AimeeOS
/
home-assistant-yellow
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Begin custom SELinux policy module 

The *aimee-os* SELinux policy module provides rules that are specific to
our custom commands and system configuration.  These rules are not
suitable for including in the upstream policy, so we include them in a
separate package rather than patches to the base policy.

Currently, the policy module includes rules to allow the `init-storage`
and `system-update` programs to work.  It also includes rules to allow
SSH host keys to be stored in `/var/lib/ssh` instead of `/etc/ssh`,
since our `/etc` is immutable.
master
Dustin 2023-03-09 09:57:43 -06:00
parent 5939fb525c
commit ff5f8b5c3b
7 changed files with 225 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
install.packages
View File

@ -1,5 +1,6 @@
net-misc/openssh net-misc/openssh
net-misc/wget net-misc/wget
sec-policy/selinux-aimee-os
sys-apps/busybox sys-apps/busybox
sys-apps/systemd sys-apps/systemd
sys-fs/btrfs-progs sys-fs/btrfs-progs

1
portage/repos/aimee-os/metadata/layout.conf
View File

@ -1 +1,2 @@
masters = gentoo masters = gentoo
thin-manifests = true

2
portage/repos/aimee-os/sec-policy/selinux-aimee-os/Manifest Normal file
View File

@ -0,0 +1,2 @@
DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6

6
portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.fc Normal file
View File

@ -0,0 +1,6 @@
/usr/libexec/init-storage -- gen_context(system_u:object_r:aimee_storinit_exec_t,s0)
/usr/bin/system-update -- gen_context(system_u:object_r:aimee_sysupdate_exec_t,s0)
/var/run/storinit(/.*)? gen_context(system_u:object_r:aimee_storinit_runtime_t,s0)
/var/lib/ssh/.*_key.* -- gen_context(system_u:object_r:sshd_key_t,s0)

47
portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.if Normal file
View File

@ -0,0 +1,47 @@
## <summary>Policy for Aimee OS utilities.</summary>
########################################
## <summary>
## Execute system-update in the aimee_sysupdate_t
## domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`aimee_os_system_update_domtrans',`
gen_require(`
type aimee_sysupdate_t, aimee_sysupdate_exec_t;
')
domtrans_pattern($1, aimee_sysupdate_exec_t, aimee_sysupdate_t)
')
########################################
## <summary>
## Execute system-update in the aimee_sysupdate_t
## domain, and allow the specified role the
## aimee_sysupdate_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`aimee_os_run_system_update',`
gen_require(`
type aimee_sysupdate_t;
')
aimee_os_system_update_domtrans($1)
role $2 types aimee_sysupdate_t;
')

154
portage/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te Normal file
View File

@ -0,0 +1,154 @@
policy_module(aimee-os, 1.0)
########################################
#
# Declarations
#
type aimee_storinit_t;
type aimee_storinit_exec_t;
init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)
type aimee_storinit_runtime_t;
files_runtime_file(aimee_storinit_runtime_t)
type aimee_sysupdate_t;
type aimee_sysupdate_exec_t;
userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)
type aimee_sysupdate_tmp_t;
files_tmp_file(aimee_sysupdate_tmp_t)
########################################
#
# init-storage local policy
#
allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
allow aimee_storinit_t self:capability { chown fsetid sys_admin };
manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)
corecmd_exec_bin(aimee_storinit_t)
storage_raw_read_fixed_disk(aimee_storinit_t)
fstools_domtrans(aimee_storinit_t)
mount_exec(aimee_storinit_t)
miscfiles_read_localization(aimee_storinit_t)
mount_list_runtime(aimee_storinit_t)
dev_read_sysfs(aimee_storinit_t)
kernel_search_debugfs(aimee_storinit_t)
kernel_list_unlabeled(aimee_storinit_t)
fs_getattr_all_fs(aimee_storinit_t)
fs_mount_all_fs(aimee_storinit_t)
fs_unmount_all_fs(aimee_storinit_t)
allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;
gen_require(`
type mount_runtime_t;
')
dontaudit aimee_storinit_t mount_runtime_t:dir write;
files_manage_var_dirs(aimee_storinit_t)
files_manage_var_files(aimee_storinit_t)
files_manage_var_symlinks(aimee_storinit_t)
gen_require(`
type var_lib_t, var_lock_t, var_run_t;
type semanage_store_t;
type semanage_read_lock_t, semanage_trans_lock_t;
type system_dbusd_var_lib_t;
type init_var_lib_t;
type auditd_log_t;
type tmp_t;
attribute logfile;
')
manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
manage_files_pattern(aimee_storinit_t, logfile, logfile)
manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
########################################
#
# system-update local policy
#
allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;
files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")
domain_use_interactive_fds(aimee_sysupdate_t)
userdom_use_inherited_user_terminals(aimee_sysupdate_t)
corecmd_exec_bin(aimee_sysupdate_t)
selinux_get_fs_mount(aimee_sysupdate_t)
seutil_read_config(aimee_sysupdate_t)
userdom_search_user_home_dirs(aimee_sysupdate_t)
kernel_read_system_state(aimee_sysupdate_t)
fstools_exec(aimee_sysupdate_t)
fstools_manage_runtime_files(aimee_sysupdate_t)
miscfiles_read_localization(aimee_sysupdate_t)
storage_raw_rw_fixed_disk(aimee_sysupdate_t)
dev_read_sysfs(aimee_sysupdate_t)
files_read_etc_files(aimee_sysupdate_t)
systemd_read_resolved_runtime(aimee_sysupdate_t)
systemd_stream_connect_resolved(aimee_sysupdate_t)
corenet_tcp_connect_http_port(aimee_sysupdate_t)
corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
files_manage_non_security_dirs(aimee_sysupdate_t)
files_manage_non_security_files(aimee_sysupdate_t)
mount_exec(aimee_sysupdate_t)
mount_list_runtime(aimee_sysupdate_t)
fs_getattr_all_fs(aimee_sysupdate_t)
fs_mount_all_fs(aimee_sysupdate_t)
fs_unmount_all_fs(aimee_sysupdate_t)
dbus_system_bus_client(aimee_sysupdate_t)
systemd_dbus_chat_logind(aimee_sysupdate_t)
logging_send_syslog_msg(aimee_sysupdate_t)
files_mounton_non_security(aimee_sysupdate_t)
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_system_update(sysadm_t, sysadm_r)
########################################
#
# Additional policy rules for Aimee OS-specific behavior
#
# Allow ssh-keygen to create host key files in /var/lib/ssh
gen_require(`
type ssh_keygen_t;
type sshd_key_t, var_lib_t;
')
allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)

14
portage/repos/aimee-os/sec-policy/selinux-aimee-os/selinux-aimee-os-2.20221101-r3.ebuild Normal file
View File

@ -0,0 +1,14 @@
# Copyright 2023 Dustin C. Hatch
# Distributed under the terms of the GNU General Public License v2
EAPI=7
IUSE=""
MODS="aimee-os"
POLICY_FILES="aimee-os.te aimee-os.fc aimee-os.if"
inherit selinux-policy-2
DESCRIPTION="SELinux policy for AimeeOS"
KEYWORDS="~amd64 ~arm ~arm64 ~x86"