
Add SELinux policy for cockpit #740

Merged: 17 commits, Jan 30, 2024

Conversation

dsugar100 (Contributor):

This was started from #700 and tested on RHEL9 system.
It is a bunch of commits because I wanted to be clear about some of the denials I was seeing and why those rules were added.
I of course will squash before the final merge (if desired).

Please let me know questions and changes desired.

dsugar100 changed the title from "Add SELinuux policy for cockpit" to "Add SELinux policy for cockpit", Dec 11, 2023
dsugar100 force-pushed the cockpit branch 3 times, most recently from db636a3 to 631ddb4, December 11, 2023 02:43
pebenito (Member) left a comment:

cockpit.te also needs some style cleanups.

Review threads (outdated, resolved) on:
policy/modules/admin/sudo.if
policy/modules/services/cockpit.fc
policy/modules/services/cockpit.if (3 threads)
policy/modules/services/cockpit.te (2 threads)
policy/modules/system/init.if
policy/modules/system/init.te
policy/modules/system/systemd.if
dsugar100 marked this pull request as draft, January 12, 2024 16:05
dsugar100 (Contributor, Author):

Changed status to 'draft'. I'm still working through changes. I'm happy for more feedback, but don't want anyone to think my updates are indications that I'm done.

dsugar100 marked this pull request as ready for review, January 15, 2024 03:30
dsugar100 (Contributor, Author):

Ok, I have made updates. There is a remaining question about the memfd thing, which I will update after feedback, and a new question about chronyd_status. Please let me know if there is anything else.

dsugar100 force-pushed the cockpit branch 2 times, most recently from f1bdbbc to 0d30af7, January 18, 2024 03:34
dsugar100 (Contributor, Author):

Ok, I believe at this point all your comments have been addressed. Do you want me to resolve conversations that I believe are complete?
Thanks for the time, I know this is a big pull request.

Setup domain for cockpit-certificate-ensure
Setup service rules

Signed-off-by: Dave Sugar <[email protected]>
Nov 29 02:15:13 localhost.localdomain audisp-syslog[1698]: node=localhost type=AVC msg=audit(1701224113.540:7569): avc:  denied  { unlink } for  pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1749 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_runtime_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
…files_t domain

node=localhost type=AVC msg=audit(1701889206.398:119881): avc:  denied { execute } for  pid=8733 comm="(tmpfiles)" name="systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc:  denied { read open } for  pid=8733 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc:  denied { execute_no_trans } for  pid=8733 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc:  denied { map } for  pid=8733 comm="systemd-tmpfile" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1

node=localhost type=AVC msg=audit(1705259838.473:3560): avc:  denied  { read write } for  pid=4853 comm="systemd-tmpfile" path="socket:[47094]" dev="sockfs" ino=47094 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="kernel" dev="proc" ino=13283 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc:  denied  { read } for  pid=4853 comm="systemd-tmpfile" name="cap_last_cap" dev="proc" ino=13343 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc:  denied  { open } for  pid=4853 comm="systemd-tmpfile" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=13343 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3563): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" name="/" dev="proc" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3564): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3568): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" name="/" dev="cgroup2" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3569): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="/" dev="cgroup2" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3570): avc:  denied  { read } for  pid=4853 comm="systemd-tmpfile" name="cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3570): avc:  denied  { open } for  pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3571): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3572): avc:  denied  { ioctl } for  pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 ioctlcmd=0x5401 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3573): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="socket:[47094]" dev="sockfs" ino=47094 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3574): avc:  denied  { create } for  pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3575): avc:  denied  { getopt } for  pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3576): avc:  denied  { setopt } for  pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc:  denied  { connect } for  pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="journal" dev="tmpfs" ino=55 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc:  denied  { write } for  pid=4853 comm="systemd-tmpfile" name="socket" dev="tmpfs" ino=57 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc:  denied  { sendto } for  pid=4853 comm="systemd-tmpfile" path="/run/systemd/journal/socket" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3578): avc:  denied  { map } for  pid=4853 comm="systemd-tmpfile" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="contexts" dev="dm-1" ino=138857 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="files" dev="dm-1" ino=138863 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc:  denied  { read } for  pid=4853 comm="systemd-tmpfile" name="file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc:  denied  { open } for  pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3580): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3581): avc:  denied  { map } for  pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-1" ino=131164 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3582): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/home" dev="dm-8" ino=2 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3583): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="/" dev="dm-8" ino=2 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3584): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/home/sysadm" dev="dm-8" ino=26 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3585): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="sysadm" dev="dm-8" ino=26 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3586): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/run" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3587): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/run/user" dev="tmpfs" ino=92 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3588): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="user" dev="tmpfs" ino=92 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3589): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/run/user/1002" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3590): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc:  denied  { search } for  pid=4845 comm="systemd" name="4853" dev="proc" ino=29607 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc:  denied  { read } for  pid=4845 comm="systemd" name="comm" dev="proc" ino=47101 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc:  denied  { open } for  pid=4845 comm="systemd" path="/proc/4853/comm" dev="proc" ino=47101 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1701889205.276:117169): avc:  denied { use } for  pid=8720 comm="ssh-agent" path="pipe:[68232]" dev="pipefs" ino=68232 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=1
node=localhost type=AVC msg=audit(1701889205.276:117169): avc:  denied { read } for  pid=8720 comm="ssh-agent" path="pipe:[68232]" dev="pipefs" ino=68232 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889205.276:117169): avc:  denied { write } for  pid=8720 comm="ssh-agent" path="pipe:[68233]" dev="pipefs" ino=68233 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889205.314:117185): avc:  denied { getattr } for  pid=8720 comm="ssh-agent" path="pipe:[68233]" dev="pipefs" ino=68233 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889286.260:125552): avc:  denied { use } for  pid=8908 comm="ssh-agent" path="pipe:[70169]" dev="pipefs" ino=70169 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0
node=localhost type=AVC msg=audit(1701889286.260:125552): avc:  denied { use } for  pid=8908 comm="ssh-agent" path="pipe:[70170]" dev="pipefs" ino=70170 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0
node=localhost type=AVC msg=audit(1701889286.260:125552): avc:  denied { use } for  pid=8908 comm="ssh-agent" path="pipe:[70171]" dev="pipefs" ino=70171 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=USER_AVC msg=audit(1701890241.838:133264): pid=1613 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"

node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { search } for  pid=1627 comm="systemd-logind" name="8995" dev="proc" ino=72855 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { read } for  pid=1627 comm="systemd-logind" name="cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { open } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133266): avc:  denied { getattr } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133267): avc:  denied { ioctl } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1701956913.910:21672): avc:  denied  { read } for  pid=3783 comm="systemd-tmpfile" name="motd" dev="tmpfs" ino=1812 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:cockpit_runtime_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1701975071.847:229359): avc:  denied { signal } for  pid=10270 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0 tclass=process permissive=0

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1701976221.478:269623): avc:  denied { read write } for  pid=11016 comm="sudo" path="socket:[138427]" dev="sockfs" ino=138427 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=unix_stream_socket permissive=0

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1702069242.629:385266): avc:  denied  { execute } for  pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1701889206.489:120065): avc:  denied { use } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1
node=localhost type=AVC msg=audit(1701889206.489:120065): avc:  denied { read write } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889206.500:120084): avc:  denied { ioctl } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 ioctlcmd=0x5401 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.271:120489): avc:  denied { write } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.279:120491): avc:  denied { read } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889217.374:123275): avc:  denied { use } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1701897597.942:245462): avc:  denied { create } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { write } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { search } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { link } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1702086779.746:35710): avc:  denied  { execute } for  pid=2790 comm="cockpit-bridge" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=18 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:user_tmpfs_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1702086784.802:36735): avc:  denied  { execute } for  pid=2849 comm="cockpit-bridge" path=2F726F6F742F23363535333931202864656C6574656429 dev="dm-1" ino=655391 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:default_t:s0 tclass=file permissive=0
/var/log/audit/audit.log:node=localhost type=AVC msg=audit(1702086784.803:36742): avc:  denied  { execute } for  pid=2849 comm="cockpit-bridge" path=2F233330363834202864656C6574656429 dev="dm-1" ino=30684 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1702069242.629:385266): avc:  denied { execute } for  pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1701960388.658:45746): avc:  denied  { watch } for  pid=7282 comm="cockpit-bridge" path="/" dev="dm-1" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.457:46142): avc:  denied  { watch } for  pid=7282 comm="cockpit-bridge" path="/etc/motd" dev="dm-1" ino=524363 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1701960389.538:46261): avc:  denied  { watch } for  pid=7282 comm="cockpit-bridge" path="/var" dev="dm-9" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.539:46264): avc:  denied  { watch } for  pid=7282 comm="cockpit-bridge" path="/var/lib" dev="dm-9" ino=262145 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.472:46167): avc:  denied  { watch } for  pid=7282 comm="cockpit-bridge" path="/run/systemd" dev="tmpfs" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.473:46170): avc:  denied  { watch } for  pid=7282 comm="cockpit-bridge" path="/run/systemd/shutdown" dev="tmpfs" ino=99 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701966176.317:51985): avc:  denied  { watch } for  pid=7186 comm="cockpit-bridge" path="/run/utmp" dev="tmpfs" ino=94 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <[email protected]>
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc:  denied  { search } for  pid=2071 comm="systemctl" name="kernel" dev="proc" ino=5 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=1
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc:  denied  { read } for  pid=2071 comm="systemctl" name="cap_last_cap" dev="proc" ino=65 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc:  denied  { open } for  pid=2071 comm="systemctl" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=65 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=USER_AVC msg=audit(1702256090.674:226515): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" function="mac_selinux_filter" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1705071167.616:1344): avc:  denied  { write } for  pid=6560 comm="cockpit-session" name="etc" dev="dm-1" ino=393220 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1705071268.820:1383): avc:  denied  { write } for  pid=6588 comm="cockpit-session" name="etc" dev="dm-1" ino=393220 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705071268.820:1383): avc:  denied  { add_name } for  pid=6588 comm="cockpit-session" name="nshadow" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705071268.826:1384): avc:  denied  { remove_name } for  pid=6588 comm="cockpit-session" name="nshadow" dev="dm-1" ino=393552 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1705937785.855:1258): avc:  denied  { create } for  pid=1741 comm="systemd-logind" name=".#scheduleddAhZqh" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1705937817.548:1268): avc:  denied  { create } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1268): avc:  denied  { read write open } for  pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1269): avc:  denied  { setattr } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1270): avc:  denied  { getattr } for  pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1271): avc:  denied  { rename } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc:  denied  { write } for  pid=1741 comm="systemd-logind" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc:  denied  { add_name } for  pid=1741 comm="systemd-logind" name=".#nologin0EGTLr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1273): avc:  denied  { remove_name } for  pid=1741 comm="systemd-logind" name=".#nologin3EGTLr" dev="tmpfs" ino=1804 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <[email protected]>
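The commit messages above justify each rule by the AVC denial that motivated it. The script below is an added example, not code from refpolicy or the cockpit project: it parses denial lines of exactly this shape into deduplicated refpolicy-style allow rules, much as `audit2allow -m` does, and it decodes the hex-encoded `path=` values that audit emits for paths containing spaces (the `execute` denials above decode to `/memfd:libffi (deleted)`, `/dev/#783 (deleted)` and the like). The four sample lines embedded in it are copied from the denials above; the function names and the separate listing of `execute` denials for manual review are the example's own choices.

```python
"""Turn SELinux AVC denial lines into refpolicy-style allow rules.

Added example (not part of refpolicy or cockpit). It mimics the core of
audit2allow -m: group denials by (source type, target type, class) and
merge their permissions. It does not map rules onto interfaces.
"""
import re
from collections import defaultdict

# Sample input: four denial lines copied from the PR's commit messages.
SAMPLE_AVCS = """\
node=localhost type=AVC msg=audit(1701889206.489:120065): avc:  denied { use } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1
node=localhost type=AVC msg=audit(1701889206.489:120065): avc:  denied { read write } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.271:120489): avc:  denied { write } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1702086779.746:35710): avc:  denied  { execute } for  pid=2790 comm="cockpit-bridge" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=18 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:user_tmpfs_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm perm } for  key=value ..."  (AVC and USER_AVC alike)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_path(value):
    """audit hex-encodes path= (unquoted) when the path contains whitespace
    or non-printable bytes, e.g. memfd or deleted-file names. Quoted values
    are returned unchanged."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value


def context_type(ctx):
    """user:role:type[:range] -> type (refpolicy rules are written on types)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    raw = dict(FIELD_RE.findall(m.group("rest")))
    rec = {k: v.strip('"') for k, v in raw.items()}
    rec["perms"] = m.group("perms").split()
    if "path" in raw:
        rec["path"] = decode_path(raw["path"])
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def generate_rules(lines):
    """Merge denials per (source, target, class) into allow rules."""
    perms_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        perms_by_key[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def execute_denials(lines):
    """List (comm, target type, decoded path) for every denial asking for
    execute on a file. These should be decided case by case, not pasted:
    the decoded path shows whether the target is a real labelled binary or
    an anonymous memfd / deleted file."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["tclass"] == "file" and "execute" in rec["perms"]:
            out.append((rec["comm"], rec["ttype"], rec.get("path")))
    return out


if __name__ == "__main__":
    sample = SAMPLE_AVCS.splitlines()
    for rule in generate_rules(sample):
        print(rule)
    for comm, ttype, path in execute_denials(sample):
        print(f"# review: {comm} wants execute on {ttype} via {path!r}")
```

Run against a real log with `grep avc: /var/log/audit/audit.log | python3 avc2rules.py` style piping after swapping the sample for `sys.stdin`. The generated rules are only a starting point: refpolicy expects interface calls rather than raw `allow` lines, and an `execute` denial on `user_tmpfs_t`, `device_t` or `default_t` (an anonymous memfd or a deleted file, as the decoded path shows) is a design decision to make deliberately, which is exactly the "memfd thing" still open in the discussion above.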
dsugar100 (Contributor, Author):

Ok, I have updated based on the three comments about the ifdef, chronyd_status and reordering. Let me know if anything else is needed.

dsugar100 requested a review from pebenito, January 27, 2024 03:02
pebenito merged commit 504feb7 into SELinuxProject:main, Jan 30, 2024
56 checks passed