Below you will find instructions on how to install a bare SELinux policy for Cobbler. Feedback in the form of AVC denials would be appreciated so that we can perfect this bare policy.<br><br>This version of the policy is far from perfect, but it is in my view a solid start. I have installed this policy and was able to start cobblerd in its proper security domain. I have not actually tried to use Cobbler. Also, there is no policy yet for executable files other than /usr/bin/cobblerd. <br>
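Instructions:

# Build and install a bare SELinux policy module for Cobbler, relabel the
# files it covers, and run the daemon permissively while collecting AVC
# denials.  Run as root.  The "undo" section at the end reverses every step.

# Stop if the working directory cannot be created or entered, so the module
# sources are not written into whatever directory we happened to be in.
mkdir -p ~/cobbler && cd ~/cobbler || exit 1

# The type-enforcement file.  A quoted heredoc is used instead of
# echo """...""": that form is an ordinary double-quoted string, so the m4
# backtick that opens optional_policy(` starts a command substitution that
# is never closed and the shell refuses the command.  The heredoc keeps every
# byte literal.
cat <<'COBBLER_TE' > cobbler.te
policy_module(cobbler, 0.0.1)

# Personal declarations

type cobbler_config_t;
files_config_file(cobbler_config_t)

type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)

type cobbler_exec_t;
application_executable_file(cobbler_exec_t)

type cobbler_ext_nodes_exec_t;
application_executable_file(cobbler_ext_nodes_exec_t)

type cobblerd_exec_t;
application_executable_file(cobblerd_exec_t)

type cobbler_var_lib_t;
files_type(cobbler_var_lib_t)

type cobbler_log_t;
logging_log_file(cobbler_log_t)

# The daemon's process domain; init_daemon_domain() gives the
# init -> cobblerd_t transition on execution of cobblerd_exec_t.
type cobblerd_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)

# Declared for a future dedicated port; no rule uses it yet (see the
# commented name_bind lines below).
type cobbler_port_t;
corenet_port(cobbler_port_t)

# Personal policy

allow cobblerd_t self:capability { sys_nice chown dac_override fowner };
allow cobblerd_t self:fifo_file { read write getattr };
allow cobblerd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow cobblerd_t self:process { setsched getsched };
allow cobblerd_t self:tcp_socket { getattr setopt bind create accept listen };
allow cobblerd_t self:udp_socket { read bind create };

allow cobblerd_t cobbler_config_t:dir search;
allow cobblerd_t cobbler_config_t:file { read getattr };

allow cobblerd_t cobbler_exec_t:file getattr;

manage_files_pattern(cobblerd_t, cobbler_log_t, cobbler_log_t)
logging_log_filetrans(cobblerd_t, cobbler_log_t, { file })

# files_search_var_lib(cobblerd_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { file })

corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)

corecmd_read_bin_symlinks(cobblerd_t)

corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_all_recvfrom_netlabel(cobblerd_t)

corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_all_nodes(cobblerd_t)
corenet_tcp_sendrecv_all_ports(cobblerd_t)

# Until cobbler_port_t is wired up, the daemon binds a generic port:
# allow cobblerd_t cobbler_port_t:tcp_socket name_bind;
corenet_tcp_bind_generic_port(cobblerd_t)
corenet_tcp_bind_all_nodes(cobblerd_t)

corenet_udp_sendrecv_generic_if(cobblerd_t)
corenet_udp_sendrecv_all_nodes(cobblerd_t)
corenet_udp_sendrecv_all_ports(cobblerd_t)

# allow cobblerd_t cobbler_port_t:udp_socket name_bind;
corenet_udp_bind_generic_port(cobblerd_t)
corenet_udp_bind_all_nodes(cobblerd_t)

dev_read_urand(cobblerd_t)

files_list_tmp(cobblerd_t)

files_read_etc_files(cobblerd_t)

files_read_usr_symlinks(cobblerd_t)
files_search_usr(cobblerd_t)

kernel_read_system_state(cobblerd_t)

libs_use_ld_so(cobblerd_t)
libs_use_shared_libs(cobblerd_t)

miscfiles_read_localization(cobblerd_t)

sysnet_read_config(cobblerd_t)

# Defines httpd_cobbler_script_exec_t, which the .fc file below relies on.
apache_content_template(cobbler)

# rpm_domtrans() is provided by the rpm module, which need not be loaded on
# every system; wrapping it keeps this module loadable either way.
optional_policy(`
        rpm_domtrans(cobblerd_t)
')

optional_policy(`
        dbus_system_bus_client_template(cobblerd, cobblerd_t)
        dbus_connect_system_bus(cobblerd_t)
        dbus_system_domain(cobblerd_t, cobblerd_exec_t)
')

#EOF
COBBLER_TE

# The file-context file, written the same way.
cat <<'COBBLER_FC' > cobbler.fc
# File contexts

/etc/cobbler(/.*)?                              gen_context(system_u:object_r:cobbler_config_t, s0)

/etc/rc\.d/init\.d/cobblerd             --    gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)

/usr/bin/cobbler                        --    gen_context(system_u:object_r:cobbler_exec_t, s0)
/usr/bin/cobbler-ext-nodes              --    gen_context(system_u:object_r:cobbler_ext_nodes_exec_t, s0)
/usr/bin/cobblerd                       --    gen_context(system_u:object_r:cobblerd_exec_t, s0)

/var/lib/cobbler(/.*)?                          gen_context(system_u:object_r:cobbler_var_lib_t, s0)

/var/log/cobbler(/.*)?                          gen_context(system_u:object_r:cobbler_log_t, s0)

/var/www/cobbler/svc/services.py        --    gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
/var/www/cobbler/web/index.py           --    gen_context(system_u:object_r:httpd_cobbler_script_exec_t, s0)
COBBLER_FC

# Compile cobbler.te + cobbler.fc into cobbler.pp and load it.
make -f /usr/share/selinux/devel/Makefile
semodule -i cobbler.pp

# Relabel exactly the paths the .fc file covers.  The init script is listed
# there as /etc/rc.d/init.d/cobblerd, so it is relabeled under that path
# rather than through the /etc/init.d symlink.
restorecon -R -v /etc/cobbler
restorecon -R -v /etc/rc.d/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler

# The process domain declared in cobbler.te is cobblerd_t (no cobbler_t
# exists), so that is the domain to make permissive while collecting
# denials; otherwise the bare policy runs enforcing and blocks the daemon.
semanage permissive -a cobblerd_t

service cobblerd start

# (start testing)

# Collect the denials to report.
ausearch -m avc -ts today

# To remove / undo:

service cobblerd stop
semanage permissive -d cobblerd_t
semodule -r cobbler
# With the module gone, restorecon returns the files to the default labels.
restorecon -R -v /etc/cobbler
restorecon -R -v /etc/rc.d/init.d/cobblerd
restorecon -R -v /usr/bin/cobblerd
restorecon -R -v /usr/bin/cobbler
restorecon -R -v /usr/bin/cobbler-ext-nodes
restorecon -R -v /var/lib/cobbler
restorecon -R -v /var/log/cobbler
restorecon -R -v /var/www/cobbler

Questions and comments are welcome.
Thanks in advance for your feedback.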
<br>Dominick Grift<br><br><br><br>