From a5f5c4385eb5568e6993038b084bbdb1ef1aa06b Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Thu, 20 Sep 2018 07:24:26 +0200
Subject: [PATCH] SELINUX=1 enforcing
---
 FedoraBook.fc | 9 +++++++
 FedoraBook.te | 55 +++++++++++++++++++++++++++++++++++-------
 README.md | 2 +-
 pre-pivot.sh | 25 +++++++++++++++++--
 prepare-root.sh | 64 +++++++++++++++++++++++++++++--------------------
 5 files changed, 117 insertions(+), 38 deletions(-)
 create mode 100644 FedoraBook.fc
diff --git a/FedoraBook.fc b/FedoraBook.fc
new file mode 100644
index 0000000..89774ef
--- /dev/null
+++ b/FedoraBook.fc
@@ -0,0 +1,9 @@
+/usr/lib/shadow -- gen_context(system_u:object_r:shadow_t,s0)
+/usr/lib/gshadow -- gen_context(system_u:object_r:shadow_t,s0)
+/usr/db/shadow.db -- gen_context(system_u:object_r:shadow_t,s0)
+/usr/db/gshadow.db -- gen_context(system_u:object_r:shadow_t,s0)
+/usr/lib/passwd -- gen_context(system_u:object_r:passwd_file_t,s0)
+/usr/lib/group -- gen_context(system_u:object_r:passwd_file_t,s0)
+/usr/db/passwd.db -- gen_context(system_u:object_r:passwd_file_t,s0)
+/usr/db/group.db -- gen_context(system_u:object_r:passwd_file_t,s0)
+/var/run/gnome-initial-setup(/.*)? -- gen_context(system_u:object_r:xdm_var_run_t,s0)
diff --git a/FedoraBook.te b/FedoraBook.te
index 93e9008..11ade9e 100644
--- a/FedoraBook.te
+++ b/FedoraBook.te
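Review bot: The last entry, `/var/run/gnome-initial-setup(/.*)?`, carries the `--` file-type flag, which limits the match to regular files, so the directory itself and any subdirectories that the `(/.*)?` suffix is meant to cover get no context from this line. Dropping the flag gives the usual directory-tree form: `/var/run/gnome-initial-setup(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)`. The other eight entries name single regular files, so `--` is right there. Since prepare-root.sh now symlinks `var/run` to `run` (the `-515,12` hunk), it is worth confirming that the installed policy's path substitutions map this `/var/run` prefix onto `/run` as well, or else spelling the entry with `/run/`.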
@@ -3,22 +3,38 @@ module FedoraBook 1.0; require { type accountsd_t; - type shadow_t; - type system_dbusd_t; - type init_var_run_t; - type useradd_t; + type auditd_t; + type default_t; type geoclue_t; type geoclue_tmp_t; - type unlabeled_t; + type init_t; + type init_exec_t; + type init_var_run_t; + type lib_t; + type machineid_t; + type security_t; + type semanage_store_t; + type shadow_t; + type system_dbusd_t; + type system_dbusd_var_run_t; + type systemd_gpt_generator_t; type systemd_tmpfiles_t; + type unconfined_t; + type unlabeled_t; + type useradd_t; + type var_lib_t; + type var_run_t; + type xdm_t; + class dir { add_name write read setattr }; + class file { execute getattr setattr map read open relabelto write create }; + class sock_file { read }; class lnk_file read; - class file { execute getattr map }; - class dir { add_name write }; + class security setenforce; + class service stop; + class system { reload status stop }; } #============= accountsd_t ============== - -#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' allow accountsd_t shadow_t:file map; #============= geoclue_t ============== 
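Review bot: `type init_exec_t;` is added to the require block, but no rule in this hunk or the following one (`-29,6`) uses it; unless the geoclue rules between the two hunks reference it, it should be dropped, since every type named here becomes a hard dependency for loading the module. The same check applies to the `execute` permission kept in the `class file` list, which likewise has no visible user. The section headers and the removed `#!!!!` line look like audit2allow output; a short header comment above `require` saying that the module holds the allowances needed for the read-only /usr layout (passwd/shadow files under /usr/lib, /cfg in place of /etc) would tell a later maintainer what each section is for.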
@@ -29,6 +45,27 @@ allow system_dbusd_t init_var_run_t:lnk_file read; #============= systemd_tmpfiles_t ============== allow systemd_tmpfiles_t shadow_t:file getattr; +allow systemd_tmpfiles_t shadow_t:file read; +allow systemd_tmpfiles_t shadow_t:file open; +allow systemd_tmpfiles_t shadow_t:file relabelto; #============= useradd_t ============== allow useradd_t unlabeled_t:dir { add_name write }; + +#============= init_t ============== +allow init_t var_lib_t:dir setattr; +allow init_t system_dbusd_var_run_t:sock_file read; +allow init_t security_t:security setenforce; +allow init_t semanage_store_t:file map; +allow init_t machineid_t:file { create write relabelto read setattr open }; + +#============= xdm_t ============== +allow xdm_t var_run_t:dir setattr; +allow xdm_t lib_t:service stop; +allow xdm_t unconfined_t:system { reload status stop }; + +#============= systemd_gpt_generator_t ============== +allow systemd_gpt_generator_t default_t:dir read; + +#============= auditd_t ============== +allow auditd_t init_var_run_t:lnk_file read; diff --git a/README.md b/README.md index 9dafeb4..1c498d2 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,6 @@ All configurable files have been whitelisted and moved to /cfg. - support more clevis pins and mixed pins - firmware update - option to always clean data disk on boot -- selinux? ## Complete / What works already? - boot from single efi binary @@ -65,6 +64,7 @@ All configurable files have been whitelisted and moved to /cfg. - swap on LUKS2 with tpm2 (no password for resume from disk??) - /home /cfg and /var on single data partition - Secure Boot +- selinux ## Known Failures - no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 ) diff --git a/pre-pivot.sh b/pre-pivot.sh index 36a4e60..a1d5bcc 100644 --- a/pre-pivot.sh +++ b/pre-pivot.sh 
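Review bot: Several new rules grant access to generic fallback types instead of fixing a label: `allow systemd_gpt_generator_t default_t:dir read;` targets the type a path gets when no fcontext matches, alongside the existing `allow useradd_t unlabeled_t:dir { add_name write };`. The `/net` directory that prepare-root.sh now creates and relabels (the `-515,12` hunk) has no entry in FedoraBook.fc, so it is a likely origin of that `default_t` denial; an `.fc` entry for it would make the allow rule unnecessary. `allow xdm_t unconfined_t:system { reload status stop };` and `allow init_t security_t:security setenforce;` are the broadest additions, the first letting the display-manager domain reload or stop a manager running as `unconfined_t`, the second letting the init domain change enforcing mode. Each of those deserves a one-line comment naming the denial it was generated from, e.g. `# xdm_t -> user manager of gnome-initial-setup: <AVC from audit log> (placeholder) -- confirm still needed`, so the rules can be retired once the labelling is fixed.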
@@ -115,19 +115,40 @@ for i in var home cfg; do if ! [[ -d /run/initramfs/mnt/$i ]]; then mkdir /run/initramfs/mnt/$i FIRST_TIME=1 + elif [[ -f /run/initramfs/mnt/$i/.autorelabel ]]; then + RELABEL=1 fi done mount -o bind /run/initramfs/mnt/var /sysroot/var mount -o bind /run/initramfs/mnt/home /sysroot/home mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg -umount -l /run/initramfs/mnt +umount -l /run/initramfs/mnt &>/dev/null if [[ $FIRST_TIME ]]; then mount -o bind /sys /sysroot/sys mount -t selinuxfs none /sysroot/sys/fs/selinux - chroot /sysroot bash -c 'LANG=C; /usr/sbin/load_policy -i; setenforce 0; /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc ; /usr/sbin/restorecon -m -vvvvv -F -R /cfg /var' + chroot /sysroot bash -c ' +/usr/sbin/load_policy -i +/sbin/restorecon -m -F -v /cfg /var /home +' umount /sysroot/sys/fs/selinux umount /sysroot/sys fi +if [[ $RELABEL ]]; then + mount -o bind /sys /sysroot/sys + mount -t selinuxfs none /sysroot/sys/fs/selinux + chroot /sysroot bash -c ' +/usr/sbin/load_policy -i +for i in var home cfg; do + [[ -e /$i/.autorelabel ]] || continue + rm -f /$i/.autorelabel + /sbin/restorecon -m -F -v -R /$i +done +' 2>&1 | vwarn + umount /sysroot/sys/fs/selinux + umount /sysroot/sys +fi + +: \ No newline at end of file diff --git a/prepare-root.sh b/prepare-root.sh index aaa2208..b45b82b 100755 --- a/prepare-root.sh +++ b/prepare-root.sh @@ -150,7 +150,7 @@ trap ' # clean up after ourselves no matter how we die. trap 'exit 1;' SIGINT -setenforce 0 +#setenforce 0 if ! [[ -f "${BASEDIR}"/linuxx64.efi.stub ]]; then cp /lib/systemd/boot/efi/linuxx64.efi.stub "${BASEDIR}"/linuxx64.efi.stub 
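Review bot: In the new RELABEL branch `rm -f /$i/.autorelabel` runs before `/sbin/restorecon -m -F -v -R /$i`, so a relabel interrupted by a reboot or power loss leaves the tree half-labelled with the flag already gone and nothing retries it on the next boot. Removing the flag only after restorecon succeeds keeps the request alive until it completes: `/sbin/restorecon -m -F -v -R /$i && rm -f /$i/.autorelabel`. The `2>&1 | vwarn` pipeline also discards the chroot's exit status, so a failed `load_policy` or restorecon is only visible if someone reads the warning output; checking `${PIPESTATUS[0]}` after the pipeline would surface it. The FIRST_TIME and RELABEL branches repeat the same bind-mount/chroot/umount scaffolding, which could move into one helper function now that there are two callers.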
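Review bot: `#setenforce 0` leaves commented-out code where a decision was made; delete the line, or replace it with a comment stating that the build host's SELinux mode is now left untouched and the image is labelled by the `restorecon` calls near the end of the script. The same applies to the commented-out `#cat > "$sysroot"/lib/systemd/system-generators/machine-id` heredoc in the `-402,11` hunk of this file (its body is not visible on this page). Running the build under the host's policy in enforcing mode also means a host denial can now abort a chroot step instead of only being logged, which may be worth a sentence in README.md.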
@@ -170,8 +170,9 @@ chmod 0000 "$sysroot"/etc/{shadow,gshadow} mkdir -p "$sysroot"/{dev,proc,sys,run} mount -o bind /proc "$sysroot/proc" -#mount -o bind /run "$sysroot/run" +mount -o bind /run "$sysroot/run" mount -o bind /sys "$sysroot/sys" +mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux" mount -t devtmpfs devtmpfs "$sysroot/dev" mkdir -p "$sysroot"/var/cache/dnf @@ -227,6 +228,7 @@ dnf -v --nogpgcheck \ selinux-policy-devel \ libselinux-utils \ audit \ + dosfstools \ $PKGLIST for i in passwd shadow group gshadow subuid subgid; do @@ -281,7 +283,7 @@ chroot "$sysroot" \ --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \ --install "cryptsetup tail sort pwmake mktemp swapon" \ --install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \ - --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \ + --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership chcon sleep" \ --include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/80-pre-pivot.sh \ --install /usr/lib/systemd/system/clevis-luks-askpass.path \ --install /usr/lib/systemd/system/clevis-luks-askpass.service \ @@ -319,10 +321,6 @@ done # timesync ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service -#--------------- -# dbus-broker -ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/systemd/system/dbus.service - #--------------- # ssh if [[ -d "$sysroot"/etc/ssh ]]; then 
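Review bot: Re-enabling `mount -o bind /run "$sysroot/run"` exposes the host's runtime state (D-Bus and systemd sockets, PID files) to every `chroot "$sysroot"` step that follows, which is more than a package install needs; nothing in the hunk says which step requires the host's /run rather than a writable one. If no chrooted tool needs the host's sockets, `mount -t tmpfs tmpfs "$sysroot/run"` gives them a private /run without that exposure, and either way a one-line comment naming the consumer would help. The cleanup loop at the end of the script does list `run` and unmounts `sys/fs/selinux` before `sys`, so the new selinuxfs bind is released in the right order.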
@@ -395,6 +393,9 @@ sed -i -e 's#/etc/adjtime#/cfg/adjtime#g;s#/etc/localtime#/cfg/localtime#g;s#/et "$sysroot"/usr/lib/systemd/systemd-timedated \ "$sysroot"/usr/lib/systemd/libsystemd-shared*.so \ "$sysroot"/usr/lib/systemd/systemd \ + "$sysroot"/usr/bin/systemd-machine-id-setup \ + "$sysroot"/usr/bin/systemd-firstboot \ + "$sysroot"/usr/lib/systemd/system/systemd-machine-id-commit.service \ "$sysroot"/lib*/libc.so.* sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \ @@ -402,11 +403,22 @@ sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \ "$sysroot"/lib/systemd/system/systemd-timedated.service \ "$sysroot"/lib/systemd/system/systemd-hostnamed.service +#cat > "$sysroot"/lib/systemd/system-generators/machine-id <> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf < "$sysroot"/usr/share/gnome-initial-setup/vendor.conf +if [[ -f "$sysroot"/usr/share/gnome-initial-setup/vendor.conf ]]; then + > "$sysroot"/usr/share/gnome-initial-setup/vendor.conf +fi #--------------- # LVM 
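Review bot: The three paths added to this `sed -i` list are binaries and a unit file that get `/etc/...` byte-rewritten to `/cfg/...`; that only works because `/etc` and `/cfg` have the same length, and nothing near the command says so. A comment such as `# NOTE: /etc -> /cfg keeps the string length; sed on ELF files depends on that` would stop someone substituting a longer prefix. The sed expression itself is cut off at the hunk header, so I cannot tell whether `/etc/machine-id` is among the substitutions `systemd-machine-id-setup` and `systemd-firstboot` need; if it is not, adding the two binaries has no effect. `sed -i` reports an error for a listed path that does not exist, so the new entries may want the same `[[ -f ... ]]` guard the vendor.conf change in the next hunk introduces.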
@@ -465,37 +479,32 @@ rm -f "$sysroot"/etc/systemd/system/multi-user.target.wants/dnf-makecache.timer # network-online.target rm -fr "$sysroot"/etc/systemd/system/network-online.target.wants +#--------------- +# rsyslog link +rm -fr "$sysroot"/etc/systemd/system/syslog.service + # ------------------------------------------------------------------------------ # selinux #sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config -mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux" - chroot "$sysroot" semanage fcontext -a -e /etc /cfg -chroot "$sysroot" semanage fcontext -a -e /etc /usr/share/factory/cfg -chroot "$sysroot" semanage fcontext -a -e /var /usr/share/factory/var -chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/lib/passwd -chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/lib/group -chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/lib/shadow -chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/lib/gshadow -chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/db/passwd.db -chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/db/group.db -chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/db/shadow.db -chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/db/gshadow.db -cp "$CURDIR"/FedoraBook.te "$sysroot"/var/tmp +cp "$CURDIR"/FedoraBook.te "$CURDIR"/FedoraBook.fc "$sysroot"/var/tmp chroot "$sysroot" bash -c "cd /var/tmp; make -f /usr/share/selinux/devel/Makefile; semodule -i FedoraBook.pp" -chroot "$sysroot" restorecon -m -v -F -R /usr /etc || : rm -fr "$sysroot"/var/lib/selinux #--------------- # var +rm -fr "$sysroot"//usr/lib/fontconfig/cache rm -fr "$sysroot"/var/lib/rpm +rm -fr "$sysroot"/var/lib/sepolgen +rm -fr "$sysroot"/var/lib/dnf +rm -fr "$sysroot"/var/lib/flatpak/repo/tmp rm -fr "$sysroot"/var/log/dnf* rm -fr 
"$sysroot"/var/cache/*/* rm -fr "$sysroot"/var/tmp/* mv "$sysroot"/lib/tmpfiles.d/var.conf "$sysroot"/lib/tmpfiles.d-var.conf chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i " -r -q /lib/tmpfiles.d && ! grep " $i " -q /lib/tmpfiles.d-var.conf && rm -vfr --one-file-system "$i" ; done; :' cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/ -rm -fr "$sysroot"/usr/share/factory/var/{run,lock} +rm -f "$sysroot"/usr/share/factory/var/{run,lock} chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :' echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf @@ -515,12 +524,15 @@ fi rm -fr "$sysroot"/{boot,root} ln -sfnr "$sysroot"/var/roothome "$sysroot"/root -mkdir "$sysroot"/efi rm -fr "$sysroot"/var rm -fr "$sysroot"/home rm -f "$sysroot"/etc/yum.repos.d/* -mkdir -p "$sysroot"/{var,home,cfg} -chroot "$sysroot" restorecon -F -v /var /home /cfg /efi|| : +mkdir -p "$sysroot"/{var,home,cfg,net,efi} +ln -sfnr "$sysroot"/run "$sysroot"/var/run +ln -sfnr "$sysroot"/run/lock "$sysroot"/var/lock + +chroot "$sysroot" restorecon -m -v -F -R /usr /etc /var +chroot "$sysroot" restorecon -m -v -F /cfg /efi /home /net /root for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run}; do [[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"
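Review bot: `rm -fr "$sysroot"//usr/lib/fontconfig/cache` has a doubled slash; harmless, but inconsistent with every other path in the block, so `rm -fr "$sysroot"/usr/lib/fontconfig/cache`. Changing `rm -fr` to `rm -f` for `factory/var/{run,lock}` only works while both are symlinks, as they are after `cp -a` of a stock /var; should either ever be a real directory, `rm -f` errors out (and aborts the build if the script runs under `set -e`), whereas `rm -fr` removed a symlink without following it anyway, so the change gains nothing. The unchanged `make ...; semodule -i FedoraBook.pp` chain runs `semodule` even when the policy build fails, and the new FedoraBook.fc now feeds that build; `&&` between the two commands would make a malformed `.fc` fail loudly instead of installing a stale `.pp`.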
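Review bot: `/net` is created by the new `mkdir -p` and passed to `restorecon -m -v -F`, but it has no file context anywhere on this page (not in FedoraBook.fc, not in the remaining `semanage fcontext -a -e` call), so it ends up with the policy's fallback `default_t`; that is presumably the denial behind the new `allow systemd_gpt_generator_t default_t:dir read;` in FedoraBook.te. Adding an `.fc` entry for `/net`, and confirming `/efi` already resolves to a specific type in the base policy, would remove the need for that allow rule. `ln -sfnr "$sysroot"/run "$sysroot"/var/run` is created while `$sysroot/run` is still a bind mount of the host's /run (the `-170,8` hunk); the relative link itself is fine, but anything that follows it before the cleanup loop unmounts `run` writes into the host's /run, so a comment recording that ordering would help the next reader.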