From: Dominick Grift <dac.override@gmail.com>
To: Alexander Miroshnichenko <alex@millerson.name>
Cc: selinux-refpolicy@vger.kernel.org, pebenito@ieee.org
Subject: Re: [PATCH v3] Add knot module
Date: Wed, 10 Jul 2019 12:52:54 +0200	[thread overview]
Message-ID: <20190710105254.GA5889@brutus.lan> (raw)
In-Reply-To: <20190710085520.14010-1-alex@millerson.name>


On Wed, Jul 10, 2019 at 11:55:20AM +0300, Alexander Miroshnichenko wrote:
> Add a SELinux Reference Policy module for the
> Knot authoritative-only DNS server.

You forgot to make knotc init_system_domain() instead of init_daemon_domain();
also "file" should be plural "files": knot_read_config_files()

> 
> Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
> ---
>  policy/modules/roles/sysadm.te  |   5 ++
>  policy/modules/services/knot.fc |  11 +++
>  policy/modules/services/knot.if | 108 ++++++++++++++++++++++++++++
>  policy/modules/services/knot.te | 121 ++++++++++++++++++++++++++++++++
>  policy/modules/system/init.te   |   4 ++
>  5 files changed, 249 insertions(+)
>  create mode 100644 policy/modules/services/knot.fc
>  create mode 100644 policy/modules/services/knot.if
>  create mode 100644 policy/modules/services/knot.te
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8f891c83865f..1f986432e2af 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -550,6 +550,11 @@ optional_policy(`
>  	keystone_admin(sysadm_t, sysadm_r)
>  ')
>  
> +optional_policy(`
> +	knot_admin(sysadm_t, sysadm_r)
> +	knot_run_client(sysadm_t, sysadm_r)
> +')
> +
>  optional_policy(`
>  	kismet_admin(sysadm_t, sysadm_r)
>  ')
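Review bot: The new optional_policy block is inserted between the keystone and kismet blocks, but alphabetically "knot" sorts after "kismet", and sysadm.te keeps these blocks in alphabetical order. Moving the `knot_admin`/`knot_run_client` block below the `kismet_admin(sysadm_t, sysadm_r)` block keeps the ordering consistent and avoids a later cleanup commit. The surrounding context lines are otherwise unchanged.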
> diff --git a/policy/modules/services/knot.fc b/policy/modules/services/knot.fc
> new file mode 100644
> index 000000000000..bbf8a3526aeb
> --- /dev/null
> +++ b/policy/modules/services/knot.fc
> @@ -0,0 +1,11 @@
> +/etc/rc\.d/init\.d/knot	--	gen_context(system_u:object_r:knot_initrc_exec_t,s0)
> +
> +/etc/knot(/.*)?		gen_context(system_u:object_r:knot_conf_t,s0)
> +
> +/usr/sbin/knotd		--	gen_context(system_u:object_r:knotd_exec_t,s0)
> +
> +/usr/sbin/knotc		--      gen_context(system_u:object_r:knotc_exec_t,s0)
> +
> +/var/lib/knot(/.*)?	gen_context(system_u:object_r:knot_var_lib_t,s0)
> +
> +/run/knot(/.*)?		gen_context(system_u:object_r:knot_runtime_t,s0)
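Review bot: The knotc entry `/usr/sbin/knotc		--      gen_context(system_u:object_r:knotc_exec_t,s0)` separates `--` from `gen_context` with a run of spaces, while every other line in this new file uses tabs between the fields. Replacing the spaces with a tab keeps the file consistent with the rest of the .fc files and with the adjacent knotd line. Nothing else in this hunk needs attention; the paths match the types declared in knot.te.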
> diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if
> new file mode 100644
> index 000000000000..93285a91a5da
> --- /dev/null
> +++ b/policy/modules/services/knot.if
> @@ -0,0 +1,108 @@
> +## <summary>high-performance authoritative-only DNS server.</summary>
> +
> +########################################
> +## <summary>
> +##      Execute knotc in the knotc domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##      Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`knot_domtrans_client',`
> +	gen_require(`
> +		type knotc_t, knotc_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, knotc_exec_t, knotc_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Execute knotc in the knotc domain, and
> +##      allow the specified role the knotc domain.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +## <param name="role">
> +##      <summary>
> +##      Role allowed access.
> +##      </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`knot_run_client',`
> +	gen_require(`
> +		attribute_role knot_roles;
> +	')
> +
> +	knot_domtrans_client($1)
> +	roleattribute $2 knot_roles;
> +')
> +
> +########################################
> +## <summary>
> +##      Read knot config files.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`knot_read_config_file',`
> +	gen_require(`
> +		type knot_conf_t;
> +	')
> +
> +	read_files_pattern($1, knot_conf_t, knot_conf_t)
> +	files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +##      All of the rules required to
> +##      administrate an knot environment.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <param name="role">
> +##      <summary>
> +##      Role allowed access.
> +##      </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`knot_admin',`
> +	gen_require(`
> +		type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t;
> +		type knot_runtime_t, knot_tmp_t, knot_var_lib_t;
> +	')
> +
> +	allow $1 knotc_t:process signal_perms;
> +	allow $1 knotd_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, knotc_t)
> +	ps_process_pattern($1, knotd_t)
> +
> +	init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t)
> +
> +	files_search_etc($1)
> +	admin_pattern($1, knot_conf_t)
> +
> +	files_search_pids($1)
> +	admin_pattern($1, knot_runtime_t)
> +
> +	files_search_tmp($1)
> +	admin_pattern($1, knot_tmp_t)
> +
> +	files_search_var_lib($1)
> +	admin_pattern($1, knot_var_lib_t)
> +')
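Review bot: The knot_admin summary reads `administrate an knot environment`, which should be `administrate a knot environment`; this text is rendered into the generated interface documentation. In the same file the `<param name="domain">` block of knot_domtrans_client leaves `<summary>` unindented, while the later interfaces indent it one level, so the four blocks should use one layout. The module summary on the first line could also name the program (e.g. `## <summary>Knot, a high-performance authoritative-only DNS server.</summary>`), as readers of the generated docs otherwise only see the generic description.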
> diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te
> new file mode 100644
> index 000000000000..8749bed5c53d
> --- /dev/null
> +++ b/policy/modules/services/knot.te
> @@ -0,0 +1,121 @@
> +policy_module(knot, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role knot_roles;
> +
> +type knotd_t;
> +type knotd_exec_t;
> +init_daemon_domain(knotd_t, knotd_exec_t)
> +
> +type knotc_t;
> +type knotc_exec_t;
> +application_domain(knotc_t, knotc_exec_t)
> +init_daemon_domain(knotc_t, knotc_exec_t)
> +role knot_roles types knotc_t;
> +
> +type knot_conf_t;
> +files_config_file(knot_conf_t)
> +
> +type knot_initrc_exec_t;
> +init_script_file(knot_initrc_exec_t)
> +
> +type knot_runtime_t;
> +files_pid_file(knot_runtime_t)
> +
> +type knot_var_lib_t;
> +files_type(knot_var_lib_t)
> +
> +type knot_tmp_t;
> +files_tmp_file(knot_tmp_t)
> +
> +########################################
> +#
> +# knotd local policy
> +#
> +allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };
> +allow knotd_t self:process { signal_perms getcap getsched setsched };
> +allow knotd_t self:tcp_socket create_stream_socket_perms;
> +allow knotd_t self:udp_socket create_socket_perms;
> +allow knotd_t self:unix_stream_socket create_stream_socket_perms;
> +
> +corenet_tcp_bind_generic_node(knotd_t)
> +corenet_udp_bind_generic_node(knotd_t)
> +
> +corenet_sendrecv_dns_server_packets(knotd_t)
> +corenet_tcp_bind_dns_port(knotd_t)
> +corenet_udp_bind_dns_port(knotd_t)
> +# Slave replication
> +corenet_tcp_connect_dns_port(knotd_t)
> +
> +kernel_read_kernel_sysctls(knotd_t)
> +
> +allow knotd_t knot_conf_t:file map;
> +knot_read_config_file(knotd_t)
> +
> +manage_dirs_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
> +manage_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
> +manage_lnk_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
> +manage_sock_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
> +files_pid_filetrans(knotd_t, knot_runtime_t, dir)
> +
> +allow knotd_t knot_tmp_t:file map;
> +allow knotd_t knot_tmp_t:file manage_file_perms;
> +allow knotd_t knot_tmp_t:dir manage_dir_perms;
> +files_tmp_filetrans(knotd_t, knot_tmp_t, { file dir })
> +
> +allow knotd_t knot_var_lib_t:file map;
> +manage_dirs_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
> +manage_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
> +manage_lnk_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
> +files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir)
> +
> +files_map_etc_files(knotd_t)
> +files_search_var_lib(knotd_t)
> +
> +fs_getattr_xattr_fs(knotd_t)
> +
> +fs_getattr_tmpfs(knotd_t)
> +
> +auth_use_nsswitch(knotd_t)
> +
> +logging_send_syslog_msg(knotd_t)
> +
> +miscfiles_read_localization(knotd_t)
> +
> +########################################
> +#
> +# knotc local policy
> +#
> +allow knotc_t self:capability { dac_override dac_read_search };
> +allow knotc_t self:process signal;
> +
> +stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t)
> +
> +allow knotc_t knot_conf_t:file map;
> +knot_read_config_file(knotc_t)
> +
> +allow knotc_t knot_tmp_t:file map;
> +allow knotc_t knot_tmp_t:file manage_file_perms;
> +allow knotc_t knot_tmp_t:dir manage_dir_perms;
> +files_tmp_filetrans(knotc_t, knot_tmp_t, { file dir })
> +
> +allow knotc_t knot_var_lib_t:file map;
> +manage_dirs_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
> +manage_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
> +manage_lnk_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
> +
> +files_read_etc_files(knotc_t)
> +files_search_pids(knotc_t)
> +files_search_var_lib(knotc_t)
> +
> +fs_getattr_tmpfs(knotc_t)
> +
> +domain_use_interactive_fds(knotc_t)
> +
> +miscfiles_read_localization(knotc_t)
> +
> +userdom_use_user_ptys(knotc_t)
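Review bot: The two directory file transitions for knotd_t are unnamed, so any directory knotd_t creates directly under /run or /var/lib would be labelled knot_runtime_t or knot_var_lib_t, not just the knot subdirectory declared in knot.fc. Since the .fc file pins those paths to /run/knot and /var/lib/knot, the transitions should carry the name: `files_pid_filetrans(knotd_t, knot_runtime_t, dir, "knot")` and `files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir, "knot")`. Separately, both knotd_t and knotc_t are granted the `dac_override` capability alongside `dac_read_search`; if the only need is traversing and reading root-owned configuration and state, `dac_read_search` alone usually suffices, so it would help to state in a comment which operation was observed to require `dac_override`, or drop it until a denial shows it is needed.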
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index f4d27bff3ea2..5824281090ee 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -1158,6 +1158,10 @@ optional_policy(`
>  	kerberos_use(initrc_t)
>  ')
>  
> +optional_policy(`
> +	knot_read_config_file(initrc_t)
> +')
> +
>  optional_policy(`
>  	ldap_read_config(initrc_t)
>  	ldap_list_db(initrc_t)
> -- 
> 2.21.0
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

