!42 restore ima selinux type when perform new configuration

From: @xucee Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
2024-12-02 09:08:22 +00:00 · 2024-12-02 09:08:22 +00:00 · 266ba061b6
commit 266ba061b6
parent ef46c59df3 76198ceb8e
2 changed files with 134 additions and 2 deletions
--- a/restore-ima-selinux-type-when-perform-new-configurat.patch
+++ b/restore-ima-selinux-type-when-perform-new-configurat.patch
@ -0,0 +1,127 @@
+From 7adb0853596e1ec546ef33aba26b69e31a695041 Mon Sep 17 00:00:00 2001
+From: xuce <xuce10@h-partners.com>
+Date: Mon, 2 Dec 2024 16:16:40 +0800
+Subject: [PATCH] restore ima selinux type when perform new configuration
+
+Signed-off-by: xuce <xuce10@h-partners.com>
+---
+ secpaver-secconf-1.0.0/secconf/gen/gen_ima | 73 ++++++++++++----------
+ 1 file changed, 40 insertions(+), 33 deletions(-)
+
+diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+index a657614..d40dce6 100644
+--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+@@ -14,7 +14,7 @@ measure_list+=({{.}})
+ {{end}}
+ 
+ needReboot=false
+-packages=("ima-evm-utils" "digest-list-tools")
+packages=("ima-evm-utils" "digest-list-tools" "selinux-policy" "selinux-policy-targeted" "policycoreutils")
+ for pkg in "${packages[@]}"; do
+     get_usr_input "${pkg} is about to installed?【Y/N】"
+     if [ $? -eq 1 ]; then
+@@ -33,14 +33,14 @@ rm_kernel_param()
+     for param in "${@}"; do
+         cmdline_contains_param=$(grep -q "${param}" /proc/cmdline && echo "true" || echo "false")
+         grub_contains_param=$(grep -q "${param}" "${grub_path}" && echo "true" || echo "false")
+-	if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
+-	    sed -i "s/ \<${param}\>//g" ${grub_path}
+-	    needReboot=true
+-	elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+-	    sed -i "s/ \<${param}\>//g" ${grub_path}
+-	elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+-	    needReboot=true
+-	fi
+        if [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "true" ]]; then
+            sed -i "s/ \<${param}\>//g" ${grub_path}
+            needReboot=true
+        elif [[ "$cmdline_contains_param" == "false" && "$grub_contains_param" == "true" ]]; then
+            sed -i "s/ \<${param}\>//g" ${grub_path}
+        elif [[ "$cmdline_contains_param" == "true" && "$grub_contains_param" == "false" ]]; then
+            needReboot=true
+        fi
+     done
+ }
+ 
+@@ -60,8 +60,39 @@ set_kernel_param()
+     done
+ }
+ 
+set_selinux_type()
+{
+    module_name=$(echo "$1" | awk -F'_' '{print $1 "_" $2}')
+    semodule -l | grep $module_name > /dev/null
+    if [ $? -eq 1 ]; then
+        file=/tmp/${module_name}.cil
+        cat <<EOF > $file
+(type $1)
+(roletype object_r $1)
+(typeattributeset file_type ($1))
+(allow domain $1 (file (append execmod ioctl mounton relabelfrom swapon watch_reads audit_access execute link open relabelto unlink watch_sb create execute_no_trans lock quotaon rename watch watch_with_perm entrypoint getattr map read setattr watch_mount write)))
+EOF
+
+        semodule -i $file
+        echo "selinux type $1 has been successfully created"
+        rm $file
+    fi
+    chcon -t $1 $2
+}
+
+restore_selinux_type()
+{
+    for type in "$@"; do
+        find / -context "*${type}*" -exec restorecon -v {} \; &>/dev/null
+    done
+}
+
+ appraise_param=("ima_appraise=enforce" "ima_appraise_digest_list=digest-nometadata")
+ measure_param=("ima_digest_list_pcr=11" "ima_template=ima-ng")
+measure_type=ima_measure_bprm_t
+appraise_type=ima_appraise_bprm_t
+all_type=ima_all_bprm_t
+restore_selinux_type $measure_type $appraise_type $all_type
+ 
+ if [[ ${#appraise_list[@]} -eq 0 && ${#measure_list[@]} -eq 0 ]]; then
+     rm_kernel_param "${appraise_param[@]}"
+@@ -82,27 +113,6 @@ if [[ $needReboot == "true" ]]; then
+     return 0
+ fi
+ 
+-
+-set_selinux_type()
+-{
+-    module_name=$(echo "$1" | awk -F'_' '{print $1 "_" $2}')
+-    semodule -l | grep $module_name > /dev/null
+-    if [ $? -eq 1 ]; then
+-        file=/tmp/${module_name}.cil
+-        cat <<EOF > $file
+-(type $1)
+-(roletype object_r $1)
+-(typeattributeset file_type ($1))
+-(allow domain $1 (file (append execmod ioctl mounton relabelfrom swapon watch_reads audit_access execute link open relabelto unlink watch_sb create execute_no_trans lock quotaon rename watch watch_with_perm entrypoint getattr map read setattr watch_mount write)))
+-EOF
+-
+-	semodule -i $file
+-        echo "selinux type $1 has been successfully created"
+-	rm $file
+-    fi
+-    chcon -t $1 $2
+-}
+-
+ unique() {
+     echo "$@" | tr ' ' '\n' | sort -u | tr '\n' ' '
+ }
+@@ -124,9 +134,6 @@ if [[ ${#common_list[@]} -eq 0 && ${#appraise_list[@]} -eq 0 && ${#measure_list[
+     echo "IMA is disabled!"
+     return 0
+ fi
+-measure_type=ima_measure_bprm_t
+-appraise_type=ima_appraise_bprm_t
+-all_type=ima_all_bprm_t
+ 
+ for measure_file in "${measure_list[@]}"; do
+     set_selinux_type $measure_type $measure_file
+-- 
+2.33.0
+
--- a/secpaver.spec
+++ b/secpaver.spec
@ -2,7 +2,7 @@
 Name: secpaver
 Summary: Security policy development tool
 Version: 1.0.2
-Release: 13
+Release: 14
 License: MulanPSL-2.0
 URL: https://gitee.com/openeuler/secpaver
 Source: https://gitee.com/openeuler/secpaver/repository/archive/%{name}-%{version}.tar.gz
@ -16,6 +16,7 @@ Patch0003: support-clang-build.patch
 Patch0004: fix-go-build-ref-cldflags.patch
 Patch0005: remove-unused-socket.patch
 Patch0006: Add-example-of-how-to-import-digest-list-when-using-.patch
+Patch0007: restore-ima-selinux-type-when-perform-new-configurat.patch
 %ifarch riscv64 loongarch64
 Patch1000: 1000-fix-build-on-riscv64.patch
 %endif
@ -59,6 +60,7 @@ unzip %{SOURCE2}
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
+%patch0007 -p1
 %ifarch riscv64 loongarch64
 %patch1000 -p1
 %endif
@ -117,7 +119,10 @@ make test
 %systemd_postun_with_restart pavd.service

 %changelog
-* Thu Nov 28 2024 jinlun <xuce10@h-partners.com> - 1.0.2-13
+* Mon Dec 2 2024 xuce <xuce10@h-partners.com> - 1.0.2-14
+- restore ima selinux type when perform new configuration 
+
+* Thu Nov 28 2024 xuce <xuce10@h-partners.com> - 1.0.2-13
 - Add example of how to import digest list when using IMA appraise

 * Mon Nov 25 2024 jinlun <jinlun@huawei.com> - 1.0.2-12