Base SELinux Policy for Wings

selinux/wings.fc

@@ -0,0 +1,9 @@
+/usr/local/bin/wings		--	gen_context(system_u:object_r:wings_exec_t,s0)
+/etc/pterodactyl(/.*)?      --  gen_context(system_u:object_r:wings_etc_t,s0)
+/tmp/pterodactyl(/.*)?      --  gen_context(system_u:object_r:wings_tmp_t,s0)
+
+/var/lib/pterodactyl/volumes/.sftp(/.*)?  --  gen_context(system_u:object_r:wings_etc_t,s0)
+/var/lib/pterodactyl/wings.db  --  gen_context(system_u:object_r:wings_etc_t,s0)
+
+/var/lib/pterodactyl/volumes(/.*)?  --  gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/pterodactyl/mounts(/.*)?   --  gen_context(system_u:object_r:container_file_t,s0)

selinux/wings.if

@@ -0,0 +1,40 @@
+
+## <summary>policy for wings</summary>
+
+########################################
+## <summary>
+##	Execute wings_exec_t in the wings domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wings_domtrans',`
+	gen_require(`
+		type wings_t, wings_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, wings_exec_t, wings_t)
+')
+
+######################################
+## <summary>
+##	Execute wings in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wings_exec',`
+	gen_require(`
+		type wings_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, wings_exec_t)
+')

selinux/wings.sh

@@ -0,0 +1,52 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+	if [ "$1" = "--update" ] ; then
+		time=`ls -l --time-style="+%x %X" wings.te | awk '{ printf "%s %s", $6, $7 }'`
+		rules=`ausearch --start $time -m avc --raw -se wings`
+		if [ x"$rules" != "x" ] ; then
+			echo "Found avc's to update policy with"
+			echo -e "$rules" | audit2allow -R
+			echo "Do you want these changes added to policy [y/n]?"
+			read ANS
+			if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+				echo "Updating policy"
+				echo -e "$rules" | audit2allow -R >> wings.te
+				# Fall though and rebuild policy
+			else
+				exit 0
+			fi
+		else
+			echo "No new avcs found"
+			exit 0
+		fi
+	else
+		echo -e $USAGE
+		exit 1
+	fi
+elif [ $# -ge 2 ] ; then
+	echo -e $USAGE
+	exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile wings.pp || exit
+/usr/sbin/semodule -i wings.pp
+
+# Generate a man page off the installed module
+sepolicy manpage -p . -d wings_t
+# Fixing the file context on /usr/local/bin/wings
+/sbin/restorecon -F -R -v /usr/local/bin/wings
+# Generate a rpm package for the newly generated policy
+
+pwd=$(pwd)
+rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build"  -ba wings_selinux.spec

selinux/wings.te

@@ -0,0 +1,72 @@
+policy_module(wings, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wings_t;
+type wings_exec_t;
+type wings_etc_t;
+type wings_tmp_t;
+init_daemon_domain(wings_t, wings_exec_t, wings_etc_t, wings_tmp_t)
+
+########################################
+#
+# wings local policy
+#
+allow wings_t self:fifo_file rw_fifo_file_perms;
+allow wings_t self:unix_stream_socket create_stream_socket_perms;
+
+allow wings_t wings_exec_t:file execmod;
+
+allow wings_t container_file_t:file { open read setattr write };
+allow wings_t container_runtime_t:unix_stream_socket connectto;
+allow wings_t container_var_run_t:sock_file write;
+allow wings_t http_cache_port_t:tcp_socket name_bind;
+allow wings_t http_port_t:tcp_socket name_connect;
+allow wings_t node_t:tcp_socket node_bind;
+allow wings_t passwd_file_t:file { write open read };
+allow wings_t self:capability { chown dac_override dac_read_search };
+allow wings_t self:netlink_route_socket { bind create getattr nlmsg_read };
+allow wings_t self:process execmem;
+allow wings_t self:tcp_socket { accept bind connect create getattr getopt listen setopt };
+allow wings_t sysctl_net_t:dir search;
+allow wings_t sysctl_net_t:file { open read };
+allow wings_t sysfs_t:file { open read };
+allow wings_t unreserved_port_t:tcp_socket name_bind;
+allow wings_t var_lib_t:dir { read setattr };
+allow wings_t var_lib_t:file { open read };
+allow wings_t var_log_t:file open;
+allow wings_t wings_etc_t:file { getattr lock open read write };
+
+domain_use_interactive_fds(wings_t)
+
+files_read_etc_files(wings_t)
+
+miscfiles_read_localization(wings_t)
+
+files_manage_mounttab(wings_t)
+files_rw_var_lib_dirs(wings_t)
+
+require {
+        type container_file_t;
+        type container_runtime_t;
+        type container_var_run_t;
+        type http_cache_port_t;
+        type http_port_t;
+        type node_t;
+        type passwd_file_t;
+        type wings_t;
+        type wings_etc_t;
+        type sysctl_net_t;
+        type sysfs_t;
+        type unreserved_port_t;
+        type var_lib_t;
+        type var_log_t;
+        class process execmem;
+        class tcp_socket { accept bind connect create getattr getopt listen setopt };
+        class capability { chown dac_override dac_read_search };
+        class netlink_route_socket { bind create getattr nlmsg_read };
+        class file { getattr lock open read setattr write };
+}

selinux/wings_selinux.spec

@@ -0,0 +1,70 @@
+# vim: sw=4:ts=4:et
+
+
+%define relabel_files() \
+restorecon -R /usr/local/bin/wings; \
+
+%define selinux_policyver 34.1.29-1
+
+Name:   wings_selinux
+Version:	1.0
+Release:	1%{?dist}
+Summary:	SELinux policy module for wings
+
+Group:	System Environment/Base		
+License:	GPLv2+	
+# This is an example. You will need to change it.
+URL:		http://HOSTNAME
+Source0:	wings.pp
+Source1:	wings.if
+Source2:	wings_selinux.8
+
+
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
+Requires(postun): policycoreutils
+BuildArch: noarch
+
+%description
+This package installs and sets up the  SELinux policy security module for wings.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/wings_selinux.8
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/wings.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+    semodule -n -r wings
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+
+    fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/wings.pp
+%{_datadir}/selinux/devel/include/contrib/wings.if
+%{_mandir}/man8/wings_selinux.8.*
+
+
+%changelog
+* Thu Oct  6 2022 YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
+- Initial version
+