From 7f1dcc09bf3f729107fb4448a0e87f04aafa560b Mon Sep 17 00:00:00 2001 From: Chance Callahan Date: Wed, 14 Sep 2022 19:24:51 -0400 Subject: [PATCH 01/10] Updating to 1.7.0 --- rpm/ptero-wings.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rpm/ptero-wings.spec b/rpm/ptero-wings.spec index 124af83..1bd595d 100644 --- a/rpm/ptero-wings.spec +++ b/rpm/ptero-wings.spec @@ -1,5 +1,5 @@ Name: ptero-wings -Version: 1.5.3 +Version: 1.7.0 Release: 1%{?dist} Summary: The server control plane for Pterodactyl Panel. Written from the ground-up with security, speed, and stability in mind. BuildArch: x86_64 @@ -91,6 +91,9 @@ rm -rf /var/log/pterodactyl wings --version %changelog +* Wed Sep 14 2022 Chance Callahan - 1.7.0-1 +- Updating specfile to match stable release. + * Wed Oct 27 2021 Capitol Hosting Solutions Systems Engineering - 1.5.3-1 - specfile by Capitol Hosting Solutions, Upstream by Pterodactyl - Rebased for https://github.com/pterodactyl/wings/releases/tag/v1.5.3 From 1374c7bd45913172aa65bbc60d3bd323513f68c7 Mon Sep 17 00:00:00 2001 From: Chance Callahan Date: Thu, 6 Oct 2022 11:35:41 -0400 Subject: [PATCH 02/10] Base SELinux template. --- selinux/wings.fc | 1 + selinux/wings.if | 40 ++++++++++++++++++++++ selinux/wings.sh | 52 ++++++++++++++++++++++++++++ selinux/wings.te | 25 ++++++++++++++ selinux/wings_selinux.spec | 70 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 188 insertions(+) create mode 100644 selinux/wings.fc create mode 100644 selinux/wings.if create mode 100644 selinux/wings.sh create mode 100644 selinux/wings.te create mode 100644 selinux/wings_selinux.spec diff --git a/selinux/wings.fc b/selinux/wings.fc new file mode 100644 index 0000000..09c7b28 --- /dev/null +++ b/selinux/wings.fc @@ -0,0 +1 @@ +/usr/local/bin/wings -- gen_context(system_u:object_r:wings_exec_t,s0) diff --git a/selinux/wings.if b/selinux/wings.if new file mode 100644 index 0000000..d267364 --- /dev/null +++ b/selinux/wings.if 
@@ -0,0 +1,40 @@ + +## policy for wings + +######################################## +## +## Execute wings_exec_t in the wings domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`wings_domtrans',` + gen_require(` + type wings_t, wings_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, wings_exec_t, wings_t) +') + +###################################### +## +## Execute wings in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`wings_exec',` + gen_require(` + type wings_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, wings_exec_t) +') diff --git a/selinux/wings.sh b/selinux/wings.sh new file mode 100644 index 0000000..b9cedfb --- /dev/null +++ b/selinux/wings.sh 
@@ -0,0 +1,52 @@ +#!/bin/sh -e + +DIRNAME=`dirname $0` +cd $DIRNAME +USAGE="$0 [ --update ]" +if [ `id -u` != 0 ]; then +echo 'You must be root to run this script' +exit 1 +fi + +if [ $# -eq 1 ]; then + if [ "$1" = "--update" ] ; then + time=`ls -l --time-style="+%x %X" wings.te | awk '{ printf "%s %s", $6, $7 }'` + rules=`ausearch --start $time -m avc --raw -se wings` + if [ x"$rules" != "x" ] ; then + echo "Found avc's to update policy with" + echo -e "$rules" | audit2allow -R + echo "Do you want these changes added to policy [y/n]?" + read ANS + if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then + echo "Updating policy" + echo -e "$rules" | audit2allow -R >> wings.te + # Fall though and rebuild policy + else + exit 0 + fi + else + echo "No new avcs found" + exit 0 + fi + else + echo -e $USAGE + exit 1 + fi +elif [ $# -ge 2 ] ; then + echo -e $USAGE + exit 1 +fi + +echo "Building and Loading Policy" +set -x +make -f /usr/share/selinux/devel/Makefile wings.pp || exit +/usr/sbin/semodule -i wings.pp + +# Generate a man page off the installed module +sepolicy manpage -p . -d wings_t +# Fixing the file context on /usr/local/bin/wings +/sbin/restorecon -F -R -v /usr/local/bin/wings +# Generate a rpm package for the newly generated policy + +pwd=$(pwd) +rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba wings_selinux.spec diff --git a/selinux/wings.te b/selinux/wings.te new file mode 100644 index 0000000..92da82b --- /dev/null +++ b/selinux/wings.te 
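Review bot: In the `--update` branch everything `audit2allow -R` produces from the `ausearch ... -se wings` output is appended verbatim to wings.te after a single y/n prompt; because wings_t is declared permissive elsewhere in this series, every access the daemon attempts is logged and would be turned into an allow rule, so the generated rules need to be pruned to what the daemon actually requires before they are committed. A comment above the append line, e.g. `# Prune the generated rules before committing: audit2allow turns every logged denial into an allow, including ones only seen because wings_t was permissive`, would make that expectation visible. Separately, the script runs under `#!/bin/sh -e` but uses `echo -e`, which a POSIX sh such as dash prints as a literal `-e`; `printf '%s\n' "$USAGE"` is the portable form. The `dirname $0` and `cd $DIRNAME` expansions are unquoted and break on a checkout path containing spaces.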
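@@ -0,0 +1,25 @@
+policy_module(wings, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wings_t;
+type wings_exec_t;
+init_daemon_domain(wings_t, wings_exec_t)
+
+permissive wings_t;
+
+########################################
+#
+# wings local policy
+#
+allow wings_t self:fifo_file rw_fifo_file_perms;
+allow wings_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(wings_t)
+
+files_read_etc_files(wings_t)
+
+miscfiles_read_localization(wings_t)
diff --git a/selinux/wings_selinux.spec b/selinux/wings_selinux.spec
new file mode 100644
index 0000000..c97967a
--- /dev/null
+++ b/selinux/wings_selinux.spec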
@@ -0,0 +1,70 @@ +# vim: sw=4:ts=4:et + + +%define relabel_files() \ +restorecon -R /usr/local/bin/wings; \ + +%define selinux_policyver 34.1.29-1 + +Name: wings_selinux +Version: 1.0 +Release: 1%{?dist} +Summary: SELinux policy module for wings + +Group: System Environment/Base +License: GPLv2+ +# This is an example. You will need to change it. +URL: http://HOSTNAME +Source0: wings.pp +Source1: wings.if +Source2: wings_selinux.8 + + +Requires: policycoreutils, libselinux-utils +Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils +Requires(postun): policycoreutils +BuildArch: noarch + +%description +This package installs and sets up the SELinux policy security module for wings. + +%install +install -d %{buildroot}%{_datadir}/selinux/packages +install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages +install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib +install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ +install -d %{buildroot}%{_mandir}/man8/ +install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/wings_selinux.8 +install -d %{buildroot}/etc/selinux/targeted/contexts/users/ + + +%post +semodule -n -i %{_datadir}/selinux/packages/wings.pp +if /usr/sbin/selinuxenabled ; then + /usr/sbin/load_policy + %relabel_files + +fi; +exit 0 + +%postun +if [ $1 -eq 0 ]; then + semodule -n -r wings + if /usr/sbin/selinuxenabled ; then + /usr/sbin/load_policy + %relabel_files + + fi; +fi; +exit 0 + +%files +%attr(0600,root,root) %{_datadir}/selinux/packages/wings.pp +%{_datadir}/selinux/devel/include/contrib/wings.if +%{_mandir}/man8/wings_selinux.8.* + + +%changelog +* Thu Oct 6 2022 YOUR NAME 1.0-1 +- Initial version + From 98d57b284977d4e63f8f9346b97e3e4410059aee Mon Sep 17 00:00:00 2001 From: Chance Callahan Date: Thu, 6 Oct 2022 11:50:59 -0400 Subject: [PATCH 03/10] Added execmod to wings_exec_t --- selinux/wings.fc | 1 + 1 file changed, 1 insertion(+) 
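Review bot: `%define relabel_files()` only runs `restorecon -R /usr/local/bin/wings`, so the other paths this series later adds to wings.fc (/etc/pterodactyl, /var/lib/pterodactyl, /tmp/pterodactyl) keep whatever label they had before the module was installed, and the daemon is denied access to them once wings_t is enforcing; the macro should cover every prefix wings.fc labels, e.g. `restorecon -R /usr/local/bin/wings /etc/pterodactyl /var/lib/pterodactyl; \`. The template placeholders `URL: http://HOSTNAME`, the `# This is an example. You will need to change it.` comment and `YOUR NAME` in `%changelog` are still in place. `%install` also creates `%{buildroot}/etc/selinux/targeted/contexts/users/` without anything under it being listed in `%files`, which looks like leftover scaffolding from the sepolicy template.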
diff --git a/selinux/wings.fc b/selinux/wings.fc
index 09c7b28..b2bf9d3 100644
--- a/selinux/wings.fc
+++ b/selinux/wings.fc
@@ -1 +1,2 @@
 /usr/local/bin/wings -- gen_context(system_u:object_r:wings_exec_t,s0)
+/etc/pterodactyl(/.*)? -- gen_context(system_u:object_r:wings_etc_t,s0)
\ No newline at end of file

From 22c4d038df650a151d6e3f3dc3979a2cc3c726b9 Mon Sep 17 00:00:00 2001
From: Chance Callahan
Date: Thu, 6 Oct 2022 11:51:03 -0400
Subject: [PATCH 04/10] Same as previous.

---
 selinux/wings.te | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/selinux/wings.te b/selinux/wings.te
index 92da82b..5fd77aa 100644
--- a/selinux/wings.te
+++ b/selinux/wings.te
@@ -7,7 +7,8 @@ policy_module(wings, 1.0.0)
 
 type wings_t;
 type wings_exec_t;
-init_daemon_domain(wings_t, wings_exec_t)
+type wings_etc_t;
+init_daemon_domain(wings_t, wings_exec_t, wings_etc_t)
 
 permissive wings_t;
 
@@ -23,3 +24,9 @@ domain_use_interactive_fds(wings_t)
 files_read_etc_files(wings_t)
 
 miscfiles_read_localization(wings_t)
+
+require {
+ type wings_exec_t;
+ type bin_t;
+ class file execmod;
+}

From 2981c0a5e069c2389ce1c7f55d7f680e2b8df16f Mon Sep 17 00:00:00 2001
From: Chance Callahan
Date: Thu, 6 Oct 2022 11:59:02 -0400
Subject: [PATCH 05/10] Adding to policy.

---
 selinux/wings.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/selinux/wings.te b/selinux/wings.te
index 5fd77aa..0c3c0c6 100644
--- a/selinux/wings.te
+++ b/selinux/wings.te
@@ -27,6 +27,5 @@ miscfiles_read_localization(wings_t)
 
 require {
  type wings_exec_t;
- type bin_t;
- class file execmod;
+ class file { execmod map };
 }

From 8928103cae57db20b9087f3fa91437264a068848 Mon Sep 17 00:00:00 2001
From: Chance Callahan
Date: Thu, 6 Oct 2022 12:01:03 -0400
Subject: [PATCH 06/10] Tweaking policy.

---
 selinux/wings.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/selinux/wings.te b/selinux/wings.te
index 0c3c0c6..5597b56 100644
--- a/selinux/wings.te
+++ b/selinux/wings.te
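Review bot: The `--` field in `/etc/pterodactyl(/.*)? -- gen_context(system_u:object_r:wings_etc_t,s0)` restricts the match to regular files, so the /etc/pterodactyl directory itself and any subdirectory keep the default etc_t label; with the file-type field omitted, `/etc/pterodactyl(/.*)? gen_context(system_u:object_r:wings_etc_t,s0)`, the whole tree is labelled. The same applies to the `/var/lib/pterodactyl/volumes(/.*)? --` and `mounts(/.*)? --` entries added in patch 07 and carried into patch 08, where the directories stay var_lib_t, which is presumably why the later policy ends up needing `allow wings_t var_lib_t:dir { read setattr }`. wings_etc_t is also referenced here one commit before the type is declared in wings.te (patch 04), so this commit does not build on its own, and the subject "Added execmod to wings_exec_t" does not describe the change.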
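Review bot: `init_daemon_domain` takes the domain and its entrypoint type; the extra `wings_etc_t` argument in `init_daemon_domain(wings_t, wings_exec_t, wings_etc_t)` is not used by the interface, so wings_etc_t never receives the file-type attributes that restorecon and the `files_*` interfaces rely on. The conventional form is `type wings_etc_t;` followed by `files_config_file(wings_etc_t)`, with `init_daemon_domain(wings_t, wings_exec_t)` left as it was. Patch 08 repeats the pattern for wings_tmp_t, which needs `files_tmp_file(wings_tmp_t)` in the same way.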
@@ -18,6 +18,7 @@ permissive wings_t;
 #
 allow wings_t self:fifo_file rw_fifo_file_perms;
 allow wings_t self:unix_stream_socket create_stream_socket_perms;
+allow wings_exec_t:file execmod;
 
 domain_use_interactive_fds(wings_t)
 

From 2b0a02facf0ac78ffe5663069ced8103be5088a4 Mon Sep 17 00:00:00 2001
From: Chance Callahan
Date: Thu, 6 Oct 2022 12:26:16 -0400
Subject: [PATCH 07/10] Wings runs, have not tested if it can read/write

---
 selinux/wings.fc | 4 +++-
 selinux/wings.te | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/selinux/wings.fc b/selinux/wings.fc
index b2bf9d3..1969022 100644
--- a/selinux/wings.fc
+++ b/selinux/wings.fc
@@ -1,2 +1,4 @@
 /usr/local/bin/wings -- gen_context(system_u:object_r:wings_exec_t,s0)
-/etc/pterodactyl(/.*)? -- gen_context(system_u:object_r:wings_etc_t,s0)
\ No newline at end of file
+/etc/pterodactyl(/.*)? -- gen_context(system_u:object_r:wings_etc_t,s0)
+/var/lib/pterodactyl/volumes(/.*)? -- gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/pterodactyl/mounts(/.*)? -- gen_context(system_u:object_r:container_file_t,s0)
\ No newline at end of file
diff --git a/selinux/wings.te b/selinux/wings.te
index 5597b56..2c15d71 100644
--- a/selinux/wings.te
+++ b/selinux/wings.te
@@ -18,7 +18,7 @@ permissive wings_t;
 #
 allow wings_t self:fifo_file rw_fifo_file_perms;
 allow wings_t self:unix_stream_socket create_stream_socket_perms;
-allow wings_exec_t:file execmod;
+allow wings_t wings_exec_t:file execmod;
 
 domain_use_interactive_fds(wings_t)
 

From f41d85f566c0c369f9136e93d3fc2b5be6e419e6 Mon Sep 17 00:00:00 2001
From: Chance Callahan
Date: Sat, 8 Oct 2022 22:01:32 -0400
Subject: [PATCH 08/10] Minimal required SELinux policy

---
 selinux/wings.fc | 7 ++++++-
 selinux/wings.te | 48 +++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/selinux/wings.fc b/selinux/wings.fc
index 1969022..12aee63 100644
--- a/selinux/wings.fc
+++ b/selinux/wings.fc
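Review bot: `allow wings_t wings_exec_t:file execmod;` lets the daemon map its own executable writable-then-executable, which is only legitimately needed for a binary that carries text relocations; together with the `self:process execmem` rule added in patch 08 this removes the W^X guarantee that SELinux's execmem/execmod checks provide for the domain. Since the rule appears to come from audit2allow output, it is worth confirming that the denial still reproduces in enforcing mode, and if wings is built as a PIE it most likely does not. Whatever the outcome, document it on the line: `# execmod on the wings binary: only required if the build has text relocations; re-check after each wings upgrade`. The allow block continues past the end of this hunk.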
@@ -1,4 +1,9 @@
 /usr/local/bin/wings -- gen_context(system_u:object_r:wings_exec_t,s0)
 /etc/pterodactyl(/.*)? -- gen_context(system_u:object_r:wings_etc_t,s0)
+/tmp/pterodactyl(/.*)? -- gen_context(system_u:object_r:wings_tmp_t,s0)
+
+/var/lib/pterodactyl/volumes/.sftp(/.*)? -- gen_context(system_u:object_r:wings_etc_t,s0)
+/var/lib/pterodactyl/wings.db -- gen_context(system_u:object_r:wings_etc_t,s0)
+
 /var/lib/pterodactyl/volumes(/.*)? -- gen_context(system_u:object_r:container_file_t,s0)
-/var/lib/pterodactyl/mounts(/.*)? -- gen_context(system_u:object_r:container_file_t,s0)
\ No newline at end of file
+/var/lib/pterodactyl/mounts(/.*)? -- gen_context(system_u:object_r:container_file_t,s0)
diff --git a/selinux/wings.te b/selinux/wings.te
index 2c15d71..f9d9547 100644
--- a/selinux/wings.te
+++ b/selinux/wings.te
@@ -8,7 +8,8 @@ policy_module(wings, 1.0.0)
 type wings_t;
 type wings_exec_t;
 type wings_etc_t;
-init_daemon_domain(wings_t, wings_exec_t, wings_etc_t)
+type wings_tmp_t;
+init_daemon_domain(wings_t, wings_exec_t, wings_etc_t, wings_tmp_t)
 
 permissive wings_t;
 
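Review bot: `/var/lib/pterodactyl/wings.db` and `/var/lib/pterodactyl/volumes/.sftp(/.*)?` are labelled wings_etc_t, the same type as the configuration under /etc/pterodactyl; because the daemon has to write the database, the .te in this patch then grants `wings_etc_t:file { getattr lock open read write }`, and with that the domain can rewrite its own config.yml as well. A separate type for runtime state (for example `wings_var_lib_t`, a constructed name) keeps the configuration read-only to wings_t while the database and SFTP host keys stay writable. It is also worth a comment in wings.fc saying why the .sftp directory gets the config type rather than container_file_t like the rest of volumes/, since the two patterns overlap and the more specific one wins.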
@@ -18,15 +19,56 @@ permissive wings_t; # allow wings_t self:fifo_file rw_fifo_file_perms; allow wings_t self:unix_stream_socket create_stream_socket_perms; + allow wings_t wings_exec_t:file execmod; +allow wings_t container_file_t:file { open read setattr write }; +allow wings_t container_runtime_t:unix_stream_socket connectto; +allow wings_t container_var_run_t:sock_file write; +allow wings_t http_cache_port_t:tcp_socket name_bind; +allow wings_t http_port_t:tcp_socket name_connect; +allow wings_t node_t:tcp_socket node_bind; +allow wings_t passwd_file_t:file { open read }; +allow wings_t self:capability { chown dac_override dac_read_search }; +allow wings_t self:netlink_route_socket { bind create getattr nlmsg_read }; +allow wings_t self:process execmem; +allow wings_t self:tcp_socket { accept bind connect create getattr getopt listen setopt }; +allow wings_t sysctl_net_t:dir search; +allow wings_t sysctl_net_t:file { open read }; +allow wings_t sysfs_t:file { open read }; +allow wings_t unreserved_port_t:tcp_socket name_bind; +allow wings_t var_lib_t:dir { read setattr }; +allow wings_t var_lib_t:file { open read }; +allow wings_t var_log_t:file open; +allow wings_t wings_etc_t:file { getattr lock open read write }; + domain_use_interactive_fds(wings_t) files_read_etc_files(wings_t) miscfiles_read_localization(wings_t) +files_manage_mounttab(wings_t) +files_rw_var_lib_dirs(wings_t) + require { - type wings_exec_t; - class file { execmod map }; + type container_file_t; + type container_runtime_t; + type container_var_run_t; + type http_cache_port_t; + type http_port_t; + type node_t; + type passwd_file_t; + type wings_t; + type wings_etc_t; + type sysctl_net_t; + type sysfs_t; + type unreserved_port_t; + type var_lib_t; + type var_log_t; + class process execmem; + class tcp_socket { accept bind connect create getattr getopt listen setopt }; + class capability { chown dac_override dac_read_search }; + class netlink_route_socket { bind create getattr nlmsg_read }; 
+ class file { getattr lock open read setattr write };
 }

From b72ef489ec76fe6f64915504120751c4e61e4139 Mon Sep 17 00:00:00 2001
From: Chance Callahan
Date: Sat, 8 Oct 2022 22:02:48 -0400
Subject: [PATCH 09/10] Forgot to remove permissiveness.

---
 selinux/wings.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/selinux/wings.te b/selinux/wings.te
index f9d9547..9e1ac5e 100644
--- a/selinux/wings.te
+++ b/selinux/wings.te
@@ -11,8 +11,6 @@ type wings_etc_t;
 type wings_tmp_t;
 init_daemon_domain(wings_t, wings_exec_t, wings_etc_t, wings_tmp_t)
 
-permissive wings_t;
-
 ########################################
 #
 # wings local policy

From d7229091a4dfcdd89b4073c59f63796c6b60ee6a Mon Sep 17 00:00:00 2001
From: Chance Callahan
Date: Sun, 9 Oct 2022 08:35:10 -0400
Subject: [PATCH 10/10] Allow wings to write to passwd_file_t

---
 selinux/wings.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/selinux/wings.te b/selinux/wings.te
index 9e1ac5e..18e5170 100644
--- a/selinux/wings.te
+++ b/selinux/wings.te
@@ -26,7 +26,7 @@ allow wings_t container_var_run_t:sock_file write;
 allow wings_t http_cache_port_t:tcp_socket name_bind;
 allow wings_t http_port_t:tcp_socket name_connect;
 allow wings_t node_t:tcp_socket node_bind;
-allow wings_t passwd_file_t:file { open read };
+allow wings_t passwd_file_t:file { write open read };
 allow wings_t self:capability { chown dac_override dac_read_search };
 allow wings_t self:netlink_route_socket { bind create getattr nlmsg_read };
 allow wings_t self:process execmem;
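Review bot: wings_tmp_t is declared and /tmp/pterodactyl is labelled with it in wings.fc, but nothing in this hunk grants wings_t any access to wings_tmp_t or adds a `files_tmp_filetrans` rule, so once the domain is enforcing, files relabelled under /tmp/pterodactyl become unreadable and new temporary files are created as plain tmp_t; `manage_dirs_pattern(wings_t, wings_tmp_t, wings_tmp_t)`, `manage_files_pattern(wings_t, wings_tmp_t, wings_tmp_t)` and `files_tmp_filetrans(wings_t, wings_tmp_t, { dir file })` are the usual set. `allow wings_t self:capability { chown dac_override dac_read_search }` gives the daemon a blanket bypass of DAC permission checks; if it is only needed for operating on server volumes owned by the service user, `chown` plus `dac_read_search` may suffice and dac_override should be dropped or justified in a comment. The `require` block lists wings_t and wings_etc_t, which this module declares itself, and the `container_file_t` rule covers only `file` and not `dir`, which fits the "have not tested if it can read/write" note in patch 07 and suggests the volume handling has not yet been exercised in enforcing mode.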
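Review bot: `allow wings_t passwd_file_t:file { write open read };` lets a network-facing daemon modify /etc/passwd directly, and the commit does not say what triggers the write. If the trigger is wings running useradd to create its service user on first start, the refpolicy approach is a domain transition, `useradd_domtrans(wings_t)`, so the edit happens in useradd_t under its own policy and wings_t keeps read-only access; a direct write would in any case be incomplete without matching shadow_t access, which suggests this rule came from a single audit2allow denial rather than a verified requirement. Whichever is chosen, a comment on the line stating the reason, e.g. `# write: needed for <reason> -- drop if the service user is created out of band`, would save the next reviewer from guessing.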