SELINUX=1 enforcing
parent
f05fdad33b
commit
a5f5c4385e
9
FedoraBook.fc
Normal file
9
FedoraBook.fc
Normal file
|
@ -0,0 +1,9 @@
|
|||
/usr/lib/shadow -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/usr/lib/gshadow -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/usr/db/shadow.db -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/usr/db/gshadow.db -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/usr/lib/passwd -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
/usr/lib/group -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
/usr/db/passwd.db -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
/usr/db/group.db -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
/var/run/gnome-initial-setup(/.*)? -- gen_context(system_u:object_r:xdm_var_run_t,s0)
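Review bot: The `--` in the `/var/run/gnome-initial-setup(/.*)?` spec limits it to regular files, so the directory itself never receives `xdm_var_run_t` from this module; drop the type field (`/var/run/gnome-initial-setup(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)`) or add a separate `-d` entry for the directory. Fedora's base policy also maps `/var/run` to `/run` through file_contexts.subs_dist, so a spec written under `/var/run` may never be consulted at lookup time; writing it as `/run/gnome-initial-setup(/.*)?` avoids depending on that substitution. The eight passwd/shadow contexts here are additionally added with `semanage fcontext -a` in the build script hunk below, so one of the two definitions is redundant and the pair can drift apart; keeping only the `.fc` entries is the simpler option.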
|
|
@ -3,22 +3,38 @@ module FedoraBook 1.0;
|
|||
|
||||
require {
|
||||
type accountsd_t;
|
||||
type shadow_t;
|
||||
type system_dbusd_t;
|
||||
type init_var_run_t;
|
||||
type useradd_t;
|
||||
type auditd_t;
|
||||
type default_t;
|
||||
type geoclue_t;
|
||||
type geoclue_tmp_t;
|
||||
type unlabeled_t;
|
||||
type init_t;
|
||||
type init_exec_t;
|
||||
type init_var_run_t;
|
||||
type lib_t;
|
||||
type machineid_t;
|
||||
type security_t;
|
||||
type semanage_store_t;
|
||||
type shadow_t;
|
||||
type system_dbusd_t;
|
||||
type system_dbusd_var_run_t;
|
||||
type systemd_gpt_generator_t;
|
||||
type systemd_tmpfiles_t;
|
||||
type unconfined_t;
|
||||
type unlabeled_t;
|
||||
type useradd_t;
|
||||
type var_lib_t;
|
||||
type var_run_t;
|
||||
type xdm_t;
|
||||
class dir { add_name write read setattr };
|
||||
class file { execute getattr setattr map read open relabelto write create };
|
||||
class sock_file { read };
|
||||
class lnk_file read;
|
||||
class file { execute getattr map };
|
||||
class dir { add_name write };
|
||||
class security setenforce;
|
||||
class service stop;
|
||||
class system { reload status stop };
|
||||
}
|
||||
|
||||
#============= accountsd_t ==============
|
||||
|
||||
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
|
||||
allow accountsd_t shadow_t:file map;
|
||||
|
||||
#============= geoclue_t ==============
|
||||
|
@ -29,6 +45,27 @@ allow system_dbusd_t init_var_run_t:lnk_file read;
|
|||
|
||||
#============= systemd_tmpfiles_t ==============
|
||||
allow systemd_tmpfiles_t shadow_t:file getattr;
|
||||
allow systemd_tmpfiles_t shadow_t:file read;
|
||||
allow systemd_tmpfiles_t shadow_t:file open;
|
||||
allow systemd_tmpfiles_t shadow_t:file relabelto;
|
||||
|
||||
#============= useradd_t ==============
|
||||
allow useradd_t unlabeled_t:dir { add_name write };
|
||||
|
||||
#============= init_t ==============
|
||||
allow init_t var_lib_t:dir setattr;
|
||||
allow init_t system_dbusd_var_run_t:sock_file read;
|
||||
allow init_t security_t:security setenforce;
|
||||
allow init_t semanage_store_t:file map;
|
||||
allow init_t machineid_t:file { create write relabelto read setattr open };
|
||||
|
||||
#============= xdm_t ==============
|
||||
allow xdm_t var_run_t:dir setattr;
|
||||
allow xdm_t lib_t:service stop;
|
||||
allow xdm_t unconfined_t:system { reload status stop };
|
||||
|
||||
#============= systemd_gpt_generator_t ==============
|
||||
allow systemd_gpt_generator_t default_t:dir read;
|
||||
|
||||
#============= auditd_t ==============
|
||||
allow auditd_t init_var_run_t:lnk_file read;
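Review bot: `allow init_t security_t:security setenforce;` (together with `class security setenforce;` in the require block) lets the init domain switch enforcement off at runtime, which works against the commit's goal of booting enforcing; since the `setenforce 0` call is removed from pre-pivot.sh in this same commit, the rule appears to have no remaining caller and can be dropped unless something else in the image still needs it. The rules on `unlabeled_t`, `default_t` and `lib_t:service stop` read like audit2allow output for mislabeled paths; fixing the labels (which the new FedoraBook.fc and the restorecon calls are meant to do) is preferable to permanently allowing access to mislabeled objects. The `require` block declares `shadow_t`, `system_dbusd_t`, `init_var_run_t`, `unlabeled_t` and `useradd_t` twice and the `dir` and `file` classes twice; whether or not checkmodule tolerates that, the list should be deduplicated and the permission sets merged. A one-line comment above each allow naming the boot-time denial it resolves would make later pruning of this module feasible.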
|
||||
|
|
|
@ -55,7 +55,6 @@ All configurable files have been whitelisted and moved to /cfg.
|
|||
- support more clevis pins and mixed pins
|
||||
- firmware update
|
||||
- option to always clean data disk on boot
|
||||
- selinux?
|
||||
|
||||
## Complete / What works already?
|
||||
- boot from single efi binary
|
||||
|
@ -65,6 +64,7 @@ All configurable files have been whitelisted and moved to /cfg.
|
|||
- swap on LUKS2 with tpm2 (no password for resume from disk??)
|
||||
- /home /cfg and /var on single data partition
|
||||
- Secure Boot
|
||||
- selinux
|
||||
|
||||
## Known Failures
|
||||
- no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 )
|
||||
|
|
25
pre-pivot.sh
25
pre-pivot.sh
|
@ -115,19 +115,40 @@ for i in var home cfg; do
|
|||
if ! [[ -d /run/initramfs/mnt/$i ]]; then
|
||||
mkdir /run/initramfs/mnt/$i
|
||||
FIRST_TIME=1
|
||||
elif [[ -f /run/initramfs/mnt/$i/.autorelabel ]]; then
|
||||
RELABEL=1
|
||||
fi
|
||||
done
|
||||
|
||||
mount -o bind /run/initramfs/mnt/var /sysroot/var
|
||||
mount -o bind /run/initramfs/mnt/home /sysroot/home
|
||||
mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
|
||||
umount -l /run/initramfs/mnt
|
||||
umount -l /run/initramfs/mnt &>/dev/null
|
||||
|
||||
if [[ $FIRST_TIME ]]; then
|
||||
mount -o bind /sys /sysroot/sys
|
||||
mount -t selinuxfs none /sysroot/sys/fs/selinux
|
||||
chroot /sysroot bash -c 'LANG=C; /usr/sbin/load_policy -i; setenforce 0; /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc ; /usr/sbin/restorecon -m -vvvvv -F -R /cfg /var'
|
||||
chroot /sysroot bash -c '
|
||||
/usr/sbin/load_policy -i
|
||||
/sbin/restorecon -m -F -v /cfg /var /home
|
||||
'
|
||||
umount /sysroot/sys/fs/selinux
|
||||
umount /sysroot/sys
|
||||
fi
|
||||
|
||||
if [[ $RELABEL ]]; then
|
||||
mount -o bind /sys /sysroot/sys
|
||||
mount -t selinuxfs none /sysroot/sys/fs/selinux
|
||||
chroot /sysroot bash -c '
|
||||
/usr/sbin/load_policy -i
|
||||
for i in var home cfg; do
|
||||
[[ -e /$i/.autorelabel ]] || continue
|
||||
rm -f /$i/.autorelabel
|
||||
/sbin/restorecon -m -F -v -R /$i
|
||||
done
|
||||
' 2>&1 | vwarn
|
||||
umount /sysroot/sys/fs/selinux
|
||||
umount /sysroot/sys
|
||||
fi
|
||||
|
||||
:
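Review bot: In the relabel block, `rm -f /$i/.autorelabel` runs before `restorecon`, so if restorecon fails or the boot is interrupted the marker is gone and the partition stays mislabeled on every later enforcing boot; reorder to `/sbin/restorecon -m -F -v -R /$i && rm -f /$i/.autorelabel`. Nothing checks `load_policy -i` in either chroot block; if it fails, the following restorecon runs with no policy loaded, so `/usr/sbin/load_policy -i || exit 1` would surface that through the existing `| vwarn` on the relabel block. The first-time block dropped the `-R` that the replaced command had, so only the three mount points themselves are relabeled; that is fine if they are still empty at this point, otherwise `-R` is needed. The two blocks repeat the same selinuxfs mount and unmount sequence and could share one function.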
|
|
@ -150,7 +150,7 @@ trap '
|
|||
# clean up after ourselves no matter how we die.
|
||||
trap 'exit 1;' SIGINT
|
||||
|
||||
setenforce 0
|
||||
#setenforce 0
|
||||
|
||||
if ! [[ -f "${BASEDIR}"/linuxx64.efi.stub ]]; then
|
||||
cp /lib/systemd/boot/efi/linuxx64.efi.stub "${BASEDIR}"/linuxx64.efi.stub
|
||||
|
@ -170,8 +170,9 @@ chmod 0000 "$sysroot"/etc/{shadow,gshadow}
|
|||
|
||||
mkdir -p "$sysroot"/{dev,proc,sys,run}
|
||||
mount -o bind /proc "$sysroot/proc"
|
||||
#mount -o bind /run "$sysroot/run"
|
||||
mount -o bind /run "$sysroot/run"
|
||||
mount -o bind /sys "$sysroot/sys"
|
||||
mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux"
|
||||
mount -t devtmpfs devtmpfs "$sysroot/dev"
|
||||
|
||||
mkdir -p "$sysroot"/var/cache/dnf
|
||||
|
@ -227,6 +228,7 @@ dnf -v --nogpgcheck \
|
|||
selinux-policy-devel \
|
||||
libselinux-utils \
|
||||
audit \
|
||||
dosfstools \
|
||||
$PKGLIST
|
||||
|
||||
for i in passwd shadow group gshadow subuid subgid; do
|
||||
|
@ -281,7 +283,7 @@ chroot "$sysroot" \
|
|||
--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
|
||||
--install "cryptsetup tail sort pwmake mktemp swapon" \
|
||||
--install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
|
||||
--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
|
||||
--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership chcon sleep" \
|
||||
--include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/80-pre-pivot.sh \
|
||||
--install /usr/lib/systemd/system/clevis-luks-askpass.path \
|
||||
--install /usr/lib/systemd/system/clevis-luks-askpass.service \
|
||||
|
@ -319,10 +321,6 @@ done
|
|||
# timesync
|
||||
ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
|
||||
|
||||
#---------------
|
||||
# dbus-broker
|
||||
ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/systemd/system/dbus.service
|
||||
|
||||
#---------------
|
||||
# ssh
|
||||
if [[ -d "$sysroot"/etc/ssh ]]; then
|
||||
|
@ -395,6 +393,9 @@ sed -i -e 's#/etc/adjtime#/cfg/adjtime#g;s#/etc/localtime#/cfg/localtime#g;s#/et
|
|||
"$sysroot"/usr/lib/systemd/systemd-timedated \
|
||||
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so \
|
||||
"$sysroot"/usr/lib/systemd/systemd \
|
||||
"$sysroot"/usr/bin/systemd-machine-id-setup \
|
||||
"$sysroot"/usr/bin/systemd-firstboot \
|
||||
"$sysroot"/usr/lib/systemd/system/systemd-machine-id-commit.service \
|
||||
"$sysroot"/lib*/libc.so.*
|
||||
|
||||
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \
|
||||
|
@ -402,11 +403,22 @@ sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/cfg#g' \
|
|||
"$sysroot"/lib/systemd/system/systemd-timedated.service \
|
||||
"$sysroot"/lib/systemd/system/systemd-hostnamed.service
|
||||
|
||||
#cat > "$sysroot"/lib/systemd/system-generators/machine-id <<EOF
|
||||
##!/bin/bash -x
|
||||
#/sbin/restorecon -m -F -v /cfg /var /home /cfg/machine-id /var/run /var/lock
|
||||
#exit 0
|
||||
#EOF
|
||||
#chmod a+x "$sysroot"/lib/systemd/system-generators/machine-id
|
||||
|
||||
cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF
|
||||
C /cfg/vconsole.conf - - - - -
|
||||
C /cfg/locale.conf - - - - -
|
||||
C /cfg/localtime - - - - -
|
||||
C /cfg/adjtime - - - - -
|
||||
z /home - - - - -
|
||||
z /cfg - - - - -
|
||||
z /cfg/machine-id 0444 - - - -
|
||||
z /var - - - - -
|
||||
EOF
|
||||
|
||||
#---------------
|
||||
|
@ -450,7 +462,9 @@ EOF
|
|||
|
||||
#---------------
|
||||
# gnome-initial-setup
|
||||
> "$sysroot"/usr/share/gnome-initial-setup/vendor.conf
|
||||
if [[ -f "$sysroot"/usr/share/gnome-initial-setup/vendor.conf ]]; then
|
||||
> "$sysroot"/usr/share/gnome-initial-setup/vendor.conf
|
||||
fi
|
||||
|
||||
#---------------
|
||||
# LVM
|
||||
|
@ -465,37 +479,32 @@ rm -f "$sysroot"/etc/systemd/system/multi-user.target.wants/dnf-makecache.timer
|
|||
# network-online.target
|
||||
rm -fr "$sysroot"/etc/systemd/system/network-online.target.wants
|
||||
|
||||
#---------------
|
||||
# rsyslog link
|
||||
rm -fr "$sysroot"/etc/systemd/system/syslog.service
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# selinux
|
||||
#sed -i -e 's#^SELINUX=.*#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
|
||||
mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux"
|
||||
|
||||
chroot "$sysroot" semanage fcontext -a -e /etc /cfg
|
||||
chroot "$sysroot" semanage fcontext -a -e /etc /usr/share/factory/cfg
|
||||
chroot "$sysroot" semanage fcontext -a -e /var /usr/share/factory/var
|
||||
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/lib/passwd
|
||||
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/lib/group
|
||||
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/lib/shadow
|
||||
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/lib/gshadow
|
||||
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/db/passwd.db
|
||||
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t passwd_file_t /usr/db/group.db
|
||||
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/db/shadow.db
|
||||
chroot "$sysroot" semanage fcontext -a -s system_u -f f -t shadow_t /usr/db/gshadow.db
|
||||
cp "$CURDIR"/FedoraBook.te "$sysroot"/var/tmp
|
||||
cp "$CURDIR"/FedoraBook.te "$CURDIR"/FedoraBook.fc "$sysroot"/var/tmp
|
||||
chroot "$sysroot" bash -c "cd /var/tmp; make -f /usr/share/selinux/devel/Makefile; semodule -i FedoraBook.pp"
|
||||
chroot "$sysroot" restorecon -m -v -F -R /usr /etc || :
|
||||
rm -fr "$sysroot"/var/lib/selinux
|
||||
|
||||
#---------------
|
||||
# var
|
||||
rm -fr "$sysroot"//usr/lib/fontconfig/cache
|
||||
rm -fr "$sysroot"/var/lib/rpm
|
||||
rm -fr "$sysroot"/var/lib/sepolgen
|
||||
rm -fr "$sysroot"/var/lib/dnf
|
||||
rm -fr "$sysroot"/var/lib/flatpak/repo/tmp
|
||||
rm -fr "$sysroot"/var/log/dnf*
|
||||
rm -fr "$sysroot"/var/cache/*/*
|
||||
rm -fr "$sysroot"/var/tmp/*
|
||||
mv "$sysroot"/lib/tmpfiles.d/var.conf "$sysroot"/lib/tmpfiles.d-var.conf
|
||||
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i " -r -q /lib/tmpfiles.d && ! grep " $i " -q /lib/tmpfiles.d-var.conf && rm -vfr --one-file-system "$i" ; done; :'
|
||||
cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
|
||||
rm -fr "$sysroot"/usr/share/factory/var/{run,lock}
|
||||
rm -f "$sysroot"/usr/share/factory/var/{run,lock}
|
||||
|
||||
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done >> /usr/lib/tmpfiles.d/var-quirk.conf; :'
|
||||
echo 'C /var/mail - - - - -' >> "$sysroot"/usr/lib/tmpfiles.d/var-quirk.conf
|
||||
|
@ -515,12 +524,15 @@ fi
|
|||
|
||||
rm -fr "$sysroot"/{boot,root}
|
||||
ln -sfnr "$sysroot"/var/roothome "$sysroot"/root
|
||||
mkdir "$sysroot"/efi
|
||||
rm -fr "$sysroot"/var
|
||||
rm -fr "$sysroot"/home
|
||||
rm -f "$sysroot"/etc/yum.repos.d/*
|
||||
mkdir -p "$sysroot"/{var,home,cfg}
|
||||
chroot "$sysroot" restorecon -F -v /var /home /cfg /efi|| :
|
||||
mkdir -p "$sysroot"/{var,home,cfg,net,efi}
|
||||
ln -sfnr "$sysroot"/run "$sysroot"/var/run
|
||||
ln -sfnr "$sysroot"/run/lock "$sysroot"/var/lock
|
||||
|
||||
chroot "$sysroot" restorecon -m -v -F -R /usr /etc /var
|
||||
chroot "$sysroot" restorecon -m -v -F /cfg /efi /home /net /root
|
||||
|
||||
for i in "$sysroot"/{dev,sys/fs/selinux,sys,proc,run}; do
|
||||
[[ -d "$i" ]] && mountpoint -q "$i" && umount "$i"
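Review bot: The policy module build `chroot "$sysroot" bash -c "cd /var/tmp; make -f /usr/share/selinux/devel/Makefile; semodule -i FedoraBook.pp"` chains with `;`, so a failed `make` or `semodule -i` is ignored and the image goes on to boot enforcing without the FedoraBook rules; chain with `&&` or run the inner script under `set -e` so the build fails loudly. `mount -o bind /sys/fs/selinux "$sysroot/sys/fs/selinux"` now appears both in the hunk at -170 and again before the semanage calls; if both survive on the new side the mount is stacked twice, and the cleanup loop at the end unmounts `sys/fs/selinux` once, so `umount "$sysroot"/sys` is likely to fail as busy. `restorecon -m -v -F -R /usr /etc || :` swallows errors while the later `restorecon -m -v -F -R /usr /etc /var` does not; the two should agree. Bind-mounting the host `/run` into the chroot exposes host runtime sockets to package scriptlets run inside it; if the chroot only needs a writable `/run`, `mount -t tmpfs tmpfs "$sysroot/run"` is the safer choice. The enclosing script begins outside this page.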
|
||||
|
|