From 46fc5a9df5f9da1feeea30fd80a81a896b7b46c8 Mon Sep 17 00:00:00 2001
From: Karuboniru
Date: Wed, 24 Jan 2024 15:09:37 +0000
Subject: [PATCH] add selinux modification
---
 cils/adguardhome.cil | 25 +++++++++++++++++++++++++
 cils/cloudflare_with_socket_access.cil | 11 +++++++++++
 cils/comiclib.cil | 7 +++++++
 cils/container_caddy.cil | 11 +++++++++++
 cils/container_hath.cil | 14 ++++++++++++++
 cils/container_rohome_allbind.cil | 7 +++++++
 cils/container_rwhome_allbind.cil | 7 +++++++
 cils/container_wireguard.cil | 7 +++++++
 server.yaml | 25 ++++++++++++++++++++++++-
 9 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 cils/adguardhome.cil
 create mode 100644 cils/cloudflare_with_socket_access.cil
 create mode 100644 cils/comiclib.cil
 create mode 100644 cils/container_caddy.cil
 create mode 100644 cils/container_hath.cil
 create mode 100644 cils/container_rohome_allbind.cil
 create mode 100644 cils/container_rwhome_allbind.cil
 create mode 100644 cils/container_wireguard.cil
diff --git a/cils/adguardhome.cil b/cils/adguardhome.cil
new file mode 100644
index 0000000..08927ec
--- /dev/null
+++ b/cils/adguardhome.cil
@@ -0,0 +1,25 @@
+(block adguardhome
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process dns_port_t ( tcp_socket ( name_bind )))
+ (allow process dns_port_t ( udp_socket ( name_bind )))
+ (allow process dhcpd_port_t ( udp_socket ( name_bind )))
+ (allow process dhcpc_port_t ( udp_socket ( name_bind )))
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+ (allow process reserved_port_t ( udp_socket ( name_bind )))
+ (allow process hi_reserved_port_t ( udp_socket ( name_bind )))
+ (allow process ntop_port_t ( tcp_socket ( name_bind )))
+ (allow process ntop_port_t ( udp_socket ( name_bind )))
+ (allow process unreserved_port_t ( tcp_socket ( name_bind )))
+ (allow process unreserved_port_t ( udp_socket ( name_bind )))
+
+ (allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+ (allow process port_type ( udp_socket ( recv_msg send_msg )))
+
+ (allow process cert_t ( dir ( watch getattr open read search )))
+ (allow process cert_t ( file ( watch getattr open read )))
+ (allow process cert_t ( lnk_file ( read )))
+)
diff --git a/cils/cloudflare_with_socket_access.cil b/cils/cloudflare_with_socket_access.cil
new file mode 100644
index 0000000..4d93a88
--- /dev/null
+++ b/cils/cloudflare_with_socket_access.cil
@@ -0,0 +1,11 @@
+(block cloudflare_with_socket_access
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process node_t ( icmp_socket ( node_bind )))
+
+ (allow process var_run_t ( sock_file ( write )))
+ (allow process comiclib.process ( unix_stream_socket ( connectto )))
+ (allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+ (allow process container_caddy.process ( unix_stream_socket ( connectto )))
+)
diff --git a/cils/comiclib.cil b/cils/comiclib.cil
new file mode 100644
index 0000000..7863747
--- /dev/null
+++ b/cils/comiclib.cil
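Review bot: The `(allow process http_port_t ( tcp_socket ( name_bind )))` rule appears twice, and the blanket `reserved_port_t`, `hi_reserved_port_t` and `unreserved_port_t` name_bind rules together with `port_type` name_connect make the per-port lines above them redundant and effectively undo the `restricted_net_container` template this block inherits. If the blanket lines exist for AdGuard Home ports that have no dedicated type (DNS-over-TLS/QUIC listeners, for instance — not visible here), label those ports with `semanage port -a -t <type> -p udp <port>` and bind to that type instead, then drop the three blanket rules and the duplicate. The `cert_t` read rules presumably also cover any private keys kept under the same label; a comment such as `; read-only access to host TLS material labelled cert_t (includes private keys stored alongside the certs)` would make that trade-off explicit.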
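Review bot: `(allow process cockpit_ws_t ( unix_stream_socket ( connectto )))` lets the tunnel process connect straight to the host's Cockpit web-service socket, so anything that reaches the Cloudflare tunnel can reach the host admin UI; combined with `(allow process var_run_t ( sock_file ( write )))`, which covers every generically-labelled socket under /run, the grant is wider than the block name suggests. If publishing Cockpit through the tunnel is intended, state it and the reliance on Cockpit's own authentication, e.g. `; cloudflared fronts Cockpit, Caddy and comiclib over their /run sockets -- authentication is enforced by those services, not here`; otherwise narrow the `var_run_t` rule to the specific socket labels the tunnel needs.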
@@ -0,0 +1,7 @@
+(block comiclib
+ (blockinherit container)
+
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+)
diff --git a/cils/container_caddy.cil b/cils/container_caddy.cil
new file mode 100644
index 0000000..a948c50
--- /dev/null
+++ b/cils/container_caddy.cil
@@ -0,0 +1,11 @@
+(block container_caddy
+ (blockinherit container)
+ (blockinherit net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+
+ (allow process var_run_t ( sock_file ( write )))
+ (allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+)
diff --git a/cils/container_hath.cil b/cils/container_hath.cil
new file mode 100644
index 0000000..2ca0f9b
--- /dev/null
+++ b/cils/container_hath.cil
@@ -0,0 +1,14 @@
+(block container_hath
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+ (allow process port_type ( udp_socket ( recv_msg send_msg )))
+
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+
+ (allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+
+)
diff --git a/cils/container_rohome_allbind.cil b/cils/container_rohome_allbind.cil
new file mode 100644
index 0000000..6e4b08c
--- /dev/null
+++ b/cils/container_rohome_allbind.cil
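Review bot: `(allow process var_run_t ( sock_file ( write )))` in container_caddy grants write to every sock_file under /run that carries no more specific label, which is broader than the single Cockpit socket the `cockpit_ws_t connectto` rule right below it implies Caddy proxies. Labelling that socket (or bind-mounting it into the container with `:Z`) and allowing only that type would keep the grant to what is actually proxied. The two `user_home_t` read rules also apply to every user's home directory rather than only the tree Caddy serves; a comment naming the intended directory, e.g. `; read-only: static site content lives under a user_home_t path`, would help the next reader judge the scope.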
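Review bot: The two `user_home_t` rules in container_hath give the container create/write/rename/unlink (plus `map`) over everything labelled `user_home_t`, i.e. every user's home directory, not just its own cache directory. A third-party cache client that can rewrite any user's ~/.ssh or shell rc files is a large blast radius; bind-mounting the cache directory with `:Z` (container_file_t) and dropping these two rules, or confining the grant to a dedicated type, would keep it to the data it owns. `(allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))` also re-opens outbound connections to every port even though the block inherits `restricted_net_container`; if that is deliberate, a comment like `; outbound to peer caches on arbitrary ports` would make it explicit.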
@@ -0,0 +1,7 @@
+(block container_rohome_allbind
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+)
diff --git a/cils/container_rwhome_allbind.cil b/cils/container_rwhome_allbind.cil
new file mode 100644
index 0000000..f701d7a
--- /dev/null
+++ b/cils/container_rwhome_allbind.cil
@@ -0,0 +1,7 @@
+(block container_rwhome_allbind
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+)
diff --git a/cils/container_wireguard.cil b/cils/container_wireguard.cil
new file mode 100644
index 0000000..b9c6e00
--- /dev/null
+++ b/cils/container_wireguard.cil
@@ -0,0 +1,7 @@
+(block container_wireguard
+ (blockinherit container)
+ (allow process process ( capability ( net_admin )))
+
+ (allow process container_wireguard.process ( netlink_route_socket ( nlmsg_write )))
+
+)
diff --git a/server.yaml b/server.yaml
index 2c9677c..0b92703 100644
--- a/server.yaml
+++ b/server.yaml
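Review bot: `(allow process container_wireguard.process ( netlink_route_socket ( nlmsg_write )))` spells out the block's own process type with its qualified name while every other rule in this series uses the bare `process`; `(allow process process ( netlink_route_socket ( nlmsg_write )))` is equivalent and consistent with the rest. More importantly, `net_admin` is granted with no comment and without `net_container`, so it is not clear whether the container is meant to run in its own network namespace (where net_admin is largely contained) or in the host namespace (where it can rewrite host routes and firewall rules). A comment pinning the intended deployment, e.g. `; net_admin + route netlink: bring up the wg interface and routes inside the container netns -- not intended for --network host`, would record that assumption.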
@@ -222,4 +222,27 @@ postprocess:
 echo "root" | passwd --stdin root
 mkdir -p /etc/ssh/sshd_config.d
 echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/99-password-authentication.conf
-
\ No newline at end of file
+ semanage fcontext -a -f a -t user_home_t -r 's0' '/media/storage(/.*)?'
+ semodule -i /etc/cils/*.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
+ rm -rf /etc/cils
+
+add-files:
+ [
+ ["cils/adguardhome.cil", "/etc/cils/adguardhome.cil"],
+ [
+ "cils/cloudflare_with_socket_access.cil",
+ "/etc/cils/cloudflare_with_socket_access.cil",
+ ],
+ ["cils/comiclib.cil", "/etc/cils/comiclib.cil"],
+ ["cils/container_caddy.cil", "/etc/cils/container_caddy.cil"],
+ ["cils/container_hath.cil", "/etc/cils/container_hath.cil"],
+ [
+ "cils/container_rohome_allbind.cil",
+ "/etc/cils/container_rohome_allbind.cil",
+ ],
+ [
+ "cils/container_rwhome_allbind.cil",
+ "/etc/cils/container_rwhome_allbind.cil",
+ ],
+ ["cils/container_wireguard.cil", "/etc/cils/container_wireguard.cil"],
+ ]
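Review bot: `semodule -i /etc/cils/*.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}` installs only the base and net templates, yet `cils/adguardhome.cil` and `cils/container_hath.cil` in this same patch use `(blockinherit restricted_net_container)`, which udica ships as a separate `restricted_net_container.cil`; unless that template is already loaded on the image, the install should fail to resolve the block, so add it to the brace list (`{base_container.cil,net_container.cil,restricted_net_container.cil}`). The `semanage fcontext -a -f a -t user_home_t -r 's0' '/media/storage(/.*)?'` line labels the storage tree identically to real home directories, so every `user_home_t` grant in the new policies, including the read-write ones, applies to /home as well as /media/storage; a dedicated type, or `container_file_t` via `:Z` mounts, would keep the two separate. Separately, the unchanged context line `echo "root" | passwd --stdin root` bakes a well-known root password into the image; it predates this change but is worth revisiting while the hardening is being done.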