Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp3193136pxb; Tue, 20 Apr 2021 02:43:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxe2oItoLryCnDpqxWpxObUpWkqPkM5kAhRuOXY994vEXRusy5Uf+YvLxw1gqQLGVZmQKyp X-Received: by 2002:a17:90a:4d8a:: with SMTP id m10mr3901255pjh.42.1618911780754; Tue, 20 Apr 2021 02:43:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618911780; cv=none; d=google.com; s=arc-20160816; b=ITFZoeluT220KQ2igVLkq07CPceOQwMvzW+9V3GdE7xodh6ejbI2soNO9p8MzvC+L3 fnNNr8gs2km1I3yE0BkABmowqKPGNInwg5Wi7nO3zTCnfVNwnd/xhjPOvDC8I1HbSGJ8 ZqPc7OfXvSkJ9JgcnqsskqAcawoLxGgJ6qXCvhDgiI2FTSQuHiSaWLVjmcIZSvIivzWU J4NjdR4KTvBiXSUE3LduJTIuhcHlb+e5sDh1CMTFfBjZEvzIXeornfdS4MlvwjSgEj+7 pGWd3+YGeYgvs48T+uukV1S3ArE4cuw7t7onN7PP+OJqx1UIsvSjlEkwSGZ8ud6Qa7N6 1O8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:cc:to:from:date:dkim-signature; bh=q+79H1lbWgRgy3XnmQCrtXCQ0zTavSRBm2QzoO0kP0E=; b=wmCIqs6mal6KlJN1O/XF7NdfYqvnhrrDSFYHJNIWcIEotdNBXAv5tTHKESRrfuqYCW I0UtsXmfaHFPbacy/PQqx+JPG3TP6fsybGY7bil4+paItukfp7Sl1tAm2BnPP5GqtU++ 8jzYVym/n6VbANFSIMFxxbc9mdqOye69OV5i/zoRBLkRQTQyVDQY2a8UlPzW2CJN7Q4O Xfx2ss4sjjI+Ym8M370IhFOSH1lyxHC5mMV0falZt0olgurnOatnUXi09Icmldo6iyP3 8XHBhiKXlmE2sa+LqT5bP/U7YEg/fF6LaDRQuCDYJ+GU/+zCpUCfsLpcnKURX8/Og2Ei O/mg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=mCEa14ri; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r25si21898840pgv.151.2021.04.20.02.42.55; Tue, 20 Apr 2021 02:43:00 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=mCEa14ri; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230090AbhDTJnW (ORCPT + 17 others); Tue, 20 Apr 2021 05:43:22 -0400 Received: from smtp.sws.net.au ([46.4.88.250]:53230 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229937AbhDTJnW (ORCPT ); Tue, 20 Apr 2021 05:43:22 -0400 X-Greylist: delayed 357 seconds by postgrey-1.27 at vger.kernel.org; Tue, 20 Apr 2021 05:43:21 EDT Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 32F20FB0A; Tue, 20 Apr 2021 19:36:48 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1618911408; bh=q+79H1lbWgRgy3XnmQCrtXCQ0zTavSRBm2QzoO0kP0E=; l=13867; h=Date:From:To:Cc:Subject:From; b=mCEa14riEQCBS+OrAffeJhRKFuvWJXgx2ZHZnHYw+Anjy6lRhK9HCpk/uUuBzLv0U dnL6ahZcZ5WisRkyr51ih5/7vgsCDvqeuo3/Pj6CsvUtZBosoZH6thSe33K+KJnEXF 2kQIq3OT13L8ZDBWXQdIQnRf5xFfEW+nHXDwzbSc= Received: by xev.coker.com.au (Postfix, from userid 1001) id 9038E141B60B; Tue, 20 Apr 2021 19:36:43 +1000 (AEST) Date: Tue, 20 Apr 2021 19:36:43 +1000 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Cc: Matej Marusak Subject: [PATCH] cockpit web admin system Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org I took this from the rawhide policy and adapted it to work with refpolicy. Probably not ready for merging yet, let me know what should be changed. Signed-off-by: Russell Coker Index: refpolicy-2.20210203/policy/modules/services/cockpit.fc =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/cockpit.fc @@ -0,0 +1,18 @@ +# cockpit stuff + +/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) +/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + +/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) +/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + +/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) + +/var/run/cockpit(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0) +/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0) Index: refpolicy-2.20210203/policy/modules/services/cockpit.if =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/cockpit.if @@ -0,0 +1,279 @@ +## policy for cockpit + +######################################## +## +## Execute TEMPLATE in the cockpit domin. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cockpit_ws_domtrans',` + gen_require(` + type cockpit_ws_t, cockpit_ws_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t) +') + +######################################## +## +## Execute TEMPLATE in the cockpit domin. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cockpit_session_domtrans',` + gen_require(` + type cockpit_session_t, cockpit_session_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t) +') + +######################################## +## +## Read and write cockpit_session_t unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_rw_pipes',` + gen_require(` + type cockpit_session_t; + ') + + allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Create cockpit unix_stream_sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_manage_unix_stream_sockets',` + gen_require(` + type cockpit_ws_t; + ') + + allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto }; +') + +######################################## +## +## Search cockpit lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_search_lib',` + gen_require(` + type cockpit_var_lib_t; + ') + + allow $1 cockpit_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read cockpit lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_read_lib_files',` + gen_require(` + type cockpit_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) +') + +######################################## +## +## Manage cockpit lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_manage_lib_files',` + gen_require(` + type cockpit_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) +') + +######################################## +## +## Manage cockpit lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_manage_lib_dirs',` + gen_require(` + type cockpit_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) +') + +######################################## +## +## Read cockpit pid files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_read_pid_files',` + gen_require(` + type cockpit_runtime_t; + ') + + read_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t) + read_lnk_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t) +') + +######################################## +## +## Manage cockpit pid dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_manage_pid_dirs',` + gen_require(` + type cockpit_runtime_t; + ') + + manage_dirs_pattern($1, cockpit_runtime_t, cockpit_runtime_t) +') + +######################################## +## +## Manage cockpit pid dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`cockpit_manage_pid_files',` + gen_require(` + type cockpit_runtime_t; + ') + + manage_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t) +') + +######################################## +## +## Execute cockpit server in the cockpit domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cockpit_systemctl',` + gen_require(` + type cockpit_ws_t; + type cockpit_unit_file_t; + class service { start stop status reload enable disable }; + ') + + init_reload($1) + systemd_use_passwd_agent($1) + allow $1 cockpit_unit_file_t:file read_file_perms; + allow $1 cockpit_unit_file_t:service { start stop status reload enable disable }; + + ps_process_pattern($1, cockpit_ws_t) +') + + +######################################## +## +## All of the rules required to administrate +## an cockpit environment +## +## +## +## Domain allowed access. +## +## +## +# +interface(`cockpit_admin',` + gen_require(` + type cockpit_ws_t; + type cockpit_session_t; + type cockpit_var_lib_t; + type cockpit_runtime_t; + type cockpit_unit_file_t; + ') + + allow $1 cockpit_ws_t:process { signal_perms }; + ps_process_pattern($1, cockpit_ws_t) + + allow $1 cockpit_session_t:process { signal_perms }; + ps_process_pattern($1, cockpit_session_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 cockpit_ws_t:process ptrace; + allow $1 cockpit_session_t:process ptrace; + ') + + files_search_var_lib($1) + admin_pattern($1, cockpit_var_lib_t) + + files_search_pids($1) + admin_pattern($1, cockpit_runtime_t) + + cockpit_systemctl($1) + admin_pattern($1, cockpit_unit_file_t) + allow $1 cockpit_unit_file_t:service all_service_perms; + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') Index: refpolicy-2.20210203/policy/modules/services/cockpit.te =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/cockpit.te @@ -0,0 +1,176 @@ +policy_module(cockpit, 1.0.0) + +# https://cockpit-project.org/ + +######################################## +# +# Declarations +# + +type cockpit_ws_t; +type cockpit_ws_exec_t; +init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t) + +type cockpit_tmp_t; +files_tmp_file(cockpit_tmp_t) + +type cockpit_tmpfs_t; +userdom_user_tmpfs_file(cockpit_tmpfs_t) + +type cockpit_runtime_t; +files_runtime_file(cockpit_runtime_t) + +type cockpit_unit_file_t; +init_unit_file(cockpit_unit_file_t) + +type cockpit_var_lib_t; +files_type(cockpit_var_lib_t) + +type cockpit_session_t; +type cockpit_session_exec_t; +domain_type(cockpit_session_t) +domain_entry_file(cockpit_session_t,cockpit_session_exec_t) + +######################################## +# +# cockpit_ws_t local policy +# + +allow cockpit_ws_t self:capability net_admin; +allow cockpit_ws_t self:process setrlimit; +allow cockpit_ws_t self:tcp_socket create_stream_socket_perms; +allow cockpit_ws_t self:fifo_file rw_file_perms; + +kernel_read_system_state(cockpit_ws_t) + +# cockpit-tls can execute cockpit-ws +can_exec(cockpit_ws_t,cockpit_ws_exec_t) + +# cockpit-ws can execute cockpit-session +can_exec(cockpit_ws_t,cockpit_session_exec_t) + +corecmd_exec_shell(cockpit_ws_t) + +# cockpit-ws can read from /dev/urandom +dev_read_urand(cockpit_ws_t) # for authkey +dev_read_rand(cockpit_ws_t) # for libssh + +corenet_tcp_bind_websm_port(cockpit_ws_t) + +# cockpit-ws can connect to other hosts via ssh +corenet_tcp_connect_ssh_port(cockpit_ws_t) + +# cockpit-ws can write to its temp files +manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) +manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) +files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file }) + +manage_dirs_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t) +manage_files_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t) +fs_tmpfs_filetrans(cockpit_ws_t, cockpit_tmpfs_t, { file }) + +manage_dirs_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t) +manage_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t) +manage_lnk_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t) +manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t) +files_runtime_filetrans(cockpit_ws_t, cockpit_runtime_t, { file dir sock_file }) + +manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) +manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) + +cockpit_systemctl(cockpit_ws_t) + +kernel_read_network_state(cockpit_ws_t) + +auth_use_nsswitch(cockpit_ws_t) + +corecmd_exec_bin(cockpit_ws_t) + +fs_read_efivarfs_files(cockpit_ws_t) + +init_read_state(cockpit_ws_t) +init_stream_connect(cockpit_ws_t) + +logging_send_syslog_msg(cockpit_ws_t) + +miscfiles_read_localization(cockpit_ws_t) + +sysnet_exec_ifconfig(cockpit_ws_t) + +# cockpit-ws launches cockpit-session +cockpit_session_domtrans(cockpit_ws_t) +allow cockpit_ws_t cockpit_session_t:process signal_perms; + +# cockpit-session communicates back with cockpit-ws +allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms; + +# cockpit-tls and cockpit-ws communicate over a Unix socket +allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto }; + +optional_policy(` + hostname_exec(cockpit_ws_t) +') + +optional_policy(` + kerberos_use(cockpit_ws_t) + kerberos_etc_filetrans_keytab(cockpit_ws_t, file) +') + +optional_policy(` + ssh_read_user_home_files(cockpit_ws_t) +') + +######################################################### +# +# cockpit-session local policy +# + +# cockpit-session changes to the actual logged in user +allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource}; +allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit }; + +read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) +list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) + +manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t) +manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t) +manage_sock_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t) +files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file sock_file }) + +manage_dirs_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t) +manage_files_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t) +fs_tmpfs_filetrans(cockpit_session_t, cockpit_tmpfs_t, { file }) + +read_files_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t) +list_dirs_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t) + +kernel_read_network_state(cockpit_session_t) + +# cockpit-session runs a full pam stack, including pam_selinux.so +auth_login_pgm_domain(cockpit_session_t) +# cockpit-session resseting expired passwords +auth_manage_shadow(cockpit_session_t) +auth_write_login_records(cockpit_session_t) + +corenet_tcp_bind_ssh_port(cockpit_session_t) +corenet_tcp_connect_ssh_port(cockpit_session_t) + +# cockpit-session can execute cockpit-agent as the user +userdom_spec_domtrans_all_users(cockpit_session_t) +usermanage_read_crack_db(cockpit_session_t) + +#optional_policy(` +# ssh_agent_signal(cockpit_session_t) +#') + +optional_policy(` + sssd_dbus_chat(cockpit_session_t) +') + +optional_policy(` + userdom_signal_all_users(cockpit_session_t) +') + +optional_policy(` + unconfined_domtrans(cockpit_session_t) +')