From dbc6dec07098e5bf91eebfa64f0bac87065ab473 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Mon, 24 Sep 2012 11:23:25 -0400 Subject: Use the tomcat selinux domain for the Java processes --- base/selinux/src/pki.if | 289 ------------------------------------------------ base/selinux/src/pki.te | 129 +++++++++++++++------ 2 files changed, 97 insertions(+), 321 deletions(-) (limited to 'base/selinux') diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if index 4272bd0c5..5264271eb 100644 --- a/base/selinux/src/pki.if +++ b/base/selinux/src/pki.if 
@@ -1,295 +1,6 @@ ## policy for pki -######################################## -## -## Create a set of derived types for apache -## web content. -## -## -## -## The prefix to be used for deriving type names. -## -## -# -template(`pki_tomcat_template',` - gen_require(` - attribute pki_tomcat_process; - attribute pki_tomcat_config, pki_tomcat_var_lib, pki_tomcat_var_run; - attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log; - type pki_tomcat_tomcat_exec_t; - type tomcat_exec_t; - type rpm_var_lib_t; - type rpm_exec_t; - type setfiles_t; - type load_policy_t; - type mxi_port_t; - type http_cache_port_t; - type http_port_t; - type dns_port_t; - ') - ######################################## - # - # Declarations - # - - type $1_t, pki_tomcat_process; - type $1_exec_t, pki_tomcat_executable; - domain_type($1_t) - init_daemon_domain($1_t, $1_exec_t) - - type $1_script_t; - domain_type($1_script_t) - gen_require(` - type java_exec_t; - type initrc_t; - ') - domtrans_pattern($1_script_t, java_exec_t, $1_t) - - role system_r types $1_script_t; - allow $1_t java_exec_t:file entrypoint; - allow initrc_t $1_script_t:process transition; - - type $1_etc_rw_t, pki_tomcat_config; - files_type($1_etc_rw_t) - - type $1_var_run_t, pki_tomcat_var_run; - files_pid_file($1_var_run_t) - - type $1_var_lib_t, pki_tomcat_var_lib; - files_type($1_var_lib_t) - - type $1_log_t, pki_tomcat_var_log; - logging_log_file($1_log_t) - - ######################################## - # - # $1 local policy - # - - # Execstack/execmem caused by java app. - allow $1_t self:process { execstack execmem getsched setsched signal}; - allow initrc_t self:process execstack; - - ## internal communication is often done using fifo and unix sockets. 
- allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:process signull; - - ## ports (these will be in the tomcat domain) - allow $1_t mxi_port_t : tcp_socket { name_bind name_connect }; - allow $1_t http_cache_port_t : tcp_socket name_bind; - allow $1_t http_port_t : tcp_socket { name_bind name_connect }; - allow $1_t dns_port_t : tcp_socket { recv_msg send_msg name_connect }; - - # use rpm to look at velocity version in dtomcat-foo - allow $1_t rpm_exec_t:file exec_file_perms; - - corenet_all_recvfrom_unlabeled($1_t) - corenet_tcp_sendrecv_all_if($1_t) - corenet_tcp_sendrecv_all_nodes($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - - corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_ocsp_port($1_t) - corenet_tcp_connect_ocsp_port($1_t) - corenet_tcp_connect_generic_port($1_t) - - # for file signing - corenet_tcp_connect_http_port($1_t) - - # This is for /etc/$1/tomcat.conf: - can_exec($1_t, $1_tomcat_exec_t) - allow $1_t $1_tomcat_exec_t:file {getattr read}; - - #installation requires this for access to /var/lib/tomcat5/common/lib/jdtcore.jar - rpm_read_db($1_t) - - # Init script handling - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - - manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) - manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) - files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) - - # start/stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd - allow setfiles_t $1_etc_rw_t:file read; - - manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t,$1_var_run_t, { file dir }) - - manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) - manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) - read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) - files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) - allow $1_t 
rpm_var_lib_t:lnk_file { read getattr }; - - manage_dirs_pattern($1_t, $1_log_t, $1_log_t) - manage_files_pattern($1_t, $1_log_t, $1_log_t) - logging_log_filetrans($1_t, $1_log_t, { file dir } ) - - corecmd_exec_bin($1_t) - corecmd_read_bin_symlinks($1_t) - corecmd_exec_shell($1_t) - corecmd_search_bin($1_t) - - dev_list_sysfs($1_t) - dev_read_sysfs($1_t) - dev_read_rand($1_t) - dev_read_urand($1_t) - - # Java is looking in /tmp for some reason...: - files_manage_generic_tmp_dirs($1_t) - files_manage_generic_tmp_files($1_t) - files_read_usr_files($1_t) - files_read_usr_symlinks($1_t) - # These are used to read tomcat class files in /var/lib/tomcat - files_read_var_lib_files($1_t) - files_read_var_lib_symlinks($1_t) - - #needed in tps key archival in kra - files_list_var($1_t) - - kernel_read_network_state($1_t) - kernel_read_system_state($1_t) - kernel_search_network_state($1_t) - kernel_signull_unlabeled($1_t) - - auth_use_nsswitch($1_t) - - init_dontaudit_write_utmp($1_t) - - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - - miscfiles_read_localization($1_t) - miscfiles_read_hwdata($1_t) - miscfiles_manage_generic_cert_dirs($1_t) - miscfiles_manage_generic_cert_files($1_t) - - logging_send_syslog_msg($1_t) - - ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys($1_t) - term_dontaudit_use_generic_ptys($1_t) - ') - - # allow java subsystems to talk to the ncipher hsm - allow $1_t pki_common_dev_t:sock_file write; - allow $1_t pki_common_dev_t:dir search; - allow $1_t pki_common_t:dir create_dir_perms; - manage_files_pattern($1_t, pki_common_t, pki_common_t) - can_exec($1_t, pki_common_t) - init_stream_connect_script($1_t) - - #allow java subsystems to talk to lunasa hsm - - #allow sending mail - corenet_tcp_connect_smtp_port($1_t) - - # allow rpm -q in init scripts - rpm_exec($1_t) - - # allow writing to the kernel keyring - allow $1_t self:key { write read }; - - #reverse proxy - corenet_tcp_connect_dogtag_port($1_t) - - #connect to ldap - 
corenet_tcp_connect_ldap_port($1_t) - - # tomcat connects to ephemeral ports on shutdown - corenet_tcp_connect_all_unreserved_ports($1_t) - - # new tomcat perms for dogtag 10 - allow $1_t pki_tomcat_var_run_t:lnk_file read; - can_exec($1_t, tomcat_exec_t) - consoletype_exec($1_t) - fs_getattr_xattr_fs($1_t) - fs_read_hugetlbfs_files($1_t) - hostname_exec($1_t) - allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override }; - allow $1_t self:netlink_audit_socket { nlmsg_relay create write read}; - kernel_read_kernel_sysctls($1_t) - selinux_get_enforce_mode($1_t) - dirsrv_manage_var_lib($1_t) - tomcat_search_cache($1_t) - - # write to /var/log/pki for spawn and destroy - allow $1_t pki_log_t:dir {getattr search}; - allow load_policy_t pki_log_t:file write; - allow setfiles_t pki_log_t:file write; - - optional_policy(` - #This is broken in selinux-policy we need java_exec defined, Will add to policy - gen_require(` - type java_exec_t; - ') - can_exec($1_t, java_exec_t) - ') - - optional_policy(` - unconfined_domain($1_script_t) - ') -') - -######################################## -## -## All of the rules required to administrate -## an pki_tomcat environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -## -## The type of the user terminal. 
-## -## -## -# -interface(`pki_tomcat_admin',` - gen_require(` - type pki_tomcat_tomcat_exec_t; - attribute pki_tomcat_process; - attribute pki_tomcat_config; - attribute pki_tomcat_executable; - attribute pki_tomcat_var_lib; - attribute pki_tomcat_var_log; - attribute pki_tomcat_var_run; - attribute pki_tomcat_pidfiles; - attribute pki_tomcat_script; - ') - - allow $1 pki_tomcat_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_tomcat_t) - - # Allow pki_tomcat_t to restart the service - pki_tomcat_script_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pki_tomcat_script system_r; - allow $2 system_r; - - manage_all_pattern($1, pki_tomcat_config) - manage_all_pattern($1, pki_tomcat_var_run) - manage_all_pattern($1, pki_tomcat_var_lib) - manage_all_pattern($1, pki_tomcat_var_log) - manage_all_pattern($1, pki_tomcat_config) - manage_all_pattern($1, pki_tomcat_tomcat_exec_t) -') - ######################################## ## ## Execute pki_ra server in the pki_ra domain. diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te index cce797d7e..a13344338 100644 --- a/base/selinux/src/pki.te +++ b/base/selinux/src/pki.te @@ -1,13 +1,4 @@ -policy_module(pki,10.0.6) - -attribute pki_tomcat_config; -attribute pki_tomcat_executable; -attribute pki_tomcat_var_lib; -attribute pki_tomcat_var_log; -attribute pki_tomcat_var_run; -attribute pki_tomcat_pidfiles; -attribute pki_tomcat_script; -attribute pki_tomcat_process; +policy_module(pki,10.0.10) type pki_log_t; files_type(pki_log_t) 
@@ -18,10 +9,75 @@ files_type(pki_common_t) type pki_common_dev_t; files_type(pki_common_dev_t) -type pki_tomcat_tomcat_exec_t; -files_type(pki_tomcat_tomcat_exec_t) +type pki_tomcat_etc_rw_t; +files_type(pki_tomcat_etc_rw_t) + +tomcat_domain_template(pki_tomcat) + +permissive pki_tomcat_t; + +type pki_tomcat_lock_t; +files_lock_file(pki_tomcat_lock_t) + +require { + type pki_tomcat_var_lib_t; + type pki_tomcat_t; + type pki_tomcat_var_run_t; + type pki_tomcat_log_t; + type systemd_unit_file_t; +} + +allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice}; +allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create }; + +allow pki_tomcat_t self:key write; +allow pki_tomcat_t self:process { signal setsched signull execmem }; +allow pki_tomcat_t self:tcp_socket { accept listen }; +allow pki_tomcat_t self:unix_dgram_socket { create connect }; +allow pki_tomcat_t self:process signal; + +# allow writing to the kernel keyring +allow pki_tomcat_t self:key { write read }; + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) +manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) +files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file }) + +# allow java subsystems to talk to the ncipher hsm +allow pki_tomcat_t pki_common_dev_t:sock_file write; +allow pki_tomcat_t pki_common_dev_t:dir search; +allow pki_tomcat_t pki_common_t:dir create_dir_perms; +manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t) +can_exec(pki_tomcat_t, pki_common_t) +init_stream_connect_script(pki_tomcat_t) + +# init script checks and fixes links if needed +allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { read getattr setattr }; +allow pki_tomcat_t 
pki_tomcat_var_run_t:lnk_file { create getattr setattr }; +allow pki_tomcat_t self:capability sys_nice; +allow pki_tomcat_t systemd_unit_file_t:lnk_file { read getattr setattr }; +allow pki_tomcat_t systemd_unit_file_t:dir getattr; +allow pki_tomcat_t systemd_unit_file_t:file getattr; -pki_tomcat_template(pki_tomcat) +allow pki_tomcat_t pki_log_t:dir getattr; +allow pki_tomcat_t pki_log_t:dir search; + +kernel_read_kernel_sysctls(pki_tomcat_t) + +corenet_tcp_connect_http_cache_port(pki_tomcat_t) +corenet_tcp_connect_ldap_port(pki_tomcat_t) +corenet_tcp_connect_smtp_port(pki_tomcat_t) + +selinux_get_enforce_mode(pki_tomcat_t) + +logging_send_audit_msgs(pki_tomcat_t) +logging_send_syslog_msg(pki_tomcat_t) + +miscfiles_read_hwdata(pki_tomcat_t) # forward proxy # need to define ports to fix this @@ -32,6 +88,13 @@ allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink }; # for ECC auth_getattr_shadow(pki_tomcat_t) +optional_policy(` + consoletype_exec(pki_tomcat_t) +') + +optional_policy(` + hostname_exec(pki_tomcat_t) +') # old type aliases for migration typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t }; 
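Review bot: `permissive pki_tomcat_t;` makes every rule that follows in this hunk advisory: with the domain permissive, denials against pki_tomcat_t are only logged, so the CA/KRA/OCSP/TKS Java processes are effectively unconfined by this module until that line is removed. If it is a transitional aid while the new tomcat-derived domain is tuned, it should say so and be tracked for removal, e.g. `# TODO: permissive while the tomcat_domain_template rules are tuned; remove before release`. Several rules are also redundant and could be dropped for clarity: `allow pki_tomcat_t self:capability sys_nice;` and the second `allow pki_tomcat_t self:process signal;` repeat permissions granted a few lines above, and `allow pki_tomcat_t self:key write;` is subsumed by the later `{ write read }`. The `setattr` on `systemd_unit_file_t:lnk_file`, justified only by the "init script checks and fixes links" comment, lets the tomcat domain alter unit-file symlinks; it is worth confirming that is really required rather than limiting the link fix-up to the pki var_lib/var_run types. The `require { … type systemd_unit_file_t; }` block is unconditional, which presumably makes the module fail to load where the systemd policy types are absent, so the systemd rules would be safer inside an `optional_policy` wrapper like the consoletype/hostname ones added in the next hunk.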
@@ -40,22 +103,10 @@ typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_oc typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t }; typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; # typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t }; -attribute pki_ra_config; -attribute pki_ra_executable; -attribute pki_ra_var_lib; -attribute pki_ra_var_log; -attribute pki_ra_var_run; -attribute pki_ra_pidfiles; -attribute pki_ra_script; -attribute pki_ra_process; - -type pki_ra_tomcat_exec_t; -files_type(pki_ra_tomcat_exec_t) - -pki_ra_template(pki_ra) -# needed for token enrollment, list /var/cache/tomcat5/temp -files_list_var(pki_tomcat_t) +########################## +# TPS policy +########################## attribute pki_tps_config; attribute pki_tps_executable; @@ -81,6 +132,7 @@ can_exec(pki_tps_t, httpd_suexec_exec_t) apache_exec_modules(pki_tps_t) apache_list_modules(pki_tps_t) apache_read_config(pki_tps_t) +apache_exec(pki_tps_t) allow pki_tps_t lib_t:file execute_no_trans; @@ -166,9 +218,23 @@ rpm_exec(pki_tps_t) # allow writing to the kernel keyring allow pki_tps_t self:key { write read }; -# new for f14 -apache_exec(pki_tps_t) +########################## +# RA policy +######################### + +attribute pki_ra_config; +attribute pki_ra_executable; +attribute pki_ra_var_lib; +attribute pki_ra_var_log; +attribute pki_ra_var_run; +attribute pki_ra_pidfiles; +attribute pki_ra_script; +attribute pki_ra_process; +type pki_ra_tomcat_exec_t; +files_type(pki_ra_tomcat_exec_t) + +pki_ra_template(pki_ra) # start up httpd in pki_ra_t mode allow pki_ra_t httpd_config_t:file { read getattr execute }; allow pki_ra_t httpd_exec_t:file entrypoint; 
@@ -179,6 +245,7 @@ allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute }; apache_read_config(pki_ra_t) apache_exec_modules(pki_ra_t) apache_list_modules(pki_ra_t) +apache_exec(pki_ra_t) allow pki_ra_t lib_t:file execute_no_trans; @@ -263,5 +330,3 @@ rpm_exec(pki_ra_t) # allow writing to the kernel keyring allow pki_ra_t self:key { write read }; -# new for f14 -apache_exec(pki_ra_t) -- cgit