-
Notifications
You must be signed in to change notification settings - Fork 0
/
SMHI.te
208 lines (168 loc) · 6.54 KB
/
SMHI.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
# SMHIs SELinux policy for all our applications, thats why the policy is quite liberal
# Wed Aug 10 2016 Victor Näslund <[email protected]>
# Tested with our shibboleth, added minor things to make it work 100%
# Also better comments, small style improvments
#
# Tue Aug 9 2016 Victor Näslund <[email protected]>
# Can now be used in testing
#
# Tue Aug 2 2016 Victor Näslund <[email protected]>
# Initial version, not done
policy_module(SMHI, 1.0.0)
# Import types we do not define but will use in our policy
require {
# Network related stuff
type ping_exec_t;
type http_port_t;
type http_cache_port_t;
type unreserved_port_t;
type hi_reserved_port_t;
type reserved_port_t;
type ephemeral_port_t;
type ssh_port_t;
type ldap_port_t;
type ftp_port_t;
# NFS stuff
type autofs_t;
type nfs_t;
# Others
type sudo_exec_t;
type proc_t;
type tmp_t;
type syslogd_t;
type sysfs_t;
type proc_net_t;
# Requirements for modification of exisisting SELinux policies here
type lmtp_port_t;
type collectd_t;
type nrpe_t;
}
########################################
#
# Declarations
#
########################################
# The domain which our apps will run as
type SMHI_t;
# The context that is allowed to transition to our SMHI_t context
type SMHI_exec_t;
# Define the context our apps files will have under /local_disk
type SMHI_storage_t;
########################################
#
# SMHI local policy
#
########################################
# Make SMHI_t a domain
domain_type(SMHI_t)
# Allow procces started using files with SMHI_exec_t context entry into the SMHI_t domain
domain_entry_file(SMHI_t, SMHI_exec_t)
# Transition from the init (systemd) domain into the SMHI_t domain if the started program has the filecontext SMHI_exec_t
init_daemon_domain(SMHI_t, SMHI_exec_t)
# Identify SMHI_storage_t as a filecontext
files_type(SMHI_storage_t)
# Allow sending logging to syslog
logging_send_syslog_msg(SMHI_t)
# Allow reading localization
miscfiles_read_localization(SMHI_t)
# Allow read /etc /var /usr files
files_read_etc_files(SMHI_t)
files_read_var_files(SMHI_t)
files_read_usr_files(SMHI_t)
# Allow read from /dev/urandom and /dev/random
dev_read_rand(SMHI_t)
dev_read_urand(SMHI_t)
# All read and exec for pipes, sockets, shell (bash, sh, ...) and "standard" bin (ls, python ...) files
corecmd_read_bin_pipes(SMHI_t)
corecmd_read_bin_sockets(SMHI_t)
corecmd_exec_shell(SMHI_t)
corecmd_exec_bin(SMHI_t)
# Allow DNS
auth_use_nsswitch(SMHI_t)
# Allow execute on ping
netutils_exec_ping(SMHI_t)
# Allow transition to the ping domain so we can use ping
netutils_domtrans_ping(SMHI_t)
##### Allow statements #####
#
# They are written as:
# allow <domain_that_need_the_acess> <type_to_be_accessed> : <How/what_in_the_type_to_be_used> <permissions>;
# Example: allow SMHI_t nfs_t :file read;
# You can define several types/permissions as by using brackets like this { type1 type2 ... }
# The rule will then be applied for all those types/permissions
#
##### Allow statements #####
# Allow readonly access to proc_t context files, needed to execute files
allow SMHI_t proc_t:file { read_file_perms };
# Allow sending signals and execute in our memory
allow SMHI_t self:process { signal_perms execmem };
# Allow read and exec sudo
allow SMHI_t sudo_exec_t:file { exec_file_perms };
# Allow syslog to read SMHI_storage_t files
allow syslogd_t SMHI_storage_t:dir { manage_dir_perms };
allow syslogd_t SMHI_storage_t:file { manage_file_perms };
allow syslogd_t SMHI_storage_t:lnk_file { manage_lnk_file_perms };
# Allow SMHI_t to read sysfs_t files
allow SMHI_t { sysfs_t proc_net_t } :dir { list_dir_perms };
allow SMHI_t { sysfs_t proc_net_t } :file { read_file_perms };
allow SMHI_t { sysfs_t proc_net_t } :lnk_file { read_lnk_file_perms };
# Allow read and write to files and folders with the context SMHI_storage_t nfs_t autofs_t
allow SMHI_t { SMHI_storage_t nfs_t tmp_t autofs_t } :dir { manage_dir_perms };
allow SMHI_t { SMHI_storage_t nfs_t tmp_t autofs_t } :file { manage_file_perms };
allow SMHI_t { SMHI_storage_t nfs_t tmp_t autofs_t } :lnk_file { manage_lnk_file_perms };
allow SMHI_t { SMHI_storage_t nfs_t tmp_t autofs_t } :fifo_file { manage_fifo_file_perms };
allow SMHI_t { SMHI_storage_t nfs_t tmp_t autofs_t } :sock_file { manage_sock_file_perms };
# Allow connections and port bindings over tcp
allow SMHI_t {
# Allow connections and portbindings to standard over tcp
http_port_t
ssh_port_t
ldap_port_t
ftp_port_t
http_cache_port_t
# Allow connections and portbindings to "unused" (non standard) over tcp
ephemeral_port_t
reserved_port_t
hi_reserved_port_t
unreserved_port_t
} :tcp_socket { name_bind name_connect };
# Allow connections and portbindings over udp
allow SMHI_t {
# Allow connections and bindings to standard ports over udp
http_port_t
ssh_port_t
ldap_port_t
ftp_port_t
http_cache_port_t
# Allow connections and portbindings to "unused" (non standard) over udp
ephemeral_port_t
reserved_port_t
hi_reserved_port_t
unreserved_port_t
} :udp_socket { name_bind };
# Allow create and use sockets
# allow SMHI_t self:rawip_socket { connected_stream_socket_perms }; # Probably dont need rawip sockets
allow SMHI_t self : { tcp_socket udp_socket } { connected_stream_socket_perms };
########################################
#
# Modification of exisiting SELinux policies so they work at SMHI
#
########################################
# Allow collectd to connect to lmtp port
allow collectd_t lmtp_port_t:tcp_socket { name_connect };
# The oolean nagios_run_sudo since its needed for our nrpe, enable by running:
# sudo semanage boolean -m --on nagios_run_sudo
# Allow nrpe to read nfs and nscd_var_run_t
allow nrpe_t nfs_t:dir { list_dir_perms };
allow nrpe_t nfs_t:file { read_file_perms };
allow nrpe_t nfs_t:lnk_file { read_lnk_file_perms };
### Incase you need help ###
# https://github.com/TresysTechnology/refpolicy/blob/master/policy/modules/services/ssh.te
# https://github.com/TresysTechnology/refpolicy/blob/master/policy/support/obj_perm_sets.spt
# http://equivocation.org/node/27
# http://oss.tresys.com/docs/refpolicy/api/system_init.html
# http://danwalsh.livejournal.com/23944.html
# https://matt.bionicmessage.net/selinux-policy-macros.html
# http://selinuxproject.org/page/ObjectClassesPerms
# http://selinuxproject.org/page/TypeRules#typebounds_Rule
# https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_a_daemon_domain