From cc49096044051f8f1211c0489211cf413125a7fd Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Wed, 19 Feb 2014 08:37:54 -0500
Subject: [PATCH] Add internal SELinux policy overrides

In the future, this will likely include an ostree_t domain. For now, this is just a few additional allow rules.

---
 Makefile.am | 4 ++++
 configure.ac | 1 +
 packaging/ostree.spec.in | 24 ++++++++++++++++++++++++
 selinux/.gitignore | 2 ++
 selinux/Makefile.am | 22 ++++++++++++++++++++++
 selinux/ostree.fc | 9 +++++++++
 selinux/ostree.if | 1 +
 selinux/ostree.te | 33 +++++++++++++++++++++++++++++++++
 8 files changed, 96 insertions(+)
 create mode 100644 selinux/.gitignore
 create mode 100644 selinux/Makefile.am
 create mode 100644 selinux/ostree.fc
 create mode 100644 selinux/ostree.if
 create mode 100644 selinux/ostree.te

diff --git a/Makefile.am b/Makefile.am
index b20738a0..803ce0aa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -31,6 +31,10 @@ endif
 SUBDIRS += .
+if USE_SELINUX
+SUBDIRS += selinux
+endif
+
 if ENABLE_GTK_DOC
 SUBDIRS += doc
 endif
diff --git a/configure.ac b/configure.ac
index 542c9ff0..d3c72d72 100644
--- a/configure.ac
+++ b/configure.ac
@@ -203,6 +203,7 @@ AC_CONFIG_FILES([
 Makefile
 embedded-dependencies/Makefile
 doc/Makefile
+selinux/Makefile
 src/libostree/ostree-1.pc
 ])
 AC_OUTPUT
diff --git a/packaging/ostree.spec.in b/packaging/ostree.spec.in
index c2596d2c..105b0aeb 100644
--- a/packaging/ostree.spec.in
+++ b/packaging/ostree.spec.in
@@ -44,6 +44,19 @@ Requires: %{name} = %{version}-%{release}
 %description devel
 The %{name}-devel package includes the header files for the %{name} library.
+%package selinux
+Summary: SELinux policy module for %{name}
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy-base, policycoreutils
+Requires(postun): policycoreutils
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+
+%description selinux
+This package installs and sets up the SELinux policy security module for %{name}.
+
 %prep
 %setup -q -n ostree-%{version}
@@ -69,6 +82,14 @@ rm -rf $RPM_BUILD_ROOT
 %preun
 %systemd_preun ostree-remount.service
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/%{name}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ semodule -n -r %{name}
+fi
+
 %files
 %doc COPYING README.md
 %{_bindir}/ostree
@@ -91,3 +112,6 @@ rm -rf $RPM_BUILD_ROOT
 %dir %{_datadir}/gtk-doc/html/ostree
 %{_datadir}/gtk-doc/html/ostree
 %{_datadir}/gir-1.0/OSTree-1.0.gir
+
+%files selinux
+%attr(0600,root,root) %{_datadir}/selinux/packages/%{name}.pp
diff --git a/selinux/.gitignore b/selinux/.gitignore
new file mode 100644
index 00000000..cbefb9da
--- /dev/null
+++ b/selinux/.gitignore
@@ -0,0 +1,2 @@
+ostree.pp
+tmp
diff --git a/selinux/Makefile.am b/selinux/Makefile.am
new file mode 100644
index 00000000..1d69949f
--- /dev/null
+++ b/selinux/Makefile.am
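Review bot: In `%post selinux`, `semodule -n -i` installs the module with `-n` (no policy reload), so on a live SELinux system neither the new allow rules nor the file contexts for /sysroot, /ostree, /var/roothome and /var/home take effect until the next policy load, and the directories that already exist are never relabeled. The conventional scriptlet follows the install with `if /usr/sbin/selinuxenabled; then /usr/sbin/load_policy; restorecon /sysroot /ostree /media /mnt /var/roothome /var/home; fi` (non-recursive, matching the `-d`/`-l` entries in ostree.fc), and `%postun` would want the same `load_policy` after `semodule -n -r`. If `-n` is deliberate because this package is only meant to be installed during an image compose that relabels afterwards, a one-line comment above the scriptlet saying so would stop the next reader from "fixing" it. Note also that `Requires(post): selinux-policy-base` pins no version, while the `.pp` embeds a `require` block of types from whatever policy the build host had; a mismatch surfaces only as a failed scriptlet at install time.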
@@ -0,0 +1,22 @@
+# Copyright (C) 2014 Colin Walters
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+ostree.pp: ostree.fc ostree.if ostree.te
+ make -f /usr/share/selinux/devel/Makefile
+
+selinuxpkgdir = $(datadir)/selinux/packages
+selinuxpkg_DATA = ostree.pp
diff --git a/selinux/ostree.fc b/selinux/ostree.fc
new file mode 100644
index 00000000..56b9c4f8
--- /dev/null
+++ b/selinux/ostree.fc
@@ -0,0 +1,9 @@
+# Core definitions
+
+/sysroot -d gen_context(system_u:object_r:usr_t,s0)
+/ostree -d gen_context(system_u:object_r:usr_t,s0)
+/ostree -l gen_context(system_u:object_r:usr_t,s0)
+/media -l gen_context(system_u:object_r:mnt_t,s0)
+/mnt -l gen_context(system_u:object_r:mnt_t,s0)
+/var/roothome -d gen_context(system_u:object_r:admin_home_t,s0)
+/var/home -d gen_context(system_u:object_r:home_root_t,s0)
diff --git a/selinux/ostree.if b/selinux/ostree.if
new file mode 100644
index 00000000..996cee9a
--- /dev/null
+++ b/selinux/ostree.if
@@ -0,0 +1 @@
+# Empty.
diff --git a/selinux/ostree.te b/selinux/ostree.te
new file mode 100644
index 00000000..8d34940a
--- /dev/null
+++ b/selinux/ostree.te
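Review bot: The `ostree.pp` rule in selinux/Makefile.am is the only thing that references ostree.fc, ostree.if and ostree.te, and nothing lists them in `EXTRA_DIST`, so a `make dist` tarball ships without the policy sources and a tarball build of the selinux subdir fails; `ostree.pp` and the `tmp/` directory the devel Makefile leaves behind are also never cleaned. The recipe invokes bare `make` rather than `$(MAKE)`, which drops the jobserver and any flags passed to the top-level build, and `/usr/share/selinux/devel/Makefile` compiles whatever is in the current directory, so this presumably only works when srcdir equals builddir — worth a comment if out-of-tree builds are not supported. The rewritten part of the file would look like this:

```makefile
EXTRA_DIST = ostree.fc ostree.if ostree.te
CLEANFILES = ostree.pp

# Builds from the current directory: assumes srcdir == builddir.
ostree.pp: ostree.fc ostree.if ostree.te
	$(MAKE) -f /usr/share/selinux/devel/Makefile

clean-local:
	rm -rf tmp

# … unchanged: selinuxpkgdir / selinuxpkg_DATA …
```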
@@ -0,0 +1,33 @@
+policy_module(ostree, 1.3.0)
+
+require {
+ type init_t;
+ type root_t;
+ type var_log_t;
+ type games_data_t;
+ type var_yp_t;
+ type systemd_tmpfiles_t;
+ type local_login_t;
+ type admin_home_t;
+ type ldconfig_cache_t;
+ type var_t;
+ type var_run_t;
+ class lnk_file { relabelfrom relabelto read getattr };
+ class dir { relabelfrom relabelto create setattr write };
+}
+
+# init_t
+allow init_t admin_home_t:lnk_file { read getattr };
+allow init_t root_t:dir { write };
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t games_data_t:dir relabelto;
+allow systemd_tmpfiles_t var_log_t:dir create;
+allow systemd_tmpfiles_t var_run_t:lnk_file { relabelfrom relabelto };
+allow systemd_tmpfiles_t var_t:dir { create relabelfrom relabelto setattr };
+allow systemd_tmpfiles_t var_yp_t:dir relabelto;
+allow systemd_tmpfiles_t ldconfig_cache_t:dir { relabelfrom relabelto setattr };
+allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };
+
+#============= local_login_t ==============
+allow local_login_t admin_home_t:lnk_file read;
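Review bot: None of the allow rules in ostree.te records the denial it answers, and `allow init_t root_t:dir { write }` is the kind of rule a reviewer cannot evaluate without that — it lets PID 1 create and remove entries directly in the filesystem root, which is far wider than whatever ostree-specific symlink or mount point presumably triggered it. Each rule should carry the path and operation from the AVC it was generated for, e.g. `# systemd creates the /ostree -> sysroot/ostree link on first boot` above the root_t line, so that rules can be narrowed or retired once an ostree_t domain exists as the commit message anticipates. The `relabelfrom relabelto` grants on `var_t:dir` allow systemd-tmpfiles to change the label of any var_t directory, not only the ones created for the ostree layout; if the target set is known, a dedicated type or a refpolicy interface would be tighter than raw types in a `require` block. The second `allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };` is entirely subsumed by the earlier `var_t:dir { create relabelfrom relabelto setattr }` rule and can be dropped.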