From 5cda66ea192ea1dbcb58e0952810db6f00e4e581 Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek
Date: Tue, 2 Jan 2024 14:13:42 +0100
Subject: [PATCH 1/4] Fix condition of the FR SSH files SELinux context check

And add a comment describing the meaning of the logical expression.

Ticket: ENT-11136
Changelog: None
---
 .../enterprise/federation/federation.cf | 53 +++++++++++--------
 1 file changed, 31 insertions(+), 22 deletions(-)

diff --git a/cfe_internal/enterprise/federation/federation.cf b/cfe_internal/enterprise/federation/federation.cf
index 6149b4e2cd..b34f3896f7 100644
--- a/cfe_internal/enterprise/federation/federation.cf
+++ b/cfe_internal/enterprise/federation/federation.cf
@@ -300,29 +300,38 @@ bundle agent transport_user
       expression => not(returnszero("$(default:paths.semanage) fcontext -l | grep '$(home)/.ssh(/.*)?'", "useshell")),
       if => fileexists("$(home)");
     enabled.selinux_enabled::
+      # For all the files below it must be true that if they exist they need
+      # to have the right context.
+      # IOW, the following implication: if fileexists() then correct_context.
+      # IOW, the following OR: not(filexists()) or correct_context.
+      # not( and()) means that if for one of the files the implication is false, we get a true.
       "incorrect_ssh_context"
-        expression => and( and(
-                             fileexists("$(home)"),
-                             fileexists("$(ssh_auth_keys)"),
-                             fileexists("$(ssh_priv_key)"),
-                             fileexists("$(ssh_pub_key)"),
-                             fileexists("$(ssh_config)")),
-                           or(
-                             regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(home) | grep .ssh",
-                                               useshell)),
-                             regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(ssh_auth_keys)",
-                                               useshell)),
-                             regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(ssh_priv_key)",
-                                               useshell)),
-                             regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(ssh_pub_key)",
-                                               useshell)),
-                             regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(ssh_config)",
-                                               useshell))));
+        expression => not( and(
+                           or(
+                             not(fileexists("$(home)")),
+                             regcmp(".*[\s:]ssh_home_t[\s:].*",
+                                    execresult("ls -Z $(home) | grep .ssh",
+                                               useshell))),
+                           or(
+                             not(fileexists("$(ssh_auth_keys)")),
+                             regcmp(".*[\s:]ssh_home_t[\s:].*",
+                                    execresult("ls -Z $(ssh_auth_keys)",
+                                               useshell))),
+                           or(
+                             not(fileexists("$(ssh_priv_key)")),
+                             regcmp(".*[\s:]ssh_home_t[\s:].*",
+                                    execresult("ls -Z $(ssh_priv_key)",
+                                               useshell))),
+                           or(
+                             not(fileexists("$(ssh_pub_key)")),
+                             regcmp(".*[\s:]ssh_home_t[\s:].*",
+                                    execresult("ls -Z $(ssh_pub_key)",
+                                               useshell))),
+                           or(
+                             not(fileexists("$(ssh_config)")),
+                             regcmp(".*[\s:]ssh_home_t[\s:].*",
+                                    execresult("ls -Z $(ssh_config)",
+                                               useshell)))));
       users:
         "$(user)"
           policy => "present",
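Review bot: The explanatory comment added above `"incorrect_ssh_context"` misspells the function name on its fourth line (`filexists`), right where it explains what `fileexists()` guards; suggest `# IOW, the following OR: not(fileexists()) or correct_context.`. The final comment line states the boolean algebra but not the outcome a reader of the bundle needs, so consider ending with `# So incorrect_ssh_context is set when at least one existing file lacks the ssh_home_t context.`, since that class is what triggers the restorecon remediation further down in the bundle. The enclosing `bundle agent transport_user` and its `classes:` section start outside this hunk.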
From ab1c21c78762ce816c38c1860c9faf323f30b020 Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek
Date: Tue, 2 Jan 2024 14:16:16 +0100
Subject: [PATCH 2/4] Fix class name for restorecon availability in FR policy

Ticket: ENT-11136
Changelog: Federated reporting policy now properly fixes SELinux context of the ~cftransport/.ssh directory and its contents.
---
 cfe_internal/enterprise/federation/federation.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cfe_internal/enterprise/federation/federation.cf b/cfe_internal/enterprise/federation/federation.cf
index b34f3896f7..c3aaaa9481 100644
--- a/cfe_internal/enterprise/federation/federation.cf
+++ b/cfe_internal/enterprise/federation/federation.cf
@@ -378,7 +378,7 @@ bundle agent transport_user
       # _stdlib_path_exists_ and paths. are defined is masterfiles/lib/paths.cf
     selinux_enabled.cftransport_fcontext_missing.default:_stdlib_path_exists_semanage::
       "$(default:paths.semanage) fcontext -a -t ssh_home_t '$(home)/.ssh(/.*)?'";
-    selinux_enabled.incorrect_ssh_context.default:_stdlib_exists_restorecon::
+    selinux_enabled.incorrect_ssh_context.default:_stdlib_path_exists_restorecon::
       "$(default:paths.restorecon) -R -F $(home)/.ssh/";
     any::

From 9f88d5e9e4dae34a28a4281a948c8bdb5ee18d54 Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek
Date: Tue, 2 Jan 2024 14:19:54 +0100
Subject: [PATCH 3/4] Fix check of ~cftransport/.ssh directory existence and SELinux context

Ticket: ENT-11136
Changelog: None
---
 cfe_internal/enterprise/federation/federation.cf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cfe_internal/enterprise/federation/federation.cf b/cfe_internal/enterprise/federation/federation.cf
index c3aaaa9481..1d9bbcd4c4 100644
--- a/cfe_internal/enterprise/federation/federation.cf
+++ b/cfe_internal/enterprise/federation/federation.cf
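Review bot: With the class name corrected, the `restorecon` promise presumably becomes reachable for the first time (the Changelog entry suggests it never fired before), yet its argument `$(home)/.ssh/` is left unquoted while the `semanage` promise two lines above quotes its path; for consistency, and so that a home path containing whitespace is still passed as one argument, write `"$(default:paths.restorecon) -R -F '$(home)/.ssh/'";` (assuming the agent's argument splitting honors quotes the same way it does for the semanage line). The `-F` flag forces a relabel even of customizable types, which appears intended here since the goal is to reset a wrong label on key material, but a one-line comment above the promise saying so would stop a future reader from "fixing" it. The `commands:` section these promises belong to starts outside this hunk.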
@@ -308,9 +308,9 @@ bundle agent transport_user
       "incorrect_ssh_context"
         expression => not( and(
                            or(
-                             not(fileexists("$(home)")),
+                             not(fileexists("$(home)/.ssh")),
                              regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(home) | grep .ssh",
+                                    execresult("ls -dZ $(home)/.ssh",
                                                useshell))),
                            or(
                              not(fileexists("$(ssh_auth_keys)")),

From a32e2db41c4dcbef806a5d3dd20792489d515e1c Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek
Date: Tue, 2 Jan 2024 14:21:01 +0100
Subject: [PATCH 4/4] Don't use shell when checking SELinux context of FR SSH files

We only run a single command, no need to use shell. Also, reformat the policy a bit for better readability.

Ticket: ENT-11136
Changelog: None
---
 cfe_internal/enterprise/federation/federation.cf | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/cfe_internal/enterprise/federation/federation.cf b/cfe_internal/enterprise/federation/federation.cf
index 1d9bbcd4c4..9e64f45e0b 100644
--- a/cfe_internal/enterprise/federation/federation.cf
+++ b/cfe_internal/enterprise/federation/federation.cf
@@ -310,28 +310,24 @@ bundle agent transport_user
                            or(
                              not(fileexists("$(home)/.ssh")),
                              regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -dZ $(home)/.ssh",
-                                               useshell))),
+                                    execresult("$(default:paths.ls) -dZ $(home)/.ssh", noshell))),
                            or(
                              not(fileexists("$(ssh_auth_keys)")),
                              regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(ssh_auth_keys)",
-                                               useshell))),
+                                    execresult("$(default:paths.ls) -Z $(ssh_auth_keys)", noshell))),
                            or(
                              not(fileexists("$(ssh_priv_key)")),
                              regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(ssh_priv_key)",
-                                               useshell))),
+                                    execresult("$(default:paths.ls) -Z $(ssh_priv_key)", noshell))),
                            or(
                              not(fileexists("$(ssh_pub_key)")),
                              regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(ssh_pub_key)",
-                                               useshell))),
+                                    execresult("$(default:paths.ls) -Z $(ssh_pub_key)", noshell))),
                            or(
                              not(fileexists("$(ssh_config)")),
                              regcmp(".*[\s:]ssh_home_t[\s:].*",
-                                    execresult("ls -Z $(ssh_config)",
-                                               useshell))))));
+                                    execresult("$(default:paths.ls) -Z $(ssh_config)", noshell)))
+                           ));
       users:
         "$(user)"
           policy => "present",
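Review bot: When `$(default:paths.ls)` does not resolve on the platform or `ls -Z` fails (an `ls` built without SELinux support, an unexpected location), `execresult()` returns output that does not contain `ssh_home_t`, every `regcmp()` in the hunk is false, each `or()` falls through to false, and `incorrect_ssh_context` is set — so the `restorecon -R -F` remediation elsewhere in the bundle would run on every agent pass even when the labels are already correct. The sibling `commands:` promises already gate on `_stdlib_path_exists_semanage` and `_stdlib_path_exists_restorecon`, and this class should be gated the same way by changing its class-context line (it precedes this hunk) to `enabled.selinux_enabled._stdlib_path_exists_ls::`, provided that class is defined alongside `paths.ls` in lib/paths.cf as the existing comment there implies. Independently of that, a comment above the first `regcmp()` stating that a failed or missing `ls` is treated as an incorrect context would make this behaviour explicit for whoever next reads the five near-identical blocks. The `"incorrect_ssh_context"` promise starts outside this hunk.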