diff --git a/bin/admin/install b/bin/admin/install
index 408d407..d1f379e 100755
--- a/bin/admin/install
+++ b/bin/admin/install
@@ -23,6 +23,7 @@ set_default_options()
opt[regen-hostkeys]=0
opt[logrotate]=1
opt[overwrite-logrotate]=1
+
# special case:
# If $autodetect_startup_system is 1, we'll autodetect whether we will install the
# systemd units (preferred) or the init.d files.
@@ -33,6 +34,16 @@ set_default_options()
opt[init]=0
opt[systemd-units]=0
# /special
+
+ # special case 2:
+ # If $autodetect_selinux is 1, we'll autodetect whether we're running on a system
+ # supporting SELinux, and if yes, we'll proceed in deploying the module to make it
+ # possible to use TOTP MFA on those systems.
+ # Any specification of --[no-]install-selinux-module will inhibit this behavior
+ autodetect_selinux=1
+ opt[install-selinux-module]=0
+ # /special case 2
+
opt[profile]=1
opt[cron]=1
opt[overwrite-cron]=1
@@ -66,6 +77,7 @@ while [ -n "$1" ]; do
opt[logrotate]=0
opt[overwrite-logrotate]=0
autodetect_startup_system=0
+ autodetect_selinux=0
opt[profile]=0
opt[cron]=0
opt[overwrite-cron]=0
@@ -77,6 +89,7 @@ while [ -n "$1" ]; do
opt[logrotate]=1
opt[overwrite-logrotate]=0
autodetect_startup_system=1
+ autodetect_selinux=1
opt[profile]=0
opt[cron]=1
opt[overwrite-cron]=1
@@ -89,7 +102,8 @@ while [ -n "$1" ]; do
for allowedopt in modify-banner modify-sshd-config modify-ssh-config modify-motd modify-umask \
modify-pam-lastlog remove-weak-moduli regen-hostkeys overwrite-logrotate overwrite-cron \
overwrite-syslog-ng logrotate cron syslog-ng migration-grant-aclkeeper-to-gatekeepers \
- init systemd-units profile modify-pam-sshd wait check-ttyrec install-fake-ttyrec
+ init systemd-units profile modify-pam-sshd wait check-ttyrec install-fake-ttyrec \
+ install-selinux-module
do
if [ "$1" = "--no-$allowedopt" ]; then
opt[$allowedopt]=0
@@ -102,6 +116,10 @@ while [ -n "$1" ]; do
# see "special case" comment above for more information
autodetect_startup_system=0
fi
+ if [ "$1" = "install-selinux-module" ]; then
+ # see "special case 2" comment above for more information
+ autodetect_selinux=0
+ fi
done
if [ "$foundoption" != 1 ]; then
echo "$0: Unrecognized option '$1'"
@@ -1188,6 +1206,34 @@ if [ "${opt[systemd-units]}" = 1 ]; then
action_done
fi
+if [ "$autodetect_selinux" = 1 ]; then
+ action_doing "Autodetecting SELinux..."
+ if command -v setenforce >/dev/null; then
+ action_done "found"
+ opt[install-selinux-module]=1
+ else
+ action_done "not found"
+ opt[install-selinux-module]=0
+ fi
+fi
+
+if [ "${opt[install-selinux-module]}" = 1 ]; then
+ action_doing "Installing SELinux module"
+ if ! command -v semodule >/dev/null; then
+ action_error "Missing \`semodule' tool, please install it (it's usually found in the 'policycoreutils' package)"
+ else
+ if semodule -l | grep -q the-bastion; then
+ action_na "module is already installed"
+ else
+ if semodule -i "$basedir/etc/selinux/the-bastion.pp"; then
+ action_done "module installed"
+ else
+ action_error "semodule returned an error"
+ fi
+ fi
+ fi
+fi
+
if [ "${opt[profile]}" = 1 ]; then
action_doing "Copy profile.d files if applicable"
if [ -d $ETC_DIR/profile.d ]; then
diff --git a/etc/bastion/bastion.conf.dist b/etc/bastion/bastion.conf.dist
index 9086c78..5cee36a 100644
--- a/etc/bastion/bastion.conf.dist
+++ b/etc/bastion/bastion.conf.dist
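Review bot: The added check `if [ "$1" = "install-selinux-module" ]; then` can never match, because the same loop compares `$1` against `--no-$allowedopt` and `--$allowedopt`, so the argument always carries its `--` or `--no-` prefix; `autodetect_selinux` is therefore never cleared, and an explicit `--no-install-selinux-module` is silently overridden when the autodetection block later sets `opt[install-selinux-module]=1` on any host that has `setenforce`, contradicting the defaults comment that says specifying the flag inhibits autodetection. The condition should test the prefixed forms, e.g. `if [ "$1" = "--install-selinux-module" ] || [ "$1" = "--no-install-selinux-module" ]; then`, or key on `$allowedopt` the way the startup-system special case just above presumably does (its condition is outside the hunk). The enclosing `while`/`for` option loop starts before this hunk.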
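Review bot: The already-installed test `semodule -l | grep -q the-bastion` is an unanchored substring match, so any module whose name merely contains `the-bastion` (a site-local `the-bastion-local`, say) makes the installer report "module is already installed" and never load the shipped policy; `semodule -l | awk '{print $1}' | grep -qx the-bastion` matches the module name exactly whether or not this semodule version prints a version column. The same guard also means an updated `the-bastion.pp` is never reinstalled once any version is present, whereas `semodule -i` upgrades an existing module in place, so the check could be dropped or replaced by a version comparison. Separately, `command -v setenforce` only proves the SELinux userland is installed, not that a policy is loaded; `selinuxenabled` is the precise test, although a failing `semodule -i` is at least surfaced through `action_error` here.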
@@ -30,7 +30,7 @@
"defaultLogin": "",
#
# adminAccounts (list of accounts names), deprecated alias: adminLogins
-# DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys reset by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Tule of thumb: only add here people that have root@localhost access to the bastion
+# DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys reset by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Rule of thumb: only add here people that have root@localhost access to the bastion
# DEFAULT: []
"adminAccounts": [],
#
diff --git a/etc/selinux/the-bastion.pp b/etc/selinux/the-bastion.pp
new file mode 100644
index 0000000..b124542
Binary files /dev/null and b/etc/selinux/the-bastion.pp differ
diff --git a/etc/selinux/the-bastion.te b/etc/selinux/the-bastion.te
new file mode 100644
index 0000000..0924d14
--- /dev/null
+++ b/etc/selinux/the-bastion.te
@@ -0,0 +1,15 @@
+module the-bastion 1.0;
+
+require {
+type var_t;
+type sshd_t;
+type user_home_t;
+type user_home_dir_t;
+class file { create getattr rename setattr unlink open read write };
+}
+
+# needed for user TOTP (~/.totp and ~/.totp~XXXXXX temporary file)
+allow sshd_t user_home_dir_t:file { create getattr rename setattr unlink open read write };
+allow sshd_t user_home_t:file unlink;
+# needed for root TOTP (/var/otp/root and /var/otp/root~XXXXXX temporary file)
+allow sshd_t var_t:file { create getattr rename setattr unlink open read write };
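Review bot: The `allow sshd_t … :file` rules are keyed on `var_t` and `user_home_dir_t`/`user_home_t`, which are generic labels rather than the two TOTP paths the comments name, so `sshd_t` gains create/write/unlink on every file labelled `var_t` under `/var` and unlink on every `user_home_t` file in a home directory — far wider than `/var/otp/root` and `~/.totp`. A tighter module would declare a dedicated type for the OTP state (e.g. `type bastion_otp_t;` with an `.fc` entry for `/var/otp(/.*)?` and a `restorecon` step in the installer) and allow `sshd_t` only that type; whether the bare `module` header used here, rather than `policy_module`, gives access to the refpolicy interfaces needed for that depends on the target distribution, which this diff does not show. At minimum the header comment should state the blast radius, e.g. `# NOTE: var_t and user_home_t are generic labels; these rules widen sshd_t well beyond the TOTP files listed below`. The committed binary `the-bastion.pp` is a build artifact of this file and must be regenerated with `checkmodule`/`semodule_package` whenever it changes; nothing in the diff ties the two together.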