feat: install: add SELinux module for TOTP MFA

Fixes #26

bin/admin/install

@@ -23,6 +23,7 @@ set_default_options()
     opt[regen-hostkeys]=0
     opt[logrotate]=1
     opt[overwrite-logrotate]=1
+
     # special case:
     # If $autodetect_startup_system is 1, we'll autodetect whether we will install the
     # systemd units (preferred) or the init.d files.
@@ -33,6 +34,16 @@ set_default_options()
     opt[init]=0
     opt[systemd-units]=0
     # /special
+
+    # special case 2:
+    # If $autodetect_selinux is 1, we'll autodetect whether we're running on a system
+    # supporting SELinux, and if yes, we'll proceed in deploying the module to make it
+    # possible to use TOTP MFA on those systems.
+    # Any specification of --[no-]install-selinux-module will inhibit this behavior
+    autodetect_selinux=1
+    opt[install-selinux-module]=0
+    # /special case 2
+
     opt[profile]=1
     opt[cron]=1
     opt[overwrite-cron]=1
@@ -66,6 +77,7 @@ while [ -n "$1" ]; do
         opt[logrotate]=0
         opt[overwrite-logrotate]=0
         autodetect_startup_system=0
+        autodetect_selinux=0
         opt[profile]=0
         opt[cron]=0
         opt[overwrite-cron]=0
@@ -77,6 +89,7 @@ while [ -n "$1" ]; do
         opt[logrotate]=1
         opt[overwrite-logrotate]=0
         autodetect_startup_system=1
+        autodetect_selinux=1
         opt[profile]=0
         opt[cron]=1
         opt[overwrite-cron]=1
@@ -89,7 +102,8 @@ while [ -n "$1" ]; do
         for allowedopt in modify-banner modify-sshd-config modify-ssh-config modify-motd modify-umask \
             modify-pam-lastlog remove-weak-moduli regen-hostkeys overwrite-logrotate overwrite-cron \
             overwrite-syslog-ng logrotate cron syslog-ng migration-grant-aclkeeper-to-gatekeepers \
-            init systemd-units profile modify-pam-sshd wait check-ttyrec install-fake-ttyrec
+            init systemd-units profile modify-pam-sshd wait check-ttyrec install-fake-ttyrec \
+            install-selinux-module
         do
             if [ "$1" = "--no-$allowedopt" ]; then
                 opt[$allowedopt]=0
@@ -102,6 +116,10 @@ while [ -n "$1" ]; do
                 # see "special case" comment above for more information
                 autodetect_startup_system=0
             fi
+            if [ "$1" = "install-selinux-module" ]; then
+                # see "special case 2" comment above for more information
+                autodetect_selinux=0
+            fi
         done
         if [ "$foundoption" != 1 ]; then
             echo "$0: Unrecognized option '$1'"
@@ -1174,6 +1192,34 @@ if [ "${opt[systemd-units]}" = 1 ]; then
     action_done
 fi
 
+if [ "$autodetect_selinux" = 1 ]; then
+    action_doing "Autodetecting SELinux..."
+    if command -v setenforce >/dev/null; then
+        action_done "found"
+        opt[install-selinux-module]=1
+    else
+        action_done "not found"
+        opt[install-selinux-module]=0
+    fi
+fi
+
+if [ "${opt[install-selinux-module]}" = 1 ]; then
+    action_doing "Installing SELinux module"
+    if ! command -v semodule >/dev/null; then
+        action_error "Missing \`semodule' tool, please install it (it's usually found in the 'policycoreutils' package)"
+    else
+        if semodule -l | grep -q the-bastion; then
+            action_na "module is already installed"
+        else
+            if semodule -i "$basedir/etc/selinux/the-bastion.pp"; then
+                action_done "module installed"
+            else
+                action_error "semodule returned an error"
+            fi
+        fi
+    fi
+fi
+
 if [ "${opt[profile]}" = 1 ]; then
     action_doing "Copy profile.d files if applicable"
     if [ -d $ETC_DIR/profile.d ]; then

etc/bastion/bastion.conf.dist

@@ -30,7 +30,7 @@
 "defaultLogin": "",
 #
 # adminAccounts (list of accounts names), deprecated alias: adminLogins
-#     DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys reset by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Tule of thumb: only add here people that have root@localhost access to the bastion
+#     DESC: The list of accounts that are Admins of the bastion. Admins can't be deleted or have their ingress keys reset by non-admins. They also gain access to special dangerous/sensitive --osh commands. Note that an admin is also always considered as a Super Owner, which means they can override allchecks of group administrative commands. Don't forget to add them to the osh-admin group too, or they won't really be considered as admins (additional security measure). Rule of thumb: only add here people that have root@localhost access to the bastion
 #  DEFAULT: []
 "adminAccounts": [],
 #

etc/selinux/the-bastion.te

@@ -0,0 +1,15 @@
+module the-bastion 1.0;
+
+require {
+type var_t;
+type sshd_t;
+type user_home_t;
+type user_home_dir_t;
+class file { create getattr rename setattr unlink open read write };
+}
+
+# needed for user TOTP (~/.totp and ~/.totp~XXXXXX temporary file)
+allow sshd_t user_home_dir_t:file { create getattr rename setattr unlink open read write };
+allow sshd_t user_home_t:file     unlink;
+# needed for root TOTP (/var/otp/root and /var/otp/root~XXXXXX temporary file)
+allow sshd_t var_t:file           { create getattr rename setattr unlink open read write };