* policy help
From: Greg Norris @ 2004-06-30 2:28 UTC (permalink / raw)
To: SE-Linux
I'm trying to put together a policy (current draft attached) for
dnsmasq, and am having problems with the networking piece. I expect
that I'm overlooking something obvious (this is my first such attempt),
but can't seem to wrap my mind around it. Anyone willing to take a
look, and point me in the right direction?
Basically, dnsmasq is acting as the DNS and DHCP server for my local
network, and needs to be able to take on all comers. To that end I'm
using the following entries, in an attempt to allow UDP connectivity to
anywhere.
allow dnsmasq_t netif_type:netif { udp_send udp_recv };
allow dnsmasq_t node_type:node { udp_send udp_recv };
allow dnsmasq_t port_type:udp_socket { send_msg recv_msg };
These should allow it to service the appropriate ports (53 and 67).
allow dnsmasq_t dhcpd_port_t:udp_socket { name_bind recv_msg send_msg };
allow dnsmasq_t dns_port_t:udp_socket { name_bind recv_msg send_msg };
Unfortunately, I still get LOTS of errors such as the ones below. I'm
definitely overlooking something... :-(
Jun 29 20:44:39 sasami kernel: audit(1088559879.376:0): avc: denied
{ send_msg } for pid=27877 exe=/usr/sbin/dnsmasq saddr=192.168.0.1
src=67 daddr=192.168.0.129 dest=68 netif=eth1
scontext=system_u:system_r:dnsmasq_t
tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
Jun 29 20:44:47 sasami kernel: audit(1088559826.952:0): avc: denied
{ recv_msg } for pid=27877 exe=/usr/sbin/dnsmasq saddr=127.0.0.1
src=53 daddr=127.0.0.1 dest=39013 netif=lo
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:dns_port_t tclass=udp_socket
Suggestions (and/or pointers to the FM to R) would be most appreciated.
Thanx!
[-- Attachment #2: dnsmasq.te --]
daemon_domain(dnsmasq);
type dnsmasq_lease_t, file_type, sysadmfile;
type dhcpd_port_t, port_type;
type dns_port_t, port_type;
# misc. requirements
allow dnsmasq_t self:capability { net_bind_service net_raw setgid setuid };
allow dnsmasq_t urandom_device_t:chr_file { read };
# network-related goodies
allow dnsmasq_t self:packet_socket { create write };
allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:unix_dgram_socket { connect create write };
allow dnsmasq_t self:unix_stream_socket { connect create };
# The intent here is to allow UDP to/from any port... doesn't seem to be
# working.
allow dnsmasq_t netif_type:netif { udp_send udp_recv };
allow dnsmasq_t node_type:node { udp_send udp_recv };
allow dnsmasq_t port_type:udp_socket { send_msg recv_msg };
# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
# Comment out the following entry if you don't want to allow this behaviour.
allow dnsmasq_t node_inaddr_any_t:udp_socket { node_bind };
# specific ports where the magic happens
allow dnsmasq_t dhcpd_port_t:udp_socket { name_bind recv_msg send_msg };
allow dnsmasq_t dns_port_t:udp_socket { name_bind recv_msg send_msg };
# allow access to dnsmasq.conf and resolv.conf
allow dnsmasq_t etc_t:file { getattr read };
allow dnsmasq_t net_conf_t:file { getattr read };
# dhcp leases
allow dnsmasq_t var_lib_t:dir { search };
allow dnsmasq_t dnsmasq_lease_t:file { append create getattr read write };
type_transition dnsmasq_t var_lib_t:file dnsmasq_lease_t;
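The two AVC lines quoted above carry enough information to derive a candidate allow rule, and also to notice that they are not the same kind of problem. The following is an added example, not code from the original post or from the SELinux project: a small parser in the spirit of audit2allow (it is not that tool) that extracts the denied permission, source domain, target type and object class from each line, groups them into allow rules, and sets aside any denial whose source domain is not the domain the policy is being written for. The two log lines are copied from the post as constructed sample input; the expected domain name dnsmasq_t comes from the attached policy.

```python
import re

# Constructed sample input: the two denials quoted in the original post,
# re-joined onto one line each as syslog would have written them.
SAMPLE_AVC_LINES = [
    "Jun 29 20:44:39 sasami kernel: audit(1088559879.376:0): avc: denied "
    "{ send_msg } for pid=27877 exe=/usr/sbin/dnsmasq saddr=192.168.0.1 "
    "src=67 daddr=192.168.0.129 dest=68 netif=eth1 "
    "scontext=system_u:system_r:dnsmasq_t "
    "tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket",
    "Jun 29 20:44:47 sasami kernel: audit(1088559826.952:0): avc: denied "
    "{ recv_msg } for pid=27877 exe=/usr/sbin/dnsmasq saddr=127.0.0.1 "
    "src=53 daddr=127.0.0.1 dest=39013 netif=lo "
    "scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:dns_port_t tclass=udp_socket",
]

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return the security-relevant pieces of one AVC denial, or None if the
    line is not a denial.  The type is the third field of a context
    (user:role:type[:range]), so indexing [2] also works for MLS contexts."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": sorted(m.group("perms").split()),
        "sdomain": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
        "fields": fields,
    }


def suggest_rules(lines, expected_domain):
    """Group denials into allow rules keyed on (source, target, class).

    Denials whose source domain is not expected_domain are returned
    separately: adding permissions to expected_domain cannot fix them,
    because the process was not running in that domain when it was denied."""
    rules = {}
    other_domain = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        if d["sdomain"] != expected_domain:
            other_domain.append(d)
            continue
        key = (d["sdomain"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    allow = [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(rules.items())
    ]
    return allow, other_domain


if __name__ == "__main__":
    allow, other_domain = suggest_rules(SAMPLE_AVC_LINES, "dnsmasq_t")
    print("candidate rules for dnsmasq_t:")
    for rule in allow:
        print("  " + rule)
    for d in other_domain:
        print("not a dnsmasq_t denial: %s is running as %s (target %s:%s, %s)"
              % (d["exe"], d["sdomain"], d["ttype"], d["tclass"],
                 " ".join(d["perms"])))
```

Run on the two quoted lines, the first denial yields a single candidate rule, allow dnsmasq_t dhcpc_port_t:udp_socket { send_msg }; (the DHCP client port, which the attached draft never mentions), while the second is reported as a process running in initrc_t rather than dnsmasq_t, so no rule for dnsmasq_t would have changed its outcome. Treat the generated rule as a starting point to review against the policy's intent, not as something to paste in unread.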
* Re: policy help
From: Russell Coker @ 2004-06-30 3:27 UTC (permalink / raw)
To: Greg Norris; +Cc: SE-Linux
On Wed, 30 Jun 2004 12:28, Greg Norris <haphazard@kc.rr.com> wrote:
> Basically, dnsmasq is acting as the DNS and DHCP server for my local
> network, and needs to be able to take on all comers. To that end I'm
> using the following entries, in an attempt to allow UDP connectivity to
> anywhere.
>
> allow dnsmasq_t netif_type:netif { udp_send udp_recv };
> allow dnsmasq_t node_type:node { udp_send udp_recv };
Use can_network(dnsmasq_t) for this and more.
It may be easiest to just derive your work from the dhcpd.te file.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policy help
From: Greg Norris @ 2004-07-01 0:16 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux
On Wed, Jun 30, 2004 at 01:27:35PM +1000, Russell Coker wrote:
> > allow dnsmasq_t netif_type:netif { udp_send udp_recv };
> > allow dnsmasq_t node_type:node { udp_send udp_recv };
>
> Use can_network(dnsmasq_t) for this and more.
Thanx. I switched to that approach, and everything seems to be working
as intended now. I was avoiding can_network originally, because I was
trying to strictly limit network permissions... dnsmasq doesn't use
TCP, for example, so I didn't want to allow it. I might revisit this
later (after working through some unrelated policies), although I'm not
at all sure it's worth the effort in this case. ;-)