MCorange/wings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Minimal required SELinux policy

Browse Source
This commit is contained in:
Chance Callahan 2022-10-08 22:01:32 -04:00
parent 2b0a02facf
commit f41d85f566
2 changed files with 51 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
selinux/wings.fc
View File

@ -1,4 +1,9 @@
/usr/local/bin/wings -- gen_context(system_u:object_r:wings_exec_t,s0)
/etc/pterodactyl(/.*)? -- gen_context(system_u:object_r:wings_etc_t,s0)
/tmp/pterodactyl(/.*)? -- gen_context(system_u:object_r:wings_tmp_t,s0)
/var/lib/pterodactyl/volumes/.sftp(/.*)? -- gen_context(system_u:object_r:wings_etc_t,s0)
/var/lib/pterodactyl/wings.db -- gen_context(system_u:object_r:wings_etc_t,s0)
/var/lib/pterodactyl/volumes(/.*)? -- gen_context(system_u:object_r:container_file_t,s0)
/var/lib/pterodactyl/mounts(/.*)? -- gen_context(system_u:object_r:container_file_t,s0)
/var/lib/pterodactyl/mounts(/.*)? -- gen_context(system_u:object_r:container_file_t,s0)

48
selinux/wings.te
View File

@ -8,7 +8,8 @@ policy_module(wings, 1.0.0)
type wings_t;
type wings_exec_t;
type wings_etc_t;
init_daemon_domain(wings_t, wings_exec_t, wings_etc_t)
type wings_tmp_t;
init_daemon_domain(wings_t, wings_exec_t, wings_etc_t, wings_tmp_t)
permissive wings_t;
@ -18,15 +19,56 @@ permissive wings_t;
#
allow wings_t self:fifo_file rw_fifo_file_perms;
allow wings_t self:unix_stream_socket create_stream_socket_perms;
allow wings_t wings_exec_t:file execmod;
allow wings_t container_file_t:file { open read setattr write };
allow wings_t container_runtime_t:unix_stream_socket connectto;
allow wings_t container_var_run_t:sock_file write;
allow wings_t http_cache_port_t:tcp_socket name_bind;
allow wings_t http_port_t:tcp_socket name_connect;
allow wings_t node_t:tcp_socket node_bind;
allow wings_t passwd_file_t:file { open read };
allow wings_t self:capability { chown dac_override dac_read_search };
allow wings_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow wings_t self:process execmem;
allow wings_t self:tcp_socket { accept bind connect create getattr getopt listen setopt };
allow wings_t sysctl_net_t:dir search;
allow wings_t sysctl_net_t:file { open read };
allow wings_t sysfs_t:file { open read };
allow wings_t unreserved_port_t:tcp_socket name_bind;
allow wings_t var_lib_t:dir { read setattr };
allow wings_t var_lib_t:file { open read };
allow wings_t var_log_t:file open;
allow wings_t wings_etc_t:file { getattr lock open read write };
domain_use_interactive_fds(wings_t)
files_read_etc_files(wings_t)
miscfiles_read_localization(wings_t)
files_manage_mounttab(wings_t)
files_rw_var_lib_dirs(wings_t)
require {
type wings_exec_t;
class file { execmod map };
type container_file_t;
type container_runtime_t;
type container_var_run_t;
type http_cache_port_t;
type http_port_t;
type node_t;
type passwd_file_t;
type wings_t;
type wings_etc_t;
type sysctl_net_t;
type sysfs_t;
type unreserved_port_t;
type var_lib_t;
type var_log_t;
class process execmem;
class tcp_socket { accept bind connect create getattr getopt listen setopt };
class capability { chown dac_override dac_read_search };
class netlink_route_socket { bind create getattr nlmsg_read };
class file { getattr lock open read setattr write };
}