

Issue OwlCyberDefense#86: Get CLIP RHEL7 booting in Enforcing
- Pull in @csmith-tresys's additional interfaces and policy
- Separate systemd-service forks into their own contexts
- Use existing policy for the following:
	contrib/readahead (systemd-readahead)
	contrib/shutdown (systemd-shutdown)
	system/fstools (systemd-fsck)
	system/hostname (systemd-hostname)
	system/logging (systemd-journald)
- Give systemd-utmp can_relabelto_binary_policy to clear up constraints
mpalmi committed Feb 4, 2015
1 parent 6df6d99 commit a2ffde1
Showing 26 changed files with 500 additions and 53 deletions.
28 changes: 16 additions & 12 deletions kickstart/clip-rhel7/clip-rhel7.ks
Expand Up @@ -124,6 +124,7 @@ perl
policycoreutils
policycoreutils-newrole
policycoreutils-python
policycoreutils-sandbox
procps
rootfiles
rpm
Expand Down Expand Up @@ -211,15 +212,15 @@ yum
#CONFIG-BUILD-PLACEHOLDER
export PATH="/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/bin"
if [ x"$CONFIG_BUILD_LIVE_MEDIA" != "y" ]; then
exec >/root/clip_post_install.log 2>&1
exec >/tmp/clip_post_install.log 2>&1
# Print the log to tty7 so that the user know what's going on
/usr/bin/tail -f /root/clip_post_install.log >/dev/tty7 &
/usr/bin/tail -f /tmp/clip_post_install.log >/dev/tty7 &
TAILPID=$!
chvt 7
fi
echo "Installation timestamp: `date`" > /root/clip-info.txt
echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
echo "Installation timestamp: `date`" > /tmp/clip-info.txt
echo "#CONFIG-BUILD-PLACEHOLDER" >> /tmp/clip-info.txt
# FIXME: Change the username and password.
# If a hashed password is specified it will be used
Expand All @@ -243,11 +244,14 @@ HASHED_PASSWORD='$6$314159265358$ytgatj7CAZIRFMPbEanbdi.krIJs.mS9N2JEl0jkPsCvtwC
# USERNAME and PASSWORD values defined a few lines above.
#
# Don't get lost in the 'if' statement - basically map $USERNAME to the unconfined toor_r:toor_t role if it is enabled.
echo "$CONFIG_BUILD_UNCONFINED_TOOR" > /tmp/test_var.log
if [ x"$CONFIG_BUILD_UNCONFINED_TOOR" == "xy" ]; then
/usr/sbin/semanage user -a -R toor_r -R staff_r -R sysadm_r "${USERNAME}_u"
/usr/sbin/semanage user -a -R toor_r -R staff_r -R sysadm_r "${USERNAME}_u"
else
/usr/sbin/semanage user -a -R staff_r -R sysadm_r "${USERNAME}_u" || /usr/sbin/semanage user -a -R staff_r "${USERNAME}_u"
fi
/sbin/useradd -m "$USERNAME" -G wheel -Z "${USERNAME}_u"
if [ x"$HASHED_PASSWORD" == "x" ]; then
Expand All @@ -260,13 +264,13 @@ fi
# Remove sshd and dhclient if it in a production build
if [ x"$CONFIG_BUILD_PRODUCTION" == "xy" ]; then
/bin/echo "Removing sshd and dhclient from the system"
/bin/rpm -e openssh openssh-clients openssh-server dhclient
/bin/echo "Removing sshd and dhclient from the system"
/bin/rpm -e openssh openssh-clients openssh-server dhclient
fi
# Allow pulling of logs in a debug build
if [ x"$CONFIG_BUILD_PRODUCTION" != "xy" ]; then
/bin/chmod -R 655 /var/log/audit
/bin/chmod -R 655 /var/log
fi
# Add the user to sudoers and setup an SELinux role/type transition.
Expand Down Expand Up @@ -295,8 +299,8 @@ fi
# Set permissive mode
export POLNAME=`sestatus |awk '/Loaded policy name:/ { print $4; }'`
if [ x"$CONFIG_BUILD_ENFORCING_MODE" != "xy" ]; then
echo "Setting permissive mode..."
echo -e "#THIS IS A DEBUG BUILD HENCE SELINUX IS IN PERMISSIVE MODE\nSELINUX=permissive\nSELINUXTYPE=$POLNAME\n" > /etc/selinux/config
echo "Setting permissive mode..."
echo -e "#THIS IS A DEBUG BUILD HENCE SELINUX IS IN PERMISSIVE MODE\nSELINUX=permissive\nSELINUXTYPE=$POLNAME\n" > /etc/selinux/config
echo "WARNING: This is a debug build in permissive mode. DO NOT USE IN PRODUCTION!" >> /etc/motd
# This line is used to make policy development easier. It disables the "setfiles" check used by
# semodule/semanage that prevents transactions containing invalid and dupe fc entries from rolling forward.
Expand Down Expand Up @@ -332,8 +336,8 @@ fi
#CONFIG-BUILD-PLACEHOLDER
if [ x"$CONFIG_BUILD_PRODUCTION" == "xy" ]; then
/bin/echo "Deleting anaconda-ks.cfg as this is a production build" >> /mnt/sysimage/root/clip_post_install.log
/bin/rm /mnt/sysimage/root/anaconda-ks.cfg
/bin/echo "Deleting anaconda-ks.cfg as this is a production build" >> /mnt/sysimage/root/clip_post_install.log
/bin/rm /mnt/sysimage/root/anaconda-ks.cfg
fi
%end
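Review bot: `/bin/chmod -R 655 /var/log` (the debug-build line widened from `/var/log/audit`) uses a mode that is almost certainly not what was meant: 655 grants group and other read+execute on every file under /var/log while removing the owner's execute bit, so the debug image ends up with world-readable logs such as secure and wtmp plus stray executable bits on plain files. If the intent is to let a non-root user collect logs, `/bin/chmod -R o+rX /var/log` (capital X adds execute only to directories) or a targeted setfacl reads as intended; the CONFIG_BUILD_PRODUCTION gate does keep this out of production builds. Separately, `echo "$CONFIG_BUILD_UNCONFINED_TOOR" > /tmp/test_var.log` just before the semanage branch looks like a debugging leftover and should be dropped before merge. The %post body continues outside the visible hunks.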
Binary file removed packages/clip-selinux-policy/20140512.zip
6 changes: 4 additions & 2 deletions packages/clip-selinux-policy/clip-selinux-policy.spec
Expand Up @@ -128,7 +128,7 @@ fi

%define loadpolicy() \
. %{_sysconfdir}/selinux/config; \
( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 ); \
( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 | /bin/tee /tmp/load_policy.log ); \

%define relabel() \
. %{_sysconfdir}/selinux/config; \
Expand Down Expand Up @@ -246,12 +246,14 @@ Based off of reference policy refpolicy-2.20110726.tar.bz2
packages=`cat /usr/share/selinux/clip/modules.lst`
if [ $1 -eq 1 ]; then
%loadpolicy clip $packages
restorecon -R /root /var/log /var/run 2> /dev/null
restorecon -R /root /var/log /var/run
else
# semodule -n -s clip 2>/dev/null
%loadpolicy clip $packages
%relabel clip
fi

/usr/sbin/genhomedircon
touch /.autorelabel
exit 0

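Review bot: Piping the semodule call in `%define loadpolicy()` through `/bin/tee /tmp/load_policy.log` makes the subshell's status that of tee, so a failed policy load in %post now passes silently unless `${PIPESTATUS[0]}` is checked (or `set -o pipefail` is set at the top of the scriptlet, which works if the scriptlet shell is bash). It also has a root scriptlet write to a fixed, predictable name in world-writable /tmp, where a pre-existing file or symlink of that name would simply be followed; writing under /var/log instead (e.g. `/var/log/clip-load_policy.log`, a constructed name) keeps the diagnostic without that exposure. The same fixed /tmp-path pattern appears in the kickstart's `/tmp/clip_post_install.log` and `/tmp/clip-info.txt`, where the moved files are also world-readable and, under the installed system's tmpfiles cleanup, likely not to survive, which seems at odds with recording an installation timestamp.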
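--- a/packages/clip-selinux-policy/clip-selinux-policy/Makefile
+++ b/packages/clip-selinux-policy/clip-selinux-policy/Makefile
@@ -181,11 +181,6 @@ ifeq "$(TYPE)" "mcs"
 gennetfilter += -c
 endif
 
-# enable systemd policy
-ifeq "$(INIT)" "systemd"
-M4PARAM += -D init_systemd
-endif
-
 # enable distribution-specific policy
 ifneq ($(DISTRO),)
 M4PARAM += -D distro_$(DISTRO)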
Expand Up @@ -27,7 +27,7 @@ NAME = refpolicy
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
#DISTRO = redhat
DISTRO = redhat

# Unknown Permissions Handling
# The behavior for handling permissions defined in the
Expand Up @@ -1007,7 +1007,7 @@ cgroup = off
#
# Chrony NTP background daemon
#
chronyd = off
chronyd = module

# Layer: services
# Module: cipe
Expand Down Expand Up @@ -1147,7 +1147,7 @@ dbskk = off
#
# Desktop messaging bus
#
dbus = off
dbus = module

# Layer: services
# Module: dcc
Expand Down Expand Up @@ -1182,7 +1182,7 @@ devicekit = off
#
# Dynamic host configuration protocol (DHCP) server
#
dhcp = off
dhcp = module

# Layer: services
# Module: dictd
Expand Down Expand Up @@ -2351,6 +2351,12 @@ hotplug = off
#
init = base

# Layer: system
# Module: systemd
#
# Policy for systemd
systemd = base

# Layer: system
# Module: ipsec
#
Expand Down Expand Up @@ -2491,3 +2497,9 @@ userdomain = base
#
xen = off

# Layer: contrib
# Module: firewalld
#
# Policy for firewalld.
firewalld = module
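Review bot: `dhcp = module` enables the module whose own header comment describes the DHCP server; if the motivation is bringing up networking with dhclient under systemd, that client domain (dhcpc_t) comes from the sysnetwork module in refpolicy, so this line may load an unused server policy rather than help the boot. Worth confirming which daemon is actually shipped on the CLIP image before enabling it. As a point of style, the new `firewalld = module` stanza is appended after xen rather than in alphabetical position among the other entries, which the rest of the file keeps ordered.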

Expand Up @@ -2,6 +2,8 @@

/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)

/usr/lib/systemd/systemd-readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)

/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)

/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
Expand Up @@ -6,6 +6,8 @@

/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)

/usr/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)

/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)

/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
Expand Up @@ -234,7 +234,6 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/systemd/systemd-random-seed -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
Expand Up @@ -3871,6 +3871,24 @@ interface(`dev_associate_sysfs',`
allow $1 sysfs_t:filesystem associate;
')

########################################
## <summary>
## Relabel sysfs dirs.
## </summary>
## <param name="file_type">
## <summary>
## The type of the file to be allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_dir_sysfs',`
gen_require(`
type sysfs_t;
')

relabel_dirs_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
## Get the attributes of sysfs directories.
Expand Down Expand Up @@ -4969,3 +4987,22 @@ interface(`dev_unconfined',`

typeattribute $1 devices_unconfined_type;
')


#######################################
## <summary>
## Relabel to usb device character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabelto_usb_device_chr_files',`
gen_require(`
type device_t;
')

allow $1 device_t:chr_file relabelfrom;
')
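Review bot: The body of `dev_relabelto_usb_device_chr_files` does not match its name or summary: it grants `allow $1 device_t:chr_file relabelfrom;`, i.e. relabel from generic device_t nodes, not relabel to usb device nodes. Either the interface should `gen_require` `type usb_device_t;` and grant `allow $1 usb_device_t:chr_file relabelto;`, or it should be renamed and its summary rewritten to describe the relabelfrom it actually grants, since a caller going by the name would expect the narrower permission. Its separator line also appears one character shorter than the 40-hash rule used elsewhere in this file. `dev_relabel_dir_sysfs` would read more like its neighbours (object, then plural noun, as in the following "Get the attributes of sysfs directories" interface) as `dev_relabel_sysfs_dirs`.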
