[et-mgmt-tools] Help perfect Cobbler SELinux policy

domg472 g472 domg472 at gmail.com
Thu Jan 8 20:38:18 UTC 2009


Below you will find instructions on how to install a bare SELinux policy for
Cobbler. Feedback in the form of AVC denials would be appreciated so that we
can perfect this bare policy.

The version of this policy is far from perfect but it is in my view a solid
start. I have installed this policy and was able to start cobblerd in its
proper security domain. I have not actually tried to use Cobbler. Also there
is no policy yet for executable files other than /usr/bin/cobblerd.

Instructions:


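# Build and install a bare SELinux policy module for Cobbler, then start cobblerd
# with its domain marked permissive so that every access the policy lacks is
# logged as an AVC denial instead of being blocked.
mkdir -p ~/cobbler && cd ~/cobbler

# Type-enforcement source. A heredoc with a quoted delimiter is used rather than
# echo "...": inside double quotes the shell treats the backtick that opens the
# optional_policy(` ... ') block as the start of a command substitution, so the
# original echo command never parses. The quoted delimiter keeps $, \ and `
# literal, which is what the m4 policy source needs.
cat > cobbler.te <<'TE_END'
policy_module(cobbler, 0.0.1)

# Personal declarations

type cobbler_config_t;
files_config_file(cobbler_config_t)

type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)

type cobbler_exec_t;
application_executable_file(cobbler_exec_t)

type cobbler_ext_nodes_exec_t;
application_executable_file(cobbler_ext_nodes_exec_t)

type cobblerd_exec_t;
application_executable_file(cobblerd_exec_t)

type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)

type cobbler_log_t;
logging_log_file(cobbler_log_t)

# The daemon domain; init transitions into it when it executes cobblerd_exec_t.
type cobblerd_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)

# Declared but not yet assigned a port number; the name_bind rules below stay
# commented out until the port cobblerd listens on is known.
type cobbler_port_t;
corenet_port(cobbler_port_t)

# Personal policy

allow cobblerd_t self:capability { sys_nice chown dac_override fowner };
allow cobblerd_t self:fifo_file { read write getattr };
allow cobblerd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow cobblerd_t self:process { setsched getsched };
allow cobblerd_t self:tcp_socket { getattr setopt bind create accept listen };
allow cobblerd_t self:udp_socket { read bind create };

allow cobblerd_t cobbler_config_t:dir search;
allow cobblerd_t cobbler_config_t:file { read getattr };

allow cobblerd_t cobbler_exec_t:file getattr;

manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t)
logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })

# files_search_var_lib(cobblerd_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })

corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)

corecmd_read_bin_symlinks(cobblerd_t)

corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)

corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_all_nodes(cobblerd_t)
corenet_tcp_sendrecv_all_ports(cobblerd_t)

# Bare policy: binding to generic ports is broad. Once the port is known, move
# to the cobbler_port_t name_bind rule and drop the generic bind.
# allow cobblerd_t cobbler_port_t:tcp_socket { name_bind; }
corenet_tcp_bind_generic_port(cobblerd_t)
corenet_tcp_bind_all_nodes(cobblerd_t)

corenet_udp_sendrecv_generic_if(cobblerd_t)
corenet_udp_sendrecv_all_nodes(cobblerd_t)
corenet_udp_sendrecv_all_ports(cobblerd_t)

# allow cobblerd_t cobbler_port_t:udp_socket { name_bind; }
corenet_udp_bind_generic_port(cobblerd_t)
corenet_udp_bind_all_nodes(cobblerd_t)

dev_read_urand(cobblerd_t)

files_list_tmp(cobblerd_t)

files_read_etc_files(cobblerd_t)

files_read_usr_symlinks(cobblerd_t)
files_search_usr(cobblerd_t)

kernel_read_system_state(cobblerd_t)

libs_use_ld_so(cobblerd_t)
libs_use_shared_libs(cobblerd_t)

miscfiles_read_localization(cobblerd_t)

# is this optional?
# NOTE(review): this lets cobblerd_t transition into the rpm domain, which is a
# broadly privileged domain. Keep it only if the AVC log shows cobblerd really
# executes rpm; otherwise drop it, or at least wrap it in optional_policy(`...').
rpm_domtrans(cobblerd_t)

sysnet_read_config(cobblerd_t)

# Provides the httpd_cobbler_script_exec_t type used for the web scripts in cobbler.fc.
apache_content_template(cobbler)

optional_policy(`
        dbus_system_bus_client_template(cobblerd, cobblerd_t)
        dbus_connect_system_bus(cobblerd_t)
        dbus_system_domain(cobblerd_t, cobblerd_exec_t)
')

#EOF
TE_END

# File contexts. Each entry is a single line: regex, optional file type ("--"
# = regular file only), then the context. Splitting the gen_context onto its
# own line is not valid fc syntax.
cat > cobbler.fc <<'FC_END'
/etc/cobbler(/.*)?			gen_context(system_u:object_r:cobbler_config_t, s0)

/etc/rc\.d/init\.d/cobblerd		--	gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)

/usr/bin/cobbler			--	gen_context(system_u:object_r:cobbler_exec_t, s0)
/usr/bin/cobbler-ext-nodes		--	gen_context(system_u:object_r:cobbler_ext_nodes_exec_t, s0)
/usr/bin/cobblerd			--	gen_context(system_u:object_r:cobblerd_exec_t, s0)

/var/lib/cobbler(/.*)?			gen_context(system_u:object_r:cobbler_var_lib_t, s0)

/var/log/cobbler(/.*)?			gen_context(system_u:object_r:cobbler_log_t, s0)

/var/www/cobbler/svc/services.py	--	gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
/var/www/cobbler/web/index.py		--	gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
FC_END

# Build cobbler.pp from cobbler.te/cobbler.fc and load it.
make -f /usr/share/selinux/devel/Makefile
semodule -i cobbler.pp

# Apply the new labels to the paths the module covers.
restorecon -R -v /etc/cobbler
# The fc pattern is /etc/rc\.d/init\.d/cobblerd. If /etc/init.d is a symlink on
# this system, confirm with matchpathcon that this path matches; relabel
# /etc/rc.d/init.d/cobblerd instead if it does not.
restorecon -R -v /etc/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler

# The daemon domain declared in cobbler.te is cobblerd_t (no cobbler_t exists),
# so that is the type to mark permissive. With the wrong name semanage fails
# and cobblerd would start enforcing, hiding the denials we want to collect.
semanage permissive -a cobblerd_t

service cobblerd start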

(start testing)

ausearch -m avc -ts today

To undo (remove the policy and restore the default labels):

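# Undo: stop the daemon, drop the permissive mark, unload the module, then
# relabel the covered paths back to the distribution's default contexts.
service cobblerd stop
# The permissive mark has to be removed before the module: once cobbler is
# unloaded the cobblerd_t type no longer exists. The type is cobblerd_t, the
# domain declared in cobbler.te; there is no cobbler_t.
semanage permissive -d cobblerd_t
semodule -r cobbler
restorecon -R -v /etc/cobbler
restorecon -R -v /etc/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler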

Questions and comments are welcome.
Thanks in advance for your feedback.

Dominick Grift