Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp3193136pxb;
        Tue, 20 Apr 2021 02:43:00 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxe2oItoLryCnDpqxWpxObUpWkqPkM5kAhRuOXY994vEXRusy5Uf+YvLxw1gqQLGVZmQKyp
X-Received: by 2002:a17:90a:4d8a:: with SMTP id m10mr3901255pjh.42.1618911780754;
        Tue, 20 Apr 2021 02:43:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618911780; cv=none;
        d=google.com; s=arc-20160816;
        b=ITFZoeluT220KQ2igVLkq07CPceOQwMvzW+9V3GdE7xodh6ejbI2soNO9p8MzvC+L3
         fnNNr8gs2km1I3yE0BkABmowqKPGNInwg5Wi7nO3zTCnfVNwnd/xhjPOvDC8I1HbSGJ8
         ZqPc7OfXvSkJ9JgcnqsskqAcawoLxGgJ6qXCvhDgiI2FTSQuHiSaWLVjmcIZSvIivzWU
         J4NjdR4KTvBiXSUE3LduJTIuhcHlb+e5sDh1CMTFfBjZEvzIXeornfdS4MlvwjSgEj+7
         pGWd3+YGeYgvs48T+uukV1S3ArE4cuw7t7onN7PP+OJqx1UIsvSjlEkwSGZ8ud6Qa7N6
         1O8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:cc:to:from:date:dkim-signature;
        bh=q+79H1lbWgRgy3XnmQCrtXCQ0zTavSRBm2QzoO0kP0E=;
        b=wmCIqs6mal6KlJN1O/XF7NdfYqvnhrrDSFYHJNIWcIEotdNBXAv5tTHKESRrfuqYCW
         I0UtsXmfaHFPbacy/PQqx+JPG3TP6fsybGY7bil4+paItukfp7Sl1tAm2BnPP5GqtU++
         8jzYVym/n6VbANFSIMFxxbc9mdqOye69OV5i/zoRBLkRQTQyVDQY2a8UlPzW2CJN7Q4O
         Xfx2ss4sjjI+Ym8M370IhFOSH1lyxHC5mMV0falZt0olgurnOatnUXi09Icmldo6iyP3
         8XHBhiKXlmE2sa+LqT5bP/U7YEg/fF6LaDRQuCDYJ+GU/+zCpUCfsLpcnKURX8/Og2Ei
         O/mg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=mCEa14ri;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id r25si21898840pgv.151.2021.04.20.02.42.55;
        Tue, 20 Apr 2021 02:43:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=mCEa14ri;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230090AbhDTJnW (ORCPT <rfc822;mikie.simpson@gmail.com>
        + 17 others); Tue, 20 Apr 2021 05:43:22 -0400
Received: from smtp.sws.net.au ([46.4.88.250]:53230 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S229937AbhDTJnW (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 20 Apr 2021 05:43:22 -0400
X-Greylist: delayed 357 seconds by postgrey-1.27 at vger.kernel.org; Tue, 20 Apr 2021 05:43:21 EDT
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id 32F20FB0A;
        Tue, 20 Apr 2021 19:36:48 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1618911408;
        bh=q+79H1lbWgRgy3XnmQCrtXCQ0zTavSRBm2QzoO0kP0E=; l=13867;
        h=Date:From:To:Cc:Subject:From;
        b=mCEa14riEQCBS+OrAffeJhRKFuvWJXgx2ZHZnHYw+Anjy6lRhK9HCpk/uUuBzLv0U
         dnL6ahZcZ5WisRkyr51ih5/7vgsCDvqeuo3/Pj6CsvUtZBosoZH6thSe33K+KJnEXF
         2kQIq3OT13L8ZDBWXQdIQnRf5xFfEW+nHXDwzbSc=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 9038E141B60B; Tue, 20 Apr 2021 19:36:43 +1000 (AEST)
Date:   Tue, 20 Apr 2021 19:36:43 +1000
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Cc:     Matej Marusak <mmarusak@redhat.com>
Subject: [PATCH] cockpit web admin system
Message-ID: <YH6gq6yWUmo93KT7@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

I took this from the rawhide policy and adapted it to work with refpolicy.

Probably not ready for merging yet, let me know what should be changed.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/services/cockpit.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.fc
@@ -0,0 +1,18 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.*		--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+/etc/systemd/system/cockpit.*	--	gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpit-ws		--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-tls	--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-wsinstance-factory	--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/libexec/cockpit-ssh	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/usr/share/cockpit/motd/update-motd    -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/var/lib/cockpit(/.*)?      gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+
+/var/run/cockpit(/.*)?   gen_context(system_u:object_r:cockpit_runtime_t,s0)
+/var/run/cockpit-ws(/.*)?   gen_context(system_u:object_r:cockpit_runtime_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/cockpit.if
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.if
@@ -0,0 +1,279 @@
+## <summary>policy for cockpit</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_ws_domtrans',`
+	gen_require(`
+		type cockpit_ws_t, cockpit_ws_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
+')
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_session_domtrans',`
+	gen_require(`
+		type cockpit_session_t, cockpit_session_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
+')
+
+########################################
+## <summary>
+##	Read and write cockpit_session_t unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_rw_pipes',`
+	gen_require(`
+		type cockpit_session_t;
+	')
+
+	allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Create cockpit unix_stream_sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_unix_stream_sockets',`
+	gen_require(`
+		type cockpit_ws_t;
+	')
+
+	allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
+')
+
+########################################
+## <summary>
+##	Search cockpit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_search_lib',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	allow $1 cockpit_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read cockpit lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_read_lib_files',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_lib_files',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_lib_dirs',`
+	gen_require(`
+		type cockpit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read cockpit pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_read_pid_files',`
+	gen_require(`
+		type cockpit_runtime_t;
+	')
+
+	read_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+	read_lnk_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit pid dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_pid_dirs',`
+	gen_require(`
+		type cockpit_runtime_t;
+	')
+
+	manage_dirs_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+##	Manage cockpit pid dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cockpit_manage_pid_files',`
+	gen_require(`
+		type cockpit_runtime_t;
+	')
+
+	manage_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+##	Execute cockpit server in the cockpit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cockpit_systemctl',`
+	gen_require(`
+		type cockpit_ws_t;
+		type cockpit_unit_file_t;
+		class service { start stop status reload enable disable };
+	')
+
+	init_reload($1)
+        systemd_use_passwd_agent($1)
+	allow $1 cockpit_unit_file_t:file read_file_perms;
+	allow $1 cockpit_unit_file_t:service { start stop status reload enable disable };
+
+	ps_process_pattern($1, cockpit_ws_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an cockpit environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cockpit_admin',`
+	gen_require(`
+		type cockpit_ws_t;
+		type cockpit_session_t;
+		type cockpit_var_lib_t;
+		type cockpit_runtime_t;
+		type cockpit_unit_file_t;
+	')
+
+	allow $1 cockpit_ws_t:process { signal_perms };
+	ps_process_pattern($1, cockpit_ws_t)
+
+	allow $1 cockpit_session_t:process { signal_perms };
+	ps_process_pattern($1, cockpit_session_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 cockpit_ws_t:process ptrace;
+		allow $1 cockpit_session_t:process ptrace;
+	')
+
+	files_search_var_lib($1)
+	admin_pattern($1, cockpit_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, cockpit_runtime_t)
+
+	cockpit_systemctl($1)
+	admin_pattern($1, cockpit_unit_file_t)
+	allow $1 cockpit_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
Index: refpolicy-2.20210203/policy/modules/services/cockpit.te
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.te
@@ -0,0 +1,176 @@
+policy_module(cockpit, 1.0.0)
+
+# https://cockpit-project.org/
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_ws_t;
+type cockpit_ws_exec_t;
+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
+
+type cockpit_tmp_t;
+files_tmp_file(cockpit_tmp_t)
+
+type cockpit_tmpfs_t;
+userdom_user_tmpfs_file(cockpit_tmpfs_t)
+
+type cockpit_runtime_t;
+files_runtime_file(cockpit_runtime_t)
+
+type cockpit_unit_file_t;
+init_unit_file(cockpit_unit_file_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_session_t;
+type cockpit_session_exec_t;
+domain_type(cockpit_session_t)
+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
+
+########################################
+#
+# cockpit_ws_t local policy
+#
+
+allow cockpit_ws_t self:capability net_admin;
+allow cockpit_ws_t self:process setrlimit;
+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
+allow cockpit_ws_t self:fifo_file rw_file_perms;
+
+kernel_read_system_state(cockpit_ws_t)
+
+# cockpit-tls can execute cockpit-ws
+can_exec(cockpit_ws_t,cockpit_ws_exec_t)
+
+# cockpit-ws can execute cockpit-session
+can_exec(cockpit_ws_t,cockpit_session_exec_t)
+
+corecmd_exec_shell(cockpit_ws_t)
+
+# cockpit-ws can read from /dev/urandom
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t)  # for libssh
+
+corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
+
+# cockpit-ws can write to its temp files
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+fs_tmpfs_filetrans(cockpit_ws_t, cockpit_tmpfs_t, { file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_lnk_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+files_runtime_filetrans(cockpit_ws_t, cockpit_runtime_t, { file dir sock_file })
+
+manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+cockpit_systemctl(cockpit_ws_t)
+
+kernel_read_network_state(cockpit_ws_t)
+
+auth_use_nsswitch(cockpit_ws_t)
+
+corecmd_exec_bin(cockpit_ws_t)
+
+fs_read_efivarfs_files(cockpit_ws_t)
+
+init_read_state(cockpit_ws_t)
+init_stream_connect(cockpit_ws_t)
+
+logging_send_syslog_msg(cockpit_ws_t)
+
+miscfiles_read_localization(cockpit_ws_t)
+
+sysnet_exec_ifconfig(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
+cockpit_session_domtrans(cockpit_ws_t)
+allow cockpit_ws_t cockpit_session_t:process signal_perms;
+
+# cockpit-session communicates back with cockpit-ws
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+# cockpit-tls and cockpit-ws communicate over a Unix socket
+allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
+
+optional_policy(`
+    hostname_exec(cockpit_ws_t)
+')
+
+optional_policy(`
+    kerberos_use(cockpit_ws_t)
+    kerberos_etc_filetrans_keytab(cockpit_ws_t, file)
+')
+
+optional_policy(`
+	ssh_read_user_home_files(cockpit_ws_t)
+')
+
+#########################################################
+#
+#  cockpit-session local policy
+#
+
+# cockpit-session changes to the actual logged in user
+allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
+allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
+
+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_sock_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+fs_tmpfs_filetrans(cockpit_session_t, cockpit_tmpfs_t, { file })
+
+read_files_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
+list_dirs_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
+
+kernel_read_network_state(cockpit_session_t)
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
+# cockpit-session resseting expired passwords
+auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+corenet_tcp_bind_ssh_port(cockpit_session_t)
+corenet_tcp_connect_ssh_port(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
+usermanage_read_crack_db(cockpit_session_t)
+
+#optional_policy(`
+#    ssh_agent_signal(cockpit_session_t)
+#')
+
+optional_policy(`
+    sssd_dbus_chat(cockpit_session_t)
+')
+
+optional_policy(`
+    userdom_signal_all_users(cockpit_session_t)
+')
+
+optional_policy(`
+	unconfined_domtrans(cockpit_session_t)
+')