Issue OwlCyberDefense#86: Get CLIP RHEL7 booting in Enforcing

- Pull in @csmith-tresys's additional interfaces and policy - Separate systemd-service forks into their own contexts - Use existing policy for the following: contrib/readahead (systemd-readahead) contrib/shutdown (systemd-shutdown) system/fstools (systemd-fsck) system/hostname (systemd-hostname) system/logging (systemd-journald) - Give systemd-utmp can_relabelto_binary_policy to clear up constraints
mpalmi · Feb 2, 2015 · aa2643d · aa2643d
1 parent 6df6d99
commit aa2643d
Show file tree

Hide file tree

Showing 25 changed files with 559 additions and 52 deletions.
diff --git a/kickstart/clip-rhel7/clip-rhel7.ks b/kickstart/clip-rhel7/clip-rhel7.ks
@@ -211,15 +211,15 @@ yum
 #CONFIG-BUILD-PLACEHOLDER
 export PATH="/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/bin"
 if [ x"$CONFIG_BUILD_LIVE_MEDIA" != "y" ]; then
-	exec >/root/clip_post_install.log 2>&1
+	exec >/tmp/clip_post_install.log 2>&1
 	# Print the log to tty7 so that the user know what's going on
-	/usr/bin/tail -f /root/clip_post_install.log >/dev/tty7 &
+	/usr/bin/tail -f /tmp/clip_post_install.log >/dev/tty7 &
 	TAILPID=$!
 	chvt 7
 fi
 
-echo "Installation timestamp: `date`" > /root/clip-info.txt
-echo "#CONFIG-BUILD-PLACEHOLDER" >> /root/clip-info.txt
+echo "Installation timestamp: `date`" > /tmp/clip-info.txt
+echo "#CONFIG-BUILD-PLACEHOLDER" >> /tmp/clip-info.txt
 
 # FIXME: Change the username and password.
 #        If a hashed password is specified it will be used
@@ -243,11 +243,14 @@ HASHED_PASSWORD='$6$314159265358$ytgatj7CAZIRFMPbEanbdi.krIJs.mS9N2JEl0jkPsCvtwC
 #       USERNAME and PASSWORD values defined a few lines above.
 #
 # Don't get lost in the 'if' statement - basically map $USERNAME to the unconfined toor_r:toor_t role if it is enabled.  
+echo "$CONFIG_BUILD_UNCONFINED_TOOR" > /tmp/test_var.log
+
 if [ x"$CONFIG_BUILD_UNCONFINED_TOOR" == "xy" ]; then
-	/usr/sbin/semanage user -a -R toor_r -R staff_r -R sysadm_r "${USERNAME}_u" 
+	/usr/sbin/semanage user -a -R toor_r -R staff_r -R sysadm_r "${USERNAME}_u"
 else
 	/usr/sbin/semanage user -a -R staff_r -R sysadm_r "${USERNAME}_u" || /usr/sbin/semanage user -a -R staff_r "${USERNAME}_u"
 fi
+
 /sbin/useradd -m "$USERNAME" -G wheel -Z "${USERNAME}_u"
 
 if [ x"$HASHED_PASSWORD" == "x" ]; then
@@ -260,13 +263,13 @@ fi
 
 # Remove sshd and dhclient if it in a production build
 if [ x"$CONFIG_BUILD_PRODUCTION" == "xy" ]; then
-    /bin/echo "Removing sshd and dhclient from the system"
-    /bin/rpm -e openssh openssh-clients openssh-server dhclient
+	/bin/echo "Removing sshd and dhclient from the system"
+	/bin/rpm -e openssh openssh-clients openssh-server dhclient
 fi
 
 # Allow pulling of logs in a debug build
 if [ x"$CONFIG_BUILD_PRODUCTION" != "xy" ]; then
-   /bin/chmod -R 655 /var/log/audit
+	/bin/chmod -R 655 /var/log
 fi
 
 # Add the user to sudoers and setup an SELinux role/type transition.
@@ -295,8 +298,8 @@ fi
 # Set permissive mode
 export POLNAME=`sestatus |awk '/Loaded policy name:/ { print $4; }'`
 if [ x"$CONFIG_BUILD_ENFORCING_MODE" != "xy" ]; then
-    echo "Setting permissive mode..."
-    echo -e "#THIS IS A DEBUG BUILD HENCE SELINUX IS IN PERMISSIVE MODE\nSELINUX=permissive\nSELINUXTYPE=$POLNAME\n" > /etc/selinux/config
+	echo "Setting permissive mode..."
+	echo -e "#THIS IS A DEBUG BUILD HENCE SELINUX IS IN PERMISSIVE MODE\nSELINUX=permissive\nSELINUXTYPE=$POLNAME\n" > /etc/selinux/config
 	echo "WARNING: This is a debug build in permissive mode.  DO NOT USE IN PRODUCTION!" >> /etc/motd
 	# This line is used to make policy development easier.  It disables the "setfiles" check used by 
 	# semodule/semanage that prevents transactions containing invalid and dupe fc entries from rolling forward.
@@ -332,8 +335,8 @@ fi
 #CONFIG-BUILD-PLACEHOLDER
 
 if [ x"$CONFIG_BUILD_PRODUCTION" == "xy" ]; then
-    /bin/echo "Deleting anaconda-ks.cfg as this is a production build" >> /mnt/sysimage/root/clip_post_install.log
-    /bin/rm /mnt/sysimage/root/anaconda-ks.cfg
+	/bin/echo "Deleting anaconda-ks.cfg as this is a production build" >> /mnt/sysimage/root/clip_post_install.log
+	/bin/rm /mnt/sysimage/root/anaconda-ks.cfg
 fi
 
 %end
diff --git a/packages/clip-selinux-policy/20140512.zip b/packages/clip-selinux-policy/20140512.zip
diff --git a/packages/clip-selinux-policy/clip-selinux-policy.spec b/packages/clip-selinux-policy/clip-selinux-policy.spec
@@ -128,7 +128,7 @@ fi
 
 %define loadpolicy() \
 . %{_sysconfdir}/selinux/config; \
-( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 ); \
+( cd /usr/share/selinux/%1; semodule -n -b base.pp.bz2 -i %2 -s %1 2>&1 );
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
@@ -246,12 +246,14 @@ Based off of reference policy refpolicy-2.20110726.tar.bz2
 packages=`cat /usr/share/selinux/clip/modules.lst`
 if [ $1 -eq 1 ]; then
    %loadpolicy clip $packages
-   restorecon -R /root /var/log /var/run 2> /dev/null
+   restorecon -R /root /var/log /var/run
 else
 #   semodule -n -s clip 2>/dev/null
    %loadpolicy clip $packages
    %relabel clip
 fi
+
+/usr/sbin/genhomedircon
 touch /.autorelabel
 exit 0
 

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/Makefile b/packages/clip-selinux-policy/clip-selinux-policy/Makefile
@@ -181,11 +181,6 @@ ifeq "$(TYPE)" "mcs"
 	gennetfilter += -c
 endif
 
-# enable systemd policy
-ifeq "$(INIT)" "systemd"
-        M4PARAM += -D init_systemd
-endif
-
 # enable distribution-specific policy
 ifneq ($(DISTRO),)
 	M4PARAM += -D distro_$(DISTRO)

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/build.conf b/packages/clip-selinux-policy/clip-selinux-policy/build.conf
@@ -27,7 +27,7 @@ NAME = refpolicy
 # for the distribution.
 # redhat, gentoo, debian, suse, and rhel4 are current options.
 # Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = redhat
 
 # Unknown Permissions Handling
 # The behavior for handling permissions defined in the

diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules.conf
@@ -1007,7 +1007,7 @@ cgroup = off
 #
 # Chrony NTP background daemon
 # 
-chronyd = off
+chronyd = module
 
 # Layer: services
 # Module: cipe
@@ -1147,7 +1147,7 @@ dbskk = off
 #
 # Desktop messaging bus
 # 
-dbus = off
+dbus = module
 
 # Layer: services
 # Module: dcc
@@ -1182,7 +1182,7 @@ devicekit = off
 #
 # Dynamic host configuration protocol (DHCP) server
 # 
-dhcp = off
+dhcp = module
 
 # Layer: services
 # Module: dictd
@@ -2491,3 +2491,14 @@ userdomain = base
 # 
 xen = off
 
+# Layer: contrib
+# Module: firewalld
+#
+# Policy for firewalld.
+firewalld = module
+
+# Layer: system
+# Module: systemd
+# 
+# Policy for systemd
+systemd = base
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/readahead.fc
@@ -2,6 +2,8 @@
 
 /usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 
+/usr/lib/systemd/systemd-readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
 /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
 
 /var/run/readahead.*	gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/contrib/shutdown.fc
@@ -6,6 +6,8 @@
 
 /usr/lib/upstart/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 
+/usr/lib/systemd/systemd-shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
 /usr/sbin/shutdown	--	gen_context(system_u:object_r:shutdown_exec_t,s0)
 
 /var/run/shutdown\.pid	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/devices.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/devices.if
@@ -3871,6 +3871,24 @@ interface(`dev_associate_sysfs',`
 	allow $1 sysfs_t:filesystem associate;
 ')
 
+########################################
+## <summary>
+##	Relabel sysfs dirs.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	The type of the file to be allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_dir_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of sysfs directories.
@@ -4969,3 +4987,22 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+
+#######################################
+## <summary>
+##      Relabel to usb device character device files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_relabelto_usb_device_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:chr_file relabelfrom;
+')
diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/files.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/kernel/files.if
@@ -3203,6 +3203,24 @@ interface(`files_etc_filetrans_etc_runtime',`
 	filetrans_pattern($1, etc_t, etc_runtime_t, $2, $3)
 ')
 
+########################################
+## <summary>
+##	Status permissions on etc service object
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_service_status_etc',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:service status;
+')
+
 ########################################
 ## <summary>
 ##	Getattr of directories on new filesystems
@@ -6390,6 +6408,7 @@ interface(`files_delete_all_pid_dirs',`
 	delete_dirs_pattern($1, pidfile, pidfile)
 ')
 
+
 ########################################
 ## <summary>
 ##	Create, read, write and delete all
@@ -6697,3 +6716,114 @@ interface(`files_unconfined',`
        auth_relabelto_shadow($1)
        auth_rw_shadow($1)
 ')
+
+#######################################
+## <summary>
+##      Execute library
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow access
+##      </summary>
+## </param>
+#
+interface(`files_exec_no_trans_lib',`
+	gen_require(`
+		attribute lib_t;
+	')
+
+	allow $1 lib_t:file execute_no_trans;
+')
+
+########################################
+## <summary>
+##	Status permissions on lib service object
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_service_status_lib',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:service status;
+')
+
+#######################################
+## <summary>
+##      Allow domain to write var_lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_write_var_lib_files',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	allow $1 var_lib_t:file write;
+')
+
+#######################################
+## <summary>
+##     manage generic sock files
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_generic_pids_sock_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	manage_sock_files_pattern($1,var_run_t,var_run_t)
+')
+
+
+######################################
+## <summary>
+##      Relabel pid files.
+## </summary>
+## <param name="file_type">
+##      <summary>
+##      The type of the domain to be allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_relabel_pid_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	relabel_files_pattern($1, var_run_t, var_run_t)
+')
+
+######################################
+## <summary>
+##      Relabel pid dirs.
+## </summary>
+## <param name="file_type">
+##      <summary>
+##      The type of the domain to be allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_relabel_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	relabel_dirs_pattern($1, var_run_t, var_run_t)
+')
+