harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

SELINUX=1 enforcing

Browse source
This commit is contained in:
Harald Hoyer 2018-09-20 07:24:26 +02:00
parent f05fdad33b
commit a5f5c4385e
5 changed files with 117 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
FedoraBook.fc Normal file
View file

@ -0,0 +1,9 @@
/usr/lib/shadow -- gen_context(system_u:object_r:shadow_t,s0)
/usr/lib/gshadow -- gen_context(system_u:object_r:shadow_t,s0)
/usr/db/shadow.db -- gen_context(system_u:object_r:shadow_t,s0)
/usr/db/gshadow.db -- gen_context(system_u:object_r:shadow_t,s0)
/usr/lib/passwd -- gen_context(system_u:object_r:passwd_file_t,s0)
/usr/lib/group -- gen_context(system_u:object_r:passwd_file_t,s0)
/usr/db/passwd.db -- gen_context(system_u:object_r:passwd_file_t,s0)
/usr/db/group.db -- gen_context(system_u:object_r:passwd_file_t,s0)
/var/run/gnome-initial-setup(/.*)? -- gen_context(system_u:object_r:xdm_var_run_t,s0)

55
FedoraBook.te
View file

@ -3,22 +3,38 @@ module FedoraBook 1.0;
require { require {
type accountsd_t; type accountsd_t;
type shadow_t; type auditd_t;
type system_dbusd_t; type default_t;
type init_var_run_t;
type useradd_t;
type geoclue_t; type geoclue_t;
type geoclue_tmp_t; type geoclue_tmp_t;
type unlabeled_t; type init_t;
type init_exec_t;
type init_var_run_t;
type lib_t;
type machineid_t;
type security_t;
type semanage_store_t;
type shadow_t;
type system_dbusd_t;
type system_dbusd_var_run_t;
type systemd_gpt_generator_t;
type systemd_tmpfiles_t; type systemd_tmpfiles_t;
type unconfined_t;
type unlabeled_t;
type useradd_t;
type var_lib_t;
type var_run_t;
type xdm_t;
class dir { add_name write read setattr };
class file { execute getattr setattr map read open relabelto write create };
class sock_file { read };
class lnk_file read; class lnk_file read;
class file { execute getattr map }; class security setenforce;
class dir { add_name write }; class service stop;
class system { reload status stop };
} }
#============= accountsd_t ============== #============= accountsd_t ==============
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow accountsd_t shadow_t:file map; allow accountsd_t shadow_t:file map;
#============= geoclue_t ============== #============= geoclue_t ==============
@ -29,6 +45,27 @@ allow system_dbusd_t init_var_run_t:lnk_file read;
#============= systemd_tmpfiles_t ============== #============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t shadow_t:file getattr; allow systemd_tmpfiles_t shadow_t:file getattr;
allow systemd_tmpfiles_t shadow_t:file read;
allow systemd_tmpfiles_t shadow_t:file open;
allow systemd_tmpfiles_t shadow_t:file relabelto;
#============= useradd_t ============== #============= useradd_t ==============
allow useradd_t unlabeled_t:dir { add_name write }; allow useradd_t unlabeled_t:dir { add_name write };
#============= init_t ==============
allow init_t var_lib_t:dir setattr;
allow init_t system_dbusd_var_run_t:sock_file read;
allow init_t security_t:security setenforce;
allow init_t semanage_store_t:file map;
allow init_t machineid_t:file { create write relabelto read setattr open };
#============= xdm_t ==============
allow xdm_t var_run_t:dir setattr;
allow xdm_t lib_t:service stop;
allow xdm_t unconfined_t:system { reload status stop };
#============= systemd_gpt_generator_t ==============
allow systemd_gpt_generator_t default_t:dir read;
#============= auditd_t ==============
allow auditd_t init_var_run_t:lnk_file read;

2
README.md
View file

@ -55,7 +55,6 @@ All configurable files have been whitelisted and moved to /cfg.
- support more clevis pins and mixed pins - support more clevis pins and mixed pins
- firmware update - firmware update
- option to always clean data disk on boot - option to always clean data disk on boot
- selinux?
## Complete / What works already? ## Complete / What works already?
- boot from single efi binary - boot from single efi binary
@ -65,6 +64,7 @@ All configurable files have been whitelisted and moved to /cfg.
- swap on LUKS2 with tpm2 (no password for resume from disk??) - swap on LUKS2 with tpm2 (no password for resume from disk??)
- /home /cfg and /var on single data partition - /home /cfg and /var on single data partition
- Secure Boot - Secure Boot
- selinux
## Known Failures ## Known Failures
- no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 ) - no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 )

25
pre-pivot.sh
View file

@ -115,19 +115,40 @@ for i in var home cfg; do
if ! [[ -d /run/initramfs/mnt/$i ]]; then if ! [[ -d /run/initramfs/mnt/$i ]]; then
mkdir /run/initramfs/mnt/$i mkdir /run/initramfs/mnt/$i
FIRST_TIME=1 FIRST_TIME=1
elif [[ -f /run/initramfs/mnt/$i/.autorelabel ]]; then
RELABEL=1
fi fi
done done
mount -o bind /run/initramfs/mnt/var /sysroot/var mount -o bind /run/initramfs/mnt/var /sysroot/var
mount -o bind /run/initramfs/mnt/home /sysroot/home mount -o bind /run/initramfs/mnt/home /sysroot/home
mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
umount -l /run/initramfs/mnt umount -l /run/initramfs/mnt &>/dev/null
if [[ $FIRST_TIME ]]; then if [[ $FIRST_TIME ]]; then
mount -o bind /sys /sysroot/sys mount -o bind /sys /sysroot/sys
mount -t selinuxfs none /sysroot/sys/fs/selinux mount -t selinuxfs none /sysroot/sys/fs/selinux
chroot /sysroot bash -c 'LANG=C; /usr/sbin/load_policy -i; setenforce 0; /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc ; /usr/sbin/restorecon -m -vvvvv -F -R /cfg /var' chroot /sysroot bash -c '
/usr/sbin/load_policy -i
/sbin/restorecon -m -F -v /cfg /var /home
'
umount /sysroot/sys/fs/selinux umount /sysroot/sys/fs/selinux
umount /sysroot/sys umount /sysroot/sys
fi fi
if [[ $RELABEL ]]; then
mount -o bind /sys /sysroot/sys
mount -t selinuxfs none /sysroot/sys/fs/selinux
chroot /sysroot bash -c '
/usr/sbin/load_policy -i
for i in var home cfg; do
[[ -e /$i/.autorelabel ]] || continue
rm -f /$i/.autorelabel
/sbin/restorecon -m -F -v -R /$i
done
' 2>&1 | vwarn
umount /sysroot/sys/fs/selinux
umount /sysroot/sys
fi
:

64
prepare-root.sh
View file

@ -150,7 +150,7 @@ trap '
# clean up after ourselves no matter how we die. # clean up after ourselves no matter how we die.
trap 'exit 1;' SIGINT trap 'exit 1;' SIGINT
setenforce 0 #setenforce 0
if ! [[ -f "${BASEDIR}"/linuxx64.efi.stub ]]; then if ! [[ -f "${BASEDIR}"/linuxx64.efi.stub ]]; then
cp /lib/systemd/boot/efi/linuxx64.efi.stub "${BASEDIR}"/linuxx64.efi.stub cp /lib/systemd/boot/efi/linuxx64.efi.stub "${BASEDIR}"/linuxx64.efi.stub
@ -170,8 +170,9 @@ chmod 0000 "$sysroot"/etc/{shadow,gshadow}
mkdir -p "$sysroot"/{dev,proc,sys,run} mkdir -p "$sysroot"/{dev,proc,sys,run}
mount -o bind /proc "$sysroot/proc" mount -o bind /proc "$sysroot/proc"
#mount -o bind /run "$sysroot/run" mount -o bind /run "$sysroot/run"
mount -o bind /sys "$sysroot/sys" mount -o bind /sys "$sysroot/sys"
mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux"
mount -t devtmpfs devtmpfs "$sysroot/dev" mount -t devtmpfs devtmpfs "$sysroot/dev"
mkdir -p "$sysroot"/var/cache/dnf mkdir -p "$sysroot"/var/cache/dnf
@ -227,6 +228,7 @@ dnf -v --nogpgcheck \
selinux-policy-devel \ selinux-policy-devel \
libselinux-utils \ libselinux-utils \
audit \ audit \
dosfstools \
$PKGLIST $PKGLIST
for i in passwd shadow group gshadow subuid subgid; do for i in passwd shadow group gshadow subuid subgid; do
@ -281,7 +283,7 @@ chroot "$sysroot" \
--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \ --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
--install "cryptsetup tail sort pwmake mktemp swapon" \ --install "cryptsetup tail sort pwmake mktemp swapon" \
--install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \ --install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \ --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership chcon sleep" \
--include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/80-pre-pivot.sh \ --include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/80-pre-pivot.sh \
--install /usr/lib/systemd/system/clevis-luks-askpass.path \ --install /usr/lib/systemd/system/clevis-luks-askpass.path \
--install /usr/lib/systemd/system/clevis-luks-askpass.service \ --install /usr/lib/systemd/system/clevis-luks-askpass.service \
@ -319,10 +321,6 @@ done
# timesync # timesync
ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
#---------------
# dbus-broker
ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/systemd/system/dbus.service
#--------------- #---------------
# ssh # ssh
if [[ -d "$sysroot"/etc/ssh ]]; then if [[ -d "$sysroot"/etc/ssh ]]; then
@ -395,6 +393,9 @@ sed -i -e 's#/etc/adjtime#/cfg/adjtime#g;s#/etc/localtime#/cfg/localtime#g;s#/et
"$sysroot"/usr/lib/systemd/systemd-timedated \ "$sysroot"/usr/lib/systemd/systemd-timedated \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so \ "$sysroot"/usr/lib/systemd/libsystemd-shared*.so \
"$sysroot"/usr/lib/systemd/systemd \ "$sysroot"/usr/lib/systemd/systemd \
"$sysroot"/usr/bin/systemd-machine-id-setup \
"$sysroot"/usr/bin/systemd-firstboot \
"$sysroot"/usr/lib/systemd/system/systemd-machine-id-commit.service \
"$sysroot"/lib*/libc.so.* "$sysroot"/lib*/libc.so.*
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \ sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \
@ -402,11 +403,22 @@ sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \
"$sysroot"/lib/systemd/system/systemd-timedated.service \ "$sysroot"/lib/systemd/system/systemd-timedated.service \
"$sysroot"/lib/systemd/system/systemd-hostnamed.service "$sysroot"/lib/systemd/system/systemd-hostnamed.service
#cat > "$sysroot"/lib/systemd/system-generators/machine-id <<EOF
##!/bin/bash -x
#/sbin/restorecon -m -F -v /cfg /var /home /cfg/machine-id /var/run /var/lock
#exit 0
#EOF
#chmod a+x "$sysroot"/lib/systemd/system-generators/machine-id
cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF
C /cfg/vconsole.conf - - - - - C /cfg/vconsole.conf - - - - -
C /cfg/locale.conf - - - - - C /cfg/locale.conf - - - - -
C /cfg/localtime - - - - - C /cfg/localtime - - - - -
C /cfg/adjtime - - - - - C /cfg/adjtime - - - - -
z /home - - - - -
z /cfg - - - - -
z /cfg/machine-id 0444 - - - -
z /var - - - - -
EOF EOF
#--------------- #---------------
@ -450,7 +462,9 @@ EOF
#--------------- #---------------
# gnome-initial-setup # gnome-initial-setup
> "$sysroot"/usr/share/gnome-initial-setup/vendor.conf if [[ -f "$sysroot"/usr/share/gnome-initial-setup/vendor.conf ]]; then
> "$sysroot"/usr/share/gnome-initial-setup/vendor.conf
fi
#--------------- #---------------
# LVM # LVM
@ -465,37 +479,32 @@ rm -f "$sysroot"/etc/systemd/system/multi-user.target.wants/dnf-makecache.timer
# network-online.target # network-online.target
rm -fr "$sysroot"/etc/systemd/system/network-online.target.wants rm -fr "$sysroot"/etc/systemd/system/network-online.target.wants
#---------------
# rsyslog link
rm -fr "$sysroot"/etc/systemd/system/syslog.service
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# selinux # selinux
#sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config #sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux"
chroot "$sysroot" semanage fcontext -a -e /etc /cfg chroot "$sysroot" semanage fcontext -a -e /etc /cfg
chroot "$sysroot" semanage fcontext -a -e /etc /usr/share/factory/cfg cp "$CURDIR"/FedoraBook.te "$CURDIR"/FedoraBook.fc "$sysroot"/var/tmp
chroot "$sysroot" semanage fcontext -a -e /var /usr/share/factory/var
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/lib/passwd
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/lib/group
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/lib/shadow
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/lib/gshadow
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/db/passwd.db
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/db/group.db
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/db/shadow.db
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/db/gshadow.db
cp "$CURDIR"/FedoraBook.te "$sysroot"/var/tmp
chroot "$sysroot" bash -c "cd /var/tmp; make -f /usr/share/selinux/devel/Makefile; semodule -i FedoraBook.pp" chroot "$sysroot" bash -c "cd /var/tmp; make -f /usr/share/selinux/devel/Makefile; semodule -i FedoraBook.pp"
chroot "$sysroot" restorecon -m -v -F -R /usr /etc || :
rm -fr "$sysroot"/var/lib/selinux rm -fr "$sysroot"/var/lib/selinux
#--------------- #---------------
# var # var
rm -fr "$sysroot"//usr/lib/fontconfig/cache
rm -fr "$sysroot"/var/lib/rpm rm -fr "$sysroot"/var/lib/rpm
rm -fr "$sysroot"/var/lib/sepolgen
rm -fr "$sysroot"/var/lib/dnf
rm -fr "$sysroot"/var/lib/flatpak/repo/tmp
rm -fr "$sysroot"/var/log/dnf* rm -fr "$sysroot"/var/log/dnf*
rm -fr "$sysroot"/var/cache/*/* rm -fr "$sysroot"/var/cache/*/*
rm -fr "$sysroot"/var/tmp/* rm -fr "$sysroot"/var/tmp/*
mv "$sysroot"/lib/tmpfiles.d/var.conf "$sysroot"/lib/tmpfiles.d-var.conf mv "$sysroot"/lib/tmpfiles.d/var.conf "$sysroot"/lib/tmpfiles.d-var.conf
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i " -r -q /lib/tmpfiles.d && ! grep " $i " -q /lib/tmpfiles.d-var.conf && rm -vfr --one-file-system "$i" ; done; :' chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i " -r -q /lib/tmpfiles.d && ! grep " $i " -q /lib/tmpfiles.d-var.conf && rm -vfr --one-file-system "$i" ; done; :'
cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/ cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
rm -fr "$sysroot"/usr/share/factory/var/{run,lock} rm -f "$sysroot"/usr/share/factory/var/{run,lock}
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :' chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :'
echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf
@ -515,12 +524,15 @@ fi
rm -fr "$sysroot"/{boot,root} rm -fr "$sysroot"/{boot,root}
ln -sfnr "$sysroot"/var/roothome "$sysroot"/root ln -sfnr "$sysroot"/var/roothome "$sysroot"/root
mkdir "$sysroot"/efi
rm -fr "$sysroot"/var rm -fr "$sysroot"/var
rm -fr "$sysroot"/home rm -fr "$sysroot"/home
rm -f "$sysroot"/etc/yum.repos.d/* rm -f "$sysroot"/etc/yum.repos.d/*
mkdir -p "$sysroot"/{var,home,cfg} mkdir -p "$sysroot"/{var,home,cfg,net,efi}
chroot "$sysroot" restorecon -F -v /var /home /cfg /efi|| : ln -sfnr "$sysroot"/run "$sysroot"/var/run
ln -sfnr "$sysroot"/run/lock "$sysroot"/var/lock
chroot "$sysroot" restorecon -m -v -F -R /usr /etc /var
chroot "$sysroot" restorecon -m -v -F /cfg /efi /home /net /root
for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run}; do for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run}; do
[[ -d "$i" ]] && mountpoint -q "$i" && umount "$i" [[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"