloud_init_t)
+corenet_tcp_connect_all_ports(cloud_init_t)
+corenet_tcp_bind_generic_node(cloud_init_t)
+corenet_tcp_bind_all_unreserved_ports(cloud_init_t)
+corenet_udp_bind_generic_node(cloud_init_t)
+corenet_udp_bind_all_unreserved_ports(cloud_init_t)
dbus_system_bus_client(cloud_init_t)
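Review bot: corenet_tcp_bind_all_unreserved_ports and corenet_udp_bind_all_unreserved_ports let cloud_init_t listen on any unreserved port, and corecmd_exec_all_executables widens the replaced exec_bin/exec_shell pair to every exec_type, yet none of these lines carry a why-comment. cloud-init's own work explains the connect rule but not the binds; if they are present only because sysadm has them, say so, e.g. `# Derived from sysadm: cloud-init runs arbitrary userdata/runcmd scripts`, so a later tightening pass knows cloud-init itself does not require them. That reading is inferred from the commit message, not from the diff.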
@@ -61,19 +82,23 @@ dev_getattr_all_blk_files(cloud_init_t)
# /sys/devices/pci0000:00/0000:00:03.0/net/eth0/address
dev_read_sysfs(cloud_init_t)
+domain_read_all_domains_state(cloud_init_t)
+domain_obj_id_change_exemption(cloud_init_t)
+
files_manage_config_dirs(cloud_init_t)
files_relabel_config_dirs(cloud_init_t)
files_manage_config_files(cloud_init_t)
files_relabel_config_files(cloud_init_t)
+files_manage_mnt_dirs(cloud_init_t)
fs_getattr_all_fs(cloud_init_t)
fs_search_tmpfs(cloud_init_t)
fs_search_cgroup_dirs(cloud_init_t)
fs_read_iso9660_files(cloud_init_t)
-fstools_domtrans(cloud_init_t)
+fstools_run(cloud_init_t, system_r)
-hostname_domtrans(cloud_init_t)
+hostname_run(cloud_init_t, system_r)
kernel_read_system_state(cloud_init_t)
kernel_read_kernel_sysctls(cloud_init_t)
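Review bot: hostname_run(cloud_init_t, system_r) is granted unconditionally here and again inside an optional_policy block in the next hunk, and sysnet_run_ifconfig(cloud_init_t, system_r) is likewise granted unconditionally in the next hunk and again under optional_policy in the hunk after that. Identical rules merge at build time, but the duplicates obscure which grants are meant to be optional; since the unconditional calls are the replacements for the original domtrans lines, the optional_policy copies are the ones to drop. domain_obj_id_change_exemption(cloud_init_t) would also benefit from a why-comment, e.g. `# presumably needed to relabel files across SELinux users — confirm trigger`.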
@@ -85,30 +110,854 @@ logging_send_syslog_msg(cloud_init_t)
miscfiles_read_localization(cloud_init_t)
-mount_domtrans(cloud_init_t)
+mount_run(cloud_init_t, system_r)
+
+selinux_set_enforce_mode(cloud_init_t)
+selinux_set_all_booleans(cloud_init_t)
+selinux_set_parameters(cloud_init_t)
+selinux_read_policy(cloud_init_t)
seutil_read_default_contexts(cloud_init_t)
+seutil_run_semanage(cloud_init_t, system_r)
+seutil_run_setfiles(cloud_init_t, system_r)
-ssh_domtrans_keygen(cloud_init_t)
+ssh_run_keygen(cloud_init_t, system_r)
ssh_manage_home_files(cloud_init_t)
ssh_create_home_dirs(cloud_init_t)
ssh_setattr_home_dirs(cloud_init_t)
# Read public keys
ssh_read_server_keys(cloud_init_t)
-sysnet_domtrans_ifconfig(cloud_init_t)
+sysnet_run_ifconfig(cloud_init_t, system_r)
term_write_console(cloud_init_t)
udev_manage_rules_files(cloud_init_t)
udev_read_runtime_files(cloud_init_t)
-usermanage_domtrans_useradd(cloud_init_t)
-usermanage_domtrans_groupadd(cloud_init_t)
-usermanage_domtrans_passwd(cloud_init_t)
+usermanage_run_useradd(cloud_init_t, system_r)
+usermanage_run_groupadd(cloud_init_t, system_r)
+usermanage_run_passwd(cloud_init_t, system_r)
+
+tunable_policy(`cloudinit_manage_non_security',`
+ files_manage_non_security_dirs(cloud_init_t)
+ files_manage_non_security_files(cloud_init_t)
+ files_relabel_non_security_dirs(cloud_init_t)
+ files_relabel_non_security_files(cloud_init_t)
+')
+
+optional_policy(`
+ abrt_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ accountsd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ acct_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ afs_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ aide_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ aisexecd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ amanda_run_recover(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ amavis_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ amtu_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ apt_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ aptcacher_run_acngtool(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ arpwatch_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ automount_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ avahi_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ backup_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ bacula_run_admin(cloud_init_t, system_r)
+ bacula_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ bind_admin(cloud_init_t, system_r)
+ bind_run_ndc(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ bird_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ bitlbee_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ boinc_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ bootloader_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ bugzilla_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ cachefilesd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ calamaris_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ canna_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ certbot_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ certmaster_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ certmonger_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ certwatch_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ cfengine_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ cgroup_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ chkrootkit_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ chronyd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ clamav_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ clock_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ cobbler_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ collectd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ condor_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ consoletype_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ container_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ corosync_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ couchdb_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ cron_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ctdb_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ cups_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ cvs_admin(cloud_init_t, system_r)
+ cvs_exec(cloud_init_t)
+')
+
+optional_policy(`
+ cyphesis_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ cyrus_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dante_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ddclient_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ devicekit_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dev_rw_xen(cloud_init_t)
+')
+
+optional_policy(`
+ dhcpd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dictd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dirmngr_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ distcc_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dkim_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dmidecode_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dnsmasq_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dovecot_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dphysswapfile_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ dpkg_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ drbd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ entropyd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ exim_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ fail2ban_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ fapolicyd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ fcoe_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ fetchmail_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ firewalld_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ firstboot_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ftp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ gatekeeper_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ gdomap_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ glance_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ glusterfs_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ gssproxy_admin(cloud_init_t)
+')
+
+optional_policy(`
+ hostname_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ hwloc_admin(cloud_init_t)
+ hwloc_run_dhwd(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ hypervkvp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ i18n_input_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ icecast_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ifplugd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ inn_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ iodine_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ipsec_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ iptables_admin(cloud_init_t, system_r)
+ iptables_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ irqbalance_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ iscsi_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ isnsd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ jabber_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ kdump_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ kerberos_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ kerneloops_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ keystone_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ knot_admin(cloud_init_t, system_r)
+ knot_run_client(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ kismet_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ksmtuned_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ l2tp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ldap_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ libs_run_ldconfig(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ lightsquid_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ likewise_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ lircd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ lldpad_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ logrotate_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ lsmd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ lvm_admin(cloud_init_t, system_r)
+ lvm_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ mandb_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ mcelog_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ memcached_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ minidlna_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ minissdpd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ modutils_run(cloud_init_t, system_r)
+')
optional_policy(`
- rpm_domtrans(cloud_init_t)
+ mongodb_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ monit_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ monop_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ mpd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ mrtg_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ munin_stream_connect(cloud_init_t)
+')
+
+optional_policy(`
+ mysql_admin(cloud_init_t, system_r)
+ mysql_stream_connect(cloud_init_t)
+')
+
+optional_policy(`
+ nagios_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ nessus_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ netlabel_run_mgmt(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ netutils_run(cloud_init_t, system_r)
+ netutils_run_ping(cloud_init_t, system_r)
+ netutils_run_traceroute(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ networkmanager_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ nis_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ nscd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ nsd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ nslcd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ntop_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ntp_admin(cloud_init_t, system_r)
+ corenet_udp_bind_ntp_port(cloud_init_t)
+')
+
+optional_policy(`
+ numad_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ nut_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ oident_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ openct_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ openhpi_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ opensm_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ openvpn_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ openvswitch_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ pacemaker_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ pads_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ pcscd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ pegasus_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ perdition_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ pingd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ pkcs_admin_slotd(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ plymouthd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ portage_run(cloud_init_t, system_r)
+ portage_run_fetch(cloud_init_t, system_r)
+ portage_run_gcc_config(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ portmap_run_helper(cloud_init_t, system_r)
+ portmap_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ portreserve_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ postfix_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ postfixpolicyd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ postgrey_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ppp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ prelude_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ privoxy_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ psad_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ puppet_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ pxe_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ pyzor_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ qpidd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ quantum_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ quota_run(cloud_init_t, system_r)
+ quota_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rabbitmq_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ radius_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ radvd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ raid_run_mdadm(system_r, cloud_init_t)
+ raid_admin_mdadm(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ redis_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ resmgr_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rhsmcertd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rkhunter_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rngd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rpc_admin(cloud_init_t, system_r)
+ rpc_domtrans_nfsd(cloud_init_t)
+')
+
+optional_policy(`
+ rpcbind_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rpm_run(cloud_init_t, system_r)
+ rpm_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rsync_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rtkit_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ rwho_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ samba_admin(cloud_init_t, system_r, system_r)
+ samba_run_smbcontrol(cloud_init_t, system_r)
+ samba_run_smbmount(cloud_init_t, system_r)
+ samba_run_net(cloud_init_t, system_r)
+ samba_run_winbind_helper(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ samhain_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ sanlock_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ sasl_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ sblim_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ sensord_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ setrans_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ setroubleshoot_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ shorewall_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ slpd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ smartmon_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ smokeping_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ smstools_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ snmp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ snort_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ soundserver_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ spamassassin_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ sssd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ stapserver_admin(cloud_init_t, system_r)
')
optional_policy(`
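Review bot: selinux_set_enforce_mode, selinux_set_all_booleans, selinux_set_parameters and seutil_run_semanage are granted unconditionally, while the far narrower non-security file management below them is gated behind cloudinit_manage_non_security; the ability to switch enforcing mode is the grant most worth gating, or at least explaining. If it is here purely because sysadm has it, a comment such as `# Mirrors sysadm: cloud-init can change enforcing mode and booleans` makes that visible to anyone deploying this policy on instances that consume untrusted userdata. Separately, raid_run_mdadm(system_r, cloud_init_t) is the only _run call in this hunk with the role first; if that matches raid.if's parameter order (it is the order I recall sysadm.te using), a short comment would save readers a double-take.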
@@ -126,13 +975,156 @@ optional_policy(`
')
optional_policy(`
+ svnserve_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ sysnet_run_ifconfig(cloud_init_t, system_r)
+ sysnet_run_dhcpc(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ sysstat_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ init_start_system(cloud_init_t)
+ init_stop_system(cloud_init_t)
+ init_reload(cloud_init_t)
init_get_system_status(cloud_init_t)
- init_start_all_units(cloud_init_t)
- init_stop_all_units(cloud_init_t)
- init_get_all_units_status(cloud_init_t)
+ init_manage_all_units(cloud_init_t)
+ init_manage_all_unit_files(cloud_init_t)
+ init_relabel_all_unit_files(cloud_init_t)
init_list_all_units(cloud_init_t)
systemd_exec_systemctl(cloud_init_t)
systemd_dbus_chat_hostnamed(cloud_init_t)
systemd_dbus_chat_logind(cloud_init_t)
+ systemd_list_journal_dirs(cloud_init_t)
+ systemd_read_journal_files(cloud_init_t)
+')
+
+optional_policy(`
+ tboot_run_txtstat(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ tcsd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ tftp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ tgtd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ tor_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ transproxy_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ tripwire_run_siggen(cloud_init_t, system_r)
+ tripwire_run_tripwire(cloud_init_t, system_r)
+ tripwire_run_twadmin(cloud_init_t, system_r)
+ tripwire_run_twprint(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ tzdata_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ udev_run_udevadm(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ ulogd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ unconfined_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ uptime_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ uucp_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ uuidd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ varnishd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ varnishd_admin_varnishlog(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ vdagent_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ vhostmd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ virt_admin(cloud_init_t, system_r)
+ virt_stream_connect(cloud_init_t)
+')
+
+optional_policy(`
+ vnstatd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ vpn_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ watchdog_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ wdmd_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ webalizer_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ wireguard_admin(cloud_init_t, system_r)
+ wireguard_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ vlock_run(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ zabbix_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ zarafa_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ zebra_admin(cloud_init_t, system_r)
+')
+
+optional_policy(`
+ zfs_admin(cloud_init_t, system_r)
')
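Review bot: unconfined_run(cloud_init_t, system_r) lets cloud_init_t transition into the unconfined domain, so on any build with the unconfined module loaded the many narrower *_admin grants in this file become secondary. This mirrors the optional block sysadm has and so fits the commit's intent, but it deserves a comment stating that, e.g. `# As for sysadm: with the unconfined module loaded, userdata can run unconfined`. Also, the vlock_run block is filed between wireguard and zabbix rather than in alphabetical order with the other v* blocks.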
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index 7dd671cb4..7efcf71de 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -52,11 +52,13 @@ ifdef(`distro_redhat',`
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+/var/cache/t?dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/t?dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
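Review bot: The new `/var/lib/t?dnf(/.*)?` entry already matches /var/lib/dnf, so the pre-existing `/var/lib/dnf(/.*)?` line two lines above it is now redundant; both assign rpm_var_lib_t, so there is no conflict, but one of them should go. Keeping only the t?dnf form, or listing dnf and tdnf as two explicit entries, makes the intended coverage obvious to the next reader.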
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 8223fd544..2edb437ed 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -46,9 +46,19 @@ init_unit_file(rpm_unit_t)
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
+optional_policy(`
+ # delete locks
+ systemd_tmpfilesd_managed(rpm_var_lib_t)
+')
+
type rpm_var_cache_t;
files_type(rpm_var_cache_t)
+optional_policy(`
+ # delete locks
+ systemd_tmpfilesd_managed(rpm_var_cache_t)
+')
+
type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
@@ -90,6 +100,7 @@ allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(rpm_t, rpm_log_t, file)
+allow rpm_t rpm_tmp_t:dir watch;
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
@@ -101,6 +112,7 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow rpm_t rpm_var_cache_t:dir watch;
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
@@ -211,6 +223,8 @@ seutil_read_file_contexts(rpm_t)
userdom_use_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
+userdom_watch_user_runtime_dirs(rpm_t)
+userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir)
ifdef(`init_systemd', `
systemd_use_logind_fds(rpm_t)
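Review bot: userdom_user_runtime_root_filetrans_user_runtime(rpm_t, dir) gives rpm_t a name transition for directories it creates under the user runtime root, and the same call is added for rpm_script_t in a later hunk, but neither carries a comment saying which operation creates those directories. A one-line why-comment on each, e.g. `# creates a user runtime dir during package installs — TODO confirm which tool`, would keep this from reading as an accidental grant. I cannot tell the trigger from the diff.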
@@ -335,7 +349,7 @@ term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
term_use_all_terms(rpm_script_t)
-auth_dontaudit_getattr_shadow(rpm_script_t)
+auth_dontaudit_read_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
init_domtrans_script(rpm_script_t)
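Review bot: Widening the rpm_script_t shadow dontaudit from getattr to read means a package scriptlet that opens /etc/shadow is still denied but leaves no audit record, which is exactly the event a host owner would want to see. If the noise comes from a known scriptlet probing the file, consider keeping the suppression at getattr or documenting the trigger, e.g. `# <scriptlet> opens shadow during post-install; denial is harmless — TODO confirm`. The diff does not show what produced the denial.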
@@ -358,6 +372,7 @@ seutil_run_setfiles(rpm_script_t, rpm_roles)
seutil_run_semanage(rpm_script_t, rpm_roles)
userdom_use_all_users_fds(rpm_script_t)
+userdom_user_runtime_root_filetrans_user_runtime(rpm_script_t, dir)
ifdef(`distro_redhat',`
optional_policy(`
@@ -400,11 +415,12 @@ optional_policy(`
')
optional_policy(`
- udev_domtrans(rpm_script_t)
+ udev_run_udevadm(rpm_script_t, rpm_roles)
')
optional_policy(`
unconfined_domtrans(rpm_script_t)
+ unconfined_write_inherited_pipes(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index b56e3a852..55e174cce 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -263,6 +263,10 @@ optional_policy(`
')
optional_policy(`
+ cloudinit_write_inherited_tmp_files(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(groupadd_t)
')
@@ -291,7 +295,7 @@ optional_policy(`
')
optional_policy(`
- unconfined_use_fds(groupadd_t)
+ unconfined_write_inherited_pipes(groupadd_t)
')
########################################
@@ -475,7 +479,7 @@ optional_policy(`
#
allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:capability { net_admin sys_ptrace sys_tty_config };
dontaudit useradd_t self:cap_userns sys_ptrace;
allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow useradd_t self:fd use;
@@ -572,6 +576,10 @@ optional_policy(`
')
optional_policy(`
+ cloudinit_write_inherited_tmp_files(useradd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(useradd_t)
')
@@ -618,5 +626,5 @@ ifdef(`distro_gentoo',`
')
optional_policy(`
- unconfined_use_fds(useradd_t)
+ unconfined_write_inherited_pipes(useradd_t)
')
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index f5477977e..dcbabf6b0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -813,6 +813,31 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
+######################################
+## <summary>
+## Execute the ssh key generator in the ssh keygen domain,
+## and allow the specified role the ssh keygen domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_run_keygen',`
+ gen_require(`
+ type ssh_keygen_t;
+ ')
+
+ ssh_domtrans_keygen($1)
+ role $2 types ssh_keygen_t;
+')
+
########################################
## <summary>
## Read ssh server keys
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index d72272953..d5e090c28 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -201,6 +201,11 @@ optional_policy(`
')
optional_policy(`
+ cloudinit_rw_tmp_files(fsadm_t)
+ cloudinit_create_tmp_files(fsadm_t)
+')
+
+optional_policy(`
container_read_device_blk_files(fsadm_t)
')
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 44e3fcc2a..3e4192eb4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3878,6 +3878,26 @@ interface(`init_manage_all_unit_files',`
manage_lnk_files_pattern($1, systemdunit, systemdunit)
')
+########################################
+## <summary>
+## Relabel from and to systemd unit types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_all_unit_files',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ list_dirs_pattern($1, systemdunit, systemdunit)
+ read_lnk_files_pattern($1, systemdunit, systemdunit)
+ relabel_files_pattern($1, systemdunit, systemdunit)
+')
+
#########################################
## <summary>
## Associate the specified domain to be a domain whose
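Review bot: The summary `Relabel from and to systemd unit types.` on init_relabel_all_unit_files is broader than the body: relabel_files_pattern grants relabelfrom/relabelto on files only, while the systemdunit dirs get list access and the symlinks get read access, neither of which includes relabel. Suggest `## Relabel files from and to all systemd unit types.` so a caller that needs to relabel unit directories or symlinks does not assume this interface covers them.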
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index acc874b59..82130ecd0 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -220,6 +220,7 @@ optional_policy(`
')
optional_policy(`
+ unconfined_write_inherited_pipes(load_policy_t)
# leaked file descriptors
unconfined_dontaudit_read_pipes(load_policy_t)
')
@@ -537,6 +538,10 @@ term_use_all_terms(semanage_t)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
+# Python module compilations
+libs_dontaudit_manage_lib_dirs(semanage_t)
+libs_dontaudit_manage_lib_files(semanage_t)
+
logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index c54600c4f..28f0ad089 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1338,7 +1338,7 @@ interface(`systemd_write_logind_runtime_pipes',`
init_search_run($1)
files_search_runtime($1)
- allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
+ allow $1 systemd_logind_runtime_t:fifo_file write_fifo_file_perms;
')
######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 156aeb88a..6d07466e6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -530,7 +530,7 @@ init_rename_runtime_files(systemd_generator_t)
init_search_runtime(systemd_generator_t)
init_setattr_runtime_files(systemd_generator_t)
init_write_runtime_files(systemd_generator_t)
-init_list_unit_dirs(systemd_generator_t)
+init_list_all_units(systemd_generator_t)
init_read_generic_units_files(systemd_generator_t)
init_read_generic_units_symlinks(systemd_generator_t)
init_read_script_files(systemd_generator_t)
@@ -563,7 +563,7 @@ ifdef(`distro_gentoo',`
optional_policy(`
cloudinit_create_runtime_dirs(systemd_generator_t)
- cloudinit_write_runtime_files(systemd_generator_t)
+ cloudinit_rw_runtime_files(systemd_generator_t)
cloudinit_create_runtime_files(systemd_generator_t)
cloudinit_filetrans_runtime(systemd_generator_t, dir, "cloud-init")
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 4d708f977..6e24d515f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -455,6 +455,8 @@ kernel_dontaudit_getattr_proc(udevadm_t)
kernel_read_kernel_sysctls(udevadm_t)
kernel_read_system_state(udevadm_t)
+selinux_use_status_page(udevadm_t)
+
seutil_read_file_contexts(udevadm_t)
storage_getattr_fixed_disk_dev(udevadm_t)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 2c01ef07d..658fc2218 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -388,6 +388,25 @@ interface(`unconfined_read_pipes',`
########################################
## <summary>
+## Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_write_inherited_pipes',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:fd use;
+ allow $1 unconfined_t:fifo_file write_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
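Review bot: The summary on the new unconfined_write_inherited_pipes interface reads `Read unconfined domain unnamed pipes.`, but the body grants `fd use` and fifo_file write_inherited_fifo_file_perms, i.e. write access; the line appears to have been carried over from the neighbouring unconfined_read_pipes. Change it to `## Write unconfined domain unnamed pipes inherited from unconfined processes.`. Because the interface also grants fd use, it subsumes unconfined_use_fds for its callers (the usermanage.te hunk in this commit makes exactly that swap); a `<desc>` paragraph stating that would save the next caller from granting both.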
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 967c78afd..aadbe34c3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3678,6 +3678,25 @@ interface(`userdom_manage_user_runtime_dirs',`
########################################
## <summary>
+## Watch user runtime dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_watch_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir watch;
+ userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
## Mount a filesystem on user runtime dir
## directories.
## </summary>
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 19368500d..6940e3563 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -199,6 +199,7 @@ define(`getattr_fifo_file_perms',`{ getattr }')
define(`setattr_fifo_file_perms',`{ setattr }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+define(`write_inherited_fifo_file_perms',`{ getattr write append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
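Review bot: The new `write_inherited_fifo_file_perms` is not reused by `write_fifo_file_perms` on the following line, whereas the existing `rw_fifo_file_perms` is built as `{ open rw_inherited_fifo_file_perms }` on top of its inherited set. Defining it the same way keeps the two write sets from drifting apart: `define(`write_fifo_file_perms',`{ open write_inherited_fifo_file_perms }')`. The expanded set is identical to the current `{ getattr open write append lock ioctl }`, so no rule changes meaning.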