coreos/user-patches: add selinux-base

* add selinux patches (icmp-bind, relabel and kernel permissions)
* ship our own config file

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Mathieu Tortuyaux 2023-06-13 17:13:46 +02:00
parent 3de5229a3c
commit ac520d6588
No known key found for this signature in database
GPG Key ID: AC5CCFB52545D9B8
4 changed files with 102 additions and 0 deletions


@ -0,0 +1,2 @@
PKG_INSTALL_MASK+=" /etc/selinux/config"
INSTALL_MASK+=" /etc/selinux/config"
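Review bot: Both masks drop the /etc/selinux/config that the policy package would install, but nothing on this page shows the replacement file the commit message promises ("ship our own config file"); if it is installed from another overlay, this env file should say so, because with no /etc/selinux/config present libselinux has no SELINUX=/SELINUXTYPE= to read and policy loading at boot would presumably just not happen — confirm against the built image. A one-line comment above the masks would make the coupling explicit, e.g. `# /etc/selinux/config is masked here because Flatcar ships its own copy; keep the two in sync`. Applying this mask without the replacement landing in the same change leaves an intermediate commit with no SELinux config at all.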


@ -0,0 +1,16 @@
diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
index 56dbd5af5..b5cf0e3c0 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -363,6 +363,11 @@ files_list_home(kernel_t)
files_read_usr_files(kernel_t)
mcs_process_set_categories(kernel_t)
+mcs_killall(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
+mcs_ptrace_all(kernel_t)
+allow kernel_t self:user_namespace create;
mls_process_read_all_levels(kernel_t)
mls_process_write_all_levels(kernel_t)
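Review bot: The five new kernel_t rules, from `mcs_killall(kernel_t)` through `allow kernel_t self:user_namespace create;`, carry no comment recording which AVC denial each one fixes, so a later refpolicy bump cannot tell whether they are still needed; the commit message only says "kernel permissions". The mcs_*_all() calls lift the MCS category constraints for kernel_t on kill, ptrace and all file read/write at once, which is a broad grant for the domain that, by convention, everything started before policy load runs in — if a single object class triggered the denial, narrowing to that interface would be preferable. A note such as `# lift MCS constraints for kernel_t: <avc: denied ... seen at first boot>; TODO record the exact denial` above the block would do. The raw `self:user_namespace create` rule also requires the user_namespace object class to be declared in the policy's flask access vectors; if the refpolicy revision in use predates that class, checkpolicy will reject the policy, so confirm it is defined rather than relying on the build to notice.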


@ -0,0 +1,44 @@
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 495cbe2f4..a5605f866 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -7892,3 +7892,39 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
+
+########################################
+## <summary>
+## Relabel all files on the filesystem, except
+## policy_config_t and exceptions.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="exception_types" optional="true">
+## <summary>
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_non_policy_files',`
+ gen_require(`
+ attribute file_type;
+ type policy_config_t;
+ ')
+
+ allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+ relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+ relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+ relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+ relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+ relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+')
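Review bot: The `diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if` header names a different path from the `--- a/refpolicy/policy/modules/kernel/files.if` / `+++` lines under it; patch(1) ignores the git header so the patch applies, but git apply checks the two against each other and rejects the mismatch, so the header should read `diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if` (or be dropped together with the `index` line, as the corenetwork patch file does). On the interface itself, the summary "except policy_config_t and exceptions" reads as if "exceptions" were a type; it looks like a copy of files_relabel_all_files() with policy_config_t subtracted so a relabelling domain cannot relabel the policy store, and saying that directly would help: `## Relabel all files on the filesystem except policy_config_t (and any caller-supplied exception types), so the policy store cannot be relabeled by the caller.` The exception parameter is passed straight into the type sets, so the doc's requirement that the caller negate each type is correct and worth keeping.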


@ -0,0 +1,40 @@
diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
+++ b/refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
@@ -879,6 +879,24 @@
########################################
## <summary>
+## Bind ICMP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_icmp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:icmp_socket node_bind;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to generic nodes.
## </summary>
## <desc>
diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
+++ b/refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
@@ -373,7 +373,7 @@
# Bind to any network address.
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
# Infiniband
corenet_ib_access_all_pkeys(corenet_unconfined_type)
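Review bot: The new `allow $1 node_t:icmp_socket node_bind;` only has an effect when the extended_socket_class policy capability is enabled in the policy being built; without it the kernel classifies ICMP datagram sockets as rawip_socket, which the existing rawip node-bind interface already covers, so a caller relying on this interface alone would still be denied — confirm the policy declares `policycap extended_socket_class;` (the corenet_unconfined_type change in the second hunk keeps rawip_socket and so is fine either way). A `<desc>` block, like the TCP interface that follows it has, would record that dependency: `## <desc><p>Requires the extended_socket_class policy capability; otherwise ICMP sockets are classified as rawip_socket.</p></desc>`. Separately, the `+++` headers here point at `refpolicy2/...` while the other patch files use `a/refpolicy/...` and `b/refpolicy/...`; patch(1) tolerates it, but the paths should be normalized so every user patch applies at the same -p level, and the timestamps in the headers can be dropped.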