sec-policy/selinux-base-policy: flatcar changes

- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans, map and
exec from init to unconfined
- add AVC patch for local login and journald

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
This commit is contained in:
Mathieu Tortuyaux 2021-06-29 17:58:05 +02:00
parent d819e2afa4
commit 4d6ff7cfca
5 changed files with 56 additions and 4 deletions


@ -0,0 +1,11 @@
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dbd39cf8f..563559ca7 100644
--- refpolicy/policy/modules/system/init.te
+++ refpolicy/policy/modules/system/init.te
@@ -1503,3 +1503,6 @@ optional_policy(`
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
userdom_dontaudit_write_user_tmp_files(systemprocess)
')
+
+require { type unconfined_t; }
+allow init_t unconfined_t:file exec_file_perms;
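Review bot: The new `allow init_t unconfined_t:file exec_file_perms;` at the end of init.te grants execute_no_trans, i.e. execution without a domain transition, so a file labelled unconfined_t (the sshd binary, per the ssh.fc patch in this commit) would run in init_t's own domain rather than as unconfined_t unless a type_transition rule exists somewhere not shown here; confirm this against the built policy, because the commit title says sshd runs as unconfined_t. The bare `require { type unconfined_t; }` also couples the init module directly to the unconfined module, where refpolicy convention is an interface in unconfined.if called from an `optional_policy` block. In every new patch file (this one, locallogin.patch, logging.patch and sshd.patch) the `diff --git` line names `a/policy/...` while `---`/`+++` name `refpolicy/policy/...`; the ebuild applies them with `eapply -p0`, so regenerate them so the headers agree on one path form. The rule needs a why-comment, e.g. `# flatcar: /usr/sbin/sshd is labelled unconfined_t (sshd.patch); let init execute it in place`.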


@ -0,0 +1,13 @@
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 109980e79..d5c4a5d95 100644
--- refpolicy/policy/modules/system/locallogin.te
+++ refpolicy/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
+allow local_login_t self:process { setpgid getcap setcap setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
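Review bot: The added `setpgid` in the `local_login_t self:process` set breaks the alphabetical order refpolicy keeps in permission sets; `{ getcap setcap setexec setpgid setrlimit setsched }` matches the surrounding lines. Nothing in the patch records why the permission is needed, and the commit message only says it answers an AVC denial, so a comment above the rule such as `# flatcar: local login needs setpgid (observed AVC denial)` would keep the local change identifiable when the patch is rebased onto a newer refpolicy.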


@ -0,0 +1,18 @@
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7d713540d..d6cbc654d 100644
--- refpolicy/policy/modules/system/logging.te
+++ refpolicy/policy/modules/system/logging.te
@@ -516,11 +516,13 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
ifdef(`init_systemd',`
+ require { type kernel_t; }
# for systemd-journal
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
allow syslogd_t self:capability2 audit_read;
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
+ allow syslogd_t kernel_t:netlink_audit_socket getattr;
# remove /run/log/journal when switching to permanent storage
allow syslogd_t var_log_t:dir rmdir;
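Review bot: The `require { type kernel_t; }` placed inside the `ifdef(`init_systemd',` block of logging.te bypasses the kernel.if interfaces refpolicy normally uses for access to kernel_t objects; if no interface covers `netlink_audit_socket getattr`, a comment should say so, otherwise the next rebase is likely to replace it. The new `allow syslogd_t kernel_t:netlink_audit_socket getattr;` also lacks the why-comment its neighbours have; `# flatcar: journald getattr on the kernel audit netlink socket (observed AVC denial)` would do. As rendered, the two added lines appear indented differently from the surrounding rules, so check the whitespace in the patch file before it lands.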


@ -1,5 +1,5 @@
diff --git refpolicy/policy/modules/services/ssh.fc refpolicy/policy/modules/services/ssh.fc diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 4ac3e733..ef8c9297 100644 index 60060c35c..8d9f5b7a6 100644
--- refpolicy/policy/modules/services/ssh.fc --- refpolicy/policy/modules/services/ssh.fc
+++ refpolicy/policy/modules/services/ssh.fc +++ refpolicy/policy/modules/services/ssh.fc
@@ -6,7 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) @@ -6,7 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
@ -18,5 +18,5 @@ index 4ac3e733..ef8c9297 100644
-/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) -/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+/usr/sbin/sshd -- gen_context(system_u:object_r:unconfined_t,s0) +/usr/sbin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)
/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0) /run/sshd(/.*)? gen_context(system_u:object_r:sshd_runtime_t,s0)
/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) /run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_runtime_t,s0)
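Review bot: Relabelling `/usr/sbin/sshd` from `sshd_exec_t` to `unconfined_t` removes the dedicated sshd_t domain from a network-facing service, so every session it spawns inherits unconfined access and audit records no longer distinguish sshd from any other unconfined process; the commit message presents this as intended, but the patch file itself carries no statement of the trade-off, and a header comment such as `# flatcar: sshd deliberately runs unconfined; sshd_t is not used on this platform` would preserve it across rebases. unconfined_t is declared as a process domain rather than as an executable file type, so rules written against the exec_type attribute presumably will not cover this binary any more — worth confirming with the built policy. The surrounding context lines show the patch was rebased from sshd_var_run_t to sshd_runtime_t, which matches the newer refpolicy naming and looks correct.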


@ -32,6 +32,15 @@ LICENSE="GPL-2"
SLOT="0" SLOT="0"
S="${WORKDIR}/" S="${WORKDIR}/"
# flatcar changes: apply a couple of
# patches on the current policies
PATCHES=(
"${FILESDIR}/sshd.patch"
"${FILESDIR}/init.patch"
"${FILESDIR}/locallogin.patch"
"${FILESDIR}/logging.patch"
)
# Code entirely copied from selinux-eclass (cannot inherit due to dependency on # Code entirely copied from selinux-eclass (cannot inherit due to dependency on
# itself), when reworked reinclude it. Only postinstall (where -b base.pp is # itself), when reworked reinclude it. Only postinstall (where -b base.pp is
# added) needs to remain then. # added) needs to remain then.
@ -52,6 +61,7 @@ src_prepare() {
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch" eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi fi
eapply -p0 "${PATCHES[@]}"
eapply_user eapply_user
# Collect only those files needed for this particular module # Collect only those files needed for this particular module
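Review bot: `PATCHES` is the array name that the EAPI 6+ default src_prepare applies automatically with `eapply` at strip level 1, while this ebuild applies it explicitly with `eapply -p0 "${PATCHES[@]}"`; the custom src_prepare visible here calls `eapply_user` itself and does not appear to delegate to `default`, so nothing breaks today, but anyone restoring the default phase later would get the patches applied twice with the wrong strip level. Either rename the array (e.g. `FLATCAR_PATCHES=(`) or extend the comment above it to state that these patches are -p0 relative to `${WORKDIR}` and are applied only by the custom src_prepare. src_prepare begins before this hunk, as its header shows.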