Merge pull request #970 from bcressey/persist-state

persist state for wicked, chrony, and systemd

packages/chrony/chrony-conf

@@ -1,8 +1,8 @@
 {{#each settings.ntp.time-servers}}
 pool {{this}} iburst
 {{/each}}
-driftfile /run/lib/chrony/drift
+driftfile /var/lib/chrony/drift
 makestep 1.0 3
 dumponexit
-dumpdir /run/lib/chrony/state
+dumpdir /var/lib/chrony
 user chrony

packages/chrony/chrony-tmpfiles.conf

@@ -0,0 +1,2 @@
+d /var/lib/chrony 0700 chrony chrony -
+Z /var/lib/chrony 0700 chrony chrony -

packages/chrony/chrony.spec

@@ -8,6 +8,7 @@ Source0: https://download.tuxfamily.org/chrony/chrony-3.5.tar.gz
 Source1: chronyd.service
 Source2: chrony-conf
 Source3: chrony-sysusers.conf
+Source4: chrony-tmpfiles.conf
 BuildRequires: %{_cross_os}glibc-devel
 BuildRequires: %{_cross_os}libcap-devel
 BuildRequires: %{_cross_os}libseccomp-devel
@@ -58,11 +59,13 @@ CC=%{_cross_target}-gcc \
 %make_install
 
 install -d %{buildroot}%{_cross_unitdir}
-install -p -m 0644 %{SOURCE1} %{buildroot}%{_cross_unitdir}/chronyd.service
+install -p -m 0644 %{S:1} %{buildroot}%{_cross_unitdir}/chronyd.service
 install -d %{buildroot}%{_cross_templatedir}
-install -p -m 0644 %{SOURCE2} %{buildroot}%{_cross_templatedir}/chrony-conf
+install -p -m 0644 %{S:2} %{buildroot}%{_cross_templatedir}/chrony-conf
 install -d %{buildroot}%{_cross_sysusersdir}
-install -p -m 0644 %{SOURCE3} %{buildroot}%{_cross_sysusersdir}/chrony.conf
+install -p -m 0644 %{S:3} %{buildroot}%{_cross_sysusersdir}/chrony.conf
+install -d %{buildroot}%{_cross_tmpfilesdir}
+install -p -m 0644 %{S:4} %{buildroot}%{_cross_tmpfilesdir}/chrony.conf
 
 %files
 %license COPYING
@@ -72,6 +75,7 @@ install -p -m 0644 %{SOURCE3} %{buildroot}%{_cross_sysusersdir}/chrony.conf
 %{_cross_templatedir}/chrony-conf
 %{_cross_unitdir}/chronyd.service
 %{_cross_sysusersdir}/chrony.conf
+%{_cross_tmpfilesdir}/chrony.conf
 %exclude %{_cross_mandir}
 
 %files tools

packages/chrony/chronyd.service

@@ -7,7 +7,6 @@ Requires=network-online.target configured.target
 [Service]
 Type=simple
 ExecStart=/usr/sbin/chronyd -d -F -1
-StateDirectory=chrony/state
 
 [Install]
 WantedBy=multi-user.target

packages/selinux-policy/fs.cil

@@ -40,14 +40,18 @@
 
 ; Label entry points.
 (filecon "/.*/usr/lib/systemd/systemd" file init_exec)
-(filecon "/.*/usr/bin/containerd.*" file runtime_exec)
-(filecon "/.*/usr/bin/docker.*" file runtime_exec)
-(filecon "/.*/usr/bin/host-ctr" file runtime_exec)
-(filecon "/.*/usr/sbin/runc" file runtime_exec)
 (filecon "/.*/usr/bin/apiserver" file api_exec)
 (filecon "/.*/usr/bin/early-boot-config" file api_exec)
 (filecon "/.*/usr/bin/migrator" file api_exec)
 (filecon "/.*/usr/bin/storewolf" file api_exec)
+(filecon "/.*/usr/bin/dbus-broker.*" file bus_exec)
+(filecon "/.*/usr/sbin/chronyd" file clock_exec)
+(filecon "/.*/usr/sbin/wicked.*" file network_exec)
+(filecon "/.*/usr/libexec/wicked/bin/wicked.*" file network_exec)
+(filecon "/.*/usr/bin/containerd.*" file runtime_exec)
+(filecon "/.*/usr/bin/docker.*" file runtime_exec)
+(filecon "/.*/usr/bin/host-ctr" file runtime_exec)
+(filecon "/.*/usr/sbin/runc" file runtime_exec)
 
 ; Label local storage mounts.
 (filecon "/local" any local)
@@ -57,6 +61,16 @@
 (filecon "/var" any local)
 (filecon "/var/.*" any ())
 
+; Label local state directories.
+(filecon "/var/lib/chrony" any measure)
+(filecon "/var/lib/chrony/.*" any measure)
+(filecon "/var/lib/systemd" any state)
+(filecon "/var/lib/systemd/.*" any state)
+(filecon "/var/lib/wicked" any lease)
+(filecon "/var/lib/wicked/.*" any lease)
+(filecon "/var/log/journal" any state)
+(filecon "/var/log/journal/.*" any state)
+
 ; Label kernel filesystem mounts.
 (filecon "/proc" any any)
 (filecon "/proc/.*" any ())

packages/selinux-policy/object.cil

@@ -18,6 +18,22 @@
 (roletype object_r api_exec_t)
 (context api_exec (system_u object_r api_exec_t s0))
 
+; Executable files for NTP daemons such as /usr/sbin/chronyd.
+(type clock_exec_t)
+(roletype object_r clock_exec_t)
+(context clock_exec (system_u object_r clock_exec_t s0))
+
+; Executable files for network daemons such as /usr/sbin/wickedd.
+(type network_exec_t)
+(roletype object_r network_exec_t)
+(context network_exec (system_u object_r network_exec_t s0))
+
+; Executable files for message bus daemons such as
+; /usr/bin/dbus-broker-launch.
+(type bus_exec_t)
+(roletype object_r bus_exec_t)
+(context bus_exec (system_u object_r bus_exec_t s0))
+
 ; Executable files for container runtimes such as /usr/sbin/runc.
 (type runtime_exec_t)
 (roletype object_r runtime_exec_t)
@@ -49,6 +65,21 @@
 (roletype object_r cache_t)
 (context cache (system_u object_r cache_t s0))
 
+; Files for saved DHCP leases.
+(type lease_t)
+(roletype object_r lease_t)
+(context lease (system_u object_r lease_t s0))
+
+; Files for saved clock measurements.
+(type measure_t)
+(roletype object_r measure_t)
+(context measure (system_u object_r measure_t s0))
+
+; Files for saved system state.
+(type state_t)
+(roletype object_r state_t)
+(context state (system_u object_r state_t s0))
+
 ; Files that are mount points for external filesystems.
 (type external_t)
 (roletype object_r external_t)
@@ -60,12 +91,14 @@
 
 ; Protected objects are files on local storage with special rules.
 (typeattribute protected_o)
-(typeattributeset protected_o (cache_t private_t))
+(typeattributeset protected_o (
+  cache_t private_t lease_t measure_t state_t))
 
 ; Immutable objects reside on read-only storage.
 (typeattribute immutable_o)
 (typeattributeset immutable_o (
-  os_t init_exec_t api_exec_t runtime_exec_t))
+  os_t init_exec_t api_exec_t clock_exec_t
+  network_exec_t bus_exec_t runtime_exec_t))
 
 ; Foreign objects reside on storage with a different lifecycle from
 ; the rest of the OS, such as EBS volumes and EFS filesystems.
@@ -75,6 +108,8 @@
 ; The set of all objects.
 (typeattribute all_o)
 (typeattributeset all_o (
-  os_t init_exec_t api_exec_t runtime_exec_t
+  os_t init_exec_t api_exec_t clock_exec_t
+  network_exec_t bus_exec_t runtime_exec_t
   any_t unlabeled_t external_t
-  local_t private_t cache_t))
+  local_t private_t cache_t
+  lease_t measure_t state_t))

packages/selinux-policy/rules.cil

@@ -31,6 +31,21 @@
 (allow init_t api_t (processes (transform)))
 (allow api_t api_exec_t (file (entrypoint)))
 
+; PID1 starts NTP daemons as "clock_t".
+(typetransition init_t clock_exec_t process clock_t)
+(allow init_t clock_t (processes (transform)))
+(allow clock_t clock_exec_t (file (entrypoint)))
+
+; PID1 starts network daemons as "network_t".
+(typetransition init_t network_exec_t process network_t)
+(allow init_t network_t (processes (transform)))
+(allow network_t network_exec_t (file (entrypoint)))
+
+; PID1 starts DBUS daemons as "bus_t".
+(typetransition init_t bus_exec_t process bus_t)
+(allow init_t bus_t (processes (transform)))
+(allow bus_t bus_exec_t (file (entrypoint)))
+
 ; PID 1 starts container runtimes as "runtime_t".
 ; The level range is adjusted to span all categories at the same time,
 ; to support Docker's use of MCS labels.
@@ -76,33 +91,42 @@
 (allow all_s ephemeral_o (files (mutate watch)))
 (allow all_s foreign_o (files (mutate watch mount)))
 
-; All subjects are allowed to write to, set watches for, and manage
-; mounts for most files and directories on /local.
-(allow all_s local_t (files (mutate watch mount)))
+; Most subjects are allowed to write to, set watches for, and manage
+; mounts for "local" files and directories on /local.
+(allow unconfined_s local_t (files (mutate watch mount)))
+
+; Confined subjects cannot modify these "local" files.
+(neverallow confined_s local_t (files (mutate watch mount)))
 
 ; Trusted components are allowed to manage mounts everywhere.
 (allow trusted_s global (files (mount)))
 
 ; Trusted components can set watches on immutable files, since we
-; expect this behavior from systemd and dbus-broker.
+; expect this behavior from systemd.
 (allow trusted_s immutable_o (files (watch)))
 
-; Only specific components can write to "private_t" or "cache_t", as
-; they provide a means to persist changes across container restarts
-; and reboots. We also restrict the ability to set watches as this
-; can be used to block access for another process.
+; dbus-broker watches /usr/share/dbus-1/system.d.
+(allow bus_t os_t (files (watch)))
+
+; Only specific components can write to these objects, as they
+; provide a means to persist changes across container restarts
+; and reboots. We also restrict the ability to set watches as
+; this can be used to block access for other processes.
 (allow api_s private_t (files (mutate watch)))
+(allow clock_s measure_t (files (mutate watch)))
+(allow network_s lease_t (files (mutate watch)))
 (allow runtime_s cache_t (files (mutate watch)))
+(allow system_s state_t (files (mutate watch)))
 
-; Untrusted processes should not be permitted to modify these files,
+; Other components should not be permitted to modify these files,
 ; set watches for them, or to manage mounts for these directories.
-(neverallow untrusted_s protected_o (files (mutate watch mount)))
-(neverallow untrusted_s immutable_o (files (watch)))
+(neverallow other_s protected_o (files (mutate watch mount)))
+(neverallow other_s immutable_o (files (watch)))
 
 ; Only trusted components are allowed to relabel files.
 (allow trusted_s global (files (relabel)))
 
-; Untrusted processes should not be permitted to relabel files.
+; Untrusted components are not allowed to relabel files.
 (neverallow untrusted_s global (files (relabel)))
 
 ; Containers are allowed to relax security constraints, since we
@@ -132,7 +156,7 @@
 (allow trusted_s global (sockets (relabel)))
 (allow trusted_s global (networks (relabel)))
 
-; Untrusted processes cannot relabel sockets or packets.
+; Untrusted components cannot relabel sockets or packets.
 (neverallow untrusted_s global (sockets (relabel)))
 (neverallow untrusted_s global (networks (relabel)))
 
@@ -142,8 +166,16 @@
 
 ; Only trusted components can use systems-level management functions.
 ; This includes interactions with SELinux-aware userspace programs
-; such as systemd and dbus-broker.
+; such as systemd.
 (allow trusted_s global (systems (manage)))
 
-; Untrusted processes cannot use systems-level management functions.
-(neverallow untrusted_s global (systems (manage)))
+; dbus-broker implements DBUS and uses SELinux for access control.
+(allow bus_t global (dbus (all)))
+(allow bus_t global (security (compute_av)))
+
+; wicked needs DBUS for IPC.
+(allow network_t bus_t (dbus (all)))
+(allow network_t network_t (dbus (all)))
+
+; Other components cannot use systems-level management functions.
+(neverallow other_s global (systems (manage)))

packages/selinux-policy/subject.cil

@@ -28,6 +28,21 @@
 (roletype system_r runtime_t)
 (context runtime (system_u system_r runtime_t s0))
 
+; Processes that manage network interfaces.
+(type network_t)
+(roletype system_r network_t)
+(context network (system_u system_r network_t s0))
+
+; Processes that manage the system clock.
+(type clock_t)
+(roletype system_r clock_t)
+(context clock (system_u system_r clock_t s0))
+
+; Processes that manage the system message bus.
+(type bus_t)
+(roletype system_r bus_t)
+(context bus (system_u system_r bus_t s0))
+
 ; Processes that run inside containers.
 (type container_t)
 (roletype system_r container_t)
@@ -41,15 +56,29 @@
 ; The set of all subjects.
 (typeattribute all_s)
 (typeattributeset all_s (
-  kernel_t init_t system_t api_t runtime_t container_t super_t))
+  kernel_t init_t system_t api_t
+  network_t clock_t bus_t runtime_t
+  container_t super_t))
 
-; Subjects that are treated as part of the OS.
+; Subjects that are treated as a trusted part of the OS.
 (typeattribute trusted_s)
-(typeattributeset trusted_s (not container_t))
+(typeattributeset trusted_s (not (untrusted_s)))
+
+; Subjects that are part of the OS, but confined through policy.
+(typeattribute confined_s)
+(typeattributeset confined_s (network_t clock_t bus_t))
+
+; Subjects that are not confined by policy.
+(typeattribute unconfined_s)
+(typeattributeset unconfined_s (not (confined_s)))
 
-; Subjects that are not treated as part of the OS.
+; Subjects that are not part of the OS.
+(typeattribute other_s)
+(typeattributeset other_s (container_t))
+
+; Subjects that are not treated as a trusted part of the OS.
 (typeattribute untrusted_s)
-(typeattributeset untrusted_s (not trusted_s))
+(typeattributeset untrusted_s (confined_s other_s))
 
 ; Subjects that are started from containers.
 (typeattribute container_s)
@@ -66,3 +95,15 @@
 ; Subjects that are treated as container runtimes.
 (typeattribute runtime_s)
 (typeattributeset runtime_s (runtime_t super_t))
+
+; Subjects that are allowed to manage the system clock.
+(typeattribute clock_s)
+(typeattributeset clock_s (clock_t system_t super_t))
+
+; Subjects that are allowed to manage network interfaces.
+(typeattribute network_s)
+(typeattributeset network_s (network_t system_t super_t))
+
+; Subjects that are allowed to manage system files.
+(typeattribute system_s)
+(typeattributeset system_s (system_t super_t))