Issue OwlCyberDefense#86: Get CLIP RHEL7 booting in Enforcing

- Pull in @csmith-tresys's additional interfaces and policy
- Separate systemd-service forks into their own contexts
- Use existing policy for the following:
	contrib/readahead (systemd-readahead)
	contrib/shutdown (systemd-shutdown)
	system/fstools (systemd-fsck)
	system/hostname (systemd-hostname)
	system/logging (systemd-journald)
- Add some file_contexts.subs_dist mappings
- Label some unlabeled files
- Make semanage_t an init_system_domain, so initrc_t can transition to semanage
and run genhomedircon.
- Begin labeling unit files

packages/clip-selinux-policy/clip-selinux-policy.spec

@@ -128,7 +128,7 @@ fi
 
 %define loadpolicy() \
 . %{_sysconfdir}/selinux/config; \
-( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 ); \
+( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 | /bin/tee /tmp/load_policy.log ); \
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
@@ -246,12 +246,13 @@ Based off of reference policy refpolicy-2.20110726.tar.bz2
 packages=`cat /usr/share/selinux/clip/modules.lst`
 if [ $1 -eq 1 ]; then
    %loadpolicy clip $packages
-   restorecon -R /root /var/log /var/run 2> /dev/null
+   restorecon -R /root /var/log /var/run
 else
 #   semodule -n -s clip 2>/dev/null
    %loadpolicy clip $packages
    %relabel clip
 fi
+
 touch /.autorelabel
 exit 0
 

packages/clip-selinux-policy/clip-selinux-policy/Makefile

@@ -181,11 +181,6 @@ ifeq "$(TYPE)" "mcs"
 	gennetfilter += -c
 endif
 
-# enable systemd policy
-ifeq "$(INIT)" "systemd"
-        M4PARAM += -D init_systemd
-endif
-
 # enable distribution-specific policy
 ifneq ($(DISTRO),)
 	M4PARAM += -D distro_$(DISTRO)

packages/clip-selinux-policy/clip-selinux-policy/build.conf

@@ -27,7 +27,7 @@ NAME = refpolicy
 # for the distribution.
 # redhat, gentoo, debian, suse, and rhel4 are current options.
 # Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = redhat
 
 # Unknown Permissions Handling
 # The behavior for handling permissions defined in the

packages/clip-selinux-policy/clip-selinux-policy/config/file_contexts.subs_dist

@@ -9,6 +9,7 @@
 # example, but aliasing.
 # 
 /etc/init.d /etc/rc.d/init.d
+/etc/systemd/system /usr/lib/systemd/system
 /lib/systemd /usr/lib/systemd
 /lib32 /lib
 /lib64 /lib
@@ -20,3 +21,5 @@
 /usr/local/lib64 /usr/lib
 /usr/local/lib /usr/lib
 /var/run/lock /var/lock
+/usr/bin /bin
+/usr/sbin /sbin

packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf

@@ -1007,7 +1007,7 @@ cgroup = off
 #
 # Chrony NTP background daemon
 # 
-chronyd = off
+chronyd = module
 
 # Layer: services
 # Module: cipe
@@ -1147,7 +1147,7 @@ dbskk = off
 #
 # Desktop messaging bus
 # 
-dbus = off
+dbus = module
 
 # Layer: services
 # Module: dcc
@@ -1182,7 +1182,7 @@ devicekit = off
 #
 # Dynamic host configuration protocol (DHCP) server
 # 
-dhcp = off
+dhcp = module
 
 # Layer: services
 # Module: dictd
@@ -2351,6 +2351,12 @@ hotplug = off
 # 
 init = base
 
+# Layer: system
+# Module: systemd
+# 
+# Policy for systemd
+systemd = base
+
 # Layer: system
 # Module: ipsec
 #
@@ -2491,3 +2497,9 @@ userdomain = base
 # 
 xen = off
 
+# Layer: contrib
+# Module: firewalld
+#
+# Policy for firewalld.
+firewalld = module
+

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.fc

@@ -2,6 +2,8 @@
 
 /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
 
+/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
+
 /usr/sbin/chronyd	--	gen_context(system_u:object_r:chronyd_exec_t,s0)
 
 /var/lib/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_lib_t,s0)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/chronyd.te

@@ -33,11 +33,17 @@ files_pid_file(chronyd_var_run_t)
 #
 
 allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+#uncomment this if it works after testing in enforcing
+#dontaudit chronyd_t self:capability fsetid;
 allow chronyd_t self:process { getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
 
 allow chronyd_t chronyd_keys_t:file read_file_perms;
+# allow chronyd to create key if not present
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+# allow chronyd to change perms to not be world readable
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
 
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
 manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -61,6 +67,10 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)
+kernel_read_crypto_sysctls(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
 
 corenet_all_recvfrom_unlabeled(chronyd_t)
 corenet_all_recvfrom_netlabel(chronyd_t)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/cron.fc

@@ -1,8 +1,13 @@
+/bin/(f)?crontab	--	gen_context(system_u:object_r:crontab_exec_t,s0)
+
 /etc/rc\.d/init\.d/(anacron|atd)	--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
 
 /etc/cron\.d(/.*)?	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /etc/crontab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 
+/sbin/anacron	--	gen_context(system_u:object_r:anacron_exec_t,s0)
+/sbin/cron(d)?	--	gen_context(system_u:object_r:crond_exec_t,s0)
+
 /usr/bin/at	--	gen_context(system_u:object_r:crontab_exec_t,s0)
 /usr/bin/(f)?crontab	--	gen_context(system_u:object_r:crontab_exec_t,s0)
 

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/dhcp.fc

@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/dhcpd(6)?	--	gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
 
+/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
+
 /usr/sbin/dhcpd.*	--	gen_context(system_u:object_r:dhcpd_exec_t,s0)
 
 /var/lib/dhcpd(/.*)?	gen_context(system_u:object_r:dhcpd_state_t,s0)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/firewalld.fc

@@ -2,7 +2,9 @@
 
 /etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
 
-/usr/sbin/firewalld	--	gen_context(system_u:object_r:firewalld_exec_t,s0)
+/sbin/firewalld	--	gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/usr/sbin/firewalld	    --	gen_context(system_u:object_r:firewalld_exec_t,s0)
 
 /var/log/firewalld.*	--	gen_context(system_u:object_r:firewalld_var_log_t,s0)
 

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc

@@ -2,6 +2,8 @@
 
 /usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 
+/usr/lib/systemd/systemd-readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
 /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
 
 /var/run/readahead.*	gen_context(system_u:object_r:readahead_var_run_t,s0)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc

@@ -6,6 +6,8 @@
 
 /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 
+/usr/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
 /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 
 /var/run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/corecommands.fc

@@ -234,7 +234,6 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/lib/systemd/systemd-random-seed -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vte/gnome-pty-helper	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/devices.if

@@ -3871,6 +3871,24 @@ interface(`dev_associate_sysfs',`
 	allow $1 sysfs_t:filesystem associate;
 ')
 
+########################################
+## <summary>
+##	Relabel sysfs dirs.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	The type of the file to be allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_dir_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of sysfs directories.
@@ -4969,3 +4987,22 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+
+#######################################
+## <summary>
+##      Relabel to usb device character device files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_relabelto_usb_device_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:chr_file relabelfrom;
+')