From 10266e3556b4143be3194f45d0159a565e93989b Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Fri, 2 Feb 2024 17:42:23 +0100
Subject: [PATCH] make cockpit definition optional

---
 foreman.fc |  4 ++--
 foreman.te | 47 ++++++++++++++++++++++++++++++-----------------
 2 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/foreman.fc b/foreman.fc
index f66f719..a27771e 100644
--- a/foreman.fc
+++ b/foreman.fc
@@ -40,8 +40,8 @@
 # Foreman Remote Execution
-/usr/sbin/foreman-cockpit-session gen_context(system_u:object_r:cockpit_session_exec_t,s0)
-/usr/share/gems/gems/foreman_remote_execution-.*/extra/cockpit/foreman-cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/sbin/foreman-cockpit-session gen_context(system_u:object_r:foreman_cockpit_session_exec_t,s0)
+/usr/share/gems/gems/foreman_remote_execution-.*/extra/cockpit/foreman-cockpit-session -- gen_context(system_u:object_r:foreman_cockpit_session_exec_t,s0)
 # Foreman Hooks plugin
diff --git a/foreman.te b/foreman.te
index 0905918..99b4561 100644
--- a/foreman.te
+++ b/foreman.te
@@ -128,9 +128,6 @@ require{
 	type bin_t;
 	type httpd_t;
 	type websm_port_t;
-	type cockpit_ws_t;
-	type cockpit_session_t;
-	type cockpit_session_exec_t;
 	type unconfined_service_t;
 	type http_cache_port_t;
 	type squid_port_t;
@@ -333,25 +330,41 @@ manage_dirs_pattern(foreman_rails_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
 
 # Remote Execution
 #
-# File /usr/sbin/foreman-cockpit-session is a symlink
-read_lnk_files_pattern(cockpit_ws_t, cockpit_session_exec_t, cockpit_session_exec_t)
-read_lnk_files_pattern(cockpit_session_t, cockpit_session_exec_t, cockpit_session_exec_t)
+# this needs to exist even if cockpit policy doesn't
+type foreman_cockpit_session_exec_t;
 
-# Run /usr/bin/env and /usr/bin/ruby
-corecmd_exec_bin(cockpit_ws_t)
-kernel_read_system_state(cockpit_ws_t)
+optional_policy(`
+	gen_require(`
+		type cockpit_ws_t;
+		type cockpit_session_t;
+		type cockpit_session_exec_t;
+	')
+
+	# foreman-cockpit-session needs to be labeled foreman_cockpit_session_exec_t,
+	# but we need to end up in cockpit_session_t
+	domtrans_pattern(cockpit_ws_t, foreman_cockpit_session_exec_t, cockpit_session_t)
 
-# Connect to Foreman HTTP(s) port
-corenet_tcp_connect_http_port(cockpit_session_t)
-corenet_tcp_connect_http_port(cockpit_ws_t)
+	# File /usr/sbin/foreman-cockpit-session is a symlink
+	read_lnk_files_pattern(cockpit_ws_t, cockpit_session_exec_t, cockpit_session_exec_t)
+	read_lnk_files_pattern(cockpit_session_t, cockpit_session_exec_t, cockpit_session_exec_t)
+	read_lnk_files_pattern(cockpit_ws_t, foreman_cockpit_session_exec_t, foreman_cockpit_session_exec_t)
+	read_lnk_files_pattern(cockpit_session_t, foreman_cockpit_session_exec_t, foreman_cockpit_session_exec_t)
 
-# Connect to remote Cockpit instance HTTPS port
-corenet_tcp_connect_websm_port(cockpit_session_t)
-corenet_tcp_connect_websm_port(cockpit_ws_t)
+	# Run /usr/bin/env and /usr/bin/ruby
+	corecmd_exec_bin(cockpit_ws_t)
+	kernel_read_system_state(cockpit_ws_t)
 
-# Connect to Foreman Cockpit instance HTTPS port
-corenet_tcp_connect_websm_port(httpd_t)
+	# Connect to Foreman HTTP(s) port
+	corenet_tcp_connect_http_port(cockpit_session_t)
+	corenet_tcp_connect_http_port(cockpit_ws_t)
+	# Connect to remote Cockpit instance HTTPS port
+	corenet_tcp_connect_websm_port(cockpit_session_t)
+	corenet_tcp_connect_websm_port(cockpit_ws_t)
+
+	# Connect to Foreman Cockpit instance HTTPS port
+	corenet_tcp_connect_websm_port(httpd_t)
+')
 
 #######################################
 #
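Review bot: `corenet_tcp_connect_websm_port(httpd_t)` has been moved inside the cockpit `optional_policy` block although it references only `httpd_t` and `websm_port_t`, both still listed in the unconditional `require` block in the first foreman.te hunk, so a host without the cockpit policy now silently loses httpd's access to the Cockpit HTTPS port that this rule never tied to cockpit types; keep it outside the block, e.g. directly after `type foreman_cockpit_session_exec_t;`. That declaration is also bare: without `application_executable_file(foreman_cockpit_session_exec_t)` the type carries neither `file_type` nor `exec_type`, so relabeling by restorecon or rpm is likely to be denied (worth confirming against the local refpolicy) and the helper would end up with a default label on which the new `domtrans_pattern` never fires. The two `read_lnk_files_pattern` lines on `cockpit_session_exec_t` look left over now that foreman.fc labels the symlink `foreman_cockpit_session_exec_t`; if nothing is still labeled `cockpit_session_exec_t`, they and its `gen_require` entry can be dropped.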