From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org, Matej Marusak
Subject: Re: [PATCH] cockpit web admin system
Date: Tue, 20 Apr 2021 15:49:07 +0200
In-Reply-To: (Russell Coker's message of "Tue, 20 Apr 2021 19:36:43 +1000")
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker writes:

> I took this from the rawhide policy and adapted it to work with refpolicy.
>
> Probably not ready for merging yet, let me know what should be changed.

It's been a while since I played with cockpit. There's one thing that I want to mention though: instead of logging the confined users in with their login shell domain, consider confining the cockpit-bridge instead and making it log users in with the bridge context instead of the login shell context. Because otherwise you'll end up extending the login shell domain with permissions needed by the bridge. You can still allow the bridge to open up a shell with a transition back to the login shell domain (but then you will get into domain prefixes, i.e. staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t -> shell_exec_t -> user_t etc.).

>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20210203/policy/modules/services/cockpit.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210203/policy/modules/services/cockpit.fc
> @@ -0,0 +1,18 @@ > +# cockpit stuff > + > +/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) > +/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) > + > +/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) > +/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) > +/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) > + > +/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) > +/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) > + > +/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) > + > +/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) > + > +/var/run/cockpit(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0) > +/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0) > Index: refpolicy-2.20210203/policy/modules/services/cockpit.if > =================================================================== > --- /dev/null > +++ refpolicy-2.20210203/policy/modules/services/cockpit.if 
> @@ -0,0 +1,279 @@ > +## policy for cockpit > + > +######################################## > +## > +## Execute TEMPLATE in the cockpit domin. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`cockpit_ws_domtrans',` > + gen_require(` > + type cockpit_ws_t, cockpit_ws_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t) > +') > + > +######################################## > +## > +## Execute TEMPLATE in the cockpit domin. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`cockpit_session_domtrans',` > + gen_require(` > + type cockpit_session_t, cockpit_session_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t) > +') > + > +######################################## > +## > +## Read and write cockpit_session_t unnamed pipes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cockpit_rw_pipes',` > + gen_require(` > + type cockpit_session_t; > + ') > + > + allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms; > +') > + > +######################################## > +## > +## Create cockpit unix_stream_sockets. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cockpit_manage_unix_stream_sockets',` > + gen_require(` > + type cockpit_ws_t; > + ') > + > + allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto }; > +') > + > +######################################## > +## > +## Search cockpit lib directories. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cockpit_search_lib',` > + gen_require(` > + type cockpit_var_lib_t; > + ') > + > + allow $1 cockpit_var_lib_t:dir search_dir_perms; > + files_search_var_lib($1) > +') > + > +######################################## > +## > +## Read cockpit lib files. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`cockpit_read_lib_files',` > + gen_require(` > + type cockpit_var_lib_t; > + ') > + > + files_search_var_lib($1) > + read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) > +') > + > +######################################## > +## > +## Manage cockpit lib files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cockpit_manage_lib_files',` > + gen_require(` > + type cockpit_var_lib_t; > + ') > + > + files_search_var_lib($1) > + manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) > +') > + > +######################################## > +## > +## Manage cockpit lib directories. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cockpit_manage_lib_dirs',` > + gen_require(` > + type cockpit_var_lib_t; > + ') > + > + files_search_var_lib($1) > + manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) > +') > + > +######################################## > +## > +## Read cockpit pid files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cockpit_read_pid_files',` > + gen_require(` > + type cockpit_runtime_t; > + ') > + > + read_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t) > + read_lnk_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t) > +') > + > +######################################## > +## > +## Manage cockpit pid dirs. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cockpit_manage_pid_dirs',` > + gen_require(` > + type cockpit_runtime_t; > + ') > + > + manage_dirs_pattern($1, cockpit_runtime_t, cockpit_runtime_t) > +') > + > +######################################## > +## > +## Manage cockpit pid dirs. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`cockpit_manage_pid_files',` > + gen_require(` > + type cockpit_runtime_t; > + ') > + > + manage_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t) > +') > + > +######################################## > +## > +## Execute cockpit server in the cockpit domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`cockpit_systemctl',` > + gen_require(` > + type cockpit_ws_t; > + type cockpit_unit_file_t; > + class service { start stop status reload enable disable }; > + ') > + > + init_reload($1) > + systemd_use_passwd_agent($1) > + allow $1 cockpit_unit_file_t:file read_file_perms; > + allow $1 cockpit_unit_file_t:service { start stop status reload enable disable }; > + > + ps_process_pattern($1, cockpit_ws_t) > +') > + > + > +######################################## > +## > +## All of the rules required to administrate > +## an cockpit environment > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`cockpit_admin',` > + gen_require(` > + type cockpit_ws_t; > + type cockpit_session_t; > + type cockpit_var_lib_t; > + type cockpit_runtime_t; > + type cockpit_unit_file_t; > + ') > + > + allow $1 cockpit_ws_t:process { signal_perms }; > + ps_process_pattern($1, cockpit_ws_t) > + > + allow $1 cockpit_session_t:process { signal_perms }; > + ps_process_pattern($1, cockpit_session_t) > + > + tunable_policy(`deny_ptrace',`',` > + allow $1 cockpit_ws_t:process ptrace; > + allow $1 cockpit_session_t:process ptrace; > + ') > + > + files_search_var_lib($1) > + admin_pattern($1, cockpit_var_lib_t) > + > + files_search_pids($1) > + admin_pattern($1, cockpit_runtime_t) > + > + cockpit_systemctl($1) > + admin_pattern($1, cockpit_unit_file_t) > + allow $1 cockpit_unit_file_t:service all_service_perms; > + optional_policy(` > + systemd_passwd_agent_exec($1) > + systemd_read_fifo_file_passwd_run($1) > + ') > +') > Index: refpolicy-2.20210203/policy/modules/services/cockpit.te > 
=================================================================== > --- /dev/null > +++ refpolicy-2.20210203/policy/modules/services/cockpit.te 
> @@ -0,0 +1,176 @@ > +policy_module(cockpit, 1.0.0) > + > +# https://cockpit-project.org/ > + > +######################################## > +# > +# Declarations > +# > + > +type cockpit_ws_t; > +type cockpit_ws_exec_t; > +init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t) > + > +type cockpit_tmp_t; > +files_tmp_file(cockpit_tmp_t) > + > +type cockpit_tmpfs_t; > +userdom_user_tmpfs_file(cockpit_tmpfs_t) > + > +type cockpit_runtime_t; > +files_runtime_file(cockpit_runtime_t) > + > +type cockpit_unit_file_t; > +init_unit_file(cockpit_unit_file_t) > + > +type cockpit_var_lib_t; > +files_type(cockpit_var_lib_t) > + > +type cockpit_session_t; > +type cockpit_session_exec_t; > +domain_type(cockpit_session_t) > +domain_entry_file(cockpit_session_t,cockpit_session_exec_t) > + > +######################################## > +# > +# cockpit_ws_t local policy > +# > + > +allow cockpit_ws_t self:capability net_admin; > +allow cockpit_ws_t self:process setrlimit; > +allow cockpit_ws_t self:tcp_socket create_stream_socket_perms; > +allow cockpit_ws_t self:fifo_file rw_file_perms; > + > +kernel_read_system_state(cockpit_ws_t) > + > +# cockpit-tls can execute cockpit-ws > +can_exec(cockpit_ws_t,cockpit_ws_exec_t) > + > +# cockpit-ws can execute cockpit-session > +can_exec(cockpit_ws_t,cockpit_session_exec_t) > + > +corecmd_exec_shell(cockpit_ws_t) > + > +# cockpit-ws can read from /dev/urandom > +dev_read_urand(cockpit_ws_t) # for authkey > +dev_read_rand(cockpit_ws_t) # for libssh > + > +corenet_tcp_bind_websm_port(cockpit_ws_t) > + > +# cockpit-ws can connect to other hosts via ssh > +corenet_tcp_connect_ssh_port(cockpit_ws_t) > + > +# cockpit-ws can write to its temp files > +manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) > +manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) > +files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file }) > + > +manage_dirs_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t) > 
+manage_files_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t) > +fs_tmpfs_filetrans(cockpit_ws_t, cockpit_tmpfs_t, { file }) > + > +manage_dirs_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t) > +manage_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t) > +manage_lnk_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t) > +manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t) > +files_runtime_filetrans(cockpit_ws_t, cockpit_runtime_t, { file dir sock_file }) > + > +manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) > +manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) > + > +cockpit_systemctl(cockpit_ws_t) > + > +kernel_read_network_state(cockpit_ws_t) > + > +auth_use_nsswitch(cockpit_ws_t) > + > +corecmd_exec_bin(cockpit_ws_t) > + > +fs_read_efivarfs_files(cockpit_ws_t) > + > +init_read_state(cockpit_ws_t) > +init_stream_connect(cockpit_ws_t) > + > +logging_send_syslog_msg(cockpit_ws_t) > + > +miscfiles_read_localization(cockpit_ws_t) > + > +sysnet_exec_ifconfig(cockpit_ws_t) > + > +# cockpit-ws launches cockpit-session > +cockpit_session_domtrans(cockpit_ws_t) > +allow cockpit_ws_t cockpit_session_t:process signal_perms; > + > +# cockpit-session communicates back with cockpit-ws > +allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms; > + > +# cockpit-tls and cockpit-ws communicate over a Unix socket > +allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto }; > + > +optional_policy(` > + hostname_exec(cockpit_ws_t) > +') > + > +optional_policy(` > + kerberos_use(cockpit_ws_t) > + kerberos_etc_filetrans_keytab(cockpit_ws_t, file) > +') > + > +optional_policy(` > + ssh_read_user_home_files(cockpit_ws_t) > +') > + > +######################################################### > +# > +# cockpit-session local policy > +# > + > +# cockpit-session changes to the actual logged in user > +allow 
cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource}; > +allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit }; > + > +read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) > +list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t) > + > +manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t) > +manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t) > +manage_sock_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t) > +files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file sock_file }) > + > +manage_dirs_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t) > +manage_files_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t) > +fs_tmpfs_filetrans(cockpit_session_t, cockpit_tmpfs_t, { file }) > + > +read_files_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t) > +list_dirs_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t) > + > +kernel_read_network_state(cockpit_session_t) > + > +# cockpit-session runs a full pam stack, including pam_selinux.so > +auth_login_pgm_domain(cockpit_session_t) > +# cockpit-session resseting expired passwords > +auth_manage_shadow(cockpit_session_t) > +auth_write_login_records(cockpit_session_t) > + > +corenet_tcp_bind_ssh_port(cockpit_session_t) > +corenet_tcp_connect_ssh_port(cockpit_session_t) > + > +# cockpit-session can execute cockpit-agent as the user > +userdom_spec_domtrans_all_users(cockpit_session_t) > +usermanage_read_crack_db(cockpit_session_t) > + > +#optional_policy(` > +# ssh_agent_signal(cockpit_session_t) > +#') > + > +optional_policy(` > + sssd_dbus_chat(cockpit_session_t) > +') > + > +optional_policy(` > + userdom_signal_all_users(cockpit_session_t) > +') > + > +optional_policy(` > + unconfined_domtrans(cockpit_session_t) > +')
>
-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
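Review bot: in cockpit.fc the runtime entries are written as `/var/run/cockpit(/.*)?` and `/var/run/cockpit-ws(/.*)?`, while the .te declares the type with `files_runtime_file` and refpolicy's own modules label the `/run` form (the `/var/run` spelling is covered by the /var/run -> /run context substitution), so these should read `/run/cockpit(/.*)?` and `/run/cockpit-ws(/.*)?`. Two smaller points in the same hunk: `# cockpit stuff` says nothing, refpolicy .fc files group entries by directory with a comment per group; and the unit patterns `cockpit.*` carry an unescaped `.`, so they match any name starting with `cockpit`, not just `cockpit.service`/`cockpit.socket`; if that is intended it is worth a comment, otherwise escape it as `cockpit\..*`.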
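Review bot: several interface summaries in cockpit.if are placeholders or copy-paste leftovers and need real text before merging: `cockpit_ws_domtrans` and `cockpit_session_domtrans` both say "Execute TEMPLATE in the cockpit domin." (should be e.g. "Execute cockpit-ws in the cockpit_ws_t domain" / "Execute cockpit-session in the cockpit_session_t domain"), `cockpit_manage_pid_files` says "Manage cockpit pid dirs.", `cockpit_systemctl` says "Execute cockpit server in the cockpit domain." although it grants service start/stop/reload/enable/disable, `cockpit_manage_unix_stream_sockets` says "Create" but also grants `connectto`, and `cockpit_admin` has "an cockpit". On the rules themselves: `cockpit_read_pid_files`, `cockpit_manage_pid_dirs` and `cockpit_manage_pid_files` never let the caller reach the runtime directory, so add the `files_search_pids($1)` that `cockpit_admin` already uses, in the same way the lib interfaces call `files_search_var_lib($1)`. The `tunable_policy(`deny_ptrace', ...)` block in `cockpit_admin` is carried over from the Fedora policy: confirm this refpolicy tree actually defines that boolean (and list it in `gen_require` if so); otherwise use the unconditional `allow $1 cockpit_ws_t:process { ptrace signal_perms };` form that other refpolicy admin interfaces use. Finally, `cockpit_systemctl` hands every caller `init_reload($1)` and `systemd_use_passwd_agent($1)`; that is a lot for an interface whose name suggests only systemctl access, and the .te calls it for `cockpit_ws_t` itself without saying why cockpit-ws must control its own units.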
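Review bot: in cockpit.te, `can_exec(cockpit_ws_t,cockpit_session_exec_t)` sits next to `cockpit_session_domtrans(cockpit_ws_t)`; the `can_exec` grants `execute_no_trans`, so cockpit-ws is also allowed to run cockpit-session inside `cockpit_ws_t`, bypassing the `cockpit_session_t` confinement that the domtrans is there to enforce. Drop the `can_exec` and keep only the transition (the "# cockpit-ws can execute cockpit-session" comment then describes the domtrans line). Style and consistency points in the same hunk: `allow cockpit_ws_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms`; `allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { ... }` should use `self`; `allow cockpit_ws_t self:capability net_admin;` and `corecmd_exec_shell`/`corecmd_exec_bin` for a network-facing daemon have no comment saying what needs them; "resseting" in "# cockpit-session resseting expired passwords" is a typo, and since `auth_manage_shadow` is a strong grant the comment should say which operation requires it; the "# cockpit-session can execute cockpit-agent as the user" comment names a cockpit-agent that the .fc does not label anywhere, while the reply above talks about cockpit-bridge, so the comment should name the binary that actually gets executed; and `userdom_signal_all_users(cockpit_session_t)` is wrapped in `optional_policy` although `userdom_spec_domtrans_all_users` from the same module is called unconditionally a few lines earlier (userdomain is a base module, so the wrapper is unnecessary; `unconfined_domtrans` is correctly optional).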
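The per-role bridge domain that Dominick's reply describes, written out as an added refpolicy template. This is example code added here; it is not part of Russell's patch and not something Dominick posted. It assumes a `cockpit_bridge_exec_t` entry-point type for the bridge binary and a `cockpit_bridge_domain` attribute, both declared in cockpit.te, and it assumes the template is called with the role prefix, the role and that role's login shell domain, e.g. `cockpit_bridge_role_template(staff, staff_r, staff_t)`; all of those names are assumptions for the example.

```m4
########################################
## <summary>
##	Per-role cockpit-bridge domain (added example, not part of the
##	posted patch): cockpit-session logs the user in as PREFIX_bridge_t
##	instead of the login shell domain, and a shell started by the
##	bridge transitions back to that login shell domain.
## </summary>
## <param name="userdomain_prefix">
##	<summary>Role prefix, e.g. staff or user.</summary>
## </param>
## <param name="role">
##	<summary>Role the bridge domain is authorized for, e.g. staff_r.</summary>
## </param>
## <param name="shell_domain">
##	<summary>The role's login shell domain, e.g. staff_t.</summary>
## </param>
#
template(`cockpit_bridge_role_template',`
	gen_require(`
		type cockpit_session_t;
		# Assumed to be declared in cockpit.te: the bridge binary's
		# entry point and an attribute shared by every bridge domain.
		type cockpit_bridge_exec_t;
		attribute cockpit_bridge_domain;
	')

	type $1_bridge_t, cockpit_bridge_domain;
	userdom_user_application_domain($1_bridge_t, cockpit_bridge_exec_t)
	role $2 types $1_bridge_t;

	# cockpit-session picks the login context through PAM (setexec), so
	# allow the transition without an automatic type_transition rule.
	spec_domtrans_pattern(cockpit_session_t, cockpit_bridge_exec_t, $1_bridge_t)
	allow cockpit_session_t $1_bridge_t:process signal_perms;
	ps_process_pattern(cockpit_session_t, $1_bridge_t)

	# The bridge keeps talking to cockpit-session over the inherited
	# descriptors.
	allow $1_bridge_t cockpit_session_t:fd use;
	allow $1_bridge_t cockpit_session_t:fifo_file rw_fifo_file_perms;
	allow $1_bridge_t cockpit_session_t:unix_stream_socket rw_stream_socket_perms;
	allow $1_bridge_t cockpit_session_t:process sigchld;

	# Terminal feature: running a shell leaves the bridge domain and lands
	# in the role's login shell domain ($1_bridge_t -> shell_exec_t -> $3),
	# so nothing the bridge needs ever has to be added to $3.
	corecmd_shell_domtrans($1_bridge_t, $3)
	allow $3 $1_bridge_t:fd use;
	allow $3 $1_bridge_t:fifo_file rw_fifo_file_perms;
	allow $3 $1_bridge_t:process sigchld;
	allow $1_bridge_t $3:process signal_perms;
')
```

Called once per login role, `cockpit_bridge_role_template(staff, staff_r, staff_t)` and `cockpit_bridge_role_template(user, user_r, user_t)` give exactly the staff_bridge_t -> shell_exec_t -> staff_t and user_bridge_t -> shell_exec_t -> user_t chains named in the reply. Whatever the bridge itself needs (reading system state, D-Bus, and so on) is then granted to `cockpit_bridge_domain` in cockpit.te instead of to staff_t or user_t. Role changes from system_r to $2 at login are not covered here and are assumed to be granted the same way they already are for the login shell domains the patch transitions into.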