From 3417166af2012e479a5b58542fae6707658fde42 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Fri, 22 Oct 2021 17:13:24 -0400
Subject: [PATCH 1/7] SELinux fixes, mostly for Kubernetes support

---
 packaging/rpm/ondemand-selinux.te | 33 +++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/packaging/rpm/ondemand-selinux.te b/packaging/rpm/ondemand-selinux.te
index 6db0aea315..4296263c38 100644
--- a/packaging/rpm/ondemand-selinux.te
+++ b/packaging/rpm/ondemand-selinux.te
@@ -201,6 +201,39 @@ tunable_policy(`ondemand_use_slurm',`
     corenet_tcp_connect_generic_port(ood_pun_t)
     # Access munge socket
     allow ood_pun_t var_run_t:sock_file { getattr write };
+    # SLURM commands like squeue
+    allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms };
+')
+
+##

+## Allow OnDemand to use Kubernetes +##

+##
+gen_tunable(ondemand_use_kubernetes, false)
+
+tunable_policy(`ondemand_use_kubernetes',`
+    # Access /root/.kube
+    allow ood_pun_t admin_home_t:dir { add_name remove_name write };
+    allow ood_pun_t admin_home_t:file { create open read rename setattr unlink write };
+    # Needed to execute sudo for kubectl
+    allow ood_pun_t self:capability { setuid setgid sys_resource };
+    allow ood_pun_t self:process { setrlimit setsched };
+    allow ood_pun_t self:key write;
+    allow ood_pun_t self:passwd { passwd rootok };
+    auth_exec_chkpwd(ood_pun_t)
+    auth_rw_lastlog(ood_pun_t)
+    auth_rw_faillog(ood_pun_t)
+    systemd_write_inherited_logind_sessions_pipes(ood_pun_t)
+    systemd_dbus_chat_logind(ood_pun_t)
+    #allow ood_pun_t initrc_var_run_t:file { lock open read };
+    #allow ood_pun_t self:capability audit_write;
+    #allow ood_pun_t self:process setrlimit;
+    # Needed to execute kubectl
+    allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_relay };
+    corenet_tcp_connect_generic_port(ood_pun_t)
+    # Neded for /usr/local/bin/kubectl location
+    allow ood_pun_t usr_t:file { execute execute_no_trans };
 ')
 
 ##

From f90ac725f03bfb324bb7d0e329b04f8f314c51da Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Fri, 22 Oct 2021 17:27:52 -0400
Subject: [PATCH 2/7] Further refine kubernetes allowances

---
 packaging/rpm/ondemand-selinux.te | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/packaging/rpm/ondemand-selinux.te b/packaging/rpm/ondemand-selinux.te
index 4296263c38..2ca52a57e9 100644
--- a/packaging/rpm/ondemand-selinux.te
+++ b/packaging/rpm/ondemand-selinux.te
@@ -14,7 +14,12 @@ require {
     type net_conf_t;
     type krb5_conf_t;
     type sssd_var_run_t;
+    type admin_home_t;
+    type usr_t;
+    type initrc_var_run_t;
     class dbus send_msg;
+    class passwd rootok;
+    class passwd passwd;
 }
 
 # Define custom types
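Review bot: The two `admin_home_t` rules in the new `ondemand_use_kubernetes` block give `ood_pun_t` add_name/remove_name/write on directories and create/rename/unlink/write on files across all of root's home, not just the `/root/.kube` the comment names; a dedicated file context for the kube config directory would keep the grant to the path actually used. The same block attaches `setuid setgid`, `self:passwd { passwd rootok }` and chkpwd execution to the per-user web domain itself, so everything sudo needs accrues to `ood_pun_t` rather than to a domain it transitions into, which appears to be the root of most later additions in this series. `allow ood_pun_t usr_t:file { execute execute_no_trans };` lets any file carrying the default /usr label run inside the PUN domain, far broader than the single kubectl binary the comment describes (and `Neded` is a typo).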
@@ -217,20 +222,21 @@ tunable_policy(`ondemand_use_kubernetes',`
     allow ood_pun_t admin_home_t:dir { add_name remove_name write };
     allow ood_pun_t admin_home_t:file { create open read rename setattr unlink write };
     # Needed to execute sudo for kubectl
-    allow ood_pun_t self:capability { setuid setgid sys_resource };
+    allow ood_pun_t self:capability { setuid setgid sys_resource audit_write };
     allow ood_pun_t self:process { setrlimit setsched };
     allow ood_pun_t self:key write;
     allow ood_pun_t self:passwd { passwd rootok };
+    sudo_exec(ood_pun_t)
     auth_exec_chkpwd(ood_pun_t)
+    auth_domtrans_chkpwd(ood_pun_t)
     auth_rw_lastlog(ood_pun_t)
     auth_rw_faillog(ood_pun_t)
     systemd_write_inherited_logind_sessions_pipes(ood_pun_t)
     systemd_dbus_chat_logind(ood_pun_t)
-    #allow ood_pun_t initrc_var_run_t:file { lock open read };
-    #allow ood_pun_t self:capability audit_write;
-    #allow ood_pun_t self:process setrlimit;
+    allow ood_pun_t initrc_var_run_t:file { lock open read };
     # Needed to execute kubectl
-    allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_relay };
+    allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms };
+    allow ood_pun_t self:netlink_audit_socket { create nlmsg_relay };
     corenet_tcp_connect_generic_port(ood_pun_t)
     # Neded for /usr/local/bin/kubectl location
     allow ood_pun_t usr_t:file { execute execute_no_trans };

From 88fe9bb3c7f9f90f40c97d69c164ce4cfc97d0e0 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Sat, 23 Oct 2021 11:47:29 -0400
Subject: [PATCH 3/7] More Kubernetes tuning

---
 packaging/rpm/ondemand-selinux.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packaging/rpm/ondemand-selinux.te b/packaging/rpm/ondemand-selinux.te
index 2ca52a57e9..665419bc80 100644
--- a/packaging/rpm/ondemand-selinux.te
+++ b/packaging/rpm/ondemand-selinux.te
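Review bot: `sudo_exec(ood_pun_t)` runs sudo with no domain transition, which is why this hunk has to give `ood_pun_t` itself `audit_write`, `netlink_audit_socket { create nlmsg_relay }` and `initrc_var_run_t` reads; confining that path in a derived domain (the reference policy's `sudo_role_template()` exists for exactly this) would keep those privileges off the web-facing per-user process. With `auth_domtrans_chkpwd(ood_pun_t)` added, the `auth_exec_chkpwd(ood_pun_t)` line directly above it should be redundant and is worth dropping so unix_chkpwd only ever runs in its own domain. The patch 3 hunk then gives the same domain a direct shadow read via `auth_tunable_read_shadow`, presumably because sudo's PAM stack runs as root inside `ood_pun_t`, which is the same underlying problem rather than a separate one. A short comment on each of these lines recording the denial it answers would let a later maintainer retire them; the enclosing `tunable_policy` block closes outside this hunk.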
@@ -229,6 +229,7 @@ tunable_policy(`ondemand_use_kubernetes',`
     sudo_exec(ood_pun_t)
     auth_exec_chkpwd(ood_pun_t)
     auth_domtrans_chkpwd(ood_pun_t)
+    auth_tunable_read_shadow(ood_pun_t)
     auth_rw_lastlog(ood_pun_t)
     auth_rw_faillog(ood_pun_t)
     systemd_write_inherited_logind_sessions_pipes(ood_pun_t)

From 3704cc680b0d5c693a3ce31f0a51be25d09ad0fd Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Sat, 23 Oct 2021 12:33:07 -0400
Subject: [PATCH 4/7] Use more generic ondemand_use_ssh boolean and will deprecate ondemand_use_shell_app. This will better support LHA and other uses of SSH

---
 packaging/rpm/ondemand-selinux.te | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/packaging/rpm/ondemand-selinux.te b/packaging/rpm/ondemand-selinux.te
index 665419bc80..dd627c4ba8 100644
--- a/packaging/rpm/ondemand-selinux.te
+++ b/packaging/rpm/ondemand-selinux.te
@@ -11,6 +11,8 @@ require {
     type vmblock_t;
     type ssh_exec_t;
     type ssh_home_t;
+    type sshd_key_t;
+    type ssh_keysign_exec_t;
     type net_conf_t;
     type krb5_conf_t;
     type sssd_var_run_t;
@@ -145,13 +147,14 @@ optional_policy(`
 ##
 ##

 ## Allow OnDemand to use Shell app
+## DEPRECATED, use ondemand_use_ssh instead
 ##

##
-gen_tunable(ondemand_use_shell_app, true)
+gen_tunable(ondemand_use_shell_app, false)
 
 tunable_policy(`ondemand_use_shell_app',`
     allow ood_pun_t ptmx_t:chr_file { ioctl open read write };
-    can_exec(ood_pun_t, ssh_exec_t)
+    ssh_exec(ood_pun_t)
     corenet_tcp_connect_ssh_port(ood_pun_t)
     allow ood_pun_t self:key { read view write };
 ')
@@ -161,6 +164,27 @@ tunable_policy(`ondemand_use_shell_app && ondemand_manage_user_home_dir',`
     manage_files_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
 ')
 
+##
+##

+## Allow OnDemand to use SSH +##

+##
+gen_tunable(ondemand_use_ssh, true)
+
+tunable_policy(`ondemand_use_ssh',`
+    allow ood_pun_t ptmx_t:chr_file { ioctl open read write };
+    ssh_exec(ood_pun_t)
+    can_exec(ood_pun_t, ssh_keysign_exec_t)
+    corenet_tcp_connect_ssh_port(ood_pun_t)
+    allow ood_pun_t sshd_key_t:file read_file_perms;
+    allow ood_pun_t self:key { read view write };
+')
+
+tunable_policy(`ondemand_use_ssh && ondemand_manage_user_home_dir',`
+    manage_dirs_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
+    manage_files_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
+')
+
 ##
 ##

 ## Allow OnDemand to access SSSD

From 1a212afab9291bea9b5c8241726952299b8bd00e Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Sat, 23 Oct 2021 13:03:31 -0400
Subject: [PATCH 5/7] Allow PUN to always execute things in usr_t like /opt. More fixes for interacting with Kubernetes

---
 packaging/rpm/ondemand-selinux.te | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/packaging/rpm/ondemand-selinux.te b/packaging/rpm/ondemand-selinux.te
index dd627c4ba8..a5c11e5c8c 100644
--- a/packaging/rpm/ondemand-selinux.te
+++ b/packaging/rpm/ondemand-selinux.te
@@ -263,8 +263,10 @@ tunable_policy(`ondemand_use_kubernetes',`
     allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms };
     allow ood_pun_t self:netlink_audit_socket { create nlmsg_relay };
     corenet_tcp_connect_generic_port(ood_pun_t)
-    # Neded for /usr/local/bin/kubectl location
-    allow ood_pun_t usr_t:file { execute execute_no_trans };
+    # Needed to submit pods
+    allow ood_pun_t node_t:udp_socket node_bind;
+    corenet_tcp_connect_generic_port(ood_pun_t)
+    corenet_udp_bind_generic_port(ood_pun_t)
 ')
 
 ##
@@ -305,6 +307,8 @@ exec_files_pattern(ood_pun_t, bin_t, bin_t)
 exec_files_pattern(ood_pun_t, shell_exec_t, shell_exec_t)
 # Allow PUN to execute rsync
 exec_files_pattern(ood_pun_t, rsync_exec_t, rsync_exec_t)
+# Allow PUN to execute usr_t (like /opt)
+exec_files_pattern(ood_pun_t, usr_t, usr_t)
 
 # Allow PUN to connect to Apache
 corenet_tcp_connect_http_port(ood_pun_t)

From 9a72ae8772217064778682de9d1faf85f7cfe525 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Sat, 23 Oct 2021 13:24:57 -0400
Subject: [PATCH 6/7] Changes necessary during enforcing testing

---
 packaging/rpm/ondemand-selinux.te | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/packaging/rpm/ondemand-selinux.te b/packaging/rpm/ondemand-selinux.te
index a5c11e5c8c..cd0fb7878e 100644
--- a/packaging/rpm/ondemand-selinux.te
+++ b/packaging/rpm/ondemand-selinux.te
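Review bot: `allow ood_pun_t sshd_key_t:file read_file_perms;` in the new `ondemand_use_ssh` block gives the per-user PUN domain direct read on the host's private SSH keys as far as SELinux is concerned, and it is only needed because `can_exec(ood_pun_t, ssh_keysign_exec_t)` runs ssh-keysign inside `ood_pun_t` instead of letting it transition into the keysign domain the base policy defines for `ssh_keysign_exec_t`; a domain transition would keep the key read inside that domain. If host-based authentication is not actually used by the shell or LHA paths, both lines can simply go. Either way a comment naming the feature they serve, `# ssh-keysign for host-based auth`, would stop the next reviewer from having to rediscover this. The two tunable blocks this hunk adds are complete within the hunk.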
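Review bot: The added `corenet_tcp_connect_generic_port(ood_pun_t)` duplicates the context line three lines above it in the same block, so one of the two should be dropped. The raw `allow ood_pun_t node_t:udp_socket node_bind;` references `node_t`, which none of the require-block hunks in this series declare (it may already be declared further up the file, outside this view); `corenet_udp_bind_generic_node(ood_pun_t)` expresses the same permission through the interface and avoids the raw type reference. Binding arbitrary UDP ports plus connecting to any TCP port is a wide network grant for a per-user domain, so `# Needed to submit pods` would be more useful if it quoted the denial that was observed rather than the goal.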
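Review bot: `exec_files_pattern(ood_pun_t, usr_t, usr_t)` is unconditional, and `usr_t` is the label that otherwise-unlabeled content under /usr and /opt ends up with, so after this hunk the PUN domain can execute any file that merely sits in those trees; the `ondemand_use_kubernetes` boolean no longer gates it either, since the first hunk of this patch removed the gated `usr_t` rule. Labeling the specific directories the PUN has to run from (a file context entry mapping the site's `<install-prefix>/bin` directories to `bin_t`) keeps the grant to known executables and is a smaller change than it looks. If it has to stay, the comment should say which installs need it, e.g. `# Allow PUN to execute usr_t (like /opt): needed for <site-installed tool>`.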
@@ -244,7 +244,7 @@ gen_tunable(ondemand_use_kubernetes, false)
 tunable_policy(`ondemand_use_kubernetes',`
     # Access /root/.kube
     allow ood_pun_t admin_home_t:dir { add_name remove_name write };
-    allow ood_pun_t admin_home_t:file { create open read rename setattr unlink write };
+    allow ood_pun_t admin_home_t:file { getattr create open read rename setattr unlink write };
     # Needed to execute sudo for kubectl
     allow ood_pun_t self:capability { setuid setgid sys_resource audit_write };
     allow ood_pun_t self:process { setrlimit setsched };
@@ -259,9 +259,10 @@ tunable_policy(`ondemand_use_kubernetes',`
     systemd_write_inherited_logind_sessions_pipes(ood_pun_t)
     systemd_dbus_chat_logind(ood_pun_t)
     allow ood_pun_t initrc_var_run_t:file { lock open read };
-    # Needed to execute kubectl
+    # Needed to execute kubectl via sudo
     allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms };
-    allow ood_pun_t self:netlink_audit_socket { create nlmsg_relay };
+    logging_send_audit_msgs(ood_pun_t)
+    # Execute kubectl
     corenet_tcp_connect_generic_port(ood_pun_t)
     # Needed to submit pods
     allow ood_pun_t node_t:udp_socket node_bind;

From f724856c280f4751357d7e431471fb915a6958f1 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Sat, 23 Oct 2021 13:30:23 -0400
Subject: [PATCH 7/7] Remove boolean that is deprecated in 2.0 release

---
 packaging/rpm/ondemand-selinux.te | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/packaging/rpm/ondemand-selinux.te b/packaging/rpm/ondemand-selinux.te
index cd0fb7878e..27df937fb7 100644
--- a/packaging/rpm/ondemand-selinux.te
+++ b/packaging/rpm/ondemand-selinux.te
@@ -144,26 +144,6 @@ optional_policy(`
 ')
 ')
 
-##
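Review bot: With `logging_send_audit_msgs(ood_pun_t)` replacing the raw `netlink_audit_socket` rule, the `audit_write` still listed on the `self:capability` context line in the first hunk of this patch becomes redundant, because in the reference policy that interface grants the capability itself; the line can go back to `allow ood_pun_t self:capability { setuid setgid sys_resource };`. The re-worded `# Needed to execute kubectl via sudo` now sits above only the netlink_route rule while `# Execute kubectl` labels only the TCP connect, so a reader cannot tell which of the surrounding rules belong to the sudo step and which to kubectl proper; one short comment per rule naming the observed denial would make the block auditable. The `tunable_policy` block continues past the end of this hunk.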

-## Allow OnDemand to use Shell app
-## DEPRECATED, use ondemand_use_ssh instead
-##

-##
-gen_tunable(ondemand_use_shell_app, false)
-
-tunable_policy(`ondemand_use_shell_app',`
-    allow ood_pun_t ptmx_t:chr_file { ioctl open read write };
-    ssh_exec(ood_pun_t)
-    corenet_tcp_connect_ssh_port(ood_pun_t)
-    allow ood_pun_t self:key { read view write };
-')
-
-tunable_policy(`ondemand_use_shell_app && ondemand_manage_user_home_dir',`
-    manage_dirs_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
-    manage_files_pattern(ood_pun_t, ssh_home_t, ssh_home_t)
-')
-
 ##
 ##

## Allow OnDemand to use SSH