[Fwd: Re: [et-mgmt-tools] Help perfect Cobbler SELinux policy]

I have also removed the apache content template for /var/www/cobbler. Instead i have labeled that location public_content_rw_t assuming that httpd wants to write to it. Some other domains have access to this type as well including tftpd_t

I have also reverted /etc/cobbler to a generic type for files in etc. This means that any process that is allowed to read etc content (very common requirement) will also be able to read /etc/cobbler. This includes files like /etc/cobbler/users.digest. This may not be a good idea but httpd wants access to /etc/cobbler and this solution will work without having to give httpd_t explicit access to that location, which would require modification of the httpd policy.

The source for the cobbler policy has two files at the moment. cobbler.te and cobbler.fc. These files should be placed in for example ~/cobbler, be compiled and the generated binary should be installed

contents for cobbler.te:

policy_module(cobbler, 0.0.1)

# Personal declarations

type cobblerd_initrc_exec_t; init_script_file(cobblerd_initrc_exec_t)

type cobblerd_exec_t; application_executable_file(cobblerd_exec_t)

type cobbler_var_lib_t; files_type(cobbler_var_lib_t)

type cobbler_log_t; logging_log_file(cobbler_log_t)

type cobblerd_t; init_daemon_domain(cobblerd_t, cobblerd_exec_t)

type cobbler_port_t; corenet_port(cobbler_port_t)

# Personal policy

allow cobblerd_t self:capability { sys_nice chown dac_override fowner }; allow cobblerd_t self:fifo_file { read write getattr }; allow cobblerd_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; allow cobblerd_t self:process { setsched getsched }; allow cobblerd_t self:tcp_socket { read write shutdown getattr setopt bind create accept listen }; allow cobblerd_t self:udp_socket { read bind create };

manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t) logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })

manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })

corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t)

corecmd_read_bin_symlinks(cobblerd_t)

corenet_all_recvfrom_unlabeled(cobblerd_t) corenet_all_recvfrom_netlabel(cobblerd_t)

corenet_tcp_sendrecv_generic_if(cobblerd_t) corenet_tcp_sendrecv_all_nodes(cobblerd_t) corenet_tcp_sendrecv_all_ports(cobblerd_t)

# 25151 -- tcp (XMLRPC port) # 25152 -- tcp (XMLRPC read-write-api port)

allow cobblerd_t cobbler_port_t:tcp_socket { name_bind name_connect }; corenet_tcp_bind_all_nodes(cobblerd_t)

corenet_udp_sendrecv_generic_if(cobblerd_t) corenet_udp_sendrecv_all_nodes(cobblerd_t) corenet_udp_sendrecv_all_ports(cobblerd_t)

# 25150 -- udp syslog listener (going away in the next release)

allow cobblerd_t cobbler_port_t:udp_socket { name_bind }; corenet_udp_bind_all_nodes(cobblerd_t)

dev_read_urand(cobblerd_t)

files_list_tmp(cobblerd_t)

files_read_etc_files(cobblerd_t)

files_read_usr_symlinks(cobblerd_t) files_search_usr(cobblerd_t)

kernel_read_system_state(cobblerd_t)

libs_use_ld_so(cobblerd_t) libs_use_shared_libs(cobblerd_t)

miscfiles_read_localization(cobblerd_t) miscfiles_read_public_files(cobblerd_t)

# It is using rpm -q --whatprovides redhat-release for distribution checks in a few places. rpm_domtrans(cobblerd_t)

sysnet_read_config(cobblerd_t)

apache_search_sys_content(cobblerd_t)

# the avahi package (if installed) might use dbus, and cobbler will try to use Avahi if installed. optional_policy(` dbus_system_bus_client_template(cobblerd, cobblerd_t) ')

#EOF

contents for cobbler.fc

# File contexts

/etc/rc.d/init.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)

/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)

/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)

/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_log_t, s0)

/var/www/cobbler(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)

#EOF

This can be compiled with: make -f /usr/share/selinux/devel/Makefile

And the resulting binary can be installed with: semodule -i cobbler.pp

After installation, the contexts of the following locations need to be restored using the restorecon -R -v command:

/etc/init.d/cobblerd /usr/bin/cobblerd /var/lib/cobbler /var/log/cobbler /var/www/cobbler

It is also recommended that you label /var/lib/tftpboot with type public_content_t or public_content_rw_t depending on your requirements:

chcon -R -t public_content_rw_t /var/lib/tftpboot

Next you should label ports owned by cobbler:

semanage port -a -t cobbler_port_t -p tcp 25151 semanage port -a -t cobbler_port_t -p tcp 25152 semanage port -a -t cobbler_port_t -p udp 25150

After this you can test cobblerd in permissive mode by executing:

semanage permissive -a cobblerd_t

Now you should be ready for a test drive.

service cobblerd start

Remember to collect AVC denials. You can do this after testing functions using:

ausearch -m avc -ts today

Once you are done and want to undo all this:

Stop the cobblerd service:

service cobblerd stop

remove the "permissive domain":

semanage permissive -d cobblerd_t

remove the port labels:

semanage port -a -t cobbler_port_t -p tcp 25151 semanage port -a -t cobbler_port_t -p tcp 25152 semanage port -a -t cobbler_port_t -p udp 25150

Uninstall the cobbler module:

semodule -r cobbler

And restore the contexts of the locations below using restorecon -R -v:

/etc/init.d/cobblerd /usr/bin/cobblerd /var/lib/cobbler /var/log/cobbler /var/www/cobbler

You may also want to restore the context for /var/lib/tftpboot if needed.

I am looking forward to your feedback.

Thanks, Dominick

5650

Age (days ago)

5650

Last active (days ago)

cobbler@lists.fedorahosted.org

1 comments

2 participants

tags (0)

participants (2)

Dominick Grift
Michael DeHaan