From: Arran Cudbard-Bell
Date: Thu, 5 Sep 2024 03:17:15 +0000 (-0600)
Subject: Add custom selinux module to our RPMs
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e90ff41ee088c420a4a5ef943291fc2029ded938;p=thirdparty%2Ffreeradius-server.git

Add custom selinux module to our RPMs
---

diff --git a/redhat/freeradius.spec b/redhat/freeradius.spec
index 24865a5c596..b0cb1f0059b 100644
--- a/redhat/freeradius.spec
+++ b/redhat/freeradius.spec
@@ -1,3 +1,6 @@
+# Selinux type we're building for
+%global selinuxtype targeted
+
 # Optional modules and libraries
 %bcond_with rlm_cache_memcached
 %bcond_with rlm_idn
@@ -140,6 +143,7 @@ Requires(post): /sbin/chkconfig /usr/sbin/setsebool
 Requires(preun): /sbin/chkconfig
 Requires: freeradius-config = %{version}-%{release}
 Requires: freeradius-common = %{version}-%{release}
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
 %if %{with freeradius_openssl}
 Requires: freeradius-openssl
 %else
@@ -213,6 +217,21 @@ of the server, and let you decide if they satisfy your needs.
 Support for RFC and VSA Attributes Additional server configuration attributes Selecting a particular configuration Authentication methods
+# No requirements here, as selinux is installed by the base package
+# as are any of the utilities we need to compile/manage policies.
+%package selinux
+Summary: A custom selinux policy for FreeRADIUS which adds multiple bools
+Requires: %{name} = %{version}-%{release}
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+This packages installs a custom selinux policy to allow the FreeRADIUS
+daemon to operate on additional ports, and communicate with other services
+directly using unix sockets.
+
 %package snmp
 Summary: SNMP MIBs and SNMP utilities used by FreeRADIUS
 Requires: net-snmp-utils
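Review bot: The new `%package selinux` Summary and `%description selinux` do not match the policy this commit ships: the Summary promises "multiple bools" and the description "additional ports", while redhat/selinux/freeradius.te (later in this diff) defines a single boolean, `radius_slapd_unix`, and adds no port rules at all. Users toggle booleans based on this text, so it should describe what is actually granted — the boolean gating unix-socket access to OpenLDAP, plus the unconditional getpgid and TCP connect to syslogd_port_t rules. There is also a typo in the first description line, `This packages installs` should read `This package installs`.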
@@ -708,6 +727,9 @@ export RADIUSD_VERSION_RELEASE="%{release}"
 # Do not use %__make here, as we may be using the non-system make
 make %{?_smp_mflags}
+# Compile the selinux policy and produce the .bz2 containing the compiled policy
+make -f redhat/selinux/Makefile
+
 %install
 %__rm -rf $RPM_BUILD_ROOT
 %__mkdir_p $RPM_BUILD_ROOT/var/run/radiusd
@@ -791,6 +813,9 @@ Please reference that document.
 EOF
+# Install the selinux module
+%__install -D -m 0644 -t %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} redhat/selinux/%{name}.pp.bz2
+
 %clean
 %__rm -rf $RPM_BUILD_ROOT
@@ -806,10 +831,12 @@ getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd
 getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -s /sbin/nologin radiusd > /dev/null 2>&1
 exit 0
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
 %post
 if [ $1 = 1 ]; then
-	/usr/sbin/setsebool -P radius_use_jit=1 &> /dev/null || :
+	%selinux_set_booleans -s %{selinuxtype} radius_use_jit=on
 %if %{?_unitdir:1}%{!?_unitdir:0}
 	/bin/systemctl enable radiusd
 %else
@@ -824,6 +851,10 @@ if [ $1 = 1 ]; then
 fi
 fi
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
 %preun
 if [ $1 = 0 ]; then
 %if %{?_unitdir:1}%{!?_unitdir:0}
@@ -837,6 +868,15 @@ fi
 if [ $1 -ge 1 ]; then
 	/sbin/service radiusd condrestart >/dev/null 2>&1 || :
 fi
+%selinux_unset_booleans -s %{selinuxtype} radius_jit
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+	%selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
 %files
 %defattr(-,root,root)
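Review bot: The policy build `make -f redhat/selinux/Makefile` is unconditional in %build, although the rest of this spec gates optional pieces with `%bcond_with`/`%bcond_without` and the runtime side already uses a rich `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})`. Wrapping this call, the `%package selinux` section and its `BuildRequires: selinux-policy-devel` in a `%bcond_without selinux` would let the package still build on hosts without the SELinux development tooling. This is a style point; the build itself looks correct.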
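Review bot: The base package's %post now calls `%selinux_set_booleans` instead of `/usr/sbin/setsebool`, but the dependency declarations that back the selinux macros (`%{?selinux_requires}`, `Requires(post): selinux-policy-%{selinuxtype}`) were only added to the selinux subpackage in the earlier hunk, and the base package's `Requires(post)` still lists just `/usr/sbin/setsebool` from the old shell line. If I read the macros right they expand to shell that depends on the selinux-policy scriptlet helpers being present at %post time, so the base package needs `%{?selinux_requires}` as well, otherwise the boolean is silently not set on a minimal install. The %post scriptlet continues outside this hunk.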
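Review bot: `%selinux_relabel_post -s %{selinuxtype}` is run in `%post selinux` here and again in the `%posttrans selinux` added by the next hunk, so a fresh install relabels twice. As far as I know the packaging convention pairs `%selinux_relabel_pre` in %pre with a single `%selinux_relabel_post` in %posttrans, which is what the next hunk already does; the copy in `%post selinux` can be dropped so the scriptlet is only `%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2`.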
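Review bot: `%selinux_unset_booleans -s %{selinuxtype} radius_jit` names a boolean that nothing sets: the %post hunk above sets `radius_use_jit=on`, so on removal the JIT boolean is left enabled and the unset call targets a name that does not exist. The line is also unconditional in the base package's %postun, which the visible `if [ $1 -ge 1 ]` branch shows also runs on upgrade, so the saved boolean state would be restored on every upgrade even though %post only sets it when `$1 = 1`. Guard it the same way the new `%postun selinux` does: `if [ $1 -eq 0 ]; then` / `	%selinux_unset_booleans -s %{selinuxtype} radius_use_jit=on` / `fi`. The %postun scriptlet starts outside this hunk.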
@@ -1162,6 +1202,10 @@ fi
 %{_datadir}/snmp/mibs/*
 %dir %attr(750,radiusd,radiusd) %{_sharedstatedir}/radiusd/snmp
+%files selinux
+%defattr(-,root,root,0755)
+%attr(0644,root,root) %{_datadir}/selinux/packages/%{selinuxtype}/*.pp.bz2
+
 %files perl-util
 %defattr(-,root,root)
 /usr/bin/rlm_sqlippool_tool
diff --git a/redhat/selinux/.gitignore b/redhat/selinux/.gitignore
new file mode 100644
index 00000000000..4a6459a56aa
--- /dev/null
+++ b/redhat/selinux/.gitignore
@@ -0,0 +1 @@
+*.pp.bz2
diff --git a/redhat/selinux/Makefile b/redhat/selinux/Makefile
new file mode 100644
index 00000000000..974f8231cff
--- /dev/null
+++ b/redhat/selinux/Makefile
@@ -0,0 +1,16 @@
+our_path:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+all: ${our_path}/freeradius.pp.bz2
+
+%.mod: %.te
+	@checkmodule -M -m -o $@ $<
+
+%.pp: %.mod
+	@semodule_package -o $@ -m $<
+
+%.pp.bz2: %.pp
+	@bzip2 -9 $<
+
+.PHONY: clean
+clean:
+	@cd "${our_path}"; \
diff --git a/redhat/selinux/freeradius.te b/redhat/selinux/freeradius.te
new file mode 100644
index 00000000000..8373aa8b9fe
--- /dev/null
+++ b/redhat/selinux/freeradius.te
@@ -0,0 +1,34 @@
+module freeradius 1.0;
+
+bool radius_slapd_unix false;
+
+require {
+	type radiusd_t;
+
+	# Connect to OpenLDAP
+	type slapd_t;
+	type slapd_var_run_t;
+	class sock_file write;
+	class unix_stream_socket connectto;
+
+	# Allow logging
+	type syslogd_port_t;
+	class tcp_socket name_connect;
+
+	# Kill children
+	class process getpgid;
+}
+
+if (radius_slapd_unix) {
+	# Allow FreeRADIUS to connect to OpenLDAP via a unix socket
+	allow radiusd_t slapd_t:unix_stream_socket connectto;
+
+	# Allow FreeRADIUS to write to OpenLDAP's unix socket
+	allow radiusd_t slapd_var_run_t:sock_file write;
+}
+
+# Allow FreeRADIUS to call getpgid so it can indiscriminately kill its children on exit
+allow radiusd_t self:process getpgid;
+
+# Always allow FreeRADIUS to write to syslog
+allow radiusd_t syslogd_port_t:tcp_socket name_connect;
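Review bot: The `clean` recipe ends on `@cd "${our_path}"; \` with a trailing continuation and no following line, so as committed `make clean` only changes directory and removes nothing. The `%.pp.bz2` rule is also fragile: `bzip2 -9 $<` refuses to overwrite an existing output file, so rebuilding after editing freeradius.te in a tree that already holds freeradius.pp.bz2 fails; use `@bzip2 -9 -f $<`. For clean, `@cd "${our_path}"; rm -f *.mod *.pp *.pp.bz2` would also cover the intermediate freeradius.mod, which the new .gitignore (only `*.pp.bz2`) leaves showing up as an untracked file after every build.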
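Review bot: The last rule, `allow radiusd_t syslogd_port_t:tcp_socket name_connect;`, is unconditional and its comment calls it "write to syslog", but `tcp_socket name_connect` on a port type is the permission for opening a TCP connection to that port, i.e. shipping logs to a syslog server over the network rather than local logging. That is a wider grant than the comment suggests and is the kind of access the slapd rules in this same file already gate behind `radius_slapd_unix`; a second boolean, off by default, keeps the default policy as tight as the stock one and matches the subpackage's "adds bools" framing. The comment should say what the rule actually permits so the next maintainer does not assume it covers the local syslog socket.

```selinux
bool radius_syslog_tcp false;

# … unchanged: require block, radius_slapd_unix rules, getpgid rule …

if (radius_syslog_tcp) {
	# Allow FreeRADIUS to open TCP connections to the syslog port type (remote syslog)
	allow radiusd_t syslogd_port_t:tcp_socket name_connect;
}
```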