Create SELinux class, implement xCAT SELinux policies

Signed-off-by: Lucas Gracioso <[email protected]>
viniciusferrao · Jun 26, 2024 · 228e865 · 228e865
1 parent dd97326
commit 228e865
Show file tree

Hide file tree

Showing 9 changed files with 241 additions and 0 deletions.
diff --git a/include/cloysterhpc/functions.h b/include/cloysterhpc/functions.h
@@ -70,6 +70,8 @@ void backupFile(std::string_view filename);
 void changeValueInConfigurationFile(
     const std::string&, const std::string&, std::string_view);
 void addStringToFile(std::string_view filename, std::string_view string);
+void setFilePermissions(
+    const std::string& filename, mode_t mode = S_IRUSR | S_IWUSR);
 
 } /* namespace cloyster */
 

diff --git a/include/cloysterhpc/selinux/selinux.h b/include/cloysterhpc/selinux/selinux.h
@@ -0,0 +1,22 @@
+/*
+ * Created by Lucas Gracioso <[email protected]>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef CLOYSTERHPC_SELINUX_H_
+#define CLOYSTERHPC_SELINUX_H_
+
+#include "cloysterhpc/cluster.h"
+#include <cloysterhpc/selinux/xCAT/xcatpolicies.h>
+
+class SELinux {
+private:
+    void configurexCATPolicies();
+    void configurexCATPolicyFile();
+    void configurexCATgenimagePolicyFile();
+    void configurexCATrsyncPolicyFile();
+public:
+    void configureProvisioner(Cluster::Provisioner provisioner);
+};
+
+#endif // CLOYSTERHPC_SELINUX_H_
diff --git a/include/cloysterhpc/selinux/xCAT/xCAT-genimage-ldconfig-rw-tmpdir.te b/include/cloysterhpc/selinux/xCAT/xCAT-genimage-ldconfig-rw-tmpdir.te
@@ -0,0 +1,16 @@
+module xCAT-genimage-ldconfig-rw-tmpdir 1.0;
+
+require {
+    type initrc_tmp_t;
+    type ldconfig_t;
+    class lnk_file { create getattr unlink };
+    class file { create rename setattr };
+    class dir { add_name read remove_name write };
+}
+
+#============= ldconfig_t ==============
+
+allow ldconfig_t initrc_tmp_t:dir { add_name read remove_name write };
+allow ldconfig_t initrc_tmp_t:file { create rename setattr };
+allow ldconfig_t initrc_tmp_t:lnk_file create;
+allow ldconfig_t initrc_tmp_t:lnk_file { getattr unlink };
diff --git a/include/cloysterhpc/selinux/xCAT/xCAT-httpd-read-tftpdir.te b/include/cloysterhpc/selinux/xCAT/xCAT-httpd-read-tftpdir.te
@@ -0,0 +1,12 @@
+module xCAT-httpd-read-tftpdir 1.0;
+
+require {
+    type httpd_t;
+    type tftpdir_t;
+    class dir read;
+    class file { getattr open read };
+}
+
+#============= httpd_t ==============
+allow httpd_t tftpdir_t:dir read;
+allow httpd_t tftpdir_t:file { getattr open read };
diff --git a/include/cloysterhpc/selinux/xCAT/xCAT-rsync.te b/include/cloysterhpc/selinux/xCAT/xCAT-rsync.te
@@ -0,0 +1,68 @@
+module xCAT-rsync 2.0;
+
+require {
+    class capability dac_override;
+    class chr_file write;
+    class dir { getattr search write };
+    class file { execute execute_no_trans getattr map open read };
+    class lnk_file read;
+    class tcp_socket name_connect;
+    type bin_t;
+    type dhcpd_t;
+    type etc_t;
+    type groupadd_t;
+    type httpd_sys_content_t;
+    type kpatch_exec_t;
+    type krb5_keytab_t;
+    type rhsmcertd_t;
+    type root_t;
+    type rsync_t;
+    type rsync_t;
+    type setfiles_t;
+    type shell_exec_t;
+    type ssh_exec_t;
+    type ssh_home_t;
+    type ssh_keysign_exec_t;
+    type ssh_port_t;
+    type sshd_key_t;
+    type sysctl_net_t;
+    type useradd_t;
+}
+
+#============= rsync_t ==============
+
+allow rsync_t bin_t:file map;
+allow rsync_t bin_t:file { execute execute_no_trans map };
+allow rsync_t bin_t:file { execute execute_no_trans };
+allow rsync_t etc_t:dir write;
+allow rsync_t krb5_keytab_t:dir search;
+allow rsync_t self:capability dac_override;
+allow rsync_t shell_exec_t:file map;
+allow rsync_t shell_exec_t:file { execute execute_no_trans map };
+allow rsync_t shell_exec_t:file { execute execute_no_trans };
+allow rsync_t ssh_exec_t:file { execute execute_no_trans map open read };
+allow rsync_t ssh_home_t:dir { getattr search };
+allow rsync_t ssh_home_t:file { getattr open read };
+allow rsync_t ssh_keysign_exec_t:file { execute execute_no_trans getattr map open read };
+allow rsync_t ssh_keysign_exec_t:file { execute execute_no_trans };
+allow rsync_t ssh_keysign_exec_t:file { getattr map open read };
+allow rsync_t ssh_port_t:tcp_socket name_connect;
+allow rsync_t sshd_key_t:file { getattr open read };
+
+#============= dhcpd_t ==============
+allow dhcpd_t sysctl_net_t:dir search;
+
+#============= groupadd_t ==============
+allow groupadd_t httpd_sys_content_t:chr_file write;
+allow groupadd_t httpd_sys_content_t:lnk_file read;
+
+#============= rhsmcertd_t ==============
+allow rhsmcertd_t kpatch_exec_t:file getattr;
+allow rhsmcertd_t root_t:file read;
+
+#============= setfiles_t ==============
+allow setfiles_t httpd_sys_content_t:chr_file write;
+
+#============= useradd_t ==============
+allow useradd_t httpd_sys_content_t:chr_file write;
+allow useradd_t httpd_sys_content_t:lnk_file read;
diff --git a/include/cloysterhpc/selinux/xCAT/xcatpolicies.h b/include/cloysterhpc/selinux/xCAT/xcatpolicies.h
@@ -0,0 +1,21 @@
+/*
+ * Created by Lucas Gracioso <[email protected]>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef CLOYSTERHPC_XCATPOLICIES_H_
+#define CLOYSTERHPC_XCATPOLICIES_H_
+
+constexpr const char* xCATSELinuxPolicyFile =
+#include "cloysterhpc/selinux/xCAT/xCAT-httpd-read-tftpdir.te"
+    ;
+
+constexpr const char* xCATgenimageSELinuxPolicyFile =
+#include "cloysterhpc/selinux/xCAT/xCAT-genimage-ldconfig-rw-tmpdir.te"
+    ;
+
+constexpr const char* xCATrsyncSELinuxPolicyFile =
+#include "cloysterhpc/selinux/xCAT/xCAT-rsync.te"
+    ;
+
+#endif // CLOYSTERHPC_XCATPOLICIES_H_
diff --git a/src/cluster.cpp b/src/cluster.cpp
@@ -20,6 +20,7 @@
 #include <regex>
 
 #ifndef NDEBUG
+#include "cloysterhpc/selinux/selinux.h"
 #include <fmt/format.h>
 #endif
 
@@ -606,6 +607,12 @@ void Cluster::fillData(const std::string& answerfilePath)
     setProvisioner(Provisioner::xCAT);
     m_headnode.setOS(nodeOS);
 
+    // SELinux policies
+    if (getSELinux() != SELinuxMode::Disabled) {
+        SELinux SELinuxConfigurer;
+        SELinuxConfigurer.configureProvisioner(getProvisioner());
+    }
+
     LOG_TRACE("Configure Nodes")
     for (auto node : answerfile.nodes.nodes) {
 

diff --git a/src/functions.cpp b/src/functions.cpp
@@ -222,4 +222,15 @@ void addStringToFile(std::string_view filename, std::string_view string)
     LOG_DEBUG("Added line(s):\n{}\n => to file: {}", string, filename)
 }
 
+/**
+ *
+ * @param filename The filename
+ * @param mode The wanted permissions (mode). By default it is set to 0600.
+ */
+void setFilePermissions(const std::string& filename, mode_t mode) {
+    if (chmod(filename.c_str(), mode) != 0) {
+        throw std::runtime_error(fmt::format("Error setting permissions on file: {}", filename));
+    }
+}
+
 } // namespace cloyster
diff --git a/src/services/selinux.cpp b/src/services/selinux.cpp
@@ -0,0 +1,82 @@
+/*
+ * Created by Lucas Gracioso <[email protected]>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include "cloysterhpc/selinux/selinux.h"
+#include "cloysterhpc/functions.h"
+#include "cloysterhpc/services/log.h"
+
+void SELinux::configurexCATPolicies()
+{
+    LOG_TRACE("Configuring xCAT SELinux policies")
+    configurexCATPolicyFile();
+    configurexCATgenimagePolicyFile();
+    configurexCATrsyncPolicyFile();
+}
+
+void SELinux::configurexCATPolicyFile()
+{
+    // Create SELinux policy file for xCAT
+    const std::string file = "/root/xCAT-httpd-read-tftpdir.te";
+    cloyster::addStringToFile(file, xCATSELinuxPolicyFile);
+    cloyster::setFilePermissions(file);
+
+    // Install SELinux policy file for xCAT
+    std::string combinedCommands
+        = "checkmodule -M -m -o /root/xCAT-httpd-read-tftpdir.mod "
+          "/root/xCAT-httpd-read-tftpdir.te && "
+          "semodule_package -o /root/xCAT-httpd-read-tftpdir.pp -m "
+          "/root/xCAT-httpd-read-tftpdir.mod && "
+          "semodule -i /root/xCAT-httpd-read-tftpdir.pp && "
+          "semanage fcontext -a -t httpd_sys_content_t '/install(/.*)?' && "
+          "restorecon -R /install && "
+          "rm -rf /root/xCAT-httpd-read-tftpdir*";
+
+    cloyster::runCommand(combinedCommands);
+}
+
+void SELinux::configurexCATgenimagePolicyFile()
+{
+    // Create SELinux genimage policy file for xCAT
+    const std::string file = "/root/xCAT-genimage-ldconfig-rw-tmpdir.te";
+    cloyster::addStringToFile(file, xCATgenimageSELinuxPolicyFile);
+    cloyster::setFilePermissions(file);
+
+    // Install SELinux genimage policy file for xCAT
+    std::string combinedCommands
+        = "checkmodule -M -m -o /root/xCAT-genimage-ldconfig-rw-tmpdir.mod "
+          "/root/xCAT-genimage-ldconfig-rw-tmpdir.te && "
+          "semodule_package -o /root/xCAT-genimage-ldconfig-rw-tmpdir.pp -m "
+          "/root/xCAT-genimage-ldconfig-rw-tmpdir.mod && "
+          "semodule -i /root/xCAT-genimage-ldconfig-rw-tmpdir.pp && "
+          "rm -rf /root/xCAT-genimage-ldconfig*";
+
+    cloyster::runCommand(combinedCommands);
+}
+
+void SELinux::configurexCATrsyncPolicyFile()
+{
+    // Create SELinux rsync policy file for xCAT
+    const std::string file = "/root/xCAT-rsync.te";
+    cloyster::addStringToFile(file, xCATrsyncSELinuxPolicyFile);
+    cloyster::setFilePermissions(file);
+
+    // Install SELinux rsync policy file for xCAT
+    std::string combinedCommands
+        = "checkmodule -M -m -o /root/xCAT-rsync.mod /root/xCAT-rsync.te && "
+          "semodule_package -o /root/xCAT-rsync.pp -m /root/xCAT-rsync.mod && "
+          "semodule -i /root/xCAT-rsync.pp && "
+          "rm -rf /root/xCAT-genimage-ldconfig*";
+
+    cloyster::runCommand(combinedCommands);
+}
+
+void SELinux::configureProvisioner(Cluster::Provisioner provisioner)
+{
+    switch (provisioner) {
+        case Cluster::Provisioner::xCAT:
+            configurexCATPolicies();
+            break;
+    }
+}