Get CLIP RHEL7 Booting in Enforcing

[mpalmi]

The first step in addressing #4 is to get CLIP booting in Enforcing.

With the new systemd architecture, there are some significant changes to the way processes spawn.
We will need to pull in Chris PeBenito's changes to the RHEL7 updates to refpolicy (https://github.com/pebenito/refpolicy), specifically the following commits:

• pebenito/refpolicy@0872c57 -> adding to the list of permissions for the service class,
  add service class to security classes, update various init module interfaces with ifdefs for init_systemd
• pebenito/refpolicy@e56024d -> allow dynamic transition from kernel domain to init for ifdef
  init_systemd
• pebenito/refpolicy@505158a -> On Debian, systemd binaries are installed in / not /usr
• pebenito/refpolicy@c93002d -> Drop bin_t label for /lib/systemd/systemd.*
• pebenito/refpolicy@9896345 -> Merge pull request Revert "Map environment variables into XCCDF and modify aqueduct scripts... #1 from bigon/systemd
• pebenito/refpolicy@5227336 -> More systemd apps cleanup
• pebenito/refpolicy@9f1fc53 -> Run the misc initializations that systemd does in initrc_t

From there, it is a matter of typical policy development. Gather denials, write policy, wash, rinse, repeat.

---

As of 4/22, we are able to boot in Enforcing with several permissive domains:
tomhurd/clip@646f163
tomhurd/clip@498ddcd

We really only need a subset of these to be permissive, however:

• kernel_t
• initrc_t
• init_t
• syslogd_t
• lvm_t
• udev_t

The future efforts will be driven by pulling all domains out of permissive, but for the sake of getting CLIP booting in Enforcing, the following are the priority:

• Resolve kernel denials #126 - Pull kernel_t out of Permissive
• Resolve initrc_t denials #127 - Pull initrc_t out of Permissive
• Resolve init denials #118 - Pull init_t out of Permissive
• Resolve syslogd_t denials #129 - Pull syslogd_t out of Permissive
• Resolve lvm_t denials #128 - Pull lvm_t out of Permissive
• Resolve udev_t denials #130 - Pull udev_t out of Permissive

To get CLIP cleanly booting in Enforcing, the following will need to be done as well:

• Resolve insmod_t denials #132 - Pull insmod_t out of Permissive.
• Resolve local_login_t denials #131 - Pull local_login_t out of Permissive
• Resolve systemd_tmpfiles_t denials #150 - Pull systemd_tmpfiles out of Permissive

Some nice-to-haves (not necessarily needed to get CLIP booting in Enforcing):

• Resolve toor_t denials #134 - Pull toor_t out of Permissive
• Resolve ssh[d]_keygen_t denials #135 - Pull sshd_keygen_t out of Permissive

[mpalmi]

Rather than cherry-pick commits, we have updated the base refpolicy to pebenito/refpolicy@5fd2953

Further development is being done on top of this to get CLIP booting in Enforcing.

[ghost]

@mpalmi please assign a time estimate label for this issue.

[mpalmi]

We are currently able to boot in Enforcing, using several permissive domains.
The future tasks will be focused on taking these domains out of permissive.

See:
tomhurd/clip@646f163
tomhurd/clip@498ddcd

[mpalmi]

Though we're booting in Enforcing, there are still some lingering denials.
Attached are the errors that are seen on boot

Potentially related to denials seen in:
#118
#130
#164
#126
#128

[tomhurd]

The /lib/systemd/rhel-autorelabel problem is related to issue #127.

I expect the contexts that aren't valid are from rhel targeted policy and not in the clip policy.

[mpalmi]

Closing the master ticket for now, even though all subtickets are not completely resolved. Will open future tickets to fix issues found in testing.