From fb380e621dea3dcb736ae1bb37328b41ed4f88b4 Mon Sep 17 00:00:00 2001 From: Michael Engel Date: Mon, 9 Sep 2024 16:34:32 +0200 Subject: [PATCH] Updated readthedocs for SELinux policy Signed-off-by: Michael Engel --- Makefile | 2 +- doc/docs/security/selinux.md | 53 ++++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f22d56e650..055700336e 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ BUILDDIR=builddir CODESPELL_PARAMS=\ -S Makefile,imgtype,copy,AUTHORS,bin,.git,CHANGELOG.md,changelog.txt,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej,*.xml,*xsl",build.ninja,intro-targets.json,./tests/tests/tier0/proxy-service-fails-on-typo-in-file/systemd/simple.service,tags,./builddir,./subprojects,\ - -L keypair,flate,uint,iff,od,ERRO,crate\ + -L keypair,flate,uint,iff,od,ERRO,crate,te \ --ignore-regex=".*codespell-ignore$$" build: diff --git a/doc/docs/security/selinux.md b/doc/docs/security/selinux.md index 13aa45532e..48aa1a83e2 100644 --- a/doc/docs/security/selinux.md +++ b/doc/docs/security/selinux.md @@ -1,4 +1,5 @@ + # BlueChi's SELinux policy BlueChi provides a custom SELinux policy, limiting access of the `bluechi-controller` and `bluechi-agent`. It can be installed via 
@@ -42,3 +43,55 @@ semanage permissive -a bluechi_t # add the permissive property to bluechi-agent semanage permissive -a bluechi_agent_t ``` + +## Allowing access to restricted units + +The SELinux policy of BlueChi allows it to manage all systemd units. + +However, when installing some applications and their respective systemd units, e.g. via `dnf`, there might also be additional SELinux Policies installed which prevent BlueChi from managing these. For example, when installing `httpd` on Fedora, it installs also the systemd unit `httpd.service` and the [policy module for apache](https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/apache.te). When trying to start the service via `bluechictl`, the policy will prevent certain operations: + +```bash +# The apache policy prevents BlueChi from managing the httpd service +$ bluechictl stop httpd.service +Failed to issue method call: SELinux policy denies access: Permission denied + +# However, using systemctl works as this is enabled by default in the apache policy +$ systemctl stop httpd.service +``` + +In order to allow BlueChi to manage the `httpd.service`, the necessary allow rule(s) need to be added. The [audit2allow](https://man7.org/linux/man-pages/man1/audit2allow.1.html) tool can be used to generate these rules based on AVCs. + +First, run all operations with BlueChi that should be allowed. These will fail and create the AVCs used by `audit2allow`. Then use `audit2allow` to generate the allow rules and create the policy package (.pp) which can be installed via `semodule`. 
The following snippet shows an example for the httpd.service: + +```bash +# generate AVC for the status operation +$ bluechictl status httpd.service +Failed to issue method call: SELinux policy denies access: Permission denied + +# generate AVC for the stop operation +$ bluechictl stop httpd.service +Failed to issue method call: SELinux policy denies access: Permission denied + +# view the type enforcement rule that allows the denied operations +$ audit2allow -a +#============= bluechi_agent_t ============== + +allow bluechi_agent_t httpd_unit_file_t:service { status stop }; + +# create the policy package (.pp) and type enforcement file (.te) +$ audit2allow -a -M httpd-allow +******************** IMPORTANT *********************** +To make this policy package active, execute: + +semodule -i httpd-allow.pp + +$ ls +httpd-allow.pp httpd-allow.te + +# install policy package and run the previously prevented operation +$ semodule -i httpd-allow.pp +$ bluechictl status httpd.service +UNIT | LOADED | ACTIVE | SUBSTATE | FREEZERSTATE | ENABLED | +--------------------------------------------------------------------------------- +httpd.service | loaded | inactive | dead | running | disabled | +```
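Review bot: adding `te` to the global codespell `-L` list in the Makefile hunk suppresses that word for the entire repository, not just for the new selinux.md section that uses it as a file extension. A real typo "te" (for "the") anywhere in the code base or docs would then pass the check silently. The Makefile already honours `--ignore-regex=".*codespell-ignore$$"`, so marking the one line in selinux.md that mentions `(.te)` with a trailing `# codespell-ignore` comment, or adding the word to a per-file skip, keeps the exception scoped to where it is needed.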
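Review bot: the `@@ -1,4 +1,5 @@` hunk in doc/docs/security/selinux.md only inserts an empty line before `# BlueChi's SELinux policy`, which looks unintentional and is unrelated to the new section. Drop the stray leading blank line so the rendered page and the diff stay clean.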
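Review bot: the new "Allowing access to restricted units" section builds the policy module with `audit2allow -a`, which consumes every AVC denial in the audit log, not only those produced by the `bluechictl status` and `bluechictl stop` calls shown. On a host with unrelated denials the generated `httpd-allow.pp` would grant those permissions too, and the text tells the reader to run `semodule -i httpd-allow.pp` right away. Please add a step that inspects `httpd-allow.te` before installing it and expects exactly the one rule shown (`allow bluechi_agent_t httpd_unit_file_t:service { status stop };`), and consider narrowing the input, e.g. `ausearch -m avc -c bluechi-agent --raw | audit2allow -M httpd-allow`, so only the agent's denials are turned into allow rules. It is also worth stating explicitly that the resulting module permits only the operations that were exercised (here `status` and `stop`); `start`, `restart` or other verbs need their own denials first, which the "run all operations with BlueChi that should be allowed" sentence implies but does not spell out. Finally, the comment "using systemctl works as this is enabled by default in the apache policy" should say why: the interactive shell issuing `systemctl` runs in an unconfined domain, which is what lets it manage the unit, rather than anything specific to the apache module.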