Re: [et-mgmt-tools] Help perfect Cobbler SELinux policy

[Michael DeHaan <mdehaan redhat com>]

domg472 g472 wrote:
> Below you will find instructions on how to install a bare SELinux 
> policy for Cobbler. Feedback in the form of AVC denials would be 
> appreciated so that we can perfect this bare policy.
>
> The version of this policy is far from perfect but it is in my view a 
> solid start. I have installed this policy and was able to start 
> cobblerd in it' s proper security domain. I have not actually tried to 
> use Cobbler. Also there is no policy yet for executable files other 
> then /usr/bin/cobblerd.
>
> Instructions:
>
>
> mkdir ~/cobbler; cd ~/cobbler
> echo """
>
> policy_module(cobbler, 0.0.1)
>
> # Personal declarations
>
> type cobbler_config_t;
> files_config_file(cobbler_config_t)
>
> type cobblerd_initrc_exec_t;
> init_script_file(cobblerd_initrc_exec_t)
>
> type cobbler_exec_t;
> application_executable_file(cobbler_exec_t)
>
> type cobbler_ext_nodes_exec_t;
> application_executable_file(cobbler_ext_nodes_exec_t)
>
> type cobblerd_exec_t;
> application_executable_file(cobblerd_exec_t)
>
> type cobbler_var_lib_t;
> files_type(cobbler_var_lib_t)
>
> type cobbler_log_t;
> logging_log_file(cobbler_log_t)
>
> type cobblerd_t;
> init_daemon_domain(cobblerd_t, cobblerd_exec_t)
>
> type cobbler_port_t;
> corenet_port(cobbler_port_t)
>
> # Personal policy
>
> allow cobblerd_t self:capability { sys_nice chown dac_override fowner };
> allow cobblerd_t self:fifo_file { read write getattr };
> allow cobblerd_t self:netlink_route_socket { write getattr read bind 
> create nlmsg_read };
> allow cobblerd_t self:process { setsched getsched };
> allow cobblerd_t self:tcp_socket { getattr setopt bind create accept 
> listen };
> allow cobblerd_t self:udp_socket { read bind create };
>
> allow cobblerd_t cobbler_config_t:dir search;
> allow cobblerd_t cobbler_config_t:file { read getattr };
>
> allow cobblerd_t cobbler_exec_t:file getattr;
>
> manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t)
> logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })
>
> # files_search_var_lib(cobblerd_t)
> manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
> files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })
>
> corecmd_exec_bin(cobblerd_t)
> corecmd_exec_shell(cobblerd_t)
>
> corecmd_read_bin_symlinks(cobblerd_t)
>
> corenet_all_recvfrom_unlabeled(cobblerd_t)
> corenet_all_recvfrom_netlabel(cobblerd_t)
>
> corenet_tcp_sendrecv_generic_if(cobblerd_t)
> corenet_tcp_sendrecv_all_nodes(cobblerd_t)
> corenet_tcp_sendrecv_all_ports(cobblerd_t)
>
> # allow cobblerd_t cobbler_port_t:tcp_socket { name_bind; }
> corenet_tcp_bind_generic_port(cobblerd_t)
> corenet_tcp_bind_all_nodes(cobblerd_t)
>
> corenet_udp_sendrecv_generic_if(cobblerd_t)
> corenet_udp_sendrecv_all_nodes(cobblerd_t)
> corenet_udp_sendrecv_all_ports(cobblerd_t)
>
> # allow cobblerd_t cobbler_port_t:udp_socket { name_bind; }
> corenet_udp_bind_generic_port(cobblerd_t)
> corenet_udp_bind_all_nodes(cobblerd_t)
>
> dev_read_urand(cobblerd_t)
>
> files_list_tmp(cobblerd_t)
>
> files_read_etc_files(cobblerd_t)
>
> files_read_usr_symlinks(cobblerd_t)
> files_search_usr(cobblerd_t)
>
> kernel_read_system_state(cobblerd_t)
>
> libs_use_ld_so(cobblerd_t)
> libs_use_shared_libs(cobblerd_t)
>
> miscfiles_read_localization(cobblerd_t)
>
> # is this optional?
> rpm_domtrans(cobblerd_t)
>
> sysnet_read_config(cobblerd_t)
>
> apache_content_template(cobbler)
>
> optional_policy(`
>         dbus_system_bus_client_template(cobblerd, cobblerd_t)
>         dbus_connect_system_bus(cobblerd_t)
>         dbus_system_domain(cobblerd_t, cobblerd_exec_t)
> ')
>
> #EOF
> """ > cobbler.te;
>
> echo """
>
> # File contexts
>
> /etc/cobbler(/.*)?                              
> gen_context(system_u:object_r:cobbler_config_t, s0)
>
> /etc/rc\.d/init\.d/cobblerd             --    
> gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
>
> /usr/bin/cobbler                        --    
> gen_context(system_u:object_r:cobbler_exec_t, s0)
> /usr/bin/cobbler-ext-nodes              --    
> gen_context(system_u:object_r:cobbler_ext_nodes_exec_t, s0)
> /usr/bin/cobblerd                       --    
> gen_context(system_u:object_r:cobblerd_exec_t, s0)
>
> /var/lib/cobbler(/.*)?                          
> gen_context(system_u:object_r:cobbler_var_lib_t, s0)
>
> /var/log/cobbler(/.*)?                          
> gen_context(system_u:object_r:cobbler_log_t, s0)
>
> /var/www/cobbler/svc/services.py        --    
> gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
> /var/www/cobbler/web/index.py           --    
> gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
>
> """ > cobbler.fc;
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i cobbler.pp
>
> restorecon -R -v /etc/cobbler
> restorecon -R -v /etc/init.d/cobblerd
> restorecon -R -v /usr/bin/cobblerd
> restorecon -R -v /usr/bin/cobbler
> restorecon -R -v /usr/bin/cobbler-ext-nodes
> restorecon -R -v /var/lib/cobbler
> restorecon -R -v /var/log/cobbler
> restorecon -R -v /var/www/cobbler
>
> semanage permissive -a cobbler_t
>
> service cobblerd start
>
> (start testing)
>
> ausearch -m avc -ts today
>
> to remove undo:
>
> service cobblerd stop
> semanage permissive -d cobbler_t
> semodule -r cobbler
> restorecon -R -v /etc/cobbler
> restorecon -R -v /etc/init.d/cobblerd
> restorecon -R -v /usr/bin/cobblerd
> restorecon -R -v /usr/bin/cobbler
> restorecon -R -v /usr/bin/cobbler-ext-nodes
> restorecon -R -v /var/lib/cobbler
> restorecon -R -v /var/log/cobbler
> restorecon -R -v /var/www/cobbler
>
> Questions and comments are welcome.
> Thanks in advance for your feedback.
>
> Dominick Grift
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools redhat com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools

Thanks Dominick!

I've uploaded this to the Wiki so people can copy/paste it.

https://fedorahosted.org/cobbler/wiki/SeLinuxPolicy

The last release had a lot of work making sure we ran everything cleanly 
in SELinux again, and I think getting cobblerd to have a policy would be 
a logical extension of that.

Would someone like to take a shot at refining this policy some or at 
least running Cobbler with that for a while (in permissive mode) to 
identify what else needs to be allowed?

I think possibly /usr/bin/cobbler-ext-nodes (used for Puppet 
integration) and /usr/bin/cobbler (command line for humans) can be left 
unconfined.   Just thinking about things offhand cobbler needs to be 
able to read and write to Apache and tftp-server content, read and write 
to /var/lib/cobbler and /var/log/cobbler, and read to /etc/cobbler.

A good way to get most of this going is to install from a git checkout 
("make install" for new users, or "make devinstall" for old ones who 
don't want to whack their config) and then "make test" would go a long 
way I'd think of covering most of it.

--Michael