Selinux updates #1496
Changes from all commits
3417166
f90ac72
88fe9bb
3704cc6
1a212af
9a72ae8
f724856
@@ -11,10 +11,17 @@ require { | |||
type vmblock_t; | ||||
type ssh_exec_t; | ||||
type ssh_home_t; | ||||
type sshd_key_t; | ||||
type ssh_keysign_exec_t; | ||||
type net_conf_t; | ||||
type krb5_conf_t; | ||||
type sssd_var_run_t; | ||||
type admin_home_t; | ||||
type usr_t; | ||||
type initrc_var_run_t; | ||||
class dbus send_msg; | ||||
class passwd rootok; | ||||
class passwd passwd; | ||||
} | ||||
|
||||
# Define custom types | ||||
|
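Review bot: The new `require` entries `type net_conf_t;`, `type krb5_conf_t;` and `type sssd_var_run_t;` have no matching rules in any hunk shown here, and a hard `require` on a type makes the whole module fail to load on a host whose loaded policy does not define it (the sssd and krb5 types come from their own modules). If rules using them exist in a part of the file outside this view, consider moving those rules and the type declarations under an `optional_policy(` block, as the file already does at the context line of the next hunk; if they are unused, drop them. The two `class passwd` lines can also be one declaration, `class passwd { passwd rootok };`. The enclosing `require {` block starts before this hunk.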
@@ -139,19 +146,21 @@ optional_policy(` | |||
|
||||
## <desc> | ||||
## <p> | ||||
## Allow OnDemand to use Shell app | ||||
## Allow OnDemand to use SSH | ||||
## </p> | ||||
## </desc> | ||||
gen_tunable(ondemand_use_shell_app, true) | ||||
gen_tunable(ondemand_use_ssh, true) | ||||
|
||||
tunable_policy(`ondemand_use_shell_app',` | ||||
tunable_policy(`ondemand_use_ssh',` | ||||
allow ood_pun_t ptmx_t:chr_file { ioctl open read write }; | ||||
can_exec(ood_pun_t, ssh_exec_t) | ||||
ssh_exec(ood_pun_t) | ||||
can_exec(ood_pun_t, ssh_keysign_exec_t) | ||||
corenet_tcp_connect_ssh_port(ood_pun_t) | ||||
allow ood_pun_t sshd_key_t:file read_file_perms; | ||||
allow ood_pun_t self:key { read view write }; | ||||
') | ||||
|
||||
tunable_policy(`ondemand_use_shell_app && ondemand_manage_user_home_dir',` | ||||
tunable_policy(`ondemand_use_ssh && ondemand_manage_user_home_dir',` | ||||
manage_dirs_pattern(ood_pun_t, ssh_home_t, ssh_home_t) | ||||
manage_files_pattern(ood_pun_t, ssh_home_t, ssh_home_t) | ||||
') | ||||
|
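Review bot: `allow ood_pun_t sshd_key_t:file read_file_perms;` lets the PUN domain itself read the host's private SSH keys, and it appears to be there only so the setuid `ssh-keysign` helper run via `can_exec(ood_pun_t, ssh_keysign_exec_t)` can work. Running the helper in its own domain instead, `ssh_keysign_domtrans(ood_pun_t)`, keeps the key read confined to that domain and lets the `sshd_key_t` rule be dropped; if host-based authentication is not used at all, both lines can go. Renaming the boolean from `ondemand_use_shell_app` to `ondemand_use_ssh` also discards any value a site persisted with `setsebool -P`, so the feature comes back at its default `true` on hosts where the old boolean was turned off; that is worth a sentence in the tunable description or the release notes.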
@@ -201,6 +210,44 @@ tunable_policy(`ondemand_use_slurm',` | |||
corenet_tcp_connect_generic_port(ood_pun_t) | ||||
# Access munge socket | ||||
allow ood_pun_t var_run_t:sock_file { getattr write }; | ||||
# SLURM commands like squeue | ||||
allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms }; | ||||
') | ||||
|
||||
## <desc> | ||||
## <p> | ||||
## Allow OnDemand to use Kubernetes | ||||
## </p> | ||||
## </desc> | ||||
gen_tunable(ondemand_use_kubernetes, false) | ||||
|
||||
tunable_policy(`ondemand_use_kubernetes',` | ||||
# Access /root/.kube | ||||
allow ood_pun_t admin_home_t:dir { add_name remove_name write }; | ||||
allow ood_pun_t admin_home_t:file { getattr create open read rename setattr unlink write }; | ||||
# Needed to execute sudo for kubectl | ||||
allow ood_pun_t self:capability { setuid setgid sys_resource audit_write }; | ||||
allow ood_pun_t self:process { setrlimit setsched }; | ||||
allow ood_pun_t self:key write; | ||||
allow ood_pun_t self:passwd { passwd rootok }; | ||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This caught my eye. Admittedly I don't know much about selinux. Can you tell me why we need this directive? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I believe this is needed for sudo. Because I think the passwd is so the process can access it's own passwd entry, hence the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I see. In combination with
These are opt-in policies, right? It seems like this bootstrapping may need to be rethought; there may be a less obtrusive way to pass this to the user.
I think maybe doing … The setuid and setgid are likely because sudo is a setuid/setgid executable. This part of the policy, which involves a lot of sudo, is opt-in, disabled by default, and intended for sites using Kubernetes.
||||
sudo_exec(ood_pun_t) | ||||
auth_exec_chkpwd(ood_pun_t) | ||||
auth_domtrans_chkpwd(ood_pun_t) | ||||
auth_tunable_read_shadow(ood_pun_t) | ||||
auth_rw_lastlog(ood_pun_t) | ||||
auth_rw_faillog(ood_pun_t) | ||||
systemd_write_inherited_logind_sessions_pipes(ood_pun_t) | ||||
systemd_dbus_chat_logind(ood_pun_t) | ||||
allow ood_pun_t initrc_var_run_t:file { lock open read }; | ||||
# Needed to execute kubectl via sudo | ||||
allow ood_pun_t self:netlink_route_socket { create_netlink_socket_perms }; | ||||
logging_send_audit_msgs(ood_pun_t) | ||||
# Execute kubectl | ||||
corenet_tcp_connect_generic_port(ood_pun_t) | ||||
# Needed to submit pods | ||||
allow ood_pun_t node_t:udp_socket node_bind; | ||||
corenet_tcp_connect_generic_port(ood_pun_t) | ||||
corenet_udp_bind_generic_port(ood_pun_t) | ||||
') | ||||
|
||||
## <desc> | ||||
|
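Review bot: The two `admin_home_t` rules are commented as `# Access /root/.kube`, but `admin_home_t` is the label for everything under `/root`, so the PUN domain gains create, rename, unlink and write on every file in root's home rather than only the kubeconfig. A dedicated type for the kube directory, declared in the `# Define custom types` section and assigned through a file context entry, would narrow the grant to what the comment describes; if that is not practical, the comment should state the real scope, e.g. `# Manage files under /root (admin_home_t); used for /root/.kube`. `corenet_tcp_connect_generic_port(ood_pun_t)` also appears twice inside the same tunable block, once after `# Execute kubectl` and again after the `node_bind` rule, so one of them can go.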
@@ -241,6 +288,8 @@ exec_files_pattern(ood_pun_t, bin_t, bin_t) | |||
exec_files_pattern(ood_pun_t, shell_exec_t, shell_exec_t) | ||||
# Allow PUN to execute rsync | ||||
exec_files_pattern(ood_pun_t, rsync_exec_t, rsync_exec_t) | ||||
# Allow PUN to execute usr_t (like /opt) | ||||
exec_files_pattern(ood_pun_t, usr_t, usr_t) | ||||
|
||||
# Allow PUN to connect to Apache | ||||
corenet_tcp_connect_http_port(ood_pun_t) | ||||
|
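Review bot: `exec_files_pattern(ood_pun_t, usr_t, usr_t)` lets the PUN execute anything labeled `usr_t`, which is the default label for files under `/usr` and `/opt` that carry no more specific type, so it is far wider than the `/opt` example in the comment suggests. If the intent is one site-installed tree, labeling that tree with its own exec type in the module's file contexts and allowing only that type is the narrower option; otherwise the comment should say what is actually opened, e.g. `# Allow PUN to execute any usr_t file (default label under /usr and /opt)`.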
I take it the docs need updating for this removal?
The OnDemand docs need to be updated for both the removal and the additional new booleans. I updated the description with "Doc changes required" for this and the 2.0 PR.