authorKenton Groombridge <concord@gentoo.org>2024-06-27 10:34:25 -0400
committerJason Zaman <perfinion@gentoo.org>2024-09-21 15:28:29 -0700
commitbd4369a0e90ca62784e1176d0ffa5fe0fd706f51 (patch)
treedd2fea90b5c1978a720451911a33911a0afe33ff
parentinit: use pidfds from local login (diff)
haproxy: initial policy
Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/services/haproxy.fc12
-rw-r--r--policy/modules/services/haproxy.if89
-rw-r--r--policy/modules/services/haproxy.te121
3 files changed, 222 insertions, 0 deletions
diff --git a/policy/modules/services/haproxy.fc b/policy/modules/services/haproxy.fc
new file mode 100644
index 00000000..63e1b8a4
--- /dev/null
+++ b/policy/modules/services/haproxy.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/haproxy.* -- gen_context(system_u:object_r:haproxy_initrc_exec_t,s0)
+
+/etc/haproxy(/.*)? gen_context(system_u:object_r:haproxy_conf_t,s0)
+
+/usr/bin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+
+/run/haproxy(/.*)? gen_context(system_u:object_r:haproxy_runtime_t,s0)
+/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_runtime_t,s0)
+/run/haproxy-master\.sock -s gen_context(system_u:object_r:haproxy_runtime_t,s0)
+
+/var/log/haproxy(/.*)? gen_context(system_u:object_r:haproxy_log_t,s0)
diff --git a/policy/modules/services/haproxy.if b/policy/modules/services/haproxy.if
new file mode 100644
index 00000000..45399bd2
--- /dev/null
+++ b/policy/modules/services/haproxy.if
@@ -0,0 +1,89 @@
+## <summary>A TCP/HTTP reverse proxy for high availability environments.</summary>
+
+########################################
+## <summary>
+## Execute haproxy in the haproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`haproxy_domtrans',`
+ gen_require(`
+ type haproxy_t, haproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
+########################################
+## <summary>
+## Execute haproxy in the haproxy domain, and
+## allow the specified role the haproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`haproxy_run',`
+ gen_require(`
+ type haproxy_t;
+ ')
+
+ haproxy_domtrans($1)
+ role $2 types haproxy_t;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an haproxy environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`haproxy_admin',`
+ gen_require(`
+ type haproxy_t, haproxy_initrc_exec_t, haproxy_conf_t;
+ type haproxy_log_t, haproxy_runtime_t, haproxy_tmpfs_t;
+ ')
+
+ haproxy_run($1, $2)
+
+ init_startstop_service($1, $2, haproxy_t, haproxy_initrc_exec_t)
+
+ allow $1 haproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, haproxy_t)
+
+ files_search_etc($1)
+ admin_pattern($1, haproxy_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, haproxy_log_t)
+
+ fs_search_tmpfs($1)
+ admin_pattern($1, haproxy_tmpfs_t)
+
+ files_search_runtime($1)
+ admin_pattern($1, haproxy_runtime_t)
+')
diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te
new file mode 100644
index 00000000..fd5bc380
--- /dev/null
+++ b/policy/modules/services/haproxy.te
@@ -0,0 +1,121 @@
+policy_module(haproxy)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether haproxy can bind to
+## all TCP ports.
+## </p>
+## </desc>
+gen_tunable(haproxy_bind_all_tcp_ports, false)
+
+## <desc>
+## <p>
+## Determine whether haproxy can bind to
+## kubernetes ports (typically 6443/tcp).
+## </p>
+## </desc>
+gen_tunable(haproxy_bind_kubernetes_port, false)
+
+## <desc>
+## <p>
+## Determine whether haproxy can connect to
+## all TCP ports.
+## </p>
+## </desc>
+gen_tunable(haproxy_connect_all_tcp_ports, false)
+
+## <desc>
+## <p>
+## Determine whether haproxy can connect to
+## kubernetes ports (typically 6443/tcp).
+## </p>
+## </desc>
+gen_tunable(haproxy_connect_kubernetes_port, false)
+
+type haproxy_t;
+type haproxy_exec_t;
+init_daemon_domain(haproxy_t, haproxy_exec_t)
+
+type haproxy_conf_t;
+files_config_file(haproxy_conf_t)
+
+type haproxy_initrc_exec_t;
+init_script_file(haproxy_initrc_exec_t)
+
+type haproxy_log_t;
+logging_log_file(haproxy_log_t)
+
+type haproxy_runtime_t;
+files_runtime_file(haproxy_runtime_t)
+
+type haproxy_tmpfs_t;
+files_tmpfs_file(haproxy_tmpfs_t)
+
+########################################
+#
+# haproxy local policy
+#
+
+allow haproxy_t self:process { getsched setrlimit signal };
+allow haproxy_t self:capability { kill setuid setgid };
+dontaudit haproxy_t self:capability net_admin;
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:tcp_socket create_stream_socket_perms;
+allow haproxy_t self:udp_socket create_socket_perms;
+allow haproxy_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(haproxy_t, haproxy_conf_t, haproxy_conf_t)
+
+create_dirs_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+create_files_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+append_files_pattern(haproxy_t, haproxy_log_t, haproxy_log_t)
+logging_log_filetrans(haproxy_t, haproxy_log_t, { dir file })
+
+manage_files_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)
+manage_sock_files_pattern(haproxy_t, haproxy_runtime_t, haproxy_runtime_t)
+files_runtime_filetrans(haproxy_t, haproxy_runtime_t, { dir file sock_file })
+
+mmap_manage_files_pattern(haproxy_t, haproxy_tmpfs_t, haproxy_tmpfs_t)
+fs_tmpfs_filetrans(haproxy_t, haproxy_tmpfs_t, file)
+
+corenet_tcp_bind_http_port(haproxy_t)
+corenet_tcp_connect_http_port(haproxy_t)
+corenet_tcp_bind_generic_node(haproxy_t)
+
+corecmd_search_bin(haproxy_t)
+
+dev_dontaudit_read_sysfs(haproxy_t)
+
+kernel_read_kernel_sysctls(haproxy_t)
+kernel_read_state(haproxy_t)
+kernel_read_system_state(haproxy_t)
+
+auth_use_nsswitch(haproxy_t)
+
+miscfiles_read_generic_certs(haproxy_t)
+miscfiles_read_localization(haproxy_t)
+
+logging_send_syslog_msg(haproxy_t)
+
+can_exec(haproxy_t, haproxy_exec_t)
+
+tunable_policy(`haproxy_bind_all_tcp_ports',`
+ corenet_tcp_bind_all_ports(haproxy_t)
+')
+
+tunable_policy(`haproxy_bind_kubernetes_port',`
+ corenet_tcp_bind_kubernetes_port(haproxy_t)
+')
+
+tunable_policy(`haproxy_connect_all_tcp_ports',`
+ corenet_tcp_connect_all_ports(haproxy_t)
+')
+
+tunable_policy(`haproxy_connect_kubernetes_port',`
+ corenet_tcp_connect_kubernetes_port(haproxy_t)
+')
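Review bot: The `/run/haproxy-master\.sock` socket file that haproxy.fc labels is a listening UNIX stream socket, yet this hunk grants `haproxy_t` no `self:unix_stream_socket` permissions at all, so the master CLI socket and the master/worker socketpairs presumably only work if the base domain rules already cover them; `listen` and `accept` are not part of `create_socket_perms`, so I would expect to need `allow haproxy_t self:unix_stream_socket { accept connectto create_stream_socket_perms };` next to the dgram rule — confirm against a denial log before adding it. The `can_exec(haproxy_t, haproxy_exec_t)` line deserves a why-comment such as `# master-worker mode re-executes the binary on reload`, since a daemon domain executing its own entrypoint otherwise reads like a mistake. If the shipped configuration uses the `chroot` directive, the `sys_chroot` capability and a labelled chroot directory would also be required and neither is declared here; if it does not, a one-line comment saying so would spare the next reviewer the question.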