Add SELinux policy for cockpit

policy/modules/admin/sudo.if

@@ -76,6 +76,7 @@ template(`sudo_role_template',`
 
 	# allow getting the process group of the parent process
 	allow $1_sudo_t $2:process getpgid;
+	allow $1_sudo_t $2:unix_stream_socket rw_socket_perms;
 
 	# allow accessing /proc/pid/stat of the calling domain
 	ps_process_pattern($1_sudo_t, $2)
@@ -199,7 +200,7 @@ template(`sudo_role_template',`
 	')
 
 	optional_policy(`
-		dbus_system_bus_client($1_sudo_t)
+		auth_use_pam_systemd($1_sudo_t)
 
 		ifdef(`init_systemd',`
 			init_dbus_chat($1_sudo_t)

policy/modules/kernel/corecommands.fc

@@ -327,6 +327,7 @@ ifdef(`distro_debian',`
 /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cockpit/motd/update-motd    -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gedit/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)

policy/modules/kernel/devices.if

@@ -262,6 +262,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
 	dontaudit $1 device_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempts to execute device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_execute_dev_nodes',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Add entries to directories in /dev.

policy/modules/kernel/files.if

@@ -2927,6 +2927,25 @@ interface(`files_dontaudit_read_default_files',`
 	dontaudit $1 default_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to execute files
+##	with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_execute_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files with
@@ -3756,6 +3775,26 @@ interface(`files_dontaudit_read_etc_runtime_files',`
 	dontaudit $1 etc_runtime_t:file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to execuite files
+##	in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_execuite_etc_runtime_files',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	dontaudit $1 etc_runtime_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read files
@@ -6869,6 +6908,24 @@ interface(`files_rw_runtime_dirs',`
 	rw_dirs_pattern($1, var_run_t, var_run_t)
 ')
 
+########################################
+## <summary>
+##	Watch /var/lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_var_lib_dirs',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	allow $1 var_lib_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Watch /var/run directories.
@@ -6887,6 +6944,24 @@ interface(`files_watch_runtime_dirs',`
 	allow $1 var_run_t:dir watch;
 ')
 
+########################################
+## <summary>
+##	Watch /var directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_watch_var_dirs',`
+	gen_require(`
+		type var_t;
+	')
+
+	allow $1 var_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Read generic runtime files.
@@ -6925,6 +7000,24 @@ interface(`files_exec_runtime',`
 	exec_files_pattern($1, var_run_t, var_run_t)
 ')
 
+########################################
+## <summary>
+##	Dontaudit attempt to execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_exec_runtime',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic runtime files.

policy/modules/roles/sysadm.te

@@ -283,6 +283,10 @@ optional_policy(`
 	cobbler_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	cockpit_admin(sysadm_t)
+')
+
 optional_policy(`
 	collectd_admin(sysadm_t, sysadm_r)
 ')

policy/modules/services/chronyd.if

@@ -257,6 +257,7 @@ interface(`chronyd_enabledisable',`
 		class service { enable disable };
 	')
 
+	chronyd_status($1)
 	allow $1 chronyd_unit_t:service { enable disable };
 ')
 
@@ -276,6 +277,7 @@ interface(`chronyd_startstop',`
 		class service { start stop };
 	')
 
+	chronyd_status($1)
 	allow $1 chronyd_unit_t:service { start stop };
 ')
 

policy/modules/services/cockpit.fc

@@ -0,0 +1,20 @@
+# cockpit stuff
+
+/etc/cockpit/ws-certs\.d(/.*)?			gen_context(system_u:object_r:cockpit_cert_t,s0)
+
+/run/cockpit(/.*)?						gen_context(system_u:object_r:cockpit_runtime_t,s0)
+/run/cockpit/certificate-helper(/.*)	gen_context(system_u:object_r:cockpit_cert_t,s0)
+
+/usr/lib/systemd/system/cockpit.*		--	gen_context(system_u:object_r:cockpit_unit_t,s0)
+
+/usr/libexec/cockpit-certificate-ensure	--	gen_context(system_u:object_r:cockpit_cert_manage_exec_t,s0)
+/usr/libexec/cockpit-ws		--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-tls	--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-wsinstance-factory	--	gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/libexec/cockpit-session	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/libexec/cockpit-ssh	--	gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+
+/var/lib/cockpit(/.*)?      gen_context(system_u:object_r:cockpit_state_t,s0)
+
+/var/run/cockpit(/.*)?   gen_context(system_u:object_r:cockpit_runtime_t,s0)
+/var/run/cockpit-ws(/.*)?   gen_context(system_u:object_r:cockpit_runtime_t,s0)