From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Cc: Matej Marusak <mmarusak@redhat.com>
Subject: [PATCH] cockpit web admin system
Date: Tue, 20 Apr 2021 19:36:43 +1000 [thread overview]
Message-ID: <YH6gq6yWUmo93KT7@xev> (raw)
I took this from the rawhide policy and adapted it to work with refpolicy.
Probably not ready for merging yet, let me know what should be changed.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20210203/policy/modules/services/cockpit.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.fc
@@ -0,0 +1,18 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
+
+/var/run/cockpit(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
+/var/run/cockpit-ws(/.*)? gen_context(system_u:object_r:cockpit_runtime_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/cockpit.if
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.if
@@ -0,0 +1,279 @@
+## <summary>policy for cockpit</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_ws_domtrans',`
+ gen_require(`
+ type cockpit_ws_t, cockpit_ws_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
+')
+
+########################################
+## <summary>
+## Execute TEMPLATE in the cockpit domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_session_domtrans',`
+ gen_require(`
+ type cockpit_session_t, cockpit_session_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
+')
+
+########################################
+## <summary>
+## Read and write cockpit_session_t unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_rw_pipes',`
+ gen_require(`
+ type cockpit_session_t;
+ ')
+
+ allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Create cockpit unix_stream_sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_unix_stream_sockets',`
+ gen_require(`
+ type cockpit_ws_t;
+ ')
+
+ allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
+')
+
+########################################
+## <summary>
+## Search cockpit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_search_lib',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ allow $1 cockpit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read cockpit lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_read_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_lib_dirs',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read cockpit pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_read_pid_files',`
+ gen_require(`
+ type cockpit_runtime_t;
+ ')
+
+ read_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+ read_lnk_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit pid dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_pid_dirs',`
+ gen_require(`
+ type cockpit_runtime_t;
+ ')
+
+ manage_dirs_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+## Manage cockpit pid dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cockpit_manage_pid_files',`
+ gen_require(`
+ type cockpit_runtime_t;
+ ')
+
+ manage_files_pattern($1, cockpit_runtime_t, cockpit_runtime_t)
+')
+
+########################################
+## <summary>
+## Execute cockpit server in the cockpit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cockpit_systemctl',`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_unit_file_t;
+ class service { start stop status reload enable disable };
+ ')
+
+ init_reload($1)
+ systemd_use_passwd_agent($1)
+ allow $1 cockpit_unit_file_t:file read_file_perms;
+ allow $1 cockpit_unit_file_t:service { start stop status reload enable disable };
+
+ ps_process_pattern($1, cockpit_ws_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cockpit environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cockpit_admin',`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_session_t;
+ type cockpit_var_lib_t;
+ type cockpit_runtime_t;
+ type cockpit_unit_file_t;
+ ')
+
+ allow $1 cockpit_ws_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_ws_t)
+
+ allow $1 cockpit_session_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_session_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cockpit_ws_t:process ptrace;
+ allow $1 cockpit_session_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, cockpit_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, cockpit_runtime_t)
+
+ cockpit_systemctl($1)
+ admin_pattern($1, cockpit_unit_file_t)
+ allow $1 cockpit_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
Index: refpolicy-2.20210203/policy/modules/services/cockpit.te
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/cockpit.te
@@ -0,0 +1,176 @@
+policy_module(cockpit, 1.0.0)
+
+# https://cockpit-project.org/
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_ws_t;
+type cockpit_ws_exec_t;
+init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t)
+
+type cockpit_tmp_t;
+files_tmp_file(cockpit_tmp_t)
+
+type cockpit_tmpfs_t;
+userdom_user_tmpfs_file(cockpit_tmpfs_t)
+
+type cockpit_runtime_t;
+files_runtime_file(cockpit_runtime_t)
+
+type cockpit_unit_file_t;
+init_unit_file(cockpit_unit_file_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_session_t;
+type cockpit_session_exec_t;
+domain_type(cockpit_session_t)
+domain_entry_file(cockpit_session_t,cockpit_session_exec_t)
+
+########################################
+#
+# cockpit_ws_t local policy
+#
+
+allow cockpit_ws_t self:capability net_admin;
+allow cockpit_ws_t self:process setrlimit;
+allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
+allow cockpit_ws_t self:fifo_file rw_file_perms;
+
+kernel_read_system_state(cockpit_ws_t)
+
+# cockpit-tls can execute cockpit-ws
+can_exec(cockpit_ws_t,cockpit_ws_exec_t)
+
+# cockpit-ws can execute cockpit-session
+can_exec(cockpit_ws_t,cockpit_session_exec_t)
+
+corecmd_exec_shell(cockpit_ws_t)
+
+# cockpit-ws can read from /dev/urandom
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t) # for libssh
+
+corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
+
+# cockpit-ws can write to its temp files
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+manage_files_pattern(cockpit_ws_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+fs_tmpfs_filetrans(cockpit_ws_t, cockpit_tmpfs_t, { file })
+
+manage_dirs_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_lnk_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+manage_sock_files_pattern(cockpit_ws_t, cockpit_runtime_t, cockpit_runtime_t)
+files_runtime_filetrans(cockpit_ws_t, cockpit_runtime_t, { file dir sock_file })
+
+manage_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+manage_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+cockpit_systemctl(cockpit_ws_t)
+
+kernel_read_network_state(cockpit_ws_t)
+
+auth_use_nsswitch(cockpit_ws_t)
+
+corecmd_exec_bin(cockpit_ws_t)
+
+fs_read_efivarfs_files(cockpit_ws_t)
+
+init_read_state(cockpit_ws_t)
+init_stream_connect(cockpit_ws_t)
+
+logging_send_syslog_msg(cockpit_ws_t)
+
+miscfiles_read_localization(cockpit_ws_t)
+
+sysnet_exec_ifconfig(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
+cockpit_session_domtrans(cockpit_ws_t)
+allow cockpit_ws_t cockpit_session_t:process signal_perms;
+
+# cockpit-session communicates back with cockpit-ws
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+# cockpit-tls and cockpit-ws communicate over a Unix socket
+allow cockpit_ws_t cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
+
+optional_policy(`
+ hostname_exec(cockpit_ws_t)
+')
+
+optional_policy(`
+ kerberos_use(cockpit_ws_t)
+ kerberos_etc_filetrans_keytab(cockpit_ws_t, file)
+')
+
+optional_policy(`
+ ssh_read_user_home_files(cockpit_ws_t)
+')
+
+#########################################################
+#
+# cockpit-session local policy
+#
+
+# cockpit-session changes to the actual logged in user
+allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
+allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
+
+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+list_dirs_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+manage_sock_files_pattern(cockpit_session_t, cockpit_tmp_t, cockpit_tmp_t)
+files_tmp_filetrans(cockpit_session_t, cockpit_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+manage_files_pattern(cockpit_session_t, cockpit_tmpfs_t, cockpit_tmpfs_t)
+fs_tmpfs_filetrans(cockpit_session_t, cockpit_tmpfs_t, { file })
+
+read_files_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
+list_dirs_pattern(cockpit_session_t, cockpit_runtime_t, cockpit_runtime_t)
+
+kernel_read_network_state(cockpit_session_t)
+
+# cockpit-session runs a full pam stack, including pam_selinux.so
+auth_login_pgm_domain(cockpit_session_t)
+# cockpit-session resseting expired passwords
+auth_manage_shadow(cockpit_session_t)
+auth_write_login_records(cockpit_session_t)
+
+corenet_tcp_bind_ssh_port(cockpit_session_t)
+corenet_tcp_connect_ssh_port(cockpit_session_t)
+
+# cockpit-session can execute cockpit-agent as the user
+userdom_spec_domtrans_all_users(cockpit_session_t)
+usermanage_read_crack_db(cockpit_session_t)
+
+#optional_policy(`
+# ssh_agent_signal(cockpit_session_t)
+#')
+
+optional_policy(`
+ sssd_dbus_chat(cockpit_session_t)
+')
+
+optional_policy(`
+ userdom_signal_all_users(cockpit_session_t)
+')
+
+optional_policy(`
+ unconfined_domtrans(cockpit_session_t)
+')
next reply other threads:[~2021-04-20 9:42 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-20 9:36 Russell Coker [this message]
[not found] ` <CAHLOwD=4oXGPniOO3yR6Gy87-iBN31ETXxeC7k+zykqFrcC7dg@mail.gmail.com>
2021-04-20 13:31 ` [PATCH] cockpit web admin system Russell Coker
2021-04-20 13:49 ` Dominick Grift
2021-04-26 12:47 ` Chris PeBenito
2021-04-26 13:22 ` Dominick Grift
2021-04-26 13:34 ` Dominick Grift
2021-04-26 14:21 ` Dominick Grift
2021-04-26 14:31 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YH6gq6yWUmo93KT7@xev \
--to=russell@coker.com.au \
--cc=mmarusak@redhat.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).