SELINUX=1 enforcing

2018-09-20 07:24:26 +02:00 · 2018-09-20 07:24:26 +02:00 · a5f5c4385e
parent f05fdad33b
commit a5f5c4385e
5 changed files with 117 additions and 38 deletions
--- a/FedoraBook.fc
+++ b/FedoraBook.fc
@ -0,0 +1,9 @@
+/usr/lib/shadow	    	--	gen_context(system_u:object_r:shadow_t,s0)
+/usr/lib/gshadow		--	gen_context(system_u:object_r:shadow_t,s0)
+/usr/db/shadow.db		--	gen_context(system_u:object_r:shadow_t,s0)
+/usr/db/gshadow.db		--	gen_context(system_u:object_r:shadow_t,s0)
+/usr/lib/passwd	    	--	gen_context(system_u:object_r:passwd_file_t,s0)
+/usr/lib/group		--	gen_context(system_u:object_r:passwd_file_t,s0)
+/usr/db/passwd.db		--	gen_context(system_u:object_r:passwd_file_t,s0)
+/usr/db/group.db		--	gen_context(system_u:object_r:passwd_file_t,s0)
+/var/run/gnome-initial-setup(/.*)? -- gen_context(system_u:object_r:xdm_var_run_t,s0)
--- a/FedoraBook.te
+++ b/FedoraBook.te
@ -3,22 +3,38 @@ module FedoraBook 1.0;

 require {
 	type accountsd_t;
-	type shadow_t;
-	type system_dbusd_t;
-	type init_var_run_t;
-	type useradd_t;
+    type auditd_t;
+	type default_t;
 	type geoclue_t;
 	type geoclue_tmp_t;
-	type unlabeled_t;
+	type init_t;
+	type init_exec_t;
+	type init_var_run_t;
+	type lib_t;
+	type machineid_t;
+	type security_t;
+	type semanage_store_t;
+	type shadow_t;
+	type system_dbusd_t;
+	type system_dbusd_var_run_t;
+	type systemd_gpt_generator_t;
 	type systemd_tmpfiles_t;
+	type unconfined_t;
+	type unlabeled_t;
+	type useradd_t;
+	type var_lib_t;
+	type var_run_t;
+	type xdm_t;
+	class dir { add_name write read setattr };
+	class file { execute getattr setattr map read open relabelto write create };
+	class sock_file { read };
 	class lnk_file read;
-	class file { execute getattr map };
-	class dir { add_name write };
+	class security setenforce;
+	class service stop;
+	class system { reload status stop };
 }

 #============= accountsd_t ==============
-
-#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
 allow accountsd_t shadow_t:file map;

 #============= geoclue_t ==============
@ -29,6 +45,27 @@ allow system_dbusd_t init_var_run_t:lnk_file read;

 #============= systemd_tmpfiles_t ==============
 allow systemd_tmpfiles_t shadow_t:file getattr;
+allow systemd_tmpfiles_t shadow_t:file read;
+allow systemd_tmpfiles_t shadow_t:file open;
+allow systemd_tmpfiles_t shadow_t:file relabelto;

 #============= useradd_t ==============
 allow useradd_t unlabeled_t:dir { add_name write };
+
+#============= init_t ==============
+allow init_t var_lib_t:dir setattr;
+allow init_t system_dbusd_var_run_t:sock_file read;
+allow init_t security_t:security setenforce;
+allow init_t semanage_store_t:file map;
+allow init_t machineid_t:file { create write relabelto read setattr open };
+
+#============= xdm_t ==============
+allow xdm_t var_run_t:dir setattr;
+allow xdm_t lib_t:service stop;
+allow xdm_t unconfined_t:system { reload status stop };
+
+#============= systemd_gpt_generator_t ==============
+allow systemd_gpt_generator_t default_t:dir read;
+
+#============= auditd_t ==============
+allow auditd_t init_var_run_t:lnk_file read;
--- a/README.md
+++ b/README.md
@ -55,7 +55,6 @@ All configurable files have been whitelisted and moved to /cfg.
 - support more clevis pins and mixed pins
 - firmware update
 - option to always clean data disk on boot
- selinux?

 ## Complete / What works already?
 - boot from single efi binary
@ -65,6 +64,7 @@ All configurable files have been whitelisted and moved to /cfg.
 - swap on LUKS2 with tpm2 (no password for resume from disk??)
 - /home /cfg and /var on single data partition
 - Secure Boot
+- selinux

 ## Known Failures
 - no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 )
--- a/pre-pivot.sh
+++ b/pre-pivot.sh
@ -115,19 +115,40 @@ for i in var home cfg; do
    if ! [[ -d /run/initramfs/mnt/$i ]]; then
        mkdir /run/initramfs/mnt/$i
        FIRST_TIME=1
+    elif [[ -f /run/initramfs/mnt/$i/.autorelabel ]]; then
+        RELABEL=1
    fi
 done

 mount -o bind /run/initramfs/mnt/var /sysroot/var
 mount -o bind /run/initramfs/mnt/home /sysroot/home
 mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
-umount -l /run/initramfs/mnt
+umount -l /run/initramfs/mnt &>/dev/null

 if [[ $FIRST_TIME ]]; then
    mount -o bind /sys /sysroot/sys
    mount -t selinuxfs none /sysroot/sys/fs/selinux
-    chroot /sysroot bash -c 'LANG=C; /usr/sbin/load_policy -i; setenforce 0; /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc ; /usr/sbin/restorecon -m -vvvvv -F -R /cfg /var'
+    chroot /sysroot bash -c '
+/usr/sbin/load_policy -i
+/sbin/restorecon -m -F -v /cfg /var /home
+'
    umount /sysroot/sys/fs/selinux
    umount /sysroot/sys
 fi

+if [[ $RELABEL ]]; then
+    mount -o bind /sys /sysroot/sys
+    mount -t selinuxfs none /sysroot/sys/fs/selinux
+    chroot /sysroot bash -c '
+/usr/sbin/load_policy -i
+for i in var home cfg; do
+    [[ -e /$i/.autorelabel ]] || continue
+    rm -f /$i/.autorelabel
+    /sbin/restorecon -m -F -v -R /$i
+done
+' 2>&1 | vwarn
+    umount /sysroot/sys/fs/selinux
+    umount /sysroot/sys
+fi
+
+:
--- a/prepare-root.sh
+++ b/prepare-root.sh
@ -150,7 +150,7 @@ trap '
 # clean up after ourselves no matter how we die.
 trap 'exit 1;' SIGINT

-setenforce 0
+#setenforce 0

 if ! [[ -f "${BASEDIR}"/linuxx64.efi.stub ]]; then
    cp /lib/systemd/boot/efi/linuxx64.efi.stub "${BASEDIR}"/linuxx64.efi.stub
@ -170,8 +170,9 @@ chmod 0000 "$sysroot"/etc/{shadow,gshadow}

 mkdir -p "$sysroot"/{dev,proc,sys,run}
 mount -o bind /proc "$sysroot/proc"
-#mount -o bind /run "$sysroot/run"
+mount -o bind /run "$sysroot/run"
 mount -o bind /sys "$sysroot/sys"
+mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux"
 mount -t devtmpfs devtmpfs "$sysroot/dev"

 mkdir -p "$sysroot"/var/cache/dnf
@ -227,6 +228,7 @@ dnf -v --nogpgcheck \
    selinux-policy-devel \
    libselinux-utils \
    audit \
+    dosfstools \
    $PKGLIST

 for i in passwd shadow group gshadow subuid subgid; do
@ -281,7 +283,7 @@ chroot  "$sysroot" \
 	--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2"  \
 	--install "cryptsetup tail sort pwmake mktemp swapon" \
 	--install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
-	--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
+	--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership chcon sleep" \
 	--include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/80-pre-pivot.sh \
 	--install /usr/lib/systemd/system/clevis-luks-askpass.path \
 	--install /usr/lib/systemd/system/clevis-luks-askpass.service \
@ -319,10 +321,6 @@ done
 # timesync
 ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service

-#---------------
-# dbus-broker
-ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/systemd/system/dbus.service
-
 #---------------
 # ssh
 if [[ -d "$sysroot"/etc/ssh ]]; then
@ -395,6 +393,9 @@ sed -i -e 's#/etc/adjtime#/cfg/adjtime#g;s#/etc/localtime#/cfg/localtime#g;s#/et
    "$sysroot"/usr/lib/systemd/systemd-timedated \
    "$sysroot"/usr/lib/systemd/libsystemd-shared*.so \
    "$sysroot"/usr/lib/systemd/systemd \
+    "$sysroot"/usr/bin/systemd-machine-id-setup \
+    "$sysroot"/usr/bin/systemd-firstboot \
+    "$sysroot"/usr/lib/systemd/system/systemd-machine-id-commit.service \
    "$sysroot"/lib*/libc.so.*

 sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \
@ -402,11 +403,22 @@ sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \
    "$sysroot"/lib/systemd/system/systemd-timedated.service \
    "$sysroot"/lib/systemd/system/systemd-hostnamed.service

+#cat > "$sysroot"/lib/systemd/system-generators/machine-id <<EOF
+##!/bin/bash -x
+#/sbin/restorecon -m -F -v /cfg /var /home /cfg/machine-id /var/run /var/lock
+#exit 0
+#EOF
+#chmod a+x "$sysroot"/lib/systemd/system-generators/machine-id
+
 cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF
 C /cfg/vconsole.conf - - - - -
 C /cfg/locale.conf - - - - -
 C /cfg/localtime - - - - -
 C /cfg/adjtime - - - - -
+z /home - - - - -
+z /cfg - - - - -
+z /cfg/machine-id 0444 - - - -
+z /var - - - - -
 EOF

 #---------------
@ -450,7 +462,9 @@ EOF

 #---------------
 # gnome-initial-setup
+if [[ -f "$sysroot"/usr/share/gnome-initial-setup/vendor.conf ]]; then
    > "$sysroot"/usr/share/gnome-initial-setup/vendor.conf
+fi

 #---------------
 # LVM
@ -465,37 +479,32 @@ rm -f "$sysroot"/etc/systemd/system/multi-user.target.wants/dnf-makecache.timer
 # network-online.target
 rm -fr "$sysroot"/etc/systemd/system/network-online.target.wants

+#---------------
+# rsyslog link
+rm -fr "$sysroot"/etc/systemd/system/syslog.service
+
 # ------------------------------------------------------------------------------
 # selinux
 #sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
-mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux"
-
 chroot "$sysroot" semanage fcontext -a -e /etc /cfg
-chroot "$sysroot" semanage fcontext -a -e /etc /usr/share/factory/cfg
-chroot "$sysroot" semanage fcontext -a -e /var /usr/share/factory/var
-chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/lib/passwd
-chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/lib/group
-chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/lib/shadow
-chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/lib/gshadow
-chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/db/passwd.db
-chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/db/group.db
-chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/db/shadow.db
-chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/db/gshadow.db
-cp "$CURDIR"/FedoraBook.te "$sysroot"/var/tmp
+cp "$CURDIR"/FedoraBook.te "$CURDIR"/FedoraBook.fc "$sysroot"/var/tmp
 chroot "$sysroot" bash -c "cd /var/tmp; make -f  /usr/share/selinux/devel/Makefile; semodule -i FedoraBook.pp"
-chroot "$sysroot" restorecon -m -v -F -R /usr /etc || :
 rm -fr "$sysroot"/var/lib/selinux

 #---------------
 # var
+rm -fr "$sysroot"//usr/lib/fontconfig/cache
 rm -fr "$sysroot"/var/lib/rpm
+rm -fr "$sysroot"/var/lib/sepolgen
+rm -fr "$sysroot"/var/lib/dnf
+rm -fr "$sysroot"/var/lib/flatpak/repo/tmp
 rm -fr "$sysroot"/var/log/dnf*
 rm -fr "$sysroot"/var/cache/*/*
 rm -fr "$sysroot"/var/tmp/*
 mv "$sysroot"/lib/tmpfiles.d/var.conf "$sysroot"/lib/tmpfiles.d-var.conf
 chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i " -r -q /lib/tmpfiles.d && ! grep " $i " -q /lib/tmpfiles.d-var.conf && rm -vfr --one-file-system "$i" ; done; :'
 cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
-rm -fr "$sysroot"/usr/share/factory/var/{run,lock}
+rm -f "$sysroot"/usr/share/factory/var/{run,lock}

 chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :'
 echo 'C /var/mail - - - - -' >>  "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf
@ -515,12 +524,15 @@ fi

 rm -fr "$sysroot"/{boot,root}
 ln -sfnr "$sysroot"/var/roothome "$sysroot"/root
-mkdir "$sysroot"/efi
 rm -fr "$sysroot"/var
 rm -fr "$sysroot"/home
 rm -f "$sysroot"/etc/yum.repos.d/*
-mkdir -p "$sysroot"/{var,home,cfg}
-chroot "$sysroot" restorecon -F -v /var /home /cfg /efi|| :
+mkdir -p "$sysroot"/{var,home,cfg,net,efi}
+ln -sfnr "$sysroot"/run "$sysroot"/var/run
+ln -sfnr "$sysroot"/run/lock "$sysroot"/var/lock
+
+chroot "$sysroot" restorecon -m -v -F -R /usr /etc /var
+chroot "$sysroot" restorecon -m -v -F /cfg /efi /home /net /root

 for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run}; do
    [[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"