make cockpit definition optional

theforeman · Feb 7, 2024 · 10266e3 · 10266e3
1 parent ec6e5e0
commit 10266e3
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 19 deletions.
diff --git a/foreman.fc b/foreman.fc
@@ -40,8 +40,8 @@
 
 # Foreman Remote Execution
 
-/usr/sbin/foreman-cockpit-session       gen_context(system_u:object_r:cockpit_session_exec_t,s0)
-/usr/share/gems/gems/foreman_remote_execution-.*/extra/cockpit/foreman-cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/sbin/foreman-cockpit-session       gen_context(system_u:object_r:foreman_cockpit_session_exec_t,s0)
+/usr/share/gems/gems/foreman_remote_execution-.*/extra/cockpit/foreman-cockpit-session -- gen_context(system_u:object_r:foreman_cockpit_session_exec_t,s0)
 
 # Foreman Hooks plugin
 

diff --git a/foreman.te b/foreman.te
@@ -128,9 +128,6 @@ require{
     type bin_t;
     type httpd_t;
     type websm_port_t;
-    type cockpit_ws_t;
-    type cockpit_session_t;
-    type cockpit_session_exec_t;
     type unconfined_service_t;
     type http_cache_port_t;
     type squid_port_t;
@@ -333,25 +330,41 @@ manage_dirs_pattern(foreman_rails_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
 # Remote Execution
 #
 
-# File /usr/sbin/foreman-cockpit-session is a symlink
-read_lnk_files_pattern(cockpit_ws_t, cockpit_session_exec_t, cockpit_session_exec_t)
-read_lnk_files_pattern(cockpit_session_t, cockpit_session_exec_t, cockpit_session_exec_t)
+# this needs to exist even if cockpit policy doesn't
+type foreman_cockpit_session_exec_t;
 
-# Run /usr/bin/env and /usr/bin/ruby
-corecmd_exec_bin(cockpit_ws_t)
-kernel_read_system_state(cockpit_ws_t)
+optional_policy(`
+    gen_require(`
+        type cockpit_ws_t;
+        type cockpit_session_t;
+        type cockpit_session_exec_t;
+    ')
+
+    # foreman-cockpit-session needs to be labeled foreman_cockpit_session_exec_t,
+    # but we need to end up in cockpit_session_t
+    domtrans_pattern(cockpit_ws_t, foreman_cockpit_session_exec_t, cockpit_session_t)
 
-# Connect to Foreman HTTP(s) port
-corenet_tcp_connect_http_port(cockpit_session_t)
-corenet_tcp_connect_http_port(cockpit_ws_t)
+    # File /usr/sbin/foreman-cockpit-session is a symlink
+    read_lnk_files_pattern(cockpit_ws_t, cockpit_session_exec_t, cockpit_session_exec_t)
+    read_lnk_files_pattern(cockpit_session_t, cockpit_session_exec_t, cockpit_session_exec_t)
+    read_lnk_files_pattern(cockpit_ws_t, foreman_cockpit_session_exec_t, foreman_cockpit_session_exec_t)
+    read_lnk_files_pattern(cockpit_session_t, foreman_cockpit_session_exec_t, foreman_cockpit_session_exec_t)
 
-# Connect to remote Cockpit instance HTTPS port
-corenet_tcp_connect_websm_port(cockpit_session_t)
-corenet_tcp_connect_websm_port(cockpit_ws_t)
+    # Run /usr/bin/env and /usr/bin/ruby
+    corecmd_exec_bin(cockpit_ws_t)
+    kernel_read_system_state(cockpit_ws_t)
 
-# Connect to Foreman Cockpit instance HTTPS port
-corenet_tcp_connect_websm_port(httpd_t)
+    # Connect to Foreman HTTP(s) port
+    corenet_tcp_connect_http_port(cockpit_session_t)
+    corenet_tcp_connect_http_port(cockpit_ws_t)
 
+    # Connect to remote Cockpit instance HTTPS port
+    corenet_tcp_connect_websm_port(cockpit_session_t)
+    corenet_tcp_connect_websm_port(cockpit_ws_t)
+
+    # Connect to Foreman Cockpit instance HTTPS port
+    corenet_tcp_connect_websm_port(httpd_t)
+')
 
 #######################################
 #