2009/1/9 Michael DeHaan mdehaan@redhat.com:
This belongs on cobbler list, so forwarding it...
I have played with this a little more and I have attempted to simplify the cobbler policy.
I have removed the declarations for /usr/bin/cobbler and /usr/bin/cobbler-ext-nodes for now.
I have also removed the apache content template for /var/www/cobbler. Instead I have labeled that location public_content_rw_t, assuming that httpd wants to write to it. Some other domains have access to this type as well, including tftpd_t.
I have also reverted /etc/cobbler to a generic type for files in etc. This means that any process that is allowed to read etc content (very common requirement) will also be able to read /etc/cobbler. This includes files like /etc/cobbler/users.digest. This may not be a good idea but httpd wants access to /etc/cobbler and this solution will work without having to give httpd_t explicit access to that location, which would require modification of the httpd policy.
The source for the cobbler policy has two files at the moment: cobbler.te and cobbler.fc. These files should be placed in, for example, ~/cobbler, then compiled, and the generated binary installed.
contents for cobbler.te:
policy_module(cobbler, 0.0.1)

# Personal declarations
type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)
type cobblerd_exec_t;
application_executable_file(cobblerd_exec_t)
type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)
type cobbler_log_t;
logging_log_file(cobbler_log_t)
type cobblerd_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)
type cobbler_port_t;
corenet_port(cobbler_port_t)

# Personal policy
allow cobblerd_t self:capability { sys_nice chown dac_override fowner };
allow cobblerd_t self:fifo_file { read write getattr };
allow cobblerd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow cobblerd_t self:process { setsched getsched };
allow cobblerd_t self:tcp_socket { read write shutdown getattr setopt bind create accept listen };
allow cobblerd_t self:udp_socket { read bind create };
manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t)
logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
corecmd_read_bin_symlinks(cobblerd_t)
corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_all_nodes(cobblerd_t)
corenet_tcp_sendrecv_all_ports(cobblerd_t)
# 25151 -- tcp (XMLRPC port)
# 25152 -- tcp (XMLRPC read-write-api port)
allow cobblerd_t cobbler_port_t:tcp_socket { name_bind name_connect };
corenet_tcp_bind_all_nodes(cobblerd_t)
corenet_udp_sendrecv_generic_if(cobblerd_t)
corenet_udp_sendrecv_all_nodes(cobblerd_t)
corenet_udp_sendrecv_all_ports(cobblerd_t)
# 25150 -- udp syslog listener (going away in the next release)
allow cobblerd_t cobbler_port_t:udp_socket { name_bind };
corenet_udp_bind_all_nodes(cobblerd_t)

dev_read_urand(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_etc_files(cobblerd_t)
files_read_usr_symlinks(cobblerd_t)
files_search_usr(cobblerd_t)
kernel_read_system_state(cobblerd_t)
libs_use_ld_so(cobblerd_t)
libs_use_shared_libs(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)

# It is using rpm -q --whatprovides redhat-release for distribution checks in a few places.
rpm_domtrans(cobblerd_t)
sysnet_read_config(cobblerd_t)
apache_search_sys_content(cobblerd_t)
# The avahi package (if installed) might use dbus, and cobbler will try to use Avahi if installed.
optional_policy(`
	dbus_system_bus_client_template(cobblerd, cobblerd_t)
')
#EOF
contents for cobbler.fc:
# File contexts
/etc/rc.d/init.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_log_t, s0)
/var/www/cobbler(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
#EOF
This can be compiled with: make -f /usr/share/selinux/devel/Makefile
And the resulting binary can be installed with: semodule -i cobbler.pp
After installation, the contexts of the following locations need to be restored using the restorecon -R -v command:
/etc/init.d/cobblerd /usr/bin/cobblerd /var/lib/cobbler /var/log/cobbler /var/www/cobbler
It is also recommended that you label /var/lib/tftpboot with type public_content_t or public_content_rw_t depending on your requirements:
chcon -R -t public_content_rw_t /var/lib/tftpboot
Next you should label ports owned by cobbler:
semanage port -a -t cobbler_port_t -p tcp 25151
semanage port -a -t cobbler_port_t -p tcp 25152
semanage port -a -t cobbler_port_t -p udp 25150
After this you can test cobblerd in permissive mode by executing:
semanage permissive -a cobblerd_t
Now you should be ready for a test drive.
service cobblerd start
Remember to collect AVC denials. You can do this after testing functions using:
ausearch -m avc -ts today
Once you are done and want to undo all this:
Stop the cobblerd service:
service cobblerd stop
remove the "permissive domain":
semanage permissive -d cobblerd_t
remove the port labels:
semanage port -d -t cobbler_port_t -p tcp 25151
semanage port -d -t cobbler_port_t -p tcp 25152
semanage port -d -t cobbler_port_t -p udp 25150
Uninstall the cobbler module:
semodule -r cobbler
And restore the contexts of the locations below using restorecon -R -v:
/etc/init.d/cobblerd /usr/bin/cobblerd /var/lib/cobbler /var/log/cobbler /var/www/cobbler
You may also want to restore the context for /var/lib/tftpboot if needed.
I am looking forward to your feedback.
Thanks, Dominick
cobbler@lists.fedorahosted.org
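As an added example (not part of Dominick's mail or of cobbler itself), a small Python helper that takes the AVC records collected with ausearch during the permissive test run above, groups the denials by source type, target type and object class, and renders them as candidate allow rules in the syntax of cobbler.te. The audit lines are constructed samples, and the rule text is a starting point for the policy author, not a finished policy.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape "ausearch -m avc" prints them.
# They are illustrative only, not denials actually observed against cobblerd.
SAMPLE_AVC = """\
type=AVC msg=audit(1231500000.101:40): avc:  denied  { read } for  pid=2001 comm="cobblerd" name="users.digest" dev=sda1 ino=1001 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1231500000.102:41): avc:  denied  { getattr } for  pid=2001 comm="cobblerd" path="/etc/cobbler/users.digest" dev=sda1 ino=1001 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1231500000.103:42): avc:  denied  { write } for  pid=2001 comm="cobblerd" name="pxelinux.cfg" dev=sda1 ino=2002 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
type=AVC msg=audit(1231500000.104:43): avc:  denied  { name_bind } for  pid=2001 comm="cobblerd" src=25151 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1231500000.104:43): arch=c000003e syscall=49 success=yes exit=0 comm="cobblerd"
"""

# One AVC record: the denied permission set, then source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Group denials by (source type, target type, object class) -> set of permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        stype = m.group("sctx").split(":")[2]  # user:role:type[:range] -> type
        ttype = m.group("tctx").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(denials)


def suggest_rules(denials, domain="cobblerd_t"):
    """Render the denials for one domain as raw allow rules in cobbler.te syntax.

    Where refpolicy provides an interface for the target type (for example
    files_read_etc_files for etc_t), prefer the interface over the raw rule.
    """
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        if stype != domain:
            continue
        target = "self" if ttype == stype else ttype
        rules.append("allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(parse_avc(SAMPLE_AVC)):
        print(rule)
```

In practice you would feed it the output of "ausearch -m avc -ts today" from the test run and then review each suggested rule against the interfaces in /usr/share/selinux/devel before adding anything to cobbler.te.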