mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-17 18:06:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

sec-policy/selinux-base: Apply Flatcar modifications

Browse Source 
- run sshd (and child) as unconfined_t
  - add init.patch to allow execute_no_trans,map and exec from init to
    unconfined
  - add AVC patch for local login and journald
  - add python[lxml] to BDEPEND (not pulled through policycoreutils
    any more due to our changes there)
This commit is contained in:
Krzesimir Nowak 2021-12-15 20:00:22 +01:00
parent 3fe352040a
commit 3227e5614c
7 changed files with 111 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch vendored Normal file
View File

@ -0,0 +1,24 @@
From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux <mathieu@kinvolk.io>
Date: Fri, 4 Jun 2021 13:17:44 +0200
Subject: [PATCH] policy/modules/kernel: all more actions for kernel
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
---
policy/modules/kernel/kernel.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
--- refpolicy/policy/modules/kernel/kernel.te
+++ refpolicy/policy/modules/kernel/kernel.te
@@ -351,6 +351,10 @@ files_list_home(kernel_t)
files_read_usr_files(kernel_t)
mcs_process_set_categories(kernel_t)
+mcs_killall(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
+mcs_ptrace_all(kernel_t)
mls_process_read_all_levels(kernel_t)
mls_process_write_all_levels(kernel_t)

27
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch vendored Normal file
View File

@ -0,0 +1,27 @@
--- refpolicy/policy/mcs
+++ refpolicy/policy/mcs
@@ -1,4 +1,6 @@
ifdef(`enable_mcs',`
+
+default_range dir_file_class_set target low-high;
#
# Define sensitivities
#
@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or (t1 == mcswriteall));
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));

1
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/booleans vendored
View File

@ -1 +0,0 @@
allow_execmem = true

2
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config vendored
View File

@ -12,4 +12,4 @@ SELINUX=permissive
# mls - Full SELinux protection with Multi-Level Security # mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security # mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level) # (mls, but only one sensitivity level)
SELINUXTYPE=strict SELINUXTYPE=mcs

10
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts vendored Normal file
View File

@ -0,0 +1,10 @@
# This file is used to configure the per-instance contexts of rkt and other
# applications that use libvirt for lxc container support.
#
# See:
# https://coreos.com/rkt/docs/latest/selinux.html
# https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"

4
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf vendored Normal file
View File

@ -0,0 +1,4 @@
#Type Path Mode UID GID Age Argument
d /etc/selinux/ - - - - -
L /etc/selinux/config - - - - ../../usr/lib/selinux/config
L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs

51
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild vendored
View File

@ -3,6 +3,10 @@
EAPI="7" EAPI="7"
# flatcar changes
TMPFILES_OPTIONAL=1
inherit systemd tmpfiles
if [[ ${PV} == 9999* ]]; then if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}" EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@ -23,11 +27,23 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
LICENSE="GPL-2" LICENSE="GPL-2"
SLOT="0" SLOT="0"
RDEPEND=">=sys-apps/policycoreutils-2.8" # flatcar changes
DEPEND="${RDEPEND}" RDEPEND=">=sys-apps/policycoreutils-2.8
BDEPEND="
>=sys-apps/checkpolicy-2.8 >=sys-apps/checkpolicy-2.8
sys-devel/m4" "
DEPEND="${RDEPEND}"
# flatcar: BDEPEND on python3[xml] - normally pulled in through policycoreutils
# but we made that dep conditional on USE=python
BDEPEND="sys-devel/m4
>=dev-lang/python-3[xml]
"
# flatcar changes
PATCHES=(
"${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
"${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
)
S=${WORKDIR}/ S=${WORKDIR}/
@ -37,6 +53,8 @@ src_prepare() {
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch" eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi fi
# flatcar changes
eapply -p0 "${PATCHES[@]}"
eapply_user eapply_user
cd "${S}/refpolicy" || die cd "${S}/refpolicy" || die
@ -78,6 +96,10 @@ src_configure() {
sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
# flatcar changes: it's required to run polkit without segfault
# we need to pass this argument now before the compilation of the policy
sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die
sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \ sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
"${S}/${i}/build.conf" || die "build.conf setup failed." "${S}/${i}/build.conf" || die "build.conf setup failed."
@ -107,7 +129,9 @@ src_compile() {
for i in ${POLICY_TYPES}; do for i in ${POLICY_TYPES}; do
cd "${S}/${i}" || die cd "${S}/${i}" || die
emake base # flatcar changes
emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \
LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i}
if use doc; then if use doc; then
emake html emake html
fi fi
@ -140,14 +164,29 @@ src_install() {
done done
# flatcar changes
dotmpfiles "${FILESDIR}/tmpfiles.d/selinux-base.conf"
systemd-tmpfiles --root="${D}" --create selinux-base.conf
docinto / docinto /
dodoc doc/Makefile.example doc/example.{te,fc,if} dodoc doc/Makefile.example doc/example.{te,fc,if}
doman man/man8/*.8; doman man/man8/*.8;
insinto /etc/selinux # flatcar changes
insinto /usr/lib/selinux
doins "${FILESDIR}/config" doins "${FILESDIR}/config"
insinto /etc/selinux/mcs/contexts
doins "${FILESDIR}/lxc_contexts"
# flatcar changes
mkdir -p "${D}/usr/lib/selinux"
for i in ${POLICY_TYPES}; do
mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
done
insinto /usr/share/portage/config/sets insinto /usr/share/portage/config/sets
doins "${FILESDIR}/selinux.conf" doins "${FILESDIR}/selinux.conf"
} }