Foreman » SELinux

# vim: sw=4:ts=4:et

#

# Copyright 2013 Red Hat, Inc.

#

# This program and entire repository is free software: you can redistribute it

# and/or modify it under the terms of the GNU General Public License as

# published by the Free Software Foundation, either version 3 of the License,

# or any later version.

#

# This program is distributed in the hope that it will be useful, but WITHOUT

# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more

# details.

#

# You should have received a copy of the GNU General Public License along with

# this program. If not, see http://www.gnu.org/licenses/.

#

policy_module(foreman, @@VERSION@@)

#######################################

#

# Declarations

#

# Note: Some mod_passanger 4.0+ processes are running under httpd_t domain,

# therefore we need to keep two domains: passenger_t and httpd_t.

#

## <desc>

## <p>

## Allow passenger to run foreman.

## </p>

## </desc>

gen_tunable(passenger_run_foreman, true)

## <desc>

### <p>

### Allow passenger to run the puppetmaster.

### </p>

### </desc>

gen_tunable(passenger_run_puppetmaster, true)

## <desc>

## <p>

## Allow passenger (httpd_t domain) to run foreman.

## </p>

## </desc>

gen_tunable(httpd_run_foreman, true)

## <desc>

## <p>

## Determine whether passenger can connect to TCP ports

## other than specified in the policy.

## </p>

## </desc>

gen_tunable(passenger_can_connect_all, false)

# define types for foreman scripts

apache_content_template(foreman)

# Some basic aliases for different aspects of the filesystem to make things

# more clear.

require{

type etc_t;

}

typealias etc_t alias foreman_config_t;

type foreman_db_t;

files_type(foreman_db_t)

type foreman_enc_t;

files_config_file(foreman_enc_t)

type foreman_lib_t;

files_type(foreman_lib_t)

type foreman_log_t;

typealias foreman_log_t alias httpd_foreman_script_log_t;

logging_log_file(foreman_log_t)

type foreman_var_run_t;

files_pid_file(foreman_var_run_t)

require{

type httpd_t;

type httpd_tmp_t;

type ifconfig_exec_t;

type init_t;

type passenger_t;

type passenger_tmp_t;

type proc_net_t;

type puppet_etc_t;

type puppet_log_t;

type puppet_port_t;

type puppet_var_lib_t;

type puppetmaster_exec_t;

type puppetmaster_t;

type sysctl_net_t;

}

#######################################

#

# Foreman local policy

#

manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)

manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)

manage_files_pattern(httpd_foreman_script_t, foreman_log_t , foreman_log_t)

manage_files_pattern(httpd_foreman_script_t, foreman_var_run_t , foreman_var_run_t)

files_read_etc_files(httpd_foreman_script_t)

logging_send_syslog_msg(httpd_foreman_script_t)

miscfiles_read_localization(httpd_foreman_script_t)

#######################################

#

# Passanger/httpd local policy

#

allow passenger_t self:capability sys_resource;

allow passenger_t self:process signull;

allow passenger_t self:tcp_socket listen;

miscfiles_read_localization(passenger_t)

# Allow Foreman to connect to PostgreSQL

corenet_tcp_connect_postgresql_port(passenger_t)

optional_policy(`

postgresql_stream_connect(passenger_t)

')

# Allow Foreman to connect anywhere when bool is set

tunable_policy(`passenger_can_connect_all',`

corenet_tcp_connect_all_ports(passenger_t)

')

# The read the code (and potentially modules) from /usr/share.

files_read_usr_files(passenger_t)

# Allow access to pseudo terminal devices to connect to local virt.

term_search_ptys(passenger_t)

# For memory-statistics script which executes /usr/bin/free

files_exec_usr_files(passenger_t)

# For memory-statistics and agent which executes /bin/ps (#3465)

dev_read_sysfs(passenger_t)

dev_search_sysfs(passenger_t)

dev_read_rand(passenger_t)

optional_policy(`

tunable_policy(`passenger_run_foreman', `

read_files_pattern(httpd_t, foreman_lib_t, foreman_lib_t)

manage_files_pattern(passenger_t, foreman_lib_t, foreman_lib_t)

manage_dirs_pattern(passenger_t, foreman_lib_t, foreman_lib_t)

manage_files_pattern(passenger_t, foreman_var_run_t, foreman_var_run_t)

manage_dirs_pattern(passenger_t, foreman_var_run_t, foreman_var_run_t)

# Allow Foreman to connect to hosts and guests

corenet_tcp_connect_virt_port(passenger_t)

corenet_tcp_connect_ssh_port(passenger_t)

# Allow Foreman to write to the SQlite databases

read_files_pattern(passenger_t, foreman_db_t, foreman_db_t)

write_files_pattern(passenger_t, foreman_db_t, foreman_db_t)

')

')

optional_policy(`

tunable_policy(`passenger_run_foreman', `

read_files_pattern(passenger_t, httpd_foreman_script_exec_t, httpd_foreman_script_exec_t)

read_lnk_files_pattern(passenger_t, httpd_foreman_script_exec_t, httpd_foreman_script_exec_t)

append_files_pattern(passenger_t, foreman_log_t, foreman_log_t)

')

')

optional_policy(`

tunable_policy(`passenger_run_foreman', `

allow passenger_t self:process getsession;

fs_rw_anon_inodefs_files(passenger_t)

allow passenger_t httpd_t:unix_stream_socket getattr;

')

')

tunable_policy(`httpd_run_foreman', `

allow httpd_t passenger_tmp_t:sock_file write;

')

tunable_policy(`httpd_run_foreman', `

manage_dirs_pattern(passenger_t, httpd_tmp_t, httpd_tmp_t)

manage_files_pattern(passenger_t, httpd_tmp_t, httpd_tmp_t)

manage_sock_files_pattern(passenger_t, httpd_tmp_t, httpd_tmp_t)

')

optional_policy(`

tunable_policy(`passenger_run_puppetmaster', `

allow passenger_t foreman_enc_t:file { execute execute_no_trans };

allow passenger_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };

allow passenger_t init_t:unix_stream_socket { getattr ioctl };

allow passenger_t proc_net_t:file { read getattr open };

allow passenger_t puppet_log_t:file { write relabelfrom relabelto };

allow passenger_t puppet_var_lib_t:dir { relabelfrom relabelto create rmdir setattr };

allow passenger_t puppet_var_lib_t:file { relabelfrom relabelto };

allow passenger_t sysctl_net_t:dir search;

# Allow basic httpd processes to access puppet_etc_t and

# puppet_port_t before passenger is initialized. This is for

# Fedora.

allow httpd_t puppet_etc_t:dir getattr;

allow httpd_t puppet_port_t:tcp_socket name_connect;

')

')

optional_policy(`

# Allow sending of email reports.

mta_send_mail(passenger_t)

')

optional_policy(`

mysql_stream_connect(passenger_t)

mysql_list_db(passenger_t)

')

optional_policy(`

hostname_exec(passenger_t)

')

optional_policy(`

# Transition to puppet_master

corecmd_search_bin(passenger_t)

domtrans_pattern(passenger_t, puppetmaster_exec_t, puppetmaster_t)

')

#######################################

#

# Websockify

#

type websockify_t;

type websockify_exec_t;

role system_r types websockify_t;

application_domain(websockify_t, websockify_exec_t)

domtrans_pattern(passenger_t, websockify_exec_t, websockify_t)

require {

type vnc_port_t;

}

allow websockify_t self:netlink_route_socket { bind create getattr nlmsg_read };

allow websockify_t self:tcp_socket { setopt bind create listen accept connect shutdown };

allow websockify_t self:udp_socket { getattr ioctl create connect };

corenet_tcp_bind_generic_node(websockify_t)

corenet_tcp_connect_vnc_port(websockify_t)

corenet_tcp_bind_vnc_port(websockify_t)

dev_read_urand(websockify_t)

kernel_read_system_state(websockify_t)

logging_send_syslog_msg(websockify_t)

miscfiles_read_localization(websockify_t)

sysnet_read_config(websockify_t)

abrt_stream_connect(websockify_t)

######################################

#

# Foreman Bootdisk plugin

#

# no rules necessary