- Adding a jenkinsworker SELinux config:
- (17:26:46) grift: ok so this: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/guest.te
- (17:27:12) grift: that's a module that creates the most restricted login user in fedora
- (17:27:35) grift: we can "clone" that and use that as a base for our new jenkinsworker user
- (17:27:49) grift: something like this:
- (17:28:00) grift: cat > jenkinsworker.te <<EOF
- (17:28:19) grift: policy_module(jenkinsworker,1.0.0)
- (17:28:29) grift: role jenkinsworker_r;
- (17:28:54) grift: userdom_restricted_user_template(jenkinsworker)
- (17:29:20) grift: gen_user(jenkinsworker_u, user, jenkinsworker_r, s0, s0)
- (17:29:22) grift: EOF
- (17:29:40) grift: make -f /usr/share/selinux/devel/Makefile jenkinsworker.pp
- (18:10:00) grift: jimklimov: load the jenkinsworker.pp in like this: sudo semodule -i jenkinsworker.pp
- (18:11:59) grift: jimklimov: it's persistently installed to the module store, which can be managed with the semodule command
- (18:12:08) grift: sudo semodule -l | grep jenkins
- (18:12:17) grift: to uninstall: semodule -r jenkinsworker
- (18:16:59) grift: jimklimov: create this file:
- (18:17:15) grift: touch /etc/selinux/targeted/contexts/users/jenkinsworker_u
- (18:17:23) grift: in there add the following one line:
- (18:18:06) grift: system_r:sshd_t:s0 jenkinsworker_r:jenkinsworker_t:s0
- (18:23:32) grift: jimklimov: well, not important, but do a `restorecon /etc/selinux/targeted/contexts/users/jenkinsworker_u`
- (18:18:37) grift: useradd -Z jenkinsuser joe
- (18:18:39) grift: passwd joe
- (18:18:49) grift: ssh joe@localhost 'id -Z'
- (18:45:17) jimklimov: yep, that finally works :) says jenkinsworker_u:jenkinsworker_rjenkinsworker_t:s0
- (18:47:33) grift: jimklimov: switch to permissive mode and tell jenkins master to deploy an agent in that user's home dir
- To start a new PAM session with another user context, try:
- machinectl shell otheruser@.host $@
- (20:04:29) grift: sudo -u root -r sysadm_r -t sysadm_t id -Z
- (20:04:41) grift: i.e. switch context when you switch user
- (20:04:42) jimklimov: ah, also -t explicit?
- (20:04:47) grift: it depends
- (20:05:05) grift: there's a file called default_type in /etc/selinux/targeted/contexts
- (20:05:13) grift: sudo will look at this file
- (20:05:22) grift: and if there's a combination like this in there:
- (20:05:26) grift: sysadm_r:sysadm_t
- (20:05:36) grift: then you can omit the -t for -r sysadm_r
- (20:05:42) grift: because it correlates it
- (20:05:52) grift: but if that is missing then yes you have to specify the -t
- (20:05:54) jimklimov: staff_u:jenkinsworker_r:jenkinsworker_t:so is not a valid context
- (20:06:06) grift: yes, well, that's also for other reasons
- (20:06:18) grift: because that is not authorized
- (20:06:46) grift: i.e. staff_u is not authorized to associate with jenkinsworker_r in policy
- (20:06:57) grift: you would need to authorize it
- (20:07:19) grift: and then add jenkinsworker_r:jenkinsworker_t to default_type so that sudo can find that combo
- (20:09:09) grift: anyway to authorise staff_u to associate with jenkinsworker_r you could use semanage user -m staff_u ...
- (20:09:52) grift: another way (but this is in cil syntax) echo '(userrole staff_u jenkinsworker_r)' > mytest.cil && sudo semodule -i mytest.cil
- (20:10:22) grift: but then you need another rule
- (20:10:43) grift: to allow the staff_r role to change to the jenkinsworker_r role
- (20:11:01) grift: selinux wants you to be very specific about these things
- (20:11:17) grift: (roleallow staff_r jenkinsworker_r)