plautrba.fedorapeople.org
plautrba.fedorapeople.org

Manage local SELinux policy in Cockpit

in Cockpit

Manage/configure local SELinux policy in Cockpit Scope As a System administrator I want to configure certain elements of SELinux policy in Cockpit so that I can manage SELinux policy on a system without requiring recompilation from policy sources. For the rest of the document lets assume that "certain elements …

Manage/configure local SELinux policy in Cockpit

Scope

As a System administrator I want to configure certain elements of SELinux policy in Cockpit so that I can manage SELinux policy on a system without requiring recompilation from policy sources. For the rest of the document lets assume that "certain elements" are:

  • login

  • user

  • port

  • fcontext

  • boolean

Certain elements of SELinux policy can be configured without requiring modification to or recompilation from policy sources. This includes the mapping from Linux usernames to SELinux user identities (which controls the initial security context assigned to Linux users when they login and bounds their authorized role set) as well as security context mappings for various kinds of objects, such as network ports, interfaces, infiniband pkeys and endports, and nodes (hosts) as well as the file context mapping.

Acceptance Criteria

  • Verify that Cockpit provides an interface when a user can:

    • List current state of certain elements of SELinux policy

    • List certain local policy modifications

    • Add policy modifications

    • Change policy modifications

View Current State of Certain Element of SELinux

As a System administrator I want to see the current state of SELinux elements in Cockpit so that I keep track of the current SELinux policy configuration.

Acceptance Criteria

  • Verify that I can view certain elements of local SELinux policy in Cockpit

View Local Policy Modifications

As a System administrator I want to see local policy modifications in Cockpit so that I keep track of the local changes.

Acceptance Criteria

  • Verify that I can see local policy modifications in Cockpit

Add Local Policy Modifications

As a System administrator I want to be able to configure certain elements of SELinux policy in Cockpit so that I can manage SELinux policy on a system using Cockpit interface.

Acceptance Criteria

  • Verify that I can add local policy modifications

  • Verify that I can change local policy modifications

Implementation

Available interfaces

Command line

All data are available via semanage command, e.g:

  • show login mappings 

    ^_^ sudo semanage login -l -n
__default__          staff_u              s0-s0:c0.c1023       *
plautrba             staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *

  • show local login mappings customizations 

    ^_^ sudo semanage login -l -C -n
__default__          staff_u              s0-s0:c0.c1023       *
plautrba             staff_u              s0-s0:c0.c1023       *

  • Drop all local port mapping modifications 

    ^_^ sudo semanage port -D

  • Add a file context mapping 

    ^_^ sudo semanage fcontext -a -f a -t cockpit_ws_exec_t '/usr/libexec/cockpit-ssh'

DBUS

policycoreutils-dbus package provides org.selinux DBUS interface with the following two methods:

  • customized() -> s

    Returns output of semanage export

  • semanage(s: semanage_import_string)

    Sends semanage_import_string to semanage import

These methods can be use for manipulating local SELinux policy in the way as it’s done via shell using semanage export and semanage import commands. Few examples:

  • List all local modifications 

    ^_^ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.customized
method return time=1506428975.961835 sender=:1.523 -> destination=:1.522 serial=8 reply_serial=2
   string "boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 selinuxuser_tcp_server
login -a -s staff_u -r 's0-s0:c0.c1023' __default__
login -a -s root -r 's0-s0:c0.c1023' root
user -a -L s0 -r s0-s0:c0.c1023 -R 'secadm_r staff_r sysadm_r system_r unconfined_r' staff_u
port -a -t ipp_port_t -p udp 22161
fcontext -a -f a -t ddclient_initrc_exec_t '/usr/bin/redhat-internal-ddns-client.sh'
fcontext -a -f a -t shell_exec_t '/usr/local/bin/zsh-secadm'

  • Drop all local port mapping modifications 

    ^_^ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.semanage "string:port -D"
method return time=1506429330.312157 sender=:1.534 -> destination=:1.533 serial=8 reply_serial=2

  • Add a file context mapping 

    ^_^ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.semanage "string:fcontext -a -f a -t cockpit_ws_exec_t '/usr/libexec/cockpit-ssh'"
method return time=1506429550.568289 sender=:1.552 -> destination=:1.556 serial=12 reply_serial=2

Know Issues

Some list can be really long

List of fcontext mappings, boolean and `port`s can be really long:

^_^ semanage fcontext -l | wc -l
6581
^_^ semanage boolean -l | wc -l
320

Limits of current DBUS interface

  • Currently there’s no DBUS interface to list particular elements of SELinux policy, only local modifications are listed.

  • The current interface is just a wrapper around semanage [export|import] commands. A frontend which would want to use it would need to be able to parse output of semanage export

Receive Updates

ATOM