policy_module(rocketgit,1.0.119) ######################################## # # Declarations # gen_require(` # really needed httpd_log_t? type httpd_t; type httpd_log_t; type httpd_unit_file_t; type system_mail_t; type unconfined_t; role unconfined_r; type fs_t; type sshd_t; # next are for worker.sh #class dir mounton; #class filesystem { getattr mount unmount }; #class capability { setgid setuid sys_admin }; @@EXTRA_GEN_REQUIRE@@ ') # Without this I get: type=SELINUX_ERR msg=audit(1422396984.627:349803): \ # security_compute_sid: invalid context \ # unconfined_u:unconfined_r:rocketgit_t:s0-s0:c0.c1023 for \ # scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \ # tcontext=system_u:object_r:rocketgit_exec_t:s0 tclass=process role unconfined_r types rocketgit_t; type rocketgit_t; domain_type(rocketgit_t) # Allow crons to search in /var/lib - not clear why files_search_var_lib(rocketgit_t) # Allow rocketgit_t to manage .ssh/authorized_keys ssh_manage_home_files(rocketgit_t) type rocketgit_exec_t; domain_entry_file(rocketgit_t, rocketgit_exec_t) # When cron executes rocketgit_exec_t, we transition to rocketgit_t cron_system_entry(rocketgit_t, rocketgit_exec_t) # When running from inetd, transit to rocketgit_t. Seems that rocketgit_exec_t # is not enough. Why?! optional_policy(` inetd_tcp_service_domain(rocketgit_t, rocketgit_exec_t) ') # Force ssh to transition to rocketgit_t domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t) domain_auto_trans(sshd_t, rocketgit_exec_t, rocketgit_t) # Allow rocketgit_t to send sigchld to sshd, else: # type=AVC msg=audit(1478322111.327:1158923): avc: denied { sigchld } for pid=24506 comm="sshd" scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0 # Not sure if this is the best way. allow rocketgit_t sshd_t:process sigchld; # Allow events.php to manage /home/rocketgit/.ssh userdom_manage_user_home_content(rocketgit_t) # Allow PHP to read /proc/meminfo, probably other files # Seems a little bit too much. TODO kernel_read_system_state(rocketgit_t) dev_read_urand(rocketgit_t) # Allow rocketgit_t to execute flock. # Seems a little bit too much to allow all execution. TODO application_exec_all(rocketgit_t) # Allow rocketgit_t to use tcp sockets (webhooks) corenet_tcp_connect_all_ports(rocketgit_t) corenet_tcp_bind_all_ports(rocketgit_t) corenet_tcp_bind_all_nodes(rocketgit_t) ###allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt listen accept }; ###allow rocketgit_t unreserved_port_t:tcp_socket { name_bind getopt setopt }; ###allow rocketgit_t node_t:tcp_socket node_bind; sysnet_dns_name_resolve(rocketgit_t) # builder.php: #type=AVC msg=audit(1467841975.578:232307): avc: denied { listen } for pid=21318 comm="php" lport=65000 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1 #type=AVC msg=audit(1467841975.808:232308): avc: denied { dac_override } for pid=21319 comm="php" capability=1 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1 #type=AVC msg=audit(1467841975.809:232309): avc: denied { fowner } for pid=21319 comm="php" capability=3 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1 #type=AVC msg=audit(1467841975.809:232310): avc: denied { fsetid } for pid=21319 comm="php" capability=4 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=capability permissive=1 #type=AVC msg=audit(1467841975.949:232311): avc: denied { accept } for pid=21318 comm="php" lport=65000 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1 allow rocketgit_t self:capability { dac_override fowner fsetid }; allow rocketgit_t self:tcp_socket { accept listen }; # Allow basic access to net sysnet_read_config(rocketgit_t) sysnet_dns_name_resolve(rocketgit_t) # Probably to list owner of files auth_read_passwd(rocketgit_t) # php files type rocketgit_usr_t; files_type(rocketgit_usr_t) read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) list_dirs_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) read_files_pattern(httpd_t, rocketgit_usr_t, rocketgit_usr_t) # log files type rocketgit_log_t; files_type(rocketgit_log_t) manage_files_pattern(rocketgit_t, rocketgit_log_t, rocketgit_log_t) # Allow httpd(php-fpm) to create log files - note that it will run as # 'rocketgit' user. manage_files_pattern(httpd_t, rocketgit_log_t, rocketgit_log_t) logging_log_filetrans(rocketgit_t, rocketgit_log_t, file) # content (repos) type rocketgit_var_t; files_type(rocketgit_var_t) admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t) filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir }) read_files_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t) list_dirs_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t) # sockets type rocketgit_socket_t; files_type(rocketgit_socket_t) manage_sock_files_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t) filetrans_pattern(rocketgit_t, rocketgit_socket_t, rocketgit_socket_t, file) rw_sock_files_pattern(httpd_t, rocketgit_socket_t, rocketgit_socket_t) # Allow httpd to connect to _domain_ rocketgit_t for event.sock allow httpd_t rocketgit_t:unix_stream_socket connectto; # locks type rocketgit_lock_t; files_lock_file(rocketgit_lock_t) manage_files_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t) filetrans_pattern(rocketgit_t, rocketgit_lock_t, rocketgit_lock_t, file) # we need php-fpm to be able to take locks manage_files_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t) filetrans_pattern(httpd_t, rocketgit_lock_t, rocketgit_lock_t, file) # conf type rocketgit_conf_t; files_type(rocketgit_conf_t) read_files_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t) filetrans_pattern(rocketgit_t, rocketgit_conf_t, rocketgit_conf_t, file) read_files_pattern(httpd_t, rocketgit_conf_t, rocketgit_conf_t) # Permit PHP to use nscd socket optional_policy(` nscd_socket_use(rocketgit_t) ') # Allow connection to database postgresql_tcp_connect(rocketgit_t) postgresql_stream_connect(rocketgit_t) # mail mta_send_mail(rocketgit_t) # self allow rocketgit_t self:unix_stream_socket { connectto }; allow rocketgit_t self:process { setsched }; # PHP needs getattr to /var/lib files_getattr_var_lib_dirs(rocketgit_t) # We leak log and lock fds, ignore for now - not clear if 'dontaudit' = allow! TODO dontaudit system_mail_t rocketgit_lock_t:file { read write }; dontaudit system_mail_t rocketgit_log_t:file append; dontaudit system_mail_t rocketgit_usr_t:file read; # Seems that the opcode cache (php-opcache) needs write access to /tmp allow rocketgit_t tmp_t:dir { write remove_name add_name }; allow rocketgit_t tmp_t:file { write open create unlink setattr }; # Locale miscfiles_read_localization(rocketgit_t) # type=AVC msg=audit(1461494910.399:8020179): avc: denied { read } for pid=1667 comm="php" name="/" dev="tmpfs" ino=11809 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0 files_list_tmp(rocketgit_t) # Hugetlbfs (for opcache): # type=AVC msg=audit(1482069602.067:865): avc: denied { read write } for pid=2157 comm="php" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=26965 scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0 fs_rw_hugetlbfs_files(rocketgit_t) fs_exec_hugetlbfs_files(rocketgit_t) allow rocketgit_t self:process execmem; # worker.sh needs some rights type rocketgit_worker_t; domain_type(rocketgit_worker_t) optional_policy(` unconfined_domain(rocketgit_worker_t) ') role unconfined_r types rocketgit_worker_t; type rocketgit_worker_exec_t; domain_entry_file(rocketgit_worker_t, rocketgit_worker_exec_t) # When cron executes rocketgit_worker_t, we transition to rocketgit_worker_t cron_system_entry(rocketgit_worker_t, rocketgit_worker_exec_t) #allow rocketgit_t fs_t:filesystem { getattr mount unmount }; #allow rocketgit_t rocketgit_var_t:dir mounton; #allow rocketgit_t self:capability { setgid setuid }; #dev_list_sysfs(rocketgit_t) #dev_read_sysfs(rocketgit_t) #dev_read_rand(rocketgit_t) #dev_rw_loop_control(rocketgit_t) #kernel_setsched(rocketgit_t) #kernel_read_network_state(rocketgit_t) #virt_admin(rocketgit_t, unconfined_r) #mount_rw_pid_files(rocketgit_t) #storage_manage_fixed_disk(rocketgit_t) #files_manage_isid_type_dirs(rocketgit_t) #files_manage_isid_type_files(rocketgit_t) #files_manage_isid_type_symlinks(rocketgit_t) #userdom_read_admin_home_files(rocketgit_t) #miscfiles_read_hwdata(rocketgit_t)