From 40f65f800e58cfe9eb3a4b67563a71ef9f85c138 Mon Sep 17 00:00:00 2001
From: treydock
Date: Mon, 25 Oct 2021 11:26:58 -0400
Subject: [PATCH] Selinux updates (for 2.0) (#1497)
* SELinux fixes, mostly for Kubernetes support
* Further refine kubernetes allowances
* More Kubernetes tuning
* Use more generic ondemand_use_ssh boolean and will deprecate ondemand_use_shell_app. This will better support LHA and other uses of SSH
* Allow PUN to always execute things in usr_t like /opt. More fixes for interacting with Kubernetes
* Changes necessary during enforcing testing
---
 packaging/ondemand-selinux.te | 73 ++++++++++++++++++++++++++++++++++-
 1 file changed, 71 insertions(+), 2 deletions(-)
diff --git a/packaging/ondemand-selinux.te b/packaging/ondemand-selinux.te
index 6db0aea315..cd0fb7878e 100644
--- a/packaging/ondemand-selinux.te
+++ b/packaging/ondemand-selinux.te
@@ -11,10 +11,17 @@ require {
 type vmblock_t;
 type ssh_exec_t;
 type ssh_home_t;
+ type sshd_key_t;
+ type ssh_keysign_exec_t;
 type net_conf_t;
 type krb5_conf_t;
 type sssd_var_run_t;
+ type admin_home_t;
+ type usr_t;
+ type initrc_var_run_t;
 class dbus send_msg;
+ class passwd rootok;
+ class passwd passwd;
 }
 # Define custom types
@@ -140,13 +147,14 @@ optional_policy(`
 ## ##

## Allow OnDemand to use Shell app
+## DEPRECATED, use ondemand_use_ssh instead
 ##

##
-gen_tunable(ondemand_use_shell_app, true)
+gen_tunable(ondemand_use_shell_app, false)
 tunable_policy(`ondemand_use_shell_app',`
 allow ood_pun_t ptmx_t:chr_file { ioctl open read write };
- can_exec(ood_pun_t, ssh_exec_t)
+ ssh_exec(ood_pun_t)
 corenet_tcp_connect_ssh_port(ood_pun_t)
 allow ood_pun_t self:key { read view write };
 ')
@@ -156,6 +164,27 @@ tunable_policy(`ondemand_use_shell_app && ondemand_manage_user_home_dir',`
 manage_files_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
 ')
+## ##
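Review bot: The deprecated `ondemand_use_shell_app` block keeps a full copy of the rules that the new `ondemand_use_ssh` block grants (ptmx access, `ssh_exec`, the ssh port, the `self:key` perms), so the two sets will drift the next time one of them is tuned. Since `tunable_policy` accepts boolean expressions, a single block keyed on `ondemand_use_shell_app || ondemand_use_ssh` (and likewise `(ondemand_use_shell_app || ondemand_use_ssh) && ondemand_manage_user_home_dir` for the home-dir variant) keeps the old boolean working for sites that set it explicitly while leaving one set of rules to review. Flipping the default to `false` here is safe only because `ondemand_use_ssh` defaults to `true`; the `DEPRECATED` comment would help operators if it also named the release in which the old boolean stops having any effect.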

+## Allow OnDemand to use SSH +##

+##
+gen_tunable(ondemand_use_ssh, true)
+
+tunable_policy(`ondemand_use_ssh',`
+ allow ood_pun_t ptmx_t:chr_file { ioctl open read write };
+ ssh_exec(ood_pun_t)
+ can_exec(ood_pun_t, ssh_keysign_exec_t)
+ corenet_tcp_connect_ssh_port(ood_pun_t)
+ allow ood_pun_t sshd_key_t:file read_file_perms;
+ allow ood_pun_t self:key { read view write };
+')
+
+tunable_policy(`ondemand_use_ssh && ondemand_manage_user_home_dir',`
+ manage_dirs_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
+ manage_files_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
+')
+
 ## ##

## Allow OnDemand to access SSSD
@@ -201,6 +230,44 @@ tunable_policy(`ondemand_use_slurm',`
 corenet_tcp_connect_generic_port(ood_pun_t)
 # Access munge socket
 allow ood_pun_t var_run_t:sock_file { getattr write };
+ # SLURM commands like squeue
+ allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms };
+')
+
+## ##
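Review bot: `allow ood_pun_t sshd_key_t:file read_file_perms;` in the new `ondemand_use_ssh` block gives the per-user PUN domain SELinux read access to everything labelled `sshd_key_t`, which in the reference file contexts includes the host private keys under `/etc/ssh/ssh_host_*_key` as well as their `.pub` files, so file DAC becomes the only remaining barrier. The `can_exec(ood_pun_t, ssh_keysign_exec_t)` on the line above runs ssh-keysign inside `ood_pun_t` instead of transitioning to its own domain, which is presumably why the key read is needed at all; a domain transition to the keysign domain (refpolicy ships an interface for this in ssh.if) would keep private-key access out of the PUN domain, and the read rule could then be dropped or reduced to the public keys. At minimum the rule needs a comment saying why the PUN requires it, e.g. `# ssh client reads /etc/ssh/ssh_host_*_key.pub for host-based auth; the private keys share this label and rely on DAC`, and the `self:key` perms duplicated from the deprecated block above deserve the same explanation.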

+## Allow OnDemand to use Kubernetes +##

+##
+gen_tunable(ondemand_use_kubernetes, false)
+
+tunable_policy(`ondemand_use_kubernetes',`
+ # Access /root/.kube
+ allow ood_pun_t admin_home_t:dir { add_name remove_name write };
+ allow ood_pun_t admin_home_t:file { getattr create open read rename setattr unlink write };
+ # Needed to execute sudo for kubectl
+ allow ood_pun_t self:capability { setuid setgid sys_resource audit_write };
+ allow ood_pun_t self:process { setrlimit setsched };
+ allow ood_pun_t self:key write;
+ allow ood_pun_t self:passwd { passwd rootok };
+ sudo_exec(ood_pun_t)
+ auth_exec_chkpwd(ood_pun_t)
+ auth_domtrans_chkpwd(ood_pun_t)
+ auth_tunable_read_shadow(ood_pun_t)
+ auth_rw_lastlog(ood_pun_t)
+ auth_rw_faillog(ood_pun_t)
+ systemd_write_inherited_logind_sessions_pipes(ood_pun_t)
+ systemd_dbus_chat_logind(ood_pun_t)
+ allow ood_pun_t initrc_var_run_t:file { lock open read };
+ # Needed to execute kubectl via sudo
+ allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms };
+ logging_send_audit_msgs(ood_pun_t)
+ # Execute kubectl
+ corenet_tcp_connect_generic_port(ood_pun_t)
+ # Needed to submit pods
+ allow ood_pun_t node_t:udp_socket node_bind;
+ corenet_tcp_connect_generic_port(ood_pun_t)
+ corenet_udp_bind_generic_port(ood_pun_t)
 ')
 ##
@@ -241,6 +308,8 @@ exec_files_pattern(ood_pun_t, bin_t, bin_t)
 exec_files_pattern(ood_pun_t, shell_exec_t, shell_exec_t)
 # Allow PUN to execute rsync
 exec_files_pattern(ood_pun_t, rsync_exec_t, rsync_exec_t)
+# Allow PUN to execute usr_t (like /opt)
+exec_files_pattern(ood_pun_t, usr_t, usr_t)
 # Allow PUN to connect to Apache
 corenet_tcp_connect_http_port(ood_pun_t)
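Review bot: `sudo_exec(ood_pun_t)` runs sudo with no domain transition, which is what forces the rest of the `ondemand_use_kubernetes` block — `self:capability { setuid setgid ... }`, `self:passwd { passwd rootok }`, `auth_tunable_read_shadow`, `auth_exec_chkpwd` — to be granted to `ood_pun_t` itself, i.e. to the per-user web server domain that serves user-controlled apps, rather than only to the sudo/kubectl step. Giving sudo its own domain (refpolicy's `sudo_role_template` pattern, or a small dedicated domain reached via `domtrans_pattern` on `sudo_exec_t`) would keep the setuid, shadow and passwd-rootok permissions out of the PUN domain; `auth_domtrans_chkpwd` is already present, so `auth_exec_chkpwd` plus the shadow read look redundant with it and are candidates to drop after an enforcing test. The `admin_home_t` rules commented `# Access /root/.kube` cover every directory and file carrying that label (all of `/root`) with create/rename/unlink, not just `.kube`; a dedicated file context for `/root/.kube(/.*)?`, or read-only perms if the kubeconfig is only read, would narrow that and the comment should state which it is. `corenet_tcp_connect_generic_port(ood_pun_t)` also appears twice in this block (under `# Execute kubectl` and again under `# Needed to submit pods`); the second copy can go.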