

Issue OwlCyberDefense#86: Get CLIP RHEL7 booting in Enforcing
- Pull in @csmith-tresys's additional interfaces and policy
- Separate systemd-service forks into their own contexts
- Use existing policy for the following:
	contrib/readahead (systemd-readahead)
	contrib/shutdown (systemd-shutdown)
	system/fstools (systemd-fsck)
	system/hostname (systemd-hostname)
	system/logging (systemd-journald)
- Add some file_contexts.subs_dist mappings
- Label some unlabeled files
- Make semanage_t an init_system_domain, so initrc_t can transition to semanage
and run genhomedircon.
- Begin labeling unit files
mpalmi committed Feb 13, 2015
1 parent 021fda6 commit 5c8194f
Showing 35 changed files with 615 additions and 60 deletions.
28 changes: 16 additions & 12 deletions kickstart/clip-rhel7/clip-rhel7.ks
Expand Up @@ -124,6 +124,7 @@ perl
policycoreutils
policycoreutils-newrole
policycoreutils-python
policycoreutils-sandbox
procps
rootfiles
rpm
Expand Down Expand Up @@ -211,15 +212,15 @@ yum
#CONFIG-BUILD-PLACEHOLDER
export PATH="/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/bin"
if [ x"$CONFIG_BUILD_LIVE_MEDIA" != "y" ]; then
exec >/root/clip_post_install.log 2>&1
exec >/tmp/clip_post_install.log 2>&1
# Print the log to tty7 so that the user know what's going on
/usr/bin/tail -f /root/clip_post_install.log >/dev/tty7 &
/usr/bin/tail -f /tmp/clip_post_install.log >/dev/tty7 &
TAILPID=$!
chvt 7
fi
echo "Installation timestamp: `date`" > /root/clip-info.txt
echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
echo "Installation timestamp: `date`" > /tmp/clip-info.txt
echo "#CONFIG-BUILD-PLACEHOLDER" >> /tmp/clip-info.txt
# FIXME: Change the username and password.
# If a hashed password is specified it will be used
Expand All @@ -243,11 +244,14 @@ HASHED_PASSWORD='$6$314159265358$ytgatj7CAZIRFMPbEanbdi.krIJs.mS9N2JEl0jkPsCvtwC
# USERNAME and PASSWORD values defined a few lines above.
#
# Don't get lost in the 'if' statement - basically map $USERNAME to the unconfined toor_r:toor_t role if it is enabled.
echo "$CONFIG_BUILD_UNCONFINED_TOOR" > /tmp/test_var.log
if [ x"$CONFIG_BUILD_UNCONFINED_TOOR" == "xy" ]; then
/usr/sbin/semanage user -a -R toor_r -R staff_r -R sysadm_r "${USERNAME}_u"
/usr/sbin/semanage user -a -R toor_r -R staff_r -R sysadm_r "${USERNAME}_u"
else
/usr/sbin/semanage user -a -R staff_r -R sysadm_r "${USERNAME}_u" || /usr/sbin/semanage user -a -R staff_r "${USERNAME}_u"
fi
/sbin/useradd -m "$USERNAME" -G wheel -Z "${USERNAME}_u"
if [ x"$HASHED_PASSWORD" == "x" ]; then
Expand All @@ -260,13 +264,13 @@ fi
# Remove sshd and dhclient if it in a production build
if [ x"$CONFIG_BUILD_PRODUCTION" == "xy" ]; then
/bin/echo "Removing sshd and dhclient from the system"
/bin/rpm -e openssh openssh-clients openssh-server dhclient
/bin/echo "Removing sshd and dhclient from the system"
/bin/rpm -e openssh openssh-clients openssh-server dhclient
fi
# Allow pulling of logs in a debug build
if [ x"$CONFIG_BUILD_PRODUCTION" != "xy" ]; then
/bin/chmod -R 655 /var/log/audit
/bin/chmod -R 655 /var/log
fi
# Add the user to sudoers and setup an SELinux role/type transition.
Expand Down Expand Up @@ -295,8 +299,8 @@ fi
# Set permissive mode
export POLNAME=`sestatus |awk '/Loaded policy name:/ { print $4; }'`
if [ x"$CONFIG_BUILD_ENFORCING_MODE" != "xy" ]; then
echo "Setting permissive mode..."
echo -e "#THIS IS A DEBUG BUILD HENCE SELINUX IS IN PERMISSIVE MODE\nSELINUX=permissive\nSELINUXTYPE=$POLNAME\n" > /etc/selinux/config
echo "Setting permissive mode..."
echo -e "#THIS IS A DEBUG BUILD HENCE SELINUX IS IN PERMISSIVE MODE\nSELINUX=permissive\nSELINUXTYPE=$POLNAME\n" > /etc/selinux/config
echo "WARNING: This is a debug build in permissive mode. DO NOT USE IN PRODUCTION!" >> /etc/motd
# This line is used to make policy development easier. It disables the "setfiles" check used by
# semodule/semanage that prevents transactions containing invalid and dupe fc entries from rolling forward.
Expand Down Expand Up @@ -332,8 +336,8 @@ fi
#CONFIG-BUILD-PLACEHOLDER
if [ x"$CONFIG_BUILD_PRODUCTION" == "xy" ]; then
/bin/echo "Deleting anaconda-ks.cfg as this is a production build" >> /mnt/sysimage/root/clip_post_install.log
/bin/rm /mnt/sysimage/root/anaconda-ks.cfg
/bin/echo "Deleting anaconda-ks.cfg as this is a production build" >> /mnt/sysimage/root/clip_post_install.log
/bin/rm /mnt/sysimage/root/anaconda-ks.cfg
fi
%end
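Review bot: The post-install log and clip-info.txt are moved from /root to /tmp (the `exec >/tmp/clip_post_install.log` and `/tmp/clip-info.txt` lines), but the later production hunk still appends to `/mnt/sysimage/root/clip_post_install.log`, so that "Deleting anaconda-ks.cfg" message lands in a file this script no longer writes and the real log never records the deletion. If /tmp here is the installed system's /tmp, the installation timestamp in clip-info.txt will also not survive tmp cleanup the way it did under /root; if the move is about /root's label under enforcing, writing to the original paths and running restorecon on the two files afterwards keeps them where the rest of the build expects them. The `echo "$CONFIG_BUILD_UNCONFINED_TOOR" > /tmp/test_var.log` line above the toor check reads as leftover debugging and should be dropped. The enclosing %post section starts before the first hunk.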
Binary file removed packages/clip-selinux-policy/20140512.zip
5 changes: 3 additions & 2 deletions packages/clip-selinux-policy/clip-selinux-policy.spec
Expand Up @@ -128,7 +128,7 @@ fi

%define loadpolicy() \
. %{_sysconfdir}/selinux/config; \
( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 ); \
( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 | /bin/tee /tmp/load_policy.log ); \

%define relabel() \
. %{_sysconfdir}/selinux/config; \
Expand Down Expand Up @@ -246,12 +246,13 @@ Based off of reference policy refpolicy-2.20110726.tar.bz2
packages=`cat /usr/share/selinux/clip/modules.lst`
if [ $1 -eq 1 ]; then
%loadpolicy clip $packages
restorecon -R /root /var/log /var/run 2> /dev/null
restorecon -R /root /var/log /var/run
else
# semodule -n -s clip 2>/dev/null
%loadpolicy clip $packages
%relabel clip
fi

touch /.autorelabel
exit 0

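Review bot: In the rebuilt `loadpolicy` macro the pipeline's exit status is tee's, so a failing `semodule` no longer surfaces to the caller, and because the scriptlet ends in `exit 0` the only evidence of a broken policy load is now the log file. That log is a fixed, root-written path under /tmp that any local user can pre-create or symlink before the package is installed; writing it under `%{_localstatedir}/log` instead avoids the predictable-path problem without changing the macro's shape. If the exit status matters to anyone reading the log, redirect semodule's output to the file with `>` and `cat` it afterwards, which keeps semodule's own status on the line that runs it.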
5 changes: 0 additions & 5 deletions packages/clip-selinux-policy/clip-selinux-policy/Makefile
Expand Up @@ -181,11 +181,6 @@ ifeq "$(TYPE)" "mcs"
gennetfilter += -c
endif

# enable systemd policy
ifeq "$(INIT)" "systemd"
M4PARAM += -D init_systemd
endif

# enable distribution-specific policy
ifneq ($(DISTRO),)
M4PARAM += -D distro_$(DISTRO)
Expand Up @@ -27,7 +27,7 @@ NAME = refpolicy
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
#DISTRO = redhat
DISTRO = redhat

# Unknown Permissions Handling
# The behavior for handling permissions defined in the
Expand Up @@ -9,6 +9,7 @@
# example, but aliasing.
#
/etc/init.d /etc/rc.d/init.d
/etc/systemd/system /usr/lib/systemd/system
/lib/systemd /usr/lib/systemd
/lib32 /lib
/lib64 /lib
Expand All @@ -20,3 +21,5 @@
/usr/local/lib64 /usr/lib
/usr/local/lib /usr/lib
/var/run/lock /var/lock
/usr/bin /bin
/usr/sbin /sbin
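Review bot: The added `/usr/bin /bin` and `/usr/sbin /sbin` substitutions rewrite a path before file-context matching, so a binary under /usr/sbin is now matched against `/sbin/...` rules only; any rule that exists solely in its /usr/sbin form — `/usr/sbin/readahead.*` in readahead.fc, and the `/usr/sbin/chronyd`, `/usr/sbin/dhcpd.*` and `/usr/sbin/firewalld` lines this commit keeps next to their new /sbin twins — can no longer match anything. As far as I can tell this is the opposite direction from the existing `/lib/systemd /usr/lib/systemd` line above and from RHEL 7's own policy, which maps `/bin /usr/bin` and `/sbin /usr/sbin` so that the /usr form stays canonical; flipping these two lines would keep the retained /usr/sbin rules live and avoid having to add /sbin twins across the tree. The `/etc/systemd/system /usr/lib/systemd/system` line makes admin-created unit files in /etc take whatever the vendor-unit rules assign, which may be what "Begin labeling unit files" intends, but /etc/systemd/system is a real directory rather than a symlink, so a comment above it stating that intent is warranted.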
Expand Up @@ -1007,7 +1007,7 @@ cgroup = off
#
# Chrony NTP background daemon
#
chronyd = off
chronyd = module

# Layer: services
# Module: cipe
Expand Down Expand Up @@ -1147,7 +1147,7 @@ dbskk = off
#
# Desktop messaging bus
#
dbus = off
dbus = module

# Layer: services
# Module: dcc
Expand Down Expand Up @@ -1182,7 +1182,7 @@ devicekit = off
#
# Dynamic host configuration protocol (DHCP) server
#
dhcp = off
dhcp = module

# Layer: services
# Module: dictd
Expand Down Expand Up @@ -2351,6 +2351,12 @@ hotplug = off
#
init = base

# Layer: system
# Module: systemd
#
# Policy for systemd
systemd = base

# Layer: system
# Module: ipsec
#
Expand Down Expand Up @@ -2491,3 +2497,9 @@ userdomain = base
#
xen = off

# Layer: contrib
# Module: firewalld
#
# Policy for firewalld.
firewalld = module
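Review bot: `systemd = base` is added here while the Makefile hunk in this commit removes the `ifeq "$(INIT)" "systemd"` block that passed `-D init_systemd`; if nothing else in the tree defines it, the init_systemd branches in the init policy stay off even though the systemd module is now built into base, which is easy to miss when the goal is booting in enforcing. If the define now comes from build.conf (its INIT line is outside the build.conf hunk shown), a one-line comment above `systemd = base` saying so would stop the next reader from chasing it. The new `firewalld` entry is appended after `xen` and the `systemd` entry sits between `init` and `ipsec`, whereas the neighbouring entries are alphabetical within a layer; placing both in order keeps the file greppable the way the rest of it is.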

Expand Up @@ -2,6 +2,8 @@

/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)

/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)

/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)

/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
Expand Up @@ -33,11 +33,17 @@ files_pid_file(chronyd_var_run_t)
#

allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
#uncomment this if it works after testing in enforcing
#dontaudit chronyd_t self:capability fsetid;
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;

allow chronyd_t chronyd_keys_t:file read_file_perms;
# allow chronyd to create key if not present
allow chronyd_t chronyd_keys_t:file append_file_perms;
# allow chronyd to change perms to not be world readable
allow chronyd_t chronyd_keys_t:file setattr_file_perms;

manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
Expand All @@ -61,6 +67,10 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })

kernel_read_system_state(chronyd_t)
kernel_read_network_state(chronyd_t)
kernel_read_crypto_sysctls(chronyd_t)

dev_read_rand(chronyd_t)
dev_read_urand(chronyd_t)

corenet_all_recvfrom_unlabeled(chronyd_t)
corenet_all_recvfrom_netlabel(chronyd_t)
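Review bot: `allow chronyd_t chronyd_keys_t:file append_file_perms;` does not do what its comment claims: in refpolicy `append_file_perms` is `{ getattr open append lock ioctl }` and carries no `create`, so a missing key file still cannot be created by chronyd. If creation is really needed the rule has to be a create pattern plus a file transition into chronyd_keys_t; if it is not, the comment should read `# allow chronyd to append to its key file`. The commented-out `dontaudit chronyd_t self:capability fsetid;` under "#uncomment this if it works after testing in enforcing" is a TODO left in shipped policy; either test it now or track it elsewhere, since dead `#` rules in .te files tend to outlive their reason. The chronyd_t rule block continues outside the hunk.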
@@ -1,8 +1,13 @@
/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)

/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)

/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)

/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)

/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)

@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)

/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)

/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)

/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
Expand Up @@ -2,7 +2,9 @@

/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)

/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)

/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)

/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)

Expand Up @@ -2,6 +2,8 @@

/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)

/usr/lib/systemd/systemd-readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)

/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)

/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
Expand Up @@ -6,6 +6,8 @@

/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)

/usr/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)

/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)

/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
Expand Up @@ -234,7 +234,6 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/systemd/systemd-random-seed -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
Expand Up @@ -3871,6 +3871,24 @@ interface(`dev_associate_sysfs',`
allow $1 sysfs_t:filesystem associate;
')

########################################
## <summary>
## Relabel sysfs dirs.
## </summary>
## <param name="file_type">
## <summary>
## The type of the file to be allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_dir_sysfs',`
gen_require(`
type sysfs_t;
')

relabel_dirs_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
## Get the attributes of sysfs directories.
Expand Down Expand Up @@ -4969,3 +4987,22 @@ interface(`dev_unconfined',`

typeattribute $1 devices_unconfined_type;
')


#######################################
## <summary>
## Relabel to usb device character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabelto_usb_device_chr_files',`
gen_require(`
type device_t;
')

allow $1 device_t:chr_file relabelfrom;
')
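Review bot: `dev_relabelto_usb_device_chr_files` grants `relabelfrom` on `device_t`, which is neither the permission nor the type its name and summary ("Relabel to usb device character device files") describe, so a caller using it to relabel a USB node into a usb type will still be denied `relabelto`. If the generic device type is intended, the interface should be named for relabelfrom and device_t; if USB is intended, refpolicy's type is `usb_device_t` and the body would be `type usb_device_t;` in the require block and `allow $1 usb_device_t:chr_file relabelto;`. In `dev_relabel_dir_sysfs` the parameter is named `file_type` and documented as "The type of the file to be allowed access" although `$1` is the subject of `relabel_dirs_pattern`, so it should be `domain` with "Domain allowed access." like the other interfaces in this file; the second header ruler also has one `#` fewer than the surrounding ones.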

