Create SELinux class, implement xCAT SELinux policies
Signed-off-by: Lucas Gracioso <[email protected]>
1 parent
dd97326
commit 228e865
Showing
9 changed files
with
241 additions
and
0 deletions.
@@ -0,0 +1,22 @@ | ||
/* | ||
* Created by Lucas Gracioso <[email protected]> | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
#ifndef CLOYSTERHPC_SELINUX_H_ | ||
#define CLOYSTERHPC_SELINUX_H_ | ||
|
||
#include "cloysterhpc/cluster.h" | ||
#include <cloysterhpc/selinux/xCAT/xcatpolicies.h> | ||
|
||
class SELinux { | ||
private: | ||
void configurexCATPolicies(); | ||
void configurexCATPolicyFile(); | ||
void configurexCATgenimagePolicyFile(); | ||
void configurexCATrsyncPolicyFile(); | ||
public: | ||
void configureProvisioner(Cluster::Provisioner provisioner); | ||
}; | ||
|
||
#endif // CLOYSTERHPC_SELINUX_H_ |
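Review bot: `SELinux` declares no data members, so the three private `configurexCAT*PolicyFile()` methods and `configureProvisioner()` are effectively free functions; marking them `static` (or moving them into a namespace) would make that explicit and let callers use them without constructing an object. The header also says nothing about what this class does to the host, which matters because it is granting privileges system-wide; a comment above the class such as `// Builds and loads the SELinux policy modules a provisioner needs: each configure*PolicyFile() writes a .te under /root, compiles it with checkmodule/semodule_package and installs it with semodule.` would tell a reader what to expect before opening the .cpp.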
16 changes: 16 additions & 0 deletions
16
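--- /dev/null
+++ b/include/cloysterhpc/selinux/xCAT/xCAT-genimage-ldconfig-rw-tmpdir.te
@@ -0,0 +1,16 @@
+module xCAT-genimage-ldconfig-rw-tmpdir 1.0;
+
+require {
+type initrc_tmp_t;
+type ldconfig_t;
+class lnk_file { create getattr unlink };
+class file { create rename setattr };
+class dir { add_name read remove_name write };
+}
+
+#============= ldconfig_t ==============
+
+allow ldconfig_t initrc_tmp_t:dir { add_name read remove_name write };
+allow ldconfig_t initrc_tmp_t:file { create rename setattr };
+allow ldconfig_t initrc_tmp_t:lnk_file create;
+allow ldconfig_t initrc_tmp_t:lnk_file { getattr unlink };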
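Review bot: The two `lnk_file` rules at the end (`allow ldconfig_t initrc_tmp_t:lnk_file create;` and `allow ldconfig_t initrc_tmp_t:lnk_file { getattr unlink };`) are unmerged audit2allow output and should be committed as one rule, `allow ldconfig_t initrc_tmp_t:lnk_file { create getattr unlink };`. More importantly the module is not scoped to xCAT: it lets every `ldconfig_t` process create, rename and unlink files and symlinks in anything labelled `initrc_tmp_t` on the management node, not just the genimage working tree. A header comment recording the denial this answers (which genimage step, which path) would let a later reviewer judge whether a dedicated type or file context for that tree is the tighter fix.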
12 changes: 12 additions & 0 deletions
12
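--- /dev/null
+++ b/include/cloysterhpc/selinux/xCAT/xCAT-httpd-read-tftpdir.te
@@ -0,0 +1,12 @@
+module xCAT-httpd-read-tftpdir 1.0;
+
+require {
+type httpd_t;
+type tftpdir_t;
+class dir read;
+class file { getattr open read };
+}
+
+#============= httpd_t ==============
+allow httpd_t tftpdir_t:dir read;
+allow httpd_t tftpdir_t:file { getattr open read };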
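Review bot: `allow httpd_t tftpdir_t:file { getattr open read };` gives Apache read access to every file carrying `tftpdir_t` on the system, not only the paths xCAT serves over HTTP; the rule should carry a comment naming the directory Apache actually needs and why it is not simply labelled `httpd_sys_content_t` the way /install is in the companion selinux.cpp change. Note also that `dir read` alone permits listing but not `search` or `getattr`, so if Apache traverses into subdirectories of that tree further denials are likely; confirm the set against audit.log after a real boot rather than assuming this module is complete.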
@@ -0,0 +1,68 @@ | ||
module xCAT-rsync 2.0; | ||
|
||
require { | ||
class capability dac_override; | ||
class chr_file write; | ||
class dir { getattr search write }; | ||
class file { execute execute_no_trans getattr map open read }; | ||
class lnk_file read; | ||
class tcp_socket name_connect; | ||
type bin_t; | ||
type dhcpd_t; | ||
type etc_t; | ||
type groupadd_t; | ||
type httpd_sys_content_t; | ||
type kpatch_exec_t; | ||
type krb5_keytab_t; | ||
type rhsmcertd_t; | ||
type root_t; | ||
type rsync_t; | ||
type rsync_t; | ||
type setfiles_t; | ||
type shell_exec_t; | ||
type ssh_exec_t; | ||
type ssh_home_t; | ||
type ssh_keysign_exec_t; | ||
type ssh_port_t; | ||
type sshd_key_t; | ||
type sysctl_net_t; | ||
type useradd_t; | ||
} | ||
|
||
#============= rsync_t ============== | ||
|
||
allow rsync_t bin_t:file map; | ||
allow rsync_t bin_t:file { execute execute_no_trans map }; | ||
allow rsync_t bin_t:file { execute execute_no_trans }; | ||
allow rsync_t etc_t:dir write; | ||
allow rsync_t krb5_keytab_t:dir search; | ||
allow rsync_t self:capability dac_override; | ||
allow rsync_t shell_exec_t:file map; | ||
allow rsync_t shell_exec_t:file { execute execute_no_trans map }; | ||
allow rsync_t shell_exec_t:file { execute execute_no_trans }; | ||
allow rsync_t ssh_exec_t:file { execute execute_no_trans map open read }; | ||
allow rsync_t ssh_home_t:dir { getattr search }; | ||
allow rsync_t ssh_home_t:file { getattr open read }; | ||
allow rsync_t ssh_keysign_exec_t:file { execute execute_no_trans getattr map open read }; | ||
allow rsync_t ssh_keysign_exec_t:file { execute execute_no_trans }; | ||
allow rsync_t ssh_keysign_exec_t:file { getattr map open read }; | ||
allow rsync_t ssh_port_t:tcp_socket name_connect; | ||
allow rsync_t sshd_key_t:file { getattr open read }; | ||
|
||
#============= dhcpd_t ============== | ||
allow dhcpd_t sysctl_net_t:dir search; | ||
|
||
#============= groupadd_t ============== | ||
allow groupadd_t httpd_sys_content_t:chr_file write; | ||
allow groupadd_t httpd_sys_content_t:lnk_file read; | ||
|
||
#============= rhsmcertd_t ============== | ||
allow rhsmcertd_t kpatch_exec_t:file getattr; | ||
allow rhsmcertd_t root_t:file read; | ||
|
||
#============= setfiles_t ============== | ||
allow setfiles_t httpd_sys_content_t:chr_file write; | ||
|
||
#============= useradd_t ============== | ||
allow useradd_t httpd_sys_content_t:chr_file write; | ||
allow useradd_t httpd_sys_content_t:lnk_file read; |
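Review bot: `allow rsync_t self:capability dac_override;`, `allow rsync_t etc_t:dir write;` and `allow rsync_t sshd_key_t:file { getattr open read };` let the rsync domain bypass file-permission checks, create entries in /etc and read the sshd host private keys, and together with the `bin_t`/`shell_exec_t` `execute_no_trans` rules (any binary or shell rsync spawns stays in `rsync_t`) this makes rsync close to unconfined; each of those lines needs a comment naming the xCAT operation that requires it or should be dropped. The file is also raw audit2allow output: `type rsync_t;` is declared twice, and the three `bin_t`, `shell_exec_t` and `ssh_keysign_exec_t` groups are each subsets of one another and collapse to a single rule. The `groupadd_t`, `useradd_t` and `setfiles_t` rules writing a `chr_file` labelled `httpd_sys_content_t` look like a symptom of the blanket `/install(/.*)?` relabel in selinux.cpp catching device nodes inside an image tree rather than an rsync requirement, and the `dhcpd_t`/`rhsmcertd_t` rules have nothing to do with rsync at all; if they are needed they belong in separately named modules so they can be removed independently.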
@@ -0,0 +1,21 @@ | ||
/* | ||
* Created by Lucas Gracioso <[email protected]> | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
#ifndef CLOYSTERHPC_XCATPOLICIES_H_ | ||
#define CLOYSTERHPC_XCATPOLICIES_H_ | ||
|
||
constexpr const char* xCATSELinuxPolicyFile = | ||
#include "cloysterhpc/selinux/xCAT/xCAT-httpd-read-tftpdir.te" | ||
; | ||
|
||
constexpr const char* xCATgenimageSELinuxPolicyFile = | ||
#include "cloysterhpc/selinux/xCAT/xCAT-genimage-ldconfig-rw-tmpdir.te" | ||
; | ||
|
||
constexpr const char* xCATrsyncSELinuxPolicyFile = | ||
#include "cloysterhpc/selinux/xCAT/xCAT-rsync.te" | ||
; | ||
|
||
#endif // CLOYSTERHPC_XCATPOLICIES_H_ |
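Review bot: `constexpr const char* xCATSELinuxPolicyFile = #include "...te" ;` only compiles if the included file is itself a C++ string literal, but the `.te` files added in this commit are plain policy text beginning with `module ... 1.0;`, so unless a build step rewrites them this header cannot compile as written. Either keep the `.te` files untouched for checkmodule and generate a `.inc` at build time that wraps each one in `R"SELINUX(` … `)SELINUX"`, or embed them through the build system. Independently, prefer `inline constexpr` for these header-scope globals so every translation unit shares one object instead of a private copy per include.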
@@ -0,0 +1,82 @@ | ||
/* | ||
* Created by Lucas Gracioso <[email protected]> | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
#include "cloysterhpc/selinux/selinux.h" | ||
#include "cloysterhpc/functions.h" | ||
#include "cloysterhpc/services/log.h" | ||
|
||
void SELinux::configurexCATPolicies() | ||
{ | ||
LOG_TRACE("Configuring xCAT SELinux policies") | ||
configurexCATPolicyFile(); | ||
configurexCATgenimagePolicyFile(); | ||
configurexCATrsyncPolicyFile(); | ||
} | ||
|
||
void SELinux::configurexCATPolicyFile() | ||
{ | ||
// Create SELinux policy file for xCAT | ||
const std::string file = "/root/xCAT-httpd-read-tftpdir.te"; | ||
cloyster::addStringToFile(file, xCATSELinuxPolicyFile); | ||
cloyster::setFilePermissions(file); | ||
|
||
// Install SELinux policy file for xCAT | ||
std::string combinedCommands | ||
= "checkmodule -M -m -o /root/xCAT-httpd-read-tftpdir.mod " | ||
"/root/xCAT-httpd-read-tftpdir.te && " | ||
"semodule_package -o /root/xCAT-httpd-read-tftpdir.pp -m " | ||
"/root/xCAT-httpd-read-tftpdir.mod && " | ||
"semodule -i /root/xCAT-httpd-read-tftpdir.pp && " | ||
"semanage fcontext -a -t httpd_sys_content_t '/install(/.*)?' && " | ||
"restorecon -R /install && " | ||
"rm -rf /root/xCAT-httpd-read-tftpdir*"; | ||
|
||
cloyster::runCommand(combinedCommands); | ||
} | ||
|
||
void SELinux::configurexCATgenimagePolicyFile() | ||
{ | ||
// Create SELinux genimage policy file for xCAT | ||
const std::string file = "/root/xCAT-genimage-ldconfig-rw-tmpdir.te"; | ||
cloyster::addStringToFile(file, xCATgenimageSELinuxPolicyFile); | ||
cloyster::setFilePermissions(file); | ||
|
||
// Install SELinux genimage policy file for xCAT | ||
std::string combinedCommands | ||
= "checkmodule -M -m -o /root/xCAT-genimage-ldconfig-rw-tmpdir.mod " | ||
"/root/xCAT-genimage-ldconfig-rw-tmpdir.te && " | ||
"semodule_package -o /root/xCAT-genimage-ldconfig-rw-tmpdir.pp -m " | ||
"/root/xCAT-genimage-ldconfig-rw-tmpdir.mod && " | ||
"semodule -i /root/xCAT-genimage-ldconfig-rw-tmpdir.pp && " | ||
"rm -rf /root/xCAT-genimage-ldconfig*"; | ||
|
||
cloyster::runCommand(combinedCommands); | ||
} | ||
|
||
void SELinux::configurexCATrsyncPolicyFile() | ||
{ | ||
// Create SELinux rsync policy file for xCAT | ||
const std::string file = "/root/xCAT-rsync.te"; | ||
cloyster::addStringToFile(file, xCATrsyncSELinuxPolicyFile); | ||
cloyster::setFilePermissions(file); | ||
|
||
// Install SELinux rsync policy file for xCAT | ||
std::string combinedCommands | ||
= "checkmodule -M -m -o /root/xCAT-rsync.mod /root/xCAT-rsync.te && " | ||
"semodule_package -o /root/xCAT-rsync.pp -m /root/xCAT-rsync.mod && " | ||
"semodule -i /root/xCAT-rsync.pp && " | ||
"rm -rf /root/xCAT-genimage-ldconfig*"; | ||
|
||
cloyster::runCommand(combinedCommands); | ||
} | ||
|
||
void SELinux::configureProvisioner(Cluster::Provisioner provisioner) | ||
{ | ||
switch (provisioner) { | ||
case Cluster::Provisioner::xCAT: | ||
configurexCATPolicies(); | ||
break; | ||
} | ||
} |
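Review bot: In `configurexCATrsyncPolicyFile()` the cleanup step is `rm -rf /root/xCAT-genimage-ldconfig*` (copied from the genimage function), so the rsync `.te`, `.mod` and `.pp` are left behind in /root; it should be `rm -rf /root/xCAT-rsync*`. The command chains are also not re-runnable: `semanage fcontext -a` fails when the mapping already exists, and because the steps are joined with `&&` that aborts before `restorecon` and the cleanup, so use `semanage fcontext -a ... || semanage fcontext -m ...` (or check `semanage fcontext -l` first); whether `cloyster::addStringToFile` appends to an existing file, which would corrupt the `.te` on a second run, should also be confirmed, as should what `runCommand` does on a non-zero exit, since a failed `checkmodule` currently logs nothing here. The `/install(/.*)?` relabel labels everything xCAT stores under /install, presumably including image trees, which is the likely origin of the odd `httpd_sys_content_t:chr_file` rules in xCAT-rsync.te. The three functions differ only in module name and content, so one helper removes this copy-paste class of bug:
```cpp
// Writes `content` to /root/<name>.te, compiles and loads it as an SELinux
// module, then removes the build artefacts. Error handling follows whatever
// cloyster::runCommand does on a non-zero exit -- confirm it is not silent.
static void installPolicyModule(const std::string& name, const char* content)
{
    const std::string base = "/root/" + name;
    cloyster::addStringToFile(base + ".te", content);
    cloyster::setFilePermissions(base + ".te");
    cloyster::runCommand("checkmodule -M -m -o " + base + ".mod " + base + ".te && "
        "semodule_package -o " + base + ".pp -m " + base + ".mod && "
        "semodule -i " + base + ".pp && "
        "rm -f " + base + ".te " + base + ".mod " + base + ".pp");
}

void SELinux::configurexCATrsyncPolicyFile()
{
    installPolicyModule("xCAT-rsync", xCATrsyncSELinuxPolicyFile);
}
// … unchanged: configurexCATPolicyFile keeps its semanage/restorecon steps after the same helper call …
```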