From 04cc0450125e3c9e989c3e769a25ba2f1f336060 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mar 21 2020 05:31:22 +0000 Subject: Integrate ipa_custodia policy ipa-custodia is an internal service for IPA. The upstream SELinux policy has a separate module for ipa_custodia. Fold the current policy from Fedora rawhide into ipa's SELinux policy. Related: https://pagure.io/freeipa/issue/6891 Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy
---
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
index 375be99..2d71893 100644
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -24,3 +24,11 @@
 /var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
 /var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
+
+/usr/libexec/ipa/ipa-custodia -- gen_context(system_u:object_r:ipa_custodia_exec_t,s0)
+/usr/libexec/ipa/custodia/ipa-custodia-dmldap -- gen_context(system_u:object_r:ipa_custodia_dmldap_exec_t,s0)
+/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
+/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
+/usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
+
+/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
diff --git a/selinux/ipa.if b/selinux/ipa.if
index 72a6b78..44c0a93 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
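Review bot: In selinux/ipa.fc the audit-log entry `/var/log/ipa-custodia.audit.log(/.*)? --` pairs a directory-style suffix `(/.*)?` with the regular-file specifier `--`, so it matches the one file (or files under a directory of that name) but not rotated siblings with a numeric or dated suffix. Those would presumably fall back to the generic log label on a relabel and lose the `ipa_custodia_log_t` confinement for audit data. The dots are also unescaped and therefore match any character. If rotated audit logs are meant to keep the type, `/var/log/ipa-custodia\.audit\.log.* --` would state that; otherwise a short comment on why `(/.*)?` is there would help.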
@@ -308,3 +308,60 @@ interface(`ipa_read_tmp',`
 read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
 ')
+
+########################################
+##
+## Execute ipa_custodia_exec_t in the ipa_custodia domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ipa_custodia_domtrans',`
+ gen_require(`
+ type ipa_custodia_t, ipa_custodia_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ipa_custodia_exec_t, ipa_custodia_t)
+')
+
+######################################
+##
+## Execute ipa_custodia in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_custodia_exec',`
+ gen_require(`
+ type ipa_custodia_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ipa_custodia_exec_t)
+')
+
+#####################################
+##
+## Connect to ipa_custodia with a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ipa_custodia_stream_connect',`
+ gen_require(`
+ type ipa_custodia_t;
+ ')
+
+ allow $1 ipa_custodia_t:unix_stream_socket { connectto };
+')
diff --git a/selinux/ipa.te b/selinux/ipa.te
index d8753ff..257e6f8 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -53,6 +53,25 @@ miscfiles_cert_type(ipa_cert_t)
 type ipa_tmp_t;
 files_tmp_file(ipa_tmp_t)
+type ipa_custodia_t;
+type ipa_custodia_exec_t;
+init_daemon_domain(ipa_custodia_t, ipa_custodia_exec_t)
+
+type ipa_custodia_dmldap_exec_t;
+init_script_file(ipa_custodia_dmldap_exec_t)
+
+type ipa_custodia_pki_tomcat_exec_t;
+init_script_file(ipa_custodia_pki_tomcat_exec_t)
+
+type ipa_custodia_ra_agent_exec_t;
+init_script_file(ipa_custodia_ra_agent_exec_t)
+
+type ipa_custodia_log_t;
+logging_log_file(ipa_custodia_log_t)
+
+type ipa_custodia_tmp_t;
+files_tmp_file(ipa_custodia_tmp_t)
+
 ########################################
 #
 # ipa_otpd local policy
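Review bot: `ipa_custodia_stream_connect` in selinux/ipa.if grants only `connectto` on the `ipa_custodia_t` peer socket, yet its summary reads as if the interface alone were enough to reach the service. This patch declares no socket-file or runtime-directory type for ipa_custodia, so a caller presumably still needs search and write access to the socket path from some other interface. Documenting that in the header, e.g. `## Only permits connectto on the ipa_custodia_t peer; access to the socket file must be granted separately.`, keeps callers from widening their policy by trial and error.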
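Review bot: The three helper types in the first selinux/ipa.te hunk (`ipa_custodia_dmldap_exec_t`, `ipa_custodia_pki_tomcat_exec_t`, `ipa_custodia_ra_agent_exec_t`) are declared with `init_script_file()`, although the later hunk only runs them from ipa_custodia_t through `can_exec`. Declaring them as init scripts presumably places them in the generic init-script file attribute, so any domain allowed to handle init scripts in general would also be able to act on these secret-handling helpers. If nothing starts them from init, a plain executable declaration such as `corecmd_executable_file(ipa_custodia_dmldap_exec_t)` would be narrower. Otherwise, add a comment saying why the init-script attribute is required.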
@@ -286,3 +305,78 @@ optional_policy(`
 optional_policy(`
 ldap_stream_connect(ipa_ods_exporter_t)
 ')
+
+########################################
+#
+# ipa_custodia local policy
+#
+allow ipa_custodia_t self:capability { setgid setuid };
+allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
+allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
+allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
+allow ipa_custodia_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
+manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
+logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
+
+manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
+manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
+files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
+
+kernel_dgram_send(ipa_custodia_t)
+
+auth_read_passwd(ipa_custodia_t)
+
+can_exec(ipa_custodia_t, ipa_custodia_dmldap_exec_t)
+can_exec(ipa_custodia_t, ipa_custodia_pki_tomcat_exec_t)
+can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
+
+corecmd_exec_bin(ipa_custodia_t)
+corecmd_mmap_bin_files(ipa_custodia_t)
+
+domain_use_interactive_fds(ipa_custodia_t)
+
+files_mmap_usr_files(ipa_custodia_t)
+
+fs_getattr_xattr_fs(ipa_custodia_t)
+
+files_read_etc_files(ipa_custodia_t)
+
+libs_exec_ldconfig(ipa_custodia_t)
+libs_ldconfig_exec_entry_type(ipa_custodia_t)
+
+miscfiles_read_generic_certs(ipa_custodia_t)
+miscfiles_read_localization(ipa_custodia_t)
+
+sysnet_read_config(ipa_custodia_t)
+
+optional_policy(`
+ apache_search_config(ipa_custodia_t)
+ apache_systemctl(ipa_custodia_t)
+ apache_manage_pid_files(ipa_custodia_t)
+')
+
+optional_policy(`
+ dirsrv_manage_var_run(ipa_custodia_t)
+ dirsrv_stream_connect(ipa_custodia_t)
+')
+
+optional_policy(`
+ ipa_read_lib(ipa_custodia_t)
+ ipa_search_lib(ipa_custodia_t)
+')
+
+optional_policy(`
+ pki_manage_tomcat_etc_rw(ipa_custodia_t)
+ pki_read_tomcat_cert(ipa_custodia_t)
+ pki_rw_tomcat_cert(ipa_custodia_t)
+')
+
+optional_policy(`
+ sssd_read_public_files(ipa_custodia_t)
+ sssd_run_stream_connect(ipa_custodia_t)
+ sssd_search_lib(ipa_custodia_t)
+ sssd_stream_connect(ipa_custodia_t)
+')
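Review bot: The helpers are run with `can_exec(ipa_custodia_t, ...)`, which keeps them in ipa_custodia_t, so the separate exec types add no confinement. Every grant in this block, including `self:capability { setgid setuid }`, `apache_systemctl`, `dirsrv_manage_var_run` and `pki_rw_tomcat_cert`, is therefore shared by the daemon and all three helpers. None of these rules says which component needs it, which makes later tightening hard; a why-comment per sensitive grant would help, e.g. `# setuid/setgid: needed by <helper> to switch to <service user>`. Per-helper domains entered via `domtrans_pattern` would be the stricter follow-up. Separately, `pki_read_tomcat_cert` looks redundant next to `pki_rw_tomcat_cert`, and the `optional_policy` wrapper around `ipa_read_lib`/`ipa_search_lib` is probably unnecessary if those interfaces come from this same module.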