author | Kenton Groombridge <concord@gentoo.org> | 2024-06-27 10:34:25 -0400 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2024-09-21 15:28:29 -0700 |
commit | bd4369a0e90ca62784e1176d0ffa5fe0fd706f51 (patch) | |
tree | dd2fea90b5c1978a720451911a33911a0afe33ff | |
parent | init: use pidfds from local login (diff) | |
haproxy: initial policy
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/services/haproxy.fc | 12 | ||||
-rw-r--r-- | policy/modules/services/haproxy.if | 89 | ||||
-rw-r--r-- | policy/modules/services/haproxy.te | 121 |
3 files changed, 222 insertions, 0 deletions
diff --git a/policy/modules/services/haproxy.fc b/policy/modules/services/haproxy.fc
new file mode 100644
index 00000000..63e1b8a4
--- /dev/null
+++ b/policy/modules/services/haproxy.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/haproxy.* -- gen_context(system_u:object_r:haproxy_initrc_exec_t,s0)
+
+/etc/haproxy(/.*)? gen_context(system_u:object_r:haproxy_conf_t,s0)
+
+/usr/bin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+
+/run/haproxy(/.*)? gen_context(system_u:object_r:haproxy_runtime_t,s0)
+/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_runtime_t,s0)
+/run/haproxy-master\.sock -s gen_context(system_u:object_r:haproxy_runtime_t,s0)
+
+/var/log/haproxy(/.*)? gen_context(system_u:object_r:haproxy_log_t,s0)
diff --git a/policy/modules/services/haproxy.if b/policy/modules/services/haproxy.if
new file mode 100644
index 00000000..45399bd2
--- /dev/null
+++ b/policy/modules/services/haproxy.if
@@ -0,0 +1,89 @@
+## <summary>A TCP/HTTP reverse proxy for high availability environments.</summary>
+
+########################################
+## <summary>
+## Execute haproxy in the haproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`haproxy_domtrans',`
+ gen_require(`
+ type haproxy_t, haproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
+########################################
+## <summary>
+## Execute haproxy in the haproxy domain, and
+## allow the specified role the haproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`haproxy_run',`
+ gen_require(`
+ type haproxy_t;
+ ')
+
+ haproxy_domtrans($1)
+ role $2 types haproxy_t;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an haproxy environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`haproxy_admin',`
+ gen_require(`
+ type haproxy_t, haproxy_initrc_exec_t, haproxy_conf_t;
+ type haproxy_log_t, haproxy_runtime_t, haproxy_tmpfs_t;
+ ')
+
+ haproxy_run($1, $2)
+
+ init_startstop_service($1, $2, haproxy_t, haproxy_initrc_exec_t)
+
+ allow $1 haproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, haproxy_t)
+
+ files_search_etc($1)
+ admin_pattern($1, haproxy_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, haproxy_log_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, haproxy_tmpfs_t)
+
+ files_search_runtime($1)
+ admin_pattern($1, haproxy_runtime_t)
+')
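Review bot: No client-side interface is provided for the socket this commit labels in haproxy.fc (`/run/haproxy-master\.sock`, type haproxy_runtime_t), so any domain that needs to talk to the master or stats socket would have to be given general runtime-file access instead of a scoped grant; a `haproxy_stream_connect` interface next to `haproxy_domtrans` keeps that at least privilege. The `gen_require` in `haproxy_admin` already lists every type declared in haproxy.te, so nothing further is needed there. One wording fix in the `haproxy_admin` summary: `administrate a haproxy environment`.
```m4
########################################
## <summary>
##	Connect to haproxy over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`haproxy_stream_connect',`
	gen_require(`
		type haproxy_t, haproxy_runtime_t;
	')

	files_search_runtime($1)
	stream_connect_pattern($1, haproxy_runtime_t, haproxy_runtime_t, haproxy_t)
')
```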
diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te
new file mode 100644
index 00000000..fd5bc380
--- /dev/null
+++ b/policy/modules/services/haproxy.te
@@ -0,0 +1,121 @@
+policy_module(haproxy)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether haproxy can bind to
+## all TCP ports.
+## </p>
+## </desc>
+gen_tunable(haproxy_bind_all_tcp_ports, false)
+
+## <desc>
+## <p>
+## Determine whether haproxy can bind to
+## kubernetes ports (typically 6443/tcp).
+## </p>
+## </desc>
+gen_tunable(haproxy_bind_kubernetes_port, false)
+
+## <desc>
+## <p>
+## Determine whether haproxy can connect to
+## all TCP ports.
+## </p>
+## </desc>
+gen_tunable(haproxy_connect_all_tcp_ports, false)
+
+## <desc>
+## <p>
+## Determine whether haproxy can connect to
+## kubernetes ports (typically 6443/tcp).
+## </p>
+## </desc>
+gen_tunable(haproxy_connect_kubernetes_port, false)
+
+type haproxy_t;
+type haproxy_exec_t;
+init_daemon_domain(haproxy_t, haproxy_exec_t)
+
+type haproxy_conf_t;
+files_config_file(haproxy_conf_t)
+
+type haproxy_initrc_exec_t;
+init_script_file(haproxy_initrc_exec_t)
+
+type haproxy_log_t;
+logging_log_file(haproxy_log_t)
+
+type haproxy_runtime_t;
+files_runtime_file(haproxy_runtime_t)
+
+type haproxy_tmpfs_t;
+files_tmpfs_file(haproxy_tmpfs_t)
+
+########################################
+#
+# haproxy local policy
+#
+
+allow haproxy_t self:process { getsched setrlimit signal };
+allow haproxy_t self:capability { kill setuid setgid };
+dontaudit haproxy_t self:capability net_admin;
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:tcp_socket create_stream_socket_perms;
+allow haproxy_t self:udp_socket create_socket_perms;
+allow haproxy_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(haproxy_t, haproxy_conf_t, haproxy_conf_t)
+
+create_dirs_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+create_files_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+append_files_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+logging_log_filetrans(haproxy_t, haproxy_log_t, { dir file })
+
+manage_files_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)
+manage_sock_files_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)
+files_runtime_filetrans(haproxy_t, haproxy_runtime_t, { dir file sock_file })
+
+mmap_manage_files_pattern(haproxy_t, haproxy_tmpfs_t, haproxy_tmpfs_t)
+fs_tmpfs_filetrans(haproxy_t, haproxy_tmpfs_t, file)
+
+corenet_tcp_bind_http_port(haproxy_t)
+corenet_tcp_connect_http_port(haproxy_t)
+corenet_tcp_bind_generic_node(haproxy_t)
+
+corecmd_search_bin(haproxy_t)
+
+dev_dontaudit_read_sysfs(haproxy_t)
+
+kernel_read_kernel_sysctls(haproxy_t)
+kernel_read_state(haproxy_t)
+kernel_read_system_state(haproxy_t)
+
+auth_use_nsswitch(haproxy_t)
+
+miscfiles_read_generic_certs(haproxy_t)
+miscfiles_read_localization(haproxy_t)
+
+logging_send_syslog_msg(haproxy_t)
+
+can_exec(haproxy_t, haproxy_exec_t)
+
+tunable_policy(`haproxy_bind_all_tcp_ports',`
+ corenet_tcp_bind_all_ports(haproxy_t)
+')
+
+tunable_policy(`haproxy_bind_kubernetes_port',`
+ corenet_tcp_bind_kubernetes_port(haproxy_t)
+')
+
+tunable_policy(`haproxy_connect_all_tcp_ports',`
+ corenet_tcp_connect_all_ports(haproxy_t)
+')
+
+tunable_policy(`haproxy_connect_kubernetes_port',`
+ corenet_tcp_connect_kubernetes_port(haproxy_t)
+')
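Review bot: The local policy block grants haproxy_t no `self:unix_stream_socket` permissions, yet the same commit labels `/run/haproxy-master\.sock` as a socket file in haproxy.fc and grants `manage_sock_files_pattern` plus a `sock_file` filetrans on haproxy_runtime_t, which only makes sense if the daemon creates and listens on a unix stream socket (the master socket, and a stats socket when configured). Unless one of the called interfaces already supplies it, `allow haproxy_t self:unix_stream_socket create_stream_socket_perms;` next to the tcp_socket rule is presumably needed, and master-worker mode may additionally need `connectto` on self. Separately, nothing here covers the `chroot` directive many distribution haproxy.cfg files ship with: that needs `self:capability sys_chroot` and a labeled chroot directory, neither of which this policy declares, so it is worth either adding them or noting the omission in the module header so denials are not mistaken for policy bugs.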