JumpCloud MFA SELinux Policy - Tested on CentOS 7
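#!/bin/bash -
#===============================================================================
#
#          FILE: jc-selinux.sh
#
#         USAGE: ./jc-selinux.sh
#
#   DESCRIPTION: Build and load a small SELinux policy module that lets sshd_t
#                manage the JumpCloud TOTP state under /etc/ssh/jumpcloud_totp
#                (type sshd_google_authenticator_t), relabel /etc/ssh, and
#                reboot. Tested on CentOS 7.
#
#       OPTIONS: ---
#  REQUIREMENTS: bash, root, yum (selinux-policy-devel is installed here)
#          BUGS: ---
#         NOTES: The module is compiled in a temporary directory that is
#                removed on exit; only the loaded module persists.
#                The last step reboots the host without prompting.
#        AUTHOR: Nick Henry (NSH), nicholas.henry@appdirect.com
#  ORGANIZATION: AppDirect
#       CREATED: 2019-03-07 11:18
#      REVISION: ---
#===============================================================================
set -o nounset # treat unset variables as errors

#===============================================================================
# GLOBAL DECLARATIONS
#===============================================================================
declare -rx SCRIPT=${0##*/}                 # the name of this script
declare -r MODULE=sshd_google_authenticator # base name of the .te/.fc/.pp files

# die MESSAGE...
# Print "<script>:<caller line>: MESSAGE" to stderr and exit non-zero.
# Used so that a failed package install, build or module load stops the
# script before it relabels /etc/ssh or reboots.
die() {
  printf '%s:%s: %s\n' "${SCRIPT}" "${BASH_LINENO[0]}" "$*" >&2
  exit 1
}

# Create a temporary directory; the EXIT trap removes it on every exit path.
TMPDIR=${TMPDIR:-/tmp} # defaults to /tmp if unset
TEMPORARY_DIR=$(mktemp -d "${TMPDIR}/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") || \
  { echo "ERROR creating a temporary directory" >&2; exit 1; }
trap '[[ "${TEMPORARY_DIR}" ]] && rm --recursive --force "${TEMPORARY_DIR}"' EXIT

#===============================================================================
# SANITY CHECKS
#===============================================================================
# Variables are passed as printf arguments, never as the format string.
if [[ -z "${BASH:-}" ]]
then
  printf '%s:%s: run this script with the BASH shell\n' "${SCRIPT}" "${LINENO}" >&2
  exit 192
fi
if [[ ${EUID} -ne 0 ]]
then
  printf '%s:%s: run this script as root\n' "${SCRIPT}" "${LINENO}" >&2
  exit 192
fi

#===============================================================================
# MAIN SCRIPT
#===============================================================================
# Make sure you have /usr/share/selinux/devel/Makefile
yum -y install selinux-policy-devel || die "failed to install selinux-policy-devel"
[[ -f /usr/share/selinux/devel/Makefile ]] || die "/usr/share/selinux/devel/Makefile not found"

# Build in the throw-away directory so no .te/.fc/.pp files are left behind.
cd "${TEMPORARY_DIR}" || die "cannot enter ${TEMPORARY_DIR}"

# NOTE(review): the policy below is wider than the single directory the .fc
# file labels. It grants sshd_t create/unlink on every etc_t file, and
# filetrans_pattern (as defined in refpolicy) also grants rw_dir_perms on etc_t
# directories. The fifth filetrans_pattern argument is a literal file name in
# refpolicy rather than a glob, so the "*" transitions are unlikely to fire;
# check the effective rules with sesearch before narrowing them.
cat > "${MODULE}.te" <<'EOM'
# Name and version, every module should have this.
policy_module(sshd_google_authenticator, 0.0.1)
# List of the types, class and everything else you are going to use in your module that is not defined in this .te file.
# If you are getting any errors when you compile your module that it is unable to find a type, you probably forgot to declare it here.
require {
  type sshd_t;
  type etc_t;
  class dir { add_name write };
  class file { create read unlink };
}
# This is where we define our type. A good practise is to append _t for all types.
# This is the type we are going to give our .google_authenticator file.
type sshd_google_authenticator_t;
# What role our type should have. This is almost always going to be object_r
role object_r types sshd_google_authenticator_t;
# What sshd_t (the context the ssh daemon runs as) should be able to do with our type (sshd_google_authenticator_t),
# as a file. rename, create and unlink are base definitions, rw_file_perms is a set of rules.
# The rw_file_perms group is defined in /usr/share/selinux/devel/include/support/obj_perm_sets.spt with a lot of other
# groups. Reading this files give you a good overview of what they allow.
allow sshd_t etc_t:file { create unlink };
allow sshd_t sshd_google_authenticator_t:file { read write append rename create unlink rw_file_perms };
allow sshd_t sshd_google_authenticator_t:dir { add_name remove_name read write rename create unlink rw_file_perms };
# Without this, SELinux will be way too strict as default, as it won't know what this type really is.
# Remember that SELinux doesn’t only deal with files, but sockets and other filetypes as well.
# Leaving this out will still allow sshd_t to do its stuff, but you, in your shell will see a weird file.
# The only thing you will see is the file name. Even permissions will be hidden from you. (a fun trick to pull on your friends.. :] )
# An overview of this is located at http://oss.tresys.com/docs/refpolicy/api/kernel_files.html.
files_type(sshd_google_authenticator_t)
filetrans_pattern(sshd_t, etc_t, sshd_google_authenticator_t, file, "*")
filetrans_pattern(sshd_t, etc_t, sshd_google_authenticator_t, dir, "*")
EOM

# File-context patterns are anchored regular expressions, not shell globs:
# "/.*" matches everything below the directory, whereas "/*" only matched a
# run of slashes. The first line already covers the tree; the second pins the
# regular files ("--") explicitly.
cat > "${MODULE}.fc" <<'EOM'
/etc/ssh/jumpcloud_totp(/.*)?    gen_context(system_u:object_r:sshd_google_authenticator_t,s0)
/etc/ssh/jumpcloud_totp/.*    --    gen_context(system_u:object_r:sshd_google_authenticator_t,s0)
EOM

# Create the module (.pp); stop here if the policy does not compile.
make -f /usr/share/selinux/devel/Makefile "${MODULE}.pp" || die "building ${MODULE}.pp failed"

# Load the module (the .pp file that was created); never relabel with a module
# that failed to load.
semodule -i "${MODULE}.pp" || die "semodule failed to load ${MODULE}.pp"

# Restore SELinux labels under /etc/ssh according to the new file contexts.
restorecon -R -v /etc/ssh

# Verify labels (informational; the directory may not exist until first use).
ls -lZ /etc/ssh/jumpcloud_totp

# Reboot so sshd and every existing session pick up the new policy.
reboot

#===============================================================================
# STATISTICS / CLEANUP
#===============================================================================
exit 0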