# SELinux reference-policy module for OpenShift (gears, init helper, cgroup reader).
policy_module(openshift,1.0.0)

# system_r is referenced below by cron_role() and by the role statement for openshift_cgroup_read_t.
gen_require(`
	role system_r;
')
 
########################################
#
# Declarations
#

# openshift applications that can use the network.
attribute openshift_net_domain;
# Attribute representing all openshift user processes (excludes apache processes)
attribute openshift_user_domain;
# Attribute representing all openshift processes
attribute openshift_domain;

# Attribute for all openshift content
attribute openshift_file_type;

# Type of openshift init script
type openshift_initrc_t;
type openshift_initrc_exec_t;
init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
# Runs over the whole MCS range (s0 - mcs_systemhigh) so it can set up gears in any category.
init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
# Exempt from the constraint that forbids changing the SELinux user/role of objects it creates.
domain_obj_id_change_exemption(openshift_initrc_t)
optional_policy(`
	# Same ranged entry via oddjob when the oddjob module is present.
	oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
')


type openshift_initrc_tmp_t;
files_tmp_file(openshift_initrc_tmp_t)

type openshift_tmpfs_t;
files_tmpfs_file(openshift_tmpfs_t)

# Gear tmp: openshift content, polyinstantiated (files_poly/files_poly_parent) and usable as a mountpoint.
type openshift_tmp_t, openshift_file_type;
files_tmp_file(openshift_tmp_t)
files_mountpoint(openshift_tmp_t)
files_poly(openshift_tmp_t)
files_poly_parent(openshift_tmp_t)

type openshift_var_run_t;
files_pid_file(openshift_var_run_t)

# Gear state under /var/lib: openshift content, polyinstantiated, may be a mountpoint.
type openshift_var_lib_t, openshift_file_type;
files_poly(openshift_var_lib_t)
files_poly_parent(openshift_var_lib_t)
files_mountpoint(openshift_var_lib_t)

# Writable openshift content; the only openshift_file_type that plain openshift_domain may manage (see below).
type openshift_rw_file_t, openshift_file_type;
files_poly(openshift_rw_file_t)
files_poly_parent(openshift_rw_file_t)

type openshift_log_t;
logging_log_file(openshift_log_t)

# Port type for openshift services; declared as a reserved port.
type openshift_port_t;
corenet_port(openshift_port_t)
corenet_reserved_port(openshift_port_t)

# Helper application domain that reads cgroup data on behalf of openshift domains (policy near the end of the file).
type openshift_cgroup_read_t;
type openshift_cgroup_read_exec_t;
application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)

########################################
#
# Template to create openshift_t and openshift_app_t
#

openshift_service_domain_template(openshift)

########################################
#
# openshift initrc local policy
#
# NOTE(review): openshift_initrc_t is unconfined (noaudit variant), i.e. effectively outside MAC
# confinement. Every transition into it (init, oddjob, the apache CGI domtrans further below) is
# therefore a privilege boundary; keep the set of files labeled openshift_initrc_exec_t minimal.
unconfined_domain_noaudit(openshift_initrc_t)
# May choose the MCS categories of the processes it spawns (per-gear isolation).
mcs_process_set_categories(openshift_initrc_t)

systemd_dbus_chat_logind(openshift_initrc_t)

manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })

manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })

manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })

# Lifecycle: initrc may transition into, inspect, reschedule and signal any openshift domain.
allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
# Reverse direction is limited to inherited fds/fifos and SIGCHLD; other attempts are only silenced.
allow openshift_domain openshift_initrc_t:fd use;
allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
allow openshift_domain openshift_initrc_t:process sigchld;
dontaudit openshift_domain openshift_initrc_t:key view;
dontaudit openshift_domain openshift_initrc_t:process signull;
dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };

#######################################################
#
# Policy for all openshift domains
#
# Rules shared by every type carrying the openshift_domain attribute.
# Self: full process permissions plus SysV IPC (msg/msgq/shm/sem).
allow openshift_domain self:process all_process_perms;
allow openshift_domain self:msg all_msg_perms;
allow openshift_domain self:msgq create_msgq_perms;
allow openshift_domain self:shm create_shm_perms;
allow openshift_domain self:sem create_sem_perms;
dontaudit openshift_domain self:dir write;

# Sockets: TCP and unix stream/dgram are granted; netlink tcpdiag and netlink audit
# are only dontaudit'ed (denial suppressed, nothing granted).
dontaudit openshift_domain self:netlink_tcpdiag_socket create;
allow openshift_domain self:tcp_socket  create_stream_socket_perms;
allow openshift_domain self:fifo_file manage_fifo_file_perms;
allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };

# openshift_rw_file_t is the writable content type: fully managed and relabelable by any openshift domain.
manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };

# All other openshift content (openshift_file_type): read/list/exec only for the generic attribute;
# write access to openshift_file_type is granted to openshift_user_domain further below.
list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
# execmod permits executing a file mapping after it was modified (e.g. text relocations);
# together with can_exec/entrypoint/execute_no_trans this lets gear content run in the
# caller's domain with no transition, so openshift_file_type is effectively executable content.
allow openshift_domain openshift_file_type:file execmod;
can_exec(openshift_domain, openshift_file_type)
allow openshift_domain openshift_file_type:file entrypoint;
# Allow openshift domains to execute openshift content (e.g. files in a gear's home dir)
allow openshift_domain openshift_file_type:file { execute execute_no_trans };

# Dontaudit openshift domains trying to search other openshift domains' directories;
# this happens only when users are probing the system.
dontaudit openshift_domain openshift_file_type:dir search_dir_perms
;

# Private tmpfs content, also executable.
manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
can_exec(openshift_domain, openshift_tmpfs_t)

manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };

# Logs: append-only (no read/write/create) for gear processes.
allow openshift_domain openshift_log_t:file { getattr append lock ioctl };

#lsof
allow openshift_domain openshift_initrc_t:tcp_socket getattr;

dontaudit openshift_domain openshift_initrc_tmp_t:file append;
dontaudit openshift_domain openshift_var_run_t:file append;
dontaudit openshift_domain openshift_file_type:sock_file execute;

kernel_read_network_state(openshift_domain)
kernel_dontaudit_list_all_proc(openshift_domain)
kernel_dontaudit_list_all_sysctls(openshift_domain)
kernel_dontaudit_request_load_module(openshift_domain)
kernel_get_sysvipc_info(openshift_domain)

# Any executable on the system may be run; SELinux does not restrict which binaries a gear launches.
corecmd_shell_entry_type(openshift_domain)
corecmd_bin_entry_type(openshift_domain)
corecmd_exec_all_executables(openshift_domain)

dev_read_sysfs(openshift_domain)
dev_read_rand(openshift_domain)
dev_read_urand(openshift_domain)
dev_dontaudit_append_rand(openshift_domain)
dev_dontaudit_write_urand(openshift_domain)
dev_dontaudit_getattr_all_blk_files(openshift_domain)
dev_dontaudit_getattr_all_chr_files(openshift_domain)

domain_use_interactive_fds(openshift_domain)
domain_dontaudit_read_all_domains_state(openshift_domain)

files_read_var_lib_symlinks(openshift_domain)

fs_rw_hugetlbfs_files(openshift_domain)
fs_rw_anon_inodefs_files(openshift_domain)
fs_search_tmpfs(openshift_domain)
fs_getattr_all_fs(openshift_domain)
fs_dontaudit_getattr_all_fs(openshift_domain)
fs_list_inotifyfs(openshift_domain)
fs_dontaudit_list_auto_mountpoints(openshift_domain)
fs_dontaudit_list_tmpfs(openshift_domain)
storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
storage_getattr_fixed_disk_dev(openshift_domain)
fs_get_xattr_fs_quotas(openshift_domain)
fs_rw_inherited_tmpfs_files(openshift_domain)
fs_dontaudit_rw_anon_inodefs_files(openshift_domain)

# file_type covers every file type on the system; this is a dontaudit, so it only silences
# directory-read denials from probing gears and grants nothing.
dontaudit openshift_domain file_type:dir read;
files_dontaudit_list_home(openshift_domain)
files_dontaudit_search_all_pids(openshift_domain)
files_dontaudit_getattr_all_dirs(openshift_domain)
files_dontaudit_getattr_all_files(openshift_domain)
files_dontaudit_list_mnt(openshift_domain)
files_dontaudit_list_var(openshift_domain)
files_dontaudit_getattr_lost_found_dirs(openshift_domain)
files_dontaudit_search_all_mountpoints(openshift_domain)
files_dontaudit_search_spool(openshift_domain)
files_dontaudit_search_all_dirs(openshift_domain)
files_exec_etc_files(openshift_domain)
files_exec_usr_files(openshift_domain)
files_dontaudit_getattr_non_security_sockets(openshift_domain)
files_dontaudit_setattr_non_security_dirs(openshift_domain)
files_dontaudit_setattr_non_security_files(openshift_domain)

libs_exec_lib_files(openshift_domain)
libs_exec_ld_so(openshift_domain)

selinux_validate_context(openshift_domain)

# Append to log fds inherited from the parent (no direct open of arbitrary logs).
logging_inherit_append_all_logs(openshift_domain)

init_dontaudit_read_utmp(openshift_domain)

miscfiles_read_fonts(openshift_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)

mta_dontaudit_read_spool_symlinks(openshift_domain)

term_dontaudit_search_ptys(openshift_domain)
term_use_generic_ptys(openshift_domain)
term_use_ptmx(openshift_domain)

userdom_use_inherited_user_ptys(openshift_domain)
userdom_dontaudit_search_admin_dir(openshift_domain)

application_exec(openshift_domain)

# Integrations that apply only when the corresponding module is loaded.
optional_policy(`
	# Gears may exec/list apache modules and read apache config and system content.
	apache_exec_modules(openshift_domain)
	apache_list_modules(openshift_domain)
	apache_read_config(openshift_domain)
	apache_search_config(openshift_domain)
	apache_read_sys_content(openshift_domain)
	apache_exec_sys_script(openshift_domain)
	apache_entrypoint(openshift_domain)
	apache_dontaudit_read_log(openshift_domain)
')

optional_policy(`
	#############################################
	#
	# openshift cgi script policy
	#
	apache_content_template(openshift)
	# NOTE(review): a web CGI domain (httpd_openshift_script_t) transitions into openshift_initrc_t,
	# which is unconfined (see unconfined_domain_noaudit earlier in this file). The transition is
	# keyed on the openshift_initrc_exec_t label, so that label must stay on a small, trusted set of
	# binaries; anything else labeled that way becomes a path from the web tier to an unconfined domain.
	domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)

	optional_policy(`
		dbus_system_bus_client(httpd_openshift_script_t)

		optional_policy(`
			oddjob_dbus_chat(httpd_openshift_script_t)
			oddjob_dontaudit_rw_fifo_file(openshift_domain)
		')
	')
')

optional_policy(`
	# Lets cron run jobs in openshift domains under system_r (declared in gen_require above).
	cron_role(system_r, openshift_domain)
')

optional_policy(`
	gpg_entry_type(openshift_domain)
')

optional_policy(`
	mysql_search_db(openshift_domain)
')

optional_policy(`
	screen_exec(openshift_domain)
')

optional_policy(`
	ssh_use_ptys(openshift_domain)
	ssh_getattr_user_home_dir(openshift_domain)
	ssh_dontaudit_search_user_home_dir(openshift_domain)
')

#######################################################
#
# Policy for openshift user domain process
#
# Unlike the generic openshift_domain rules above (read-only on openshift_file_type apart from
# openshift_rw_file_t), user-domain processes get full manage + relabel over all openshift content.
manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };

# User-domain processes may transition into any openshift domain; the child keeps only
# inherited fds/fifos and SIGCHLD back to the parent, other access is just silenced.
allow openshift_user_domain openshift_domain:process transition;
allow openshift_domain openshift_user_domain:fd use;
allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
allow openshift_domain openshift_user_domain:process sigchld;
dontaudit openshift_domain openshift_user_domain:key view;
dontaudit openshift_domain openshift_user_domain:process signull;
dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };

# NOTE(review): ptrace is granted against every openshift_domain type, not just the user's own
# domain; this allows a user-domain process to inspect/control other openshift processes, with
# MCS categories (set by openshift_initrc_t) being the remaining separation between gears.
allow openshift_user_domain openshift_domain:process ptrace;

optional_policy(`
	ssh_rw_tcp_sockets(openshift_user_domain)
')

############################################################################
#
# Rules specific to openshift and openshift_app_t
#
# openshift_t and openshift_app_t come from openshift_service_domain_template(openshift) above.
kernel_read_vm_sysctls(openshift_t)
kernel_read_vm_sysctls(openshift_app_t)
kernel_search_vm_sysctl(openshift_t)
kernel_search_vm_sysctl(openshift_app_t)
# Only openshift_t (not openshift_app_t) may run and signal ping.
netutils_domtrans_ping(openshift_t)
netutils_kill_ping(openshift_t)
netutils_signal_ping(openshift_t)

# Both domains are network-enabled (openshift_net_domain attribute).
openshift_net_type(openshift_app_t)
openshift_net_type(openshift_t)

optional_policy(`
	postfix_rw_public_pipes(openshift_t)
	postfix_manage_spool_maildrop_files(openshift_t)
')

########################################
#
# openshift_cgroup_read local policy
#

# Minimal helper domain: self process/fifo/unix-socket access plus inherited fifos from initrc.
allow openshift_cgroup_read_t self:process { getattr signal_perms };
allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;

optional_policy(`
	ssh_use_ptys(openshift_cgroup_read_t)
')

corecmd_exec_bin(openshift_cgroup_read_t)

dev_read_urand(openshift_cgroup_read_t)

domain_use_interactive_fds(openshift_cgroup_read_t)


fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)

userdom_use_inherited_user_ptys(openshift_cgroup_read_t)

miscfiles_read_generic_certs(openshift_cgroup_read_t)

# Any openshift domain may transition into the helper by executing openshift_cgroup_read_exec_t;
# the helper runs under system_r.
domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
role system_r types openshift_cgroup_read_t;

# Callers may inspect and signal the helper (no ptrace, no transition back).
allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };

# The helper's purpose: read cgroup files, plus read-only access to gear state in openshift_var_lib_t.
fs_read_cgroup_files(openshift_cgroup_read_t)

allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)