I took this from the rawhide policy and adapted it to work with refpolicy.
Probably not ready for merging yet, let me know what should be changed.
Signed-off-by: Russell Coker <[email protected]>
Index: refpolicy-2.20210203/policy/modules/services/cockpit.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.fc
@@ -0,0 +1,18 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+
+/var/run/cockpit(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
+/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/cockpit.if
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.if
@@ -0,0 +1,279 @@
+## <summary>policy for cockpit</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_ws_domtrans',`
+ gen_require(`
+ type cockpit_ws_t, cockpit_ws_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
+')
+
+########################################
+## <summary>
+## Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_session_domtrans',`
+ gen_require(`
+ type cockpit_session_t, cockpit_session_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
+')
+
+########################################
+## <summary>
+## Read and write cockpit_session_t unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_rw_pipes',`
+ gen_require(`
+ type cockpit_session_t;
+ ')
+
+ allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Create cockpit unix_stream_sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_unix_stream_sockets',`
+ gen_require(`
+ type cockpit_ws_t;
+ ')
+
+ allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
+')
+
+########################################
+## <summary>
+## Search cockpit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_search_lib',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ allow $1 cockpit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read cockpit lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_read_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_lib_dirs',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read cockpit pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_read_pid_files',`
+ gen_require(`
+ type cockpit_runtime_t;
+ ')
+
+ read_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+ read_lnk_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit pid dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_pid_dirs',`
+ gen_require(`
+ type cockpit_runtime_t;
+ ')
+
+ manage_dirs_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit pid dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_pid_files',`
+ gen_require(`
+ type cockpit_runtime_t;
+ ')
+
+ manage_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+## Execute cockpit server in the cockpit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_systemctl',`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_unit_file_t;
+ class service { start stop status reload enable disable };
+ ')
+
+ init_reload($1)
+ systemd_use_passwd_agent($1)
+ allow $1 cockpit_unit_file_t:file read_file_perms;
+ allow $1 cockpit_unit_file_t:service { start stop status reload enable disable };
+
+ ps_process_pattern($1, cockpit_ws_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cockpit environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cockpit_admin',`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_session_t;
+ type cockpit_var_lib_t;
+ type cockpit_runtime_t;
+ type cockpit_unit_file_t;
+ ')
+
+ allow $1 cockpit_ws_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_ws_t)
+
+ allow $1 cockpit_session_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_session_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cockpit_ws_t:process ptrace;
+ allow $1 cockpit_session_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, cockpit_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, cockpit_runtime_t)
+
+ cockpit_systemctl($1)
+ admin_pattern($1, cockpit_unit_file_t)
+ allow $1 cockpit_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
Index: refpolicy-2.20210203/policy/modules/services/cockpit.te
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.te
@@ -0,0 +1,176 @@
+policy_module(cockpit, 1.0.0)
+
+# https://cockpit-project.org/
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_ws_t;
+type cockpit_ws_exec_t;
+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
+
+type cockpit_tmp_t;
+files_tmp_file(cockpit_tmp_t)
+
+type cockpit_tmpfs_t;
+userdom_user_tmpfs_file(cockpit_tmpfs_t)
+
+type cockpit_runtime_t;
+files_runtime_file(cockpit_runtime_t)
+
+type cockpit_unit_file_t;
+init_unit_file(cockpit_unit_file_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_session_t;
+type cockpit_session_exec_t;
+domain_type(cockpit_session_t)
+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
+
+########################################
+#
+# cockpit_ws_t local policy
+#
+
+allow cockpit_ws_t self:capability net_admin;
+allow cockpit_ws_t self:process setrlimit;
+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
+allow cockpit_ws_t self:fifo_file rw_file_perms;
+
+kernel_read_system_state(cockpit_ws_t)
+
+# cockpit-tls can execute cockpit-ws
+can_exec(cockpit_ws_t,cockpit_ws_exec_t)
+
+# cockpit-ws can execute cockpit-session
+can_exec(cockpit_ws_t,cockpit_session_exec_t)
+
+corecmd_exec_shell(cockpit_ws_t)
+
+# cockpit-ws can read from /dev/urandom
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t) # for libssh
+
+corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
+
+# cockpit-ws can write to its temp files
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+fs_tmpfs_filetrans(cockpit_ws_t, cockpit_tmpfs_t, { file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_lnk_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+files_runtime_filetrans(cockpit_ws_t, cockpit_runtime_t, { file dir sock_file })
+
+manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+cockpit_systemctl(cockpit_ws_t)
+
+kernel_read_network_state(cockpit_ws_t)
+
+auth_use_nsswitch(cockpit_ws_t)
+
+corecmd_exec_bin(cockpit_ws_t)
+
+fs_read_efivarfs_files(cockpit_ws_t)
+
+init_read_state(cockpit_ws_t)
+init_stream_connect(cockpit_ws_t)
+
+logging_send_syslog_msg(cockpit_ws_t)
+
+miscfiles_read_localization(cockpit_ws_t)
+
+sysnet_exec_ifconfig(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
+cockpit_session_domtrans(cockpit_ws_t)
+allow cockpit_ws_t cockpit_session_t:process signal_perms;
+
+# cockpit-session communicates back with cockpit-ws
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+# cockpit-tls and cockpit-ws communicate over a Unix socket
+allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
+
+optional_policy(`
+ hostname_exec(cockpit_ws_t)
+')
+
+optional_policy(`
+ kerberos_use(cockpit_ws_t)
+ kerberos_etc_filetrans_keytab(cockpit_ws_t, file)
+')
+
+optional_policy(`
+ ssh_read_user_home_files(cockpit_ws_t)
+')
+
+#########################################################
+#
+# cockpit-session local policy
+#
+
+# cockpit-session changes to the actual logged in user
+allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
+allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
+
+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_sock_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+fs_tmpfs_filetrans(cockpit_session_t, cockpit_tmpfs_t, { file })
+
+read_files_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
+list_dirs_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
+
+kernel_read_network_state(cockpit_session_t)
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
+# cockpit-session resseting expired passwords
+auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+corenet_tcp_bind_ssh_port(cockpit_session_t)
+corenet_tcp_connect_ssh_port(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
+usermanage_read_crack_db(cockpit_session_t)
+
+#optional_policy(`
+# ssh_agent_signal(cockpit_session_t)
+#')
+
+optional_policy(`
+ sssd_dbus_chat(cockpit_session_t)
+')
+
+optional_policy(`
+ userdom_signal_all_users(cockpit_session_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(cockpit_session_t)
+')
On Tuesday, 20 April 2021 10:48:32 PM AEST Matej Marusak wrote:
> As a Cockpit developer I would like to mention that Cockpit will ship its
> own policy very soon - it will be the same one that is currently in rawhide
> and it is possible it will involve over time. It will be shipped with
> priority 200 to suppress policy that is shipped by default.
> We first ship it in Fedora-33 and newer as well as rhel-9 and newer. We
> have a plan to ship it in Debian as well. Other OSes may come later.
>
> This is being developed in [1].
>
> MM
>
> [1] https://github.com/cockpit-project/cockpit/pull/15707
The same policy won't work for Red Hat and for Refpolicy systems (including
Debian). Many interfaces have different names and some interfaces do
different things.
You will have to ship 2 policies if you want to support Red Hat and the rest.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Russell Coker <[email protected]> writes:
> I took this from the rawhide policy and adapted it to work with refpolicy.
>
> Probably not ready for merging yet, let me know what should be changed.
Its been a while since I played with cockpit
Theres one thing that I want to mention though, instead of login the
confined users in with their login shell domain consider confining the
cockpit-bridge instead and make it log users in with bridge context
instead of the login shell context.
Because otherwise you'll end up extending the login shell domain with
permissions needed by the bridge. You can still allow the bridge to open
up a shell with a transition back to the login shell domain (but then
you will get into domain prefixes
ie: staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t ->
shell_exec_t -> user_t etc.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20210203/policy/modules/services/cockpit.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210203/policy/modules/services/cockpit.fc
> @@ -0,0 +1,18 @@
> +# cockpit stuff
> +
> +/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
> +/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
> +
> +/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
> +/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
> +/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
> +
> +/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
> +/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
> +
> +/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
> +
> +/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
> +
> +/var/run/cockpit(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
> +/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/cockpit.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210203/policy/modules/services/cockpit.if
> @@ -0,0 +1,279 @@
> +## <summary>policy for cockpit</summary>
> +
> +########################################
> +## <summary>
> +## Execute TEMPLATE in the cockpit domin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_ws_domtrans',`
> + gen_require(`
> + type cockpit_ws_t, cockpit_ws_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute TEMPLATE in the cockpit domin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_session_domtrans',`
> + gen_require(`
> + type cockpit_session_t, cockpit_session_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read and write cockpit_session_t unnamed pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_rw_pipes',`
> + gen_require(`
> + type cockpit_session_t;
> + ')
> +
> + allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create cockpit unix_stream_sockets.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_manage_unix_stream_sockets',`
> + gen_require(`
> + type cockpit_ws_t;
> + ')
> +
> + allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
> +')
> +
> +########################################
> +## <summary>
> +## Search cockpit lib directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_search_lib',`
> + gen_require(`
> + type cockpit_var_lib_t;
> + ')
> +
> + allow $1 cockpit_var_lib_t:dir search_dir_perms;
> + files_search_var_lib($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read cockpit lib files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_read_lib_files',`
> + gen_require(`
> + type cockpit_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage cockpit lib files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_manage_lib_files',`
> + gen_require(`
> + type cockpit_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage cockpit lib directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_manage_lib_dirs',`
> + gen_require(`
> + type cockpit_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read cockpit pid files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_read_pid_files',`
> + gen_require(`
> + type cockpit_runtime_t;
> + ')
> +
> + read_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
> + read_lnk_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage cockpit pid dirs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_manage_pid_dirs',`
> + gen_require(`
> + type cockpit_runtime_t;
> + ')
> +
> + manage_dirs_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage cockpit pid dirs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_manage_pid_files',`
> + gen_require(`
> + type cockpit_runtime_t;
> + ')
> +
> + manage_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute cockpit server in the cockpit domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`cockpit_systemctl',`
> + gen_require(`
> + type cockpit_ws_t;
> + type cockpit_unit_file_t;
> + class service { start stop status reload enable disable };
> + ')
> +
> + init_reload($1)
> + systemd_use_passwd_agent($1)
> + allow $1 cockpit_unit_file_t:file read_file_perms;
> + allow $1 cockpit_unit_file_t:service { start stop status reload enable disable };
> +
> + ps_process_pattern($1, cockpit_ws_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an cockpit environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`cockpit_admin',`
> + gen_require(`
> + type cockpit_ws_t;
> + type cockpit_session_t;
> + type cockpit_var_lib_t;
> + type cockpit_runtime_t;
> + type cockpit_unit_file_t;
> + ')
> +
> + allow $1 cockpit_ws_t:process { signal_perms };
> + ps_process_pattern($1, cockpit_ws_t)
> +
> + allow $1 cockpit_session_t:process { signal_perms };
> + ps_process_pattern($1, cockpit_session_t)
> +
> + tunable_policy(`deny_ptrace',`',`
> + allow $1 cockpit_ws_t:process ptrace;
> + allow $1 cockpit_session_t:process ptrace;
> + ')
> +
> + files_search_var_lib($1)
> + admin_pattern($1, cockpit_var_lib_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, cockpit_runtime_t)
> +
> + cockpit_systemctl($1)
> + admin_pattern($1, cockpit_unit_file_t)
> + allow $1 cockpit_unit_file_t:service all_service_perms;
> + optional_policy(`
> + systemd_passwd_agent_exec($1)
> + systemd_read_fifo_file_passwd_run($1)
> + ')
> +')
> Index: refpolicy-2.20210203/policy/modules/services/cockpit.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210203/policy/modules/services/cockpit.te
> @@ -0,0 +1,176 @@
> +policy_module(cockpit, 1.0.0)
> +
> +# https://cockpit-project.org/
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type cockpit_ws_t;
> +type cockpit_ws_exec_t;
> +init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
> +
> +type cockpit_tmp_t;
> +files_tmp_file(cockpit_tmp_t)
> +
> +type cockpit_tmpfs_t;
> +userdom_user_tmpfs_file(cockpit_tmpfs_t)
> +
> +type cockpit_runtime_t;
> +files_runtime_file(cockpit_runtime_t)
> +
> +type cockpit_unit_file_t;
> +init_unit_file(cockpit_unit_file_t)
> +
> +type cockpit_var_lib_t;
> +files_type(cockpit_var_lib_t)
> +
> +type cockpit_session_t;
> +type cockpit_session_exec_t;
> +domain_type(cockpit_session_t)
> +domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
> +
> +########################################
> +#
> +# cockpit_ws_t local policy
> +#
> +
> +allow cockpit_ws_t self:capability net_admin;
> +allow cockpit_ws_t self:process setrlimit;
> +allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
> +allow cockpit_ws_t self:fifo_file rw_file_perms;
> +
> +kernel_read_system_state(cockpit_ws_t)
> +
> +# cockpit-tls can execute cockpit-ws
> +can_exec(cockpit_ws_t,cockpit_ws_exec_t)
> +
> +# cockpit-ws can execute cockpit-session
> +can_exec(cockpit_ws_t,cockpit_session_exec_t)
> +
> +corecmd_exec_shell(cockpit_ws_t)
> +
> +# cockpit-ws can read from /dev/urandom
> +dev_read_urand(cockpit_ws_t) # for authkey
> +dev_read_rand(cockpit_ws_t) # for libssh
> +
> +corenet_tcp_bind_websm_port(cockpit_ws_t)
> +
> +# cockpit-ws can connect to other hosts via ssh
> +corenet_tcp_connect_ssh_port(cockpit_ws_t)
> +
> +# cockpit-ws can write to its temp files
> +manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
> +manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
> +files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
> +
> +manage_dirs_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
> +manage_files_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
> +fs_tmpfs_filetrans(cockpit_ws_t, cockpit_tmpfs_t, { file })
> +
> +manage_dirs_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
> +manage_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
> +manage_lnk_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
> +manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
> +files_runtime_filetrans(cockpit_ws_t, cockpit_runtime_t, { file dir sock_file })
> +
> +manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
> +manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
> +
> +cockpit_systemctl(cockpit_ws_t)
> +
> +kernel_read_network_state(cockpit_ws_t)
> +
> +auth_use_nsswitch(cockpit_ws_t)
> +
> +corecmd_exec_bin(cockpit_ws_t)
> +
> +fs_read_efivarfs_files(cockpit_ws_t)
> +
> +init_read_state(cockpit_ws_t)
> +init_stream_connect(cockpit_ws_t)
> +
> +logging_send_syslog_msg(cockpit_ws_t)
> +
> +miscfiles_read_localization(cockpit_ws_t)
> +
> +sysnet_exec_ifconfig(cockpit_ws_t)
> +
> +# cockpit-ws launches cockpit-session
> +cockpit_session_domtrans(cockpit_ws_t)
> +allow cockpit_ws_t cockpit_session_t:process signal_perms;
> +
> +# cockpit-session communicates back with cockpit-ws
> +allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
> +
> +# cockpit-tls and cockpit-ws communicate over a Unix socket
> +allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
> +
> +optional_policy(`
> + hostname_exec(cockpit_ws_t)
> +')
> +
> +optional_policy(`
> + kerberos_use(cockpit_ws_t)
> + kerberos_etc_filetrans_keytab(cockpit_ws_t, file)
> +')
> +
> +optional_policy(`
> + ssh_read_user_home_files(cockpit_ws_t)
> +')
> +
> +#########################################################
> +#
> +# cockpit-session local policy
> +#
> +
> +# cockpit-session changes to the actual logged in user
> +allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
> +allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
> +
> +read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
> +list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
> +
> +manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
> +manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
> +manage_sock_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
> +files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file sock_file })
> +
> +manage_dirs_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
> +manage_files_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
> +fs_tmpfs_filetrans(cockpit_session_t, cockpit_tmpfs_t, { file })
> +
> +read_files_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
> +list_dirs_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
> +
> +kernel_read_network_state(cockpit_session_t)
> +
> +# cockpit-session runs a full pam stack, including pam_selinux.so
> +auth_login_pgm_domain(cockpit_session_t)
> +# cockpit-session resseting expired passwords
> +auth_manage_shadow(cockpit_session_t)
> +auth_write_login_records(cockpit_session_t)
> +
> +corenet_tcp_bind_ssh_port(cockpit_session_t)
> +corenet_tcp_connect_ssh_port(cockpit_session_t)
> +
> +# cockpit-session can execute cockpit-agent as the user
> +userdom_spec_domtrans_all_users(cockpit_session_t)
> +usermanage_read_crack_db(cockpit_session_t)
> +
> +#optional_policy(`
> +# ssh_agent_signal(cockpit_session_t)
> +#')
> +
> +optional_policy(`
> + sssd_dbus_chat(cockpit_session_t)
> +')
> +
> +optional_policy(`
> + userdom_signal_all_users(cockpit_session_t)
> +')
> +
> +optional_policy(`
> + unconfined_domtrans(cockpit_session_t)
> +')
>
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
On 4/20/21 9:49 AM, Dominick Grift wrote:
> Russell Coker <[email protected]> writes:
>
>> I took this from the rawhide policy and adapted it to work with refpolicy.
>>
>> Probably not ready for merging yet, let me know what should be changed.
>
> Its been a while since I played with cockpit
>
> Theres one thing that I want to mention though, instead of login the
> confined users in with their login shell domain consider confining the
> cockpit-bridge instead and make it log users in with bridge context
> instead of the login shell context.
Do you have an example of permissions that would be concerning?
> Because otherwise you'll end up extending the login shell domain with
> permissions needed by the bridge. You can still allow the bridge to open
> up a shell with a transition back to the login shell domain (but then
> you will get into domain prefixes
>
> ie: staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t ->
> shell_exec_t -> user_t etc.
Otherwise I only see some style cleanup needed. Also there is an optional block
in the admin interface for systemd calls. Systemd is required for cockpit, so
it shouldn't be optional, right?
--
Chris PeBenito
On 4/26/21 2:47 PM, Chris PeBenito wrote:
> On 4/20/21 9:49 AM, Dominick Grift wrote:
>> Russell Coker <[email protected]> writes:
>>
>>> I took this from the rawhide policy and adapted it to work with
>>> refpolicy.
>>>
>>> Probably not ready for merging yet, let me know what should be changed.
>>
>> Its been a while since I played with cockpit
>>
>> Theres one thing that I want to mention though, instead of login the
>> confined users in with their login shell domain consider confining the
>> cockpit-bridge instead and make it log users in with bridge context
>> instead of the login shell context.
>
> Do you have an example of permissions that would be concerning?
The wide direct dbus access might be concerning.
cockpit-bridge (at least when I used it) seems to chat directly with
various system services like firewalld,tuned,udisks but also various
systemd components including pid1 (although not sure if the latter are
direct or via systemctl.
There's a bunch of other access that I can't explain anymore and some of
it does not make sense. Theres network access (connects to vnc and binds
tcp sockets to ephemeral ports)
I also allowed it to mapread shadow unconditionally but that does not
make sense as shadow is mode 000 and even if the bridge would be run by
a root login it still seems to not have cap_dac_read_search access ...
https://git.defensec.nl/?p=dssp2.git;a=blob;f=policy/services/c/cockpit.cil;h=f09d5084ba0c9f1b671b26772b29eb383c40e60a;hb=HEAD#l95
Things may have changed since then as well. I just wanted to give a
heads-up, it may be nothing to worry about.
>
>
>> Because otherwise you'll end up extending the login shell domain with
>> permissions needed by the bridge. You can still allow the bridge to open
>> up a shell with a transition back to the login shell domain (but then
>> you will get into domain prefixes
>>
>> ie: staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t ->
>> shell_exec_t -> user_t etc.
>
>
> Otherwise I only see some style cleanup needed. Also there is an
> optional block in the admin interface for systemd calls. Systemd is
> required for cockpit, so it shouldn't be optional, right?
>
On 4/26/21 3:22 PM, Dominick Grift wrote:
>
>
> On 4/26/21 2:47 PM, Chris PeBenito wrote:
>> On 4/20/21 9:49 AM, Dominick Grift wrote:
>>> Russell Coker <[email protected]> writes:
>>>
>>>> I took this from the rawhide policy and adapted it to work with
>>>> refpolicy.
>>>>
>>>> Probably not ready for merging yet, let me know what should be changed.
>>>
>>> Its been a while since I played with cockpit
>>>
>>> Theres one thing that I want to mention though, instead of login the
>>> confined users in with their login shell domain consider confining the
>>> cockpit-bridge instead and make it log users in with bridge context
>>> instead of the login shell context.
>>
>> Do you have an example of permissions that would be concerning?
>
> The wide direct dbus access might be concerning.
>
> cockpit-bridge (at least when I used it) seems to chat directly with
> various system services like firewalld,tuned,udisks but also various
> systemd components including pid1 (although not sure if the latter are
> direct or via systemctl.
>
> There's a bunch of other access that I can't explain anymore and some of
> it does not make sense. Theres network access (connects to vnc and binds
> tcp sockets to ephemeral ports)
It is not binding sockets to ports but it is connecting. That no big
deal since refpolicy already allows that access.
It does execute gpg though. if it runs in the shell domain then it has
access to gpg data (either via the gpg command or directly) and it seems
to not need that (but it still runs gpg probably with a different $GPG_HOME)
It does not look too terrible, but things like tcp_socket/udp_socket,
dbus, and service access are things i would try not to associate with
confined shells (but refpolicy already allows quite a bit of that access
anyway)
>
> I also allowed it to mapread shadow unconditionally but that does not
> make sense as shadow is mode 000 and even if the bridge would be run by
> a root login it still seems to not have cap_dac_read_search access ...
>
> https://git.defensec.nl/?p=dssp2.git;a=blob;f=policy/services/c/cockpit.cil;h=f09d5084ba0c9f1b671b26772b29eb383c40e60a;hb=HEAD#l95
>
> Things may have changed since then as well. I just wanted to give a
> heads-up, it may be nothing to worry about.
>
>>
>>
>>> Because otherwise you'll end up extending the login shell domain with
>>> permissions needed by the bridge. You can still allow the bridge to open
>>> up a shell with a transition back to the login shell domain (but then
>>> you will get into domain prefixes
>>>
>>> ie: staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t ->
>>> shell_exec_t -> user_t etc.
>>
>>
>> Otherwise I only see some style cleanup needed. Also there is an
>> optional block in the admin interface for systemd calls. Systemd is
>> required for cockpit, so it shouldn't be optional, right?
>>
On 4/26/21 3:34 PM, Dominick Grift wrote:
>
>
> On 4/26/21 3:22 PM, Dominick Grift wrote:
>>
>>
>> On 4/26/21 2:47 PM, Chris PeBenito wrote:
>>> On 4/20/21 9:49 AM, Dominick Grift wrote:
>>>> Russell Coker <[email protected]> writes:
>>>>
>>>>> I took this from the rawhide policy and adapted it to work with
>>>>> refpolicy.
>>>>>
>>>>> Probably not ready for merging yet, let me know what should be changed.
>>>>
>>>> Its been a while since I played with cockpit
>>>>
>>>> Theres one thing that I want to mention though, instead of login the
>>>> confined users in with their login shell domain consider confining the
>>>> cockpit-bridge instead and make it log users in with bridge context
>>>> instead of the login shell context.
>>>
>>> Do you have an example of permissions that would be concerning?
>>
>> The wide direct dbus access might be concerning.
>>
>> cockpit-bridge (at least when I used it) seems to chat directly with
>> various system services like firewalld,tuned,udisks but also various
>> systemd components including pid1 (although not sure if the latter are
>> direct or via systemctl.
>>
>> There's a bunch of other access that I can't explain anymore and some of
>> it does not make sense. Theres network access (connects to vnc and binds
>> tcp sockets to ephemeral ports)
>
> It is not binding sockets to ports but it is connecting. That no big
> deal since refpolicy already allows that access.
>
> It does execute gpg though. if it runs in the shell domain then it has
> access to gpg data (either via the gpg command or directly) and it seems
> to not need that (but it still runs gpg probably with a different $GPG_HOME)
>
> It does not look too terrible, but things like tcp_socket/udp_socket,
> dbus, and service access are things i would try not to associate with
> confined shells (but refpolicy already allows quite a bit of that access
> anyway)
I took a little trip down memory lane:
The issue becomes with users with polkit access. pkexec is a command
that is much like sudo (its probably setuid) however it is not selinux
aware and it seems that refpolicy currently does not support it at all.
Imagine a user with polkit access log in (ie wheel, adm (or whatever
Debian uses for users with wide polkit access). The bridge for those
users will in some cases run pkexec (and sudo). Both have issues because
with sudo you either have a ROLE= in the user /etc/sudoers or you do not
if you do then sudo will try to go whether its told, if not then it will
just stick in its domain.
Since pkexec is not selinux aware you rely on automatic transitions. So
iif you say staff_t gets polkit access then you might for example say
automatically transition to sysadm_t when staff_t runs pkexec.
If you do not differentiate between bridge and login shell then bridge
will also transition to sysadm_t when it runs pkexec and end up with the
same permissions that staff_t would get when it runs pkexec.
It is kind of hard to talk about this topic without having even
considered how to deal with pkexec.
There is also a upside to that, because now we can anticipate how pkexec
might be (ab)used
>
>>
>> I also allowed it to mapread shadow unconditionally but that does not
>> make sense as shadow is mode 000 and even if the bridge would be run by
>> a root login it still seems to not have cap_dac_read_search access ...
>>
>> https://git.defensec.nl/?p=dssp2.git;a=blob;f=policy/services/c/cockpit.cil;h=f09d5084ba0c9f1b671b26772b29eb383c40e60a;hb=HEAD#l95
>>
>> Things may have changed since then as well. I just wanted to give a
>> heads-up, it may be nothing to worry about.
>>
>>>
>>>
>>>> Because otherwise you'll end up extending the login shell domain with
>>>> permissions needed by the bridge. You can still allow the bridge to open
>>>> up a shell with a transition back to the login shell domain (but then
>>>> you will get into domain prefixes
>>>>
>>>> ie: staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t ->
>>>> shell_exec_t -> user_t etc.
>>>
>>>
>>> Otherwise I only see some style cleanup needed. Also there is an
>>> optional block in the admin interface for systemd calls. Systemd is
>>> required for cockpit, so it shouldn't be optional, right?
>>>
On 4/26/21 4:21 PM, Dominick Grift wrote:
>
>
> On 4/26/21 3:34 PM, Dominick Grift wrote:
>>
>>
>> On 4/26/21 3:22 PM, Dominick Grift wrote:
>>>
>>>
>>> On 4/26/21 2:47 PM, Chris PeBenito wrote:
>>>> On 4/20/21 9:49 AM, Dominick Grift wrote:
>>>>> Russell Coker <[email protected]> writes:
>>>>>
>>>>>> I took this from the rawhide policy and adapted it to work with
>>>>>> refpolicy.
>>>>>>
>>>>>> Probably not ready for merging yet, let me know what should be changed.
>>>>>
>>>>> Its been a while since I played with cockpit
>>>>>
>>>>> Theres one thing that I want to mention though, instead of login the
>>>>> confined users in with their login shell domain consider confining the
>>>>> cockpit-bridge instead and make it log users in with bridge context
>>>>> instead of the login shell context.
>>>>
>>>> Do you have an example of permissions that would be concerning?
>>>
>>> The wide direct dbus access might be concerning.
>>>
>>> cockpit-bridge (at least when I used it) seems to chat directly with
>>> various system services like firewalld,tuned,udisks but also various
>>> systemd components including pid1 (although not sure if the latter are
>>> direct or via systemctl.
>>>
>>> There's a bunch of other access that I can't explain anymore and some of
>>> it does not make sense. Theres network access (connects to vnc and binds
>>> tcp sockets to ephemeral ports)
>>
>> It is not binding sockets to ports but it is connecting. That no big
>> deal since refpolicy already allows that access.
>>
>> It does execute gpg though. if it runs in the shell domain then it has
>> access to gpg data (either via the gpg command or directly) and it seems
>> to not need that (but it still runs gpg probably with a different $GPG_HOME)
>>
>> It does not look too terrible, but things like tcp_socket/udp_socket,
>> dbus, and service access are things i would try not to associate with
>> confined shells (but refpolicy already allows quite a bit of that access
>> anyway)
>
> I took a little trip down memory lane:
>
> The issue becomes with users with polkit access. pkexec is a command
> that is much like sudo (its probably setuid) however it is not selinux
> aware and it seems that refpolicy currently does not support it at all.
>
> Imagine a user with polkit access log in (ie wheel, adm (or whatever
> Debian uses for users with wide polkit access). The bridge for those
> users will in some cases run pkexec (and sudo). Both have issues because
> with sudo you either have a ROLE= in the user /etc/sudoers or you do not
> if you do then sudo will try to go whether its told, if not then it will
> just stick in its domain.
>
> Since pkexec is not selinux aware you rely on automatic transitions. So
> iif you say staff_t gets polkit access then you might for example say
> automatically transition to sysadm_t when staff_t runs pkexec.
>
> If you do not differentiate between bridge and login shell then bridge
> will also transition to sysadm_t when it runs pkexec and end up with the
> same permissions that staff_t would get when it runs pkexec.
>
> It is kind of hard to talk about this topic without having even
> considered how to deal with pkexec.
>
> There is also a upside to that, because now we can anticipate how pkexec
> might be (ab)used
Thing is though that when all is said and done bridge probably just
needs the same permissions/identifiers as the login user.
I did not realize this only until later because the bridge for my wheel
(staff_t) user would have to be able to run sudo with a transition to
staff_sudo_t, just because it needed to be able to transition to
whatever was specified in /etc/sudoers for that user (ie ROLE=sysadm_r
TYPE=sysadm_t)
So in other words. I image that refpolicy would allow staff_t to run
pkexec with a automatic transition to sysadm_t (anything else probably
wouldnt make sense?). So that then means that the bridge for those users
gets root access. because it runs with the uid of the user that has
access to polkit/pkexec and it can transition to sysadm_t automatically
upon pkexec:
ie: pkexec setenforce 0
>
>>
>>>
>>> I also allowed it to mapread shadow unconditionally but that does not
>>> make sense as shadow is mode 000 and even if the bridge would be run by
>>> a root login it still seems to not have cap_dac_read_search access ...
>>>
>>> https://git.defensec.nl/?p=dssp2.git;a=blob;f=policy/services/c/cockpit.cil;h=f09d5084ba0c9f1b671b26772b29eb383c40e60a;hb=HEAD#l95
>>>
>>> Things may have changed since then as well. I just wanted to give a
>>> heads-up, it may be nothing to worry about.
>>>
>>>>
>>>>
>>>>> Because otherwise you'll end up extending the login shell domain with
>>>>> permissions needed by the bridge. You can still allow the bridge to open
>>>>> up a shell with a transition back to the login shell domain (but then
>>>>> you will get into domain prefixes
>>>>>
>>>>> ie: staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t ->
>>>>> shell_exec_t -> user_t etc.
>>>>
>>>>
>>>> Otherwise I only see some style cleanup needed. Also there is an
>>>> optional block in the admin interface for systemd calls. Systemd is
>>>> required for cockpit, so it shouldn't be optional, right?
>>>>