* First forays in to writing a module to lock down PowerDNS.
@ 2011-11-29 15:56 Tom
From: Tom @ 2011-11-29 15:56 UTC (permalink / raw)
  To: SELinux

Greetings,

This is my first attempt at writing an SELinux module.  I've basically 
done it by trying to confine the powerdns service, and then worked 
through all of the problems I've had in the audit log.  At this point, 
my powerdns service seems to work well with full functionality, however, 
I'm sure there's about a million things I could be doing to make it 
better.  I'm still a bit shaky on the way I've done the domain 
transition, and also, I'm sure there are loads of macros which I could 
be using, although I'm not sure whether those types of things are 
distribution dependent.  I'm using CentOS 5.7, and have written this to 
fit into the targeted policy.

I'd be glad of any advice on how to do this type of thing in a more 
efficient way.

Many thanks.  Tom.

# cat pdns.te
# PowerDNS targeted enforcement module

policy_module(pdns,1.0.0)

require {
   type etc_t;
   type lib_t;
   type usr_t;
   type ld_so_cache_t;
   type ld_so_t;
   type locale_t;
   type var_run_t;
   type devlog_t;
   type syslogd_t;
   type initrc_var_run_t;
   type dns_port_t;
   type inaddr_any_node_t;
   type transproxy_port_t;
   type mysqld_port_t;
   type mssql_port_t;
}

type pdns_t;
type pdns_exec_t;

domain_type(pdns_t)
domain_entry_file(pdns_t, pdns_exec_t)
init_daemon_domain(pdns_t, pdns_exec_t)

# /etc/pdns/pdns.conf
type pdns_conf_t;
files_config_file(pdns_conf_t)

# /var/run/pdns.pid
type pdns_var_run_t;
files_pid_file(pdns_var_run_t)

allow pdns_t etc_t:dir search;
allow pdns_t etc_t:file { getattr read };
allow pdns_t usr_t:dir search;
allow pdns_t usr_t:file { write create read getattr };
allow pdns_t lib_t:dir { search getattr };
allow pdns_t lib_t:lnk_file read;
allow pdns_t lib_t:file { read getattr execute };
allow pdns_t ld_so_cache_t:file read;
allow pdns_t ld_so_cache_t:file getattr;
allow pdns_t ld_so_t:file { read execute };
allow pdns_t locale_t:file { read getattr };
allow pdns_t pdns_conf_t:file read;
allow pdns_t var_run_t:dir { write remove_name add_name };
allow pdns_t var_run_t:sock_file { unlink create setattr };
allow pdns_t var_run_t:file { write create };
allow pdns_t devlog_t:sock_file write;
allow pdns_t syslogd_t:unix_dgram_socket sendto;
allow pdns_t initrc_var_run_t:file write;
allow pdns_t pdns_exec_t:file execute_no_trans;

allow pdns_t self:process sigkill;
allow pdns_t self:fifo_file { getattr read ioctl write };
allow pdns_t self:capability { chown fsetid net_bind_service setuid setgid kill };
allow pdns_t self:unix_dgram_socket { create connect write };
allow pdns_t self:udp_socket { create bind read getattr write };
allow pdns_t self:tcp_socket { create bind read getattr write setopt listen connect shutdown accept getopt ioctl };

allow pdns_t inaddr_any_node_t:udp_socket node_bind;
allow pdns_t inaddr_any_node_t:tcp_socket node_bind;

# TCP + UDP Port 53
allow pdns_t dns_port_t:udp_socket name_bind;
allow pdns_t dns_port_t:tcp_socket name_bind;

# TCP 8081 for PDNS Web Server
allow pdns_t transproxy_port_t:tcp_socket name_bind;

# DB Connectivity
allow pdns_t mysqld_port_t:tcp_socket name_connect;
allow pdns_t mssql_port_t:tcp_socket name_connect;


# cat pdns.fc
/usr/sbin/pdns_server        --    gen_context(system_u:object_r:pdns_exec_t,s0)
/var/run/pdns\.pid           --    gen_context(system_u:object_r:pdns_var_run_t,s0)
/etc/pdns/pdns\.conf         --    gen_context(system_u:object_r:pdns_conf_t,s0)





--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: First forays in to writing a module to lock down PowerDNS.
@ 2011-11-29 16:14 ` Daniel J Walsh
From: Daniel J Walsh @ 2011-11-29 16:14 UTC (permalink / raw)
  To: Tom; +Cc: SELinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/29/2011 10:56 AM, Tom wrote:
> Greetings,
> 
> This is my first attempt at writing an SELinux module.  I've
> basically done it by trying to confine the powerdns service, and
> then worked through all of the problems I've had in the audit log.
> At this point, my powerdns service seems to work well with full
> functionality, however, I'm sure there's about a million things I
> could be doing to make it better.  I'm still a bit shaky on the way
> I've done the domain transition, and also, I'm sure there are
> loads of macros which I could be using, although I'm not sure
> whether those types of things are distribution dependent.  I'm
> using CentOS 5.7, and have written this to fit into the targeted
> policy.
> 
> I'd be glad of any advice on how to do this type of thing in a
> more efficient way.
> 
> Many thanks.  Tom.
> 
> # cat pdns.te # PowerDNS targeted enforcement module
> 
> policy_module(pdns,1.0.0)
> 
> require { type etc_t; type lib_t; type usr_t; type ld_so_cache_t; 
> type ld_so_t; type lib_t; type locale_t; type var_run_t; type
> devlog_t; type syslogd_t; type initrc_var_run_t; type dns_port_t; 
> type inaddr_any_node_t; type transproxy_port_t; type
> mysqld_port_t; type mssql_port_t; }
> 
> type pdns_t; type pdns_exec_t;
> 
> domain_type(pdns_t) domain_entry_file(pdns_t, pdns_exec_t) 
> init_daemon_domain(pdns_t, pdns_exec_t)
> 
> # /etc/pdns/pdns.conf type pdns_conf_t; 
> files_config_file(pdns_conf_t)
> 
> # /var/run/pdns.pid type pdns_var_run_t; 
> files_pid_file(pdns_var_run_t)
> 
> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file { getattr
> read }; allow pdns_t usr_t:dir search; allow pdns_t usr_t:file {
> write create read getattr }; allow pdns_t lib_t:dir { search
> getattr }; allow pdns_t lib_t:lnk_file read; allow pdns_t
> lib_t:file { read getattr execute }; allow pdns_t
> ld_so_cache_t:file read; allow pdns_t ld_so_cache_t:file getattr; 
> allow pdns_t ld_so_t:file { read execute }; allow pdns_t
> locale_t:file { read getattr }; allow pdns_t pdns_conf_t:file
> read; allow pdns_t var_run_t:dir { write remove_name add_name }; 
> allow pdns_t var_run_t:sock_file { unlink create setattr }; allow
> pdns_t var_run_t:file { write create }; allow pdns_t
> devlog_t:sock_file write; allow pdns_t syslogd_t:unix_dgram_socket
> sendto; allow pdns_t initrc_var_run_t:file write; allow pdns_t
> pdns_exec_t:file execute_no_trans;
> 
> allow pdns_t self:process sigkill; allow pdns_t self:fifo_file {
> getattr read ioctl write }; allow pdns_t self:capability { chown
> fsetid net_bind_service setuid setgid kill }; allow pdns_t
> self:unix_dgram_socket { create connect write }; allow pdns_t
> self:udp_socket { create bind read getattr write }; allow pdns_t
> self:tcp_socket { create bind read getattr write setopt listen
> connect shutdown accept getopt ioctl };
> 
> allow pdns_t inaddr_any_node_t:udp_socket node_bind; allow pdns_t
> inaddr_any_node_t:tcp_socket node_bind;
> 
> # TCP + UDP Port 53 allow pdns_t dns_port_t:udp_socket name_bind; 
> allow pdns_t dns_port_t:tcp_socket name_bind;
> 
> # TCP 8081 for PDNS Web Server allow pdns_t
> transproxy_port_t:tcp_socket name_bind;
> 
> # DB Connectivity allow pdns_t mysqld_port_t:tcp_socket
> name_connect; allow pdns_t mssql_port_t:tcp_socket name_connect;
> 
> 
> # cat pdns.fc /usr/sbin/pdns_server    -- 
> gen_context(system_u:object_r:pdns_exec_t,s0) /var/run/pdns.pid
> --    gen_context(system_u:object_r:pdns_var_run_t,s0) 
> /etc/pdns/pdns.conf    --
> gen_context(system_u:object_r:pdns_conf_t,s0)
> 
> 
> 
> 
> 


Tom, try to remove the entire require block.  You should be using
interfaces and not using the types directly in your policy.

All interfaces are available under /usr/share/selinux/devel/include/...

For example.
> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file { getattr
> read }; allow pdns_t usr_t:dir search; allow pdns_t usr_t:file {
> write create read getattr };

Should be

files_read_etc_files(pdns_t)
files_read_usr_files(pdns_t)


> allow pdns_t transproxy_port_t:tcp_socket name_bind;

Should be

corenet_tcp_bind_transproxy_port(pdns_t)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7VBQEACgkQrlYvE4MpobNlsQCgzgTOtpHRHWA0Cdu6CCAkffsp
WpgAoLxVE0feBnk2hxEmmuIZACR9N6GU
=c39n
-----END PGP SIGNATURE-----


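Daniel's rule here, that a module should go through interfaces rather than raw allow rules against types it does not own, can be checked mechanically before the module goes anywhere near checkmodule. The Python lint below is an added example written for this page, not code from the thread or from PowerDNS; SAMPLE_TE is a constructed excerpt of the first pdns.te posted above, the WRITE_PERMS set is my own choice of which permissions count as modifying an object, and the SUGGESTIONS table holds only the three interfaces the reply names.

```python
"""Lint a refpolicy-style .te module for raw allow rules against types the
module does not own.  Added example (not code from the list or PowerDNS);
SAMPLE_TE is a constructed excerpt of the first pdns.te in this thread."""
import re

# Permissions that alter an object.  Granting any of these on a generic type
# such as usr_t or var_run_t is the case the replies say needs a private type
# and a file transition, not a raw rule.  (My own selection.)
WRITE_PERMS = {"write", "create", "unlink", "append", "setattr", "rename",
               "link", "add_name", "remove_name", "rmdir"}

# Interfaces the reply names for access to these generic types.
SUGGESTIONS = {
    "etc_t": "files_read_etc_files",
    "usr_t": "files_read_usr_files",
    "transproxy_port_t": "corenet_tcp_bind_transproxy_port",
}

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
REQUIRE_RE = re.compile(r"require\s*\{(.*?)\}", re.S)

SAMPLE_TE = """
policy_module(pdns,1.0.0)

require {
   type etc_t;
   type lib_t;
   type usr_t;
   type lib_t;
   type var_run_t;
   type dns_port_t;
}

type pdns_t;
type pdns_exec_t;
type pdns_conf_t;
type pdns_var_run_t;

allow pdns_t etc_t:dir search;
allow pdns_t etc_t:file { getattr read };
allow pdns_t usr_t:file { write create read getattr };
allow pdns_t pdns_conf_t:file read;
allow pdns_t var_run_t:dir { write remove_name add_name };
allow pdns_t var_run_t:sock_file { unlink create setattr };
allow pdns_t self:capability { chown fsetid net_bind_service setuid
setgid kill };
allow pdns_t dns_port_t:udp_socket name_bind;
"""


def module_types(te):
    """Types the module declares itself ('type X;' outside any require block)."""
    return set(TYPE_RE.findall(REQUIRE_RE.sub("", te)))


def required_types(te):
    """Types pulled in via require {}, in order, duplicates included."""
    names = []
    for block in REQUIRE_RE.findall(te):
        names.extend(TYPE_RE.findall(block))
    return names


def lint_te(te):
    """Return (kind, type, class, hint) findings for a .te source string."""
    te = re.sub(r"#[^\n]*", "", te)          # drop comments before matching
    own = module_types(te)
    findings = []
    reqs = required_types(te)
    for name in sorted(set(reqs)):
        if reqs.count(name) > 1:
            findings.append(("duplicate-require", name, None, None))
    for _src, tgt, cls, perms in ALLOW_RE.findall(te):
        if tgt == "self" or tgt in own:
            continue                         # rules on the module's own types are fine
        granted = set(perms.strip("{} ").split())
        if granted & WRITE_PERMS:
            findings.append(("write-to-foreign-type", tgt, cls,
                             "declare a private type and use a *_filetrans interface"))
        else:
            findings.append(("raw-rule-use-interface", tgt, cls,
                             SUGGESTIONS.get(tgt)))
    return findings


if __name__ == "__main__":
    for kind, tgt, cls, hint in lint_te(SAMPLE_TE):
        print("%-24s %-18s %-12s %s" % (kind, tgt, cls or "", hint or ""))
```

Run as a script it lists seven findings for the excerpt: the duplicate `type lib_t;` in the require block, the three raw rules that should become interfaces, and the three writes to usr_t and var_run_t that the replies pick on.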

* Re: First forays in to writing a module to lock down PowerDNS.
@ 2011-11-29 16:27   ` Tom
From: Tom @ 2011-11-29 16:27 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Hi Daniel,

Thanks for this.  I'm just about to leave work, but I'll be looking 
again in the morning, and I'll get back to you and see what you think of 
version 1.0.1! :)

Thanks again.  Tom.


On 29/11/11 16:14, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/29/2011 10:56 AM, Tom wrote:
>> Greetings,
>>
>> This is my first attempt at writing an SELinux module.  I've
>> basically done it by trying to confine the powerdns service, and
>> then worked through all of the problems I've had in the audit log.
>> At this point, my powerdns service seems to work well with full
>> functionality, however, I'm sure there's about a million things I
>> could be doing to make it better.  I'm still a bit shaky on the way
>> I've done the domain transition, and also, I'm sure there are
>> loads of macros which I could be using, although I'm not sure
>> whether those types of things are distribution dependent.  I'm
>> using CentOS 5.7, and have written this to fit into the targeted
>> policy.
>>
>> I'd be glad of any advice on how to do this type of thing in a
>> more efficient way.
>>
>> Many thanks.  Tom.
>>
>> # cat pdns.te # PowerDNS targeted enforcement module
>>
>> policy_module(pdns,1.0.0)
>>
>> require { type etc_t; type lib_t; type usr_t; type ld_so_cache_t;
>> type ld_so_t; type lib_t; type locale_t; type var_run_t; type
>> devlog_t; type syslogd_t; type initrc_var_run_t; type dns_port_t;
>> type inaddr_any_node_t; type transproxy_port_t; type
>> mysqld_port_t; type mssql_port_t; }
>>
>> type pdns_t; type pdns_exec_t;
>>
>> domain_type(pdns_t) domain_entry_file(pdns_t, pdns_exec_t)
>> init_daemon_domain(pdns_t, pdns_exec_t)
>>
>> # /etc/pdns/pdns.conf type pdns_conf_t;
>> files_config_file(pdns_conf_t)
>>
>> # /var/run/pdns.pid type pdns_var_run_t;
>> files_pid_file(pdns_var_run_t)
>>
>> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file { getattr
>> read }; allow pdns_t usr_t:dir search; allow pdns_t usr_t:file {
>> write create read getattr }; allow pdns_t lib_t:dir { search
>> getattr }; allow pdns_t lib_t:lnk_file read; allow pdns_t
>> lib_t:file { read getattr execute }; allow pdns_t
>> ld_so_cache_t:file read; allow pdns_t ld_so_cache_t:file getattr;
>> allow pdns_t ld_so_t:file { read execute }; allow pdns_t
>> locale_t:file { read getattr }; allow pdns_t pdns_conf_t:file
>> read; allow pdns_t var_run_t:dir { write remove_name add_name };
>> allow pdns_t var_run_t:sock_file { unlink create setattr }; allow
>> pdns_t var_run_t:file { write create }; allow pdns_t
>> devlog_t:sock_file write; allow pdns_t syslogd_t:unix_dgram_socket
>> sendto; allow pdns_t initrc_var_run_t:file write; allow pdns_t
>> pdns_exec_t:file execute_no_trans;
>>
>> allow pdns_t self:process sigkill; allow pdns_t self:fifo_file {
>> getattr read ioctl write }; allow pdns_t self:capability { chown
>> fsetid net_bind_service setuid setgid kill }; allow pdns_t
>> self:unix_dgram_socket { create connect write }; allow pdns_t
>> self:udp_socket { create bind read getattr write }; allow pdns_t
>> self:tcp_socket { create bind read getattr write setopt listen
>> connect shutdown accept getopt ioctl };
>>
>> allow pdns_t inaddr_any_node_t:udp_socket node_bind; allow pdns_t
>> inaddr_any_node_t:tcp_socket node_bind;
>>
>> # TCP + UDP Port 53 allow pdns_t dns_port_t:udp_socket name_bind;
>> allow pdns_t dns_port_t:tcp_socket name_bind;
>>
>> # TCP 8081 for PDNS Web Server allow pdns_t
>> transproxy_port_t:tcp_socket name_bind;
>>
>> # DB Connectivity allow pdns_t mysqld_port_t:tcp_socket
>> name_connect; allow pdns_t mssql_port_t:tcp_socket name_connect;
>>
>>
>> # cat pdns.fc /usr/sbin/pdns_server    --
>> gen_context(system_u:object_r:pdns_exec_t,s0) /var/run/pdns.pid
>> --    gen_context(system_u:object_r:pdns_var_run_t,s0)
>> /etc/pdns/pdns.conf    --
>> gen_context(system_u:object_r:pdns_conf_t,s0)
>>
>>
>>
>>
>>
>
> Tom, try to remove the entire require block.  You should be using
> interfaces and not using the types directly in your policy.
>
> All interfaces are available under /usr/share/selinux/devel/include/...
>
> For example.
>> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file { getattr
>> read }; allow pdns_t usr_t:dir search; allow pdns_t usr_t:file {
>> write create read getattr };
> Should be
>
> files_read_etc_files(pdns_t)
> files_read_usr_files(pdns_t)
>
>
>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
> Should be
>
> corenet_tcp_bind_transproxy_port(pdns_t)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk7VBQEACgkQrlYvE4MpobNlsQCgzgTOtpHRHWA0Cdu6CCAkffsp
> WpgAoLxVE0feBnk2hxEmmuIZACR9N6GU
> =c39n
> -----END PGP SIGNATURE-----




* Re: First forays in to writing a module to lock down PowerDNS.
@ 2011-11-30 10:45     ` Tom
From: Tom @ 2011-11-30 10:45 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Hi Again,

I've followed your advice, and I've removed all but one requirement for 
var_run_t:sock_file.  I couldn't find any interfaces which would simply 
give me access to that, but it's certainly looking a lot better, and a 
lot more readable!  It could probably do with some more refactoring, 
but it's working well at the moment!

I haven't really thought too much about the file labelling.  I've only 
done the daemon binary, config file and /var/run/pdns.pid file.  I'm not 
sure I've followed best practices there at all.


# PowerDNS targeted enforcement module

policy_module(pdns,1.0.0)

require {
   type var_run_t;
}

type pdns_t;
type pdns_exec_t;
allow pdns_t pdns_exec_t:file execute_no_trans;

init_daemon_domain(pdns_t, pdns_exec_t)

# /etc/pdns/pdns.conf
type pdns_conf_t;
files_config_file(pdns_conf_t)

# /var/run/pdns.pid
type pdns_var_run_t;
files_pid_file(pdns_var_run_t)

# General self privs
allow pdns_t self:capability { setuid chown fsetid kill setgid };
allow pdns_t self:fifo_file { read getattr ioctl };
allow pdns_t self:process sigkill;
allow pdns_t self:tcp_socket { setopt read bind create accept write ioctl connect getopt listen };
allow pdns_t self:udp_socket { read bind create write getattr };

# Cannot figure out an interface to use with this one:
allow pdns_t var_run_t:sock_file { create setattr };

# General files access Macros
files_read_etc_files(pdns_t)
files_manage_usr_files(pdns_t)
files_read_default_files(pdns_t)
files_rw_generic_pids(pdns_t)
files_delete_all_pids(pdns_t)
files_read_config_files(pdns_t)
libs_use_lib_files(pdns_t)
libs_use_ld_so(pdns_t)
miscfiles_read_localization(pdns_t)

# Core Network
corenet_udp_bind_all_nodes(pdns_t)
corenet_tcp_bind_all_nodes(pdns_t)

# Syslog
logging_send_syslog_msg(pdns_t)

# Inbound DNS
corenet_udp_bind_dns_port(pdns_t)
corenet_udp_sendrecv_dns_port(pdns_t)
corenet_tcp_bind_dns_port(pdns_t)
corenet_tcp_sendrecv_dns_port(pdns_t)

# Inbound TCP 8081 for PDNS Web Server
corenet_tcp_bind_transproxy_port(pdns_t)
corenet_tcp_sendrecv_transproxy_port(pdns_t)

# Outbound DB Connectivity
corenet_tcp_connect_mysqld_port(pdns_t)
corenet_tcp_connect_mssql_port(pdns_t)


Thanks again for your advice.

Tom.


On 29/11/11 16:27, Tom wrote:
> Hi Daniel,
>
> Thanks for this.  I'm just about to leave work, but I'll be looking 
> again in the morning, and I'll get back to you and see what you think 
> of version 1.0.1! :)
>
> Thanks again.  Tom.
>
>
> On 29/11/11 16:14, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 11/29/2011 10:56 AM, Tom wrote:
>>> Greetings,
>>>
>>> This is my first attempt at writing an SELinux module.  I've
>>> basically done it by trying to confine the powerdns service, and
>>> then worked through all of the problems I've had in the audit log.
>>> At this point, my powerdns service seems to work well with full
>>> functionality, however, I'm sure there's about a million things I
>>> could be doing to make it better.  I'm still a bit shaky on the way
>>> I've done the domain transition, and also, I'm sure there are
>>> loads of macros which I could be using, although I'm not sure
>>> whether those types of things are distribution dependent.  I'm
>>> using CentOS 5.7, and have written this to fit into the targeted
>>> policy.
>>>
>>> I'd be glad of any advice on how to do this type of thing in a
>>> more efficient way.
>>>
>>> Many thanks.  Tom.
>>>
>>> # cat pdns.te # PowerDNS targeted enforcement module
>>>
>>> policy_module(pdns,1.0.0)
>>>
>>> require { type etc_t; type lib_t; type usr_t; type ld_so_cache_t;
>>> type ld_so_t; type lib_t; type locale_t; type var_run_t; type
>>> devlog_t; type syslogd_t; type initrc_var_run_t; type dns_port_t;
>>> type inaddr_any_node_t; type transproxy_port_t; type
>>> mysqld_port_t; type mssql_port_t; }
>>>
>>> type pdns_t; type pdns_exec_t;
>>>
>>> domain_type(pdns_t) domain_entry_file(pdns_t, pdns_exec_t)
>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>
>>> # /etc/pdns/pdns.conf type pdns_conf_t;
>>> files_config_file(pdns_conf_t)
>>>
>>> # /var/run/pdns.pid type pdns_var_run_t;
>>> files_pid_file(pdns_var_run_t)
>>>
>>> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file { getattr
>>> read }; allow pdns_t usr_t:dir search; allow pdns_t usr_t:file {
>>> write create read getattr }; allow pdns_t lib_t:dir { search
>>> getattr }; allow pdns_t lib_t:lnk_file read; allow pdns_t
>>> lib_t:file { read getattr execute }; allow pdns_t
>>> ld_so_cache_t:file read; allow pdns_t ld_so_cache_t:file getattr;
>>> allow pdns_t ld_so_t:file { read execute }; allow pdns_t
>>> locale_t:file { read getattr }; allow pdns_t pdns_conf_t:file
>>> read; allow pdns_t var_run_t:dir { write remove_name add_name };
>>> allow pdns_t var_run_t:sock_file { unlink create setattr }; allow
>>> pdns_t var_run_t:file { write create }; allow pdns_t
>>> devlog_t:sock_file write; allow pdns_t syslogd_t:unix_dgram_socket
>>> sendto; allow pdns_t initrc_var_run_t:file write; allow pdns_t
>>> pdns_exec_t:file execute_no_trans;
>>>
>>> allow pdns_t self:process sigkill; allow pdns_t self:fifo_file {
>>> getattr read ioctl write }; allow pdns_t self:capability { chown
>>> fsetid net_bind_service setuid setgid kill }; allow pdns_t
>>> self:unix_dgram_socket { create connect write }; allow pdns_t
>>> self:udp_socket { create bind read getattr write }; allow pdns_t
>>> self:tcp_socket { create bind read getattr write setopt listen
>>> connect shutdown accept getopt ioctl };
>>>
>>> allow pdns_t inaddr_any_node_t:udp_socket node_bind; allow pdns_t
>>> inaddr_any_node_t:tcp_socket node_bind;
>>>
>>> # TCP + UDP Port 53 allow pdns_t dns_port_t:udp_socket name_bind;
>>> allow pdns_t dns_port_t:tcp_socket name_bind;
>>>
>>> # TCP 8081 for PDNS Web Server allow pdns_t
>>> transproxy_port_t:tcp_socket name_bind;
>>>
>>> # DB Connectivity allow pdns_t mysqld_port_t:tcp_socket
>>> name_connect; allow pdns_t mssql_port_t:tcp_socket name_connect;
>>>
>>>
>>> # cat pdns.fc /usr/sbin/pdns_server    --
>>> gen_context(system_u:object_r:pdns_exec_t,s0) /var/run/pdns.pid
>>> --    gen_context(system_u:object_r:pdns_var_run_t,s0)
>>> /etc/pdns/pdns.conf    --
>>> gen_context(system_u:object_r:pdns_conf_t,s0)
>>>
>>>
>>>
>>>
>>>
>>
>> Tom, try to remove the entire require block.  You should be using
>> interfaces and not using the types directly in your policy.
>>
>> All interfaces are available under /usr/share/selinux/devel/include/...
>>
>> For example.
>>> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file { getattr
>>> read }; allow pdns_t usr_t:dir search; allow pdns_t usr_t:file {
>>> write create read getattr };
>> Should be
>>
>> files_read_etc_files(pdns_t)
>> files_read_usr_files(pdns_t)
>>
>>
>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>> Should be
>>
>> corenet_tcp_bind_transproxy_port(pdns_t)
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAk7VBQEACgkQrlYvE4MpobNlsQCgzgTOtpHRHWA0Cdu6CCAkffsp
>> WpgAoLxVE0feBnk2hxEmmuIZACR9N6GU
>> =c39n
>> -----END PGP SIGNATURE-----
>
>




* Re: First forays in to writing a module to lock down PowerDNS.
@ 2011-11-30 16:36       ` Daniel J Walsh
From: Daniel J Walsh @ 2011-11-30 16:36 UTC (permalink / raw)
  To: Tom; +Cc: SELinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/30/2011 05:45 AM, Tom wrote:
> Hi Again,
> 
> I've followed your advice, and I've removed all but one requirement
> for var_run_t:sock_file.  I couldn't find any interfaces which
> would simply give me access to that, but it's certainly looking a
> lot better, and a lot more readable!  It could probably do with
> some more refactoring, but it's working well at the moment!
> 
> I haven't really thought too much about the file labelling.  I've
> only done the daemon binary, config file and /var/run/pdns.pid
> file.  I'm not sure I've followed best practices there at all.
> 
> 
Ok, the next rule you need to follow is: if you need to write to a
"Generic" type, then you need to create your own type and potentially
transition to it.

> # PowerDNS targeted enforcement module
> 
> policy_module(pdns,1.0.0)
> 
> require { type var_run_t; }
> 
> type pdns_t; type pdns_exec_t; allow pdns_t pdns_exec_t:file
> execute_no_trans;
> 
> init_daemon_domain(pdns_t, pdns_exec_t)
> 
> # /etc/pdns/pdns.conf type pdns_conf_t; 
> files_config_file(pdns_conf_t)
> 
> # /var/run/pdns.pid type pdns_var_run_t; 
> files_pid_file(pdns_var_run_t)
> 
> # General self privs allow pdns_t self:capability { setuid chown
> fsetid kill setgid }; allow pdns_t self:fifo_file { read getattr
> ioctl };
allow pdns_t self:fifo_file rw_fifo_file_perms;
> allow pdns_t self:process sigkill;
Might want to just add signal_perms;
> allow pdns_t self:tcp_socket { setopt read bind create accept
> write ioctl connect getopt listen };
allow pdns_t self:tcp_socket create_stream_socket_perms;

> allow pdns_t self:udp_socket { read bind create write getattr };
allow pdns_t self:udp_socket create_socket_perms;
> 
> # Cannot figure out an interface to use with this one: allow pdns_t
> var_run_t:sock_file { create setattr };
> 
See below
> # General files access Macros files_read_etc_files(pdns_t) 
> files_manage_usr_files(pdns_t)
You should have your own type?  What file in /usr are you rewriting?

> files_read_default_files(pdns_t) files_rw_generic_pids(pdns_t) 
> files_delete_all_pids(pdns_t)
Are you actually deleting other people's content in /var/run?  Or do
you have your own content in /var/run?

For example something like

manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })

Then add matching content in the fc file.

> files_read_config_files(pdns_t) libs_use_lib_files(pdns_t) 
> libs_use_ld_so(pdns_t) miscfiles_read_localization(pdns_t)
> 
> # Core Network corenet_udp_bind_all_nodes(pdns_t) 
> corenet_tcp_bind_all_nodes(pdns_t)
> 
> # Syslog logging_send_syslog_msg(pdns_t)
> 
> # Inbound DNS corenet_udp_bind_dns_port(pdns_t) 
> corenet_udp_sendrecv_dns_port(pdns_t) 
> corenet_tcp_bind_dns_port(pdns_t) 
> corenet_tcp_sendrecv_dns_port(pdns_t)
> 
> # Inbound TCP 8081 for PDNS Web Server 
> corenet_tcp_bind_transproxy_port(pdns_t) 
> corenet_tcp_sendrecv_transproxy_port(pdns_t)
> 
> # Outbound DB Connectivity corenet_tcp_connect_mysqld_port(pdns_t) 
> corenet_tcp_connect_mssql_port(pdns_t)
> 
> 
> Thanks again for your advice.
> 
> Tom.
> 
> 
> On 29/11/11 16:27, Tom wrote:
>> Hi Daniel,
>> 
>> Thanks for this.  I'm just about to leave work, but I'll be
>> looking again in the morning, and I'll get back to you and see
>> what you think of version 1.0.1! :)
>> 
>> Thanks again.  Tom.
>> 
>> 
>> On 29/11/11 16:14, Daniel J Walsh wrote:
> On 11/29/2011 10:56 AM, Tom wrote:
>>>>> Greetings,
>>>>> 
>>>>> This is my first attempt at writing an SELinux module.
>>>>> I've basically done it by trying to confine the powerdns
>>>>> service, and then worked through all of the problems I've
>>>>> had in the audit log. At this point, my powerdns service
>>>>> seems to work well with full functionality, however, I'm
>>>>> sure there's about a million things I could be doing to
>>>>> make it better.  I'm still a bit shaky on the way I've done
>>>>> the domain transition, and also, I'm sure there are loads
>>>>> of macros which I could be using, although I'm not sure 
>>>>> whether those types of things are distribution dependent.
>>>>> I'm using CentOS 5.7, and have written this to fit into
>>>>> the targeted policy.
>>>>> 
>>>>> I'd be glad of any advice on how to do this type of thing
>>>>> in a more efficient way.
>>>>> 
>>>>> Many thanks.  Tom.
>>>>> 
>>>>> # cat pdns.te # PowerDNS targeted enforcement module
>>>>> 
>>>>> policy_module(pdns,1.0.0)
>>>>> 
>>>>> require { type etc_t; type lib_t; type usr_t; type
>>>>> ld_so_cache_t; type ld_so_t; type lib_t; type locale_t;
>>>>> type var_run_t; type devlog_t; type syslogd_t; type
>>>>> initrc_var_run_t; type dns_port_t; type inaddr_any_node_t;
>>>>> type transproxy_port_t; type mysqld_port_t; type
>>>>> mssql_port_t; }
>>>>> 
>>>>> type pdns_t; type pdns_exec_t;
>>>>> 
>>>>> domain_type(pdns_t) domain_entry_file(pdns_t, pdns_exec_t) 
>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>> 
>>>>> # /etc/pdns/pdns.conf type pdns_conf_t; 
>>>>> files_config_file(pdns_conf_t)
>>>>> 
>>>>> # /var/run/pdns.pid type pdns_var_run_t; 
>>>>> files_pid_file(pdns_var_run_t)
>>>>> 
>>>>> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file {
>>>>> getattr read }; allow pdns_t usr_t:dir search; allow pdns_t
>>>>> usr_t:file { write create read getattr }; allow pdns_t
>>>>> lib_t:dir { search getattr }; allow pdns_t lib_t:lnk_file
>>>>> read; allow pdns_t lib_t:file { read getattr execute };
>>>>> allow pdns_t ld_so_cache_t:file read; allow pdns_t
>>>>> ld_so_cache_t:file getattr; allow pdns_t ld_so_t:file {
>>>>> read execute }; allow pdns_t locale_t:file { read getattr
>>>>> }; allow pdns_t pdns_conf_t:file read; allow pdns_t
>>>>> var_run_t:dir { write remove_name add_name }; allow pdns_t
>>>>> var_run_t:sock_file { unlink create setattr }; allow pdns_t
>>>>> var_run_t:file { write create }; allow pdns_t 
>>>>> devlog_t:sock_file write; allow pdns_t
>>>>> syslogd_t:unix_dgram_socket sendto; allow pdns_t
>>>>> initrc_var_run_t:file write; allow pdns_t pdns_exec_t:file
>>>>> execute_no_trans;
>>>>> 
>>>>> allow pdns_t self:process sigkill; allow pdns_t
>>>>> self:fifo_file { getattr read ioctl write }; allow pdns_t
>>>>> self:capability { chown fsetid net_bind_service setuid
>>>>> setgid kill }; allow pdns_t self:unix_dgram_socket { create
>>>>> connect write }; allow pdns_t self:udp_socket { create bind
>>>>> read getattr write }; allow pdns_t self:tcp_socket { create
>>>>> bind read getattr write setopt listen connect shutdown
>>>>> accept getopt ioctl };
>>>>> 
>>>>> allow pdns_t inaddr_any_node_t:udp_socket node_bind; allow
>>>>> pdns_t inaddr_any_node_t:tcp_socket node_bind;
>>>>> 
>>>>> # TCP + UDP Port 53 allow pdns_t dns_port_t:udp_socket
>>>>> name_bind; allow pdns_t dns_port_t:tcp_socket name_bind;
>>>>> 
>>>>> # TCP 8081 for PDNS Web Server allow pdns_t 
>>>>> transproxy_port_t:tcp_socket name_bind;
>>>>> 
>>>>> # DB Connectivity allow pdns_t mysqld_port_t:tcp_socket 
>>>>> name_connect; allow pdns_t mssql_port_t:tcp_socket
>>>>> name_connect;
>>>>> 
>>>>> 
>>>>> # cat pdns.fc /usr/sbin/pdns_server    -- 
>>>>> gen_context(system_u:object_r:pdns_exec_t,s0)
>>>>> /var/run/pdns.pid --
>>>>> gen_context(system_u:object_r:pdns_var_run_t,s0) 
>>>>> /etc/pdns/pdns.conf    -- 
>>>>> gen_context(system_u:object_r:pdns_conf_t,s0)
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
> 
> Tom, try to remove the entire require block.  You should be using 
> interfaces and not using the types directly in your policy.
> 
> All interfaces are available under
> /usr/share/selinux/devel/include/...
> 
> For example.
>>>>> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file {
>>>>> getattr read }; allow pdns_t usr_t:dir search; allow pdns_t
>>>>> usr_t:file { write create read getattr };
> Should be
> 
> files_read_etc_files(pdns_t) files_read_usr_files(pdns_t)
> 
> 
>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
> Should be
> 
> corenet_tcp_bind_transproxy_port(pdns_t)
>> 
>> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7WW3YACgkQrlYvE4MpobO1DgCgsHHTO6M+oMRKm6XEIDroPdy1
q4gAoLUwdZEqg4RZ4XztIGH8jlpq53P6
=O79Q
-----END PGP SIGNATURE-----


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: First forays in to writing a module to lock down PowerDNS.
  2011-11-30 16:36       ` Daniel J Walsh
@ 2011-12-01 11:51         ` Tom
  2011-12-01 14:18           ` Daniel J Walsh
  0 siblings, 1 reply; 10+ messages in thread
From: Tom @ 2011-12-01 11:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Hi again,

Thanks again for all your help.  I'm enjoying refactoring this, making 
it better each time!  I've learned a lot so far, and am starting to look 
ready for tackling my next module, which will be for an in-house 
application we use here at work.

I'm hoping to test this on a production server very soon.  I'm also 
chipping away at my colleagues whose only experience with selinux is to 
turn it off!  Some of them aren't too keen on the idea of me introducing 
selinux on to our platform, but I'm just going to introduce it bit by 
bit and make sure it's all documented well, and that they understand 
what I'm up to.


# PowerDNS targeted enforcement module

policy_module(pdns,1.0.2)

type pdns_t;
type pdns_exec_t;
can_exec(pdns_t, pdns_exec_t)

init_daemon_domain(pdns_t, pdns_exec_t)

# /etc/pdns/pdns.conf
type pdns_conf_t;
files_config_file(pdns_conf_t)
read_files_pattern(pdns_t, pdns_conf_t, pdns_conf_t)
files_etc_filetrans(pdns_t, pdns_conf_t, file)

# /var/run/pdns.pid /var/run/pdns.controlsocket /var/run/subsys/pdns
type pdns_var_run_t;
files_pid_file(pdns_var_run_t)
manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })

# General self privs
allow pdns_t self:capability { setuid chown fsetid kill setgid };
allow pdns_t self:fifo_file rw_fifo_file_perms;
allow pdns_t self:process signal_perms;
allow pdns_t self:tcp_socket create_stream_socket_perms;
allow pdns_t self:udp_socket create_socket_perms;

# General files access Macros
files_read_etc_files(pdns_t)
files_read_usr_files(pdns_t)
files_read_default_files(pdns_t)
libs_use_lib_files(pdns_t)
libs_use_ld_so(pdns_t)
miscfiles_read_localization(pdns_t)

# General Networky stuff
corenet_udp_bind_all_nodes(pdns_t)
corenet_tcp_bind_all_nodes(pdns_t)

# Syslog
logging_send_syslog_msg(pdns_t)

# Inbound DNS
corenet_udp_bind_dns_port(pdns_t)
corenet_udp_sendrecv_dns_port(pdns_t)
corenet_tcp_bind_dns_port(pdns_t)
corenet_tcp_sendrecv_dns_port(pdns_t)

# Inbound TCP 8081 for PDNS Web Server
corenet_tcp_bind_transproxy_port(pdns_t)
corenet_tcp_sendrecv_transproxy_port(pdns_t)

# Outbound DB Connectivity
corenet_tcp_connect_mysqld_port(pdns_t)
corenet_tcp_connect_mssql_port(pdns_t)




On 30/11/11 16:36, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/30/2011 05:45 AM, Tom wrote:
>> Hi Again,
>>
>> I've followed your advice, and I've removed all but one requirement
>> for var_run_t:sock_file.  I couldn't find any interfaces which
>> would simply give me access to that, but it's certainly looking a
>> lot better, and a lot more readable!  It could probably do with
>> some more re-factoring, but it's working well at the moment!
>>
>> I haven't really thought too much about the file labelling.  I've
>> only done the daemon binary, config file and /var/run/pdns.pid
>> file.  I'm not sure I've followed best practices there at all.
>>
>>
> OK, the next rule you need to follow is: if you need to write to a
> "Generic" type, then you need to create your own type and potentially
> transition to it.
>
>> # PowerDNS targeted enforcement module
>>
>> policy_module(pdns,1.0.0)
>>
>> require { type var_run_t; }
>>
>> type pdns_t; type pdns_exec_t; allow pdns_t pdns_exec_t:file
>> execute_no_trans;
>>
>> init_daemon_domain(pdns_t, pdns_exec_t)
>>
>> # /etc/pdns/pdns.conf type pdns_conf_t;
>> files_config_file(pdns_conf_t)
>>
>> # /var/run/pdns.pid type pdns_var_run_t;
>> files_pid_file(pdns_var_run_t)
>>
>> # General self privs allow pdns_t self:capability { setuid chown
>> fsetid kill setgid }; allow pdns_t self:fifo_file { read getattr
>> ioctl };
> allow pdns_t self:fifo_file rw_fifo_file_perms;
>> allow pdns_t self:process sigkill;
> Might want to just add signal_perms;
>> allow pdns_t self:tcp_socket { setopt read bind create accept
>> write ioctl connect getopt listen };
> allow pdns_t self:tcp_socket create_stream_socket_perms;
>
>> allow pdns_t self:udp_socket { read bind create write getattr };
> allow pdns_t self:udp_socket create_socket_perms;
>> # Cannot figure out an interface to use with this one: allow pdns_t
>> var_run_t:sock_file { create setattr };
>>
> See below
>> # General files access Macros files_read_etc_files(pdns_t)
>> files_manage_usr_files(pdns_t)
> You should have your own type?  What file in /usr are you rewriting?
>
>> files_read_default_files(pdns_t) files_rw_generic_pids(pdns_t)
>> files_delete_all_pids(pdns_t)
> Are you actually deleting other people's content in /var/run?  Or do
> you have your own content in /var/run?
>
> For example something like
>
> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>
> Then add a matching content in the fc file.
>
>> files_read_config_files(pdns_t) libs_use_lib_files(pdns_t)
>> libs_use_ld_so(pdns_t) miscfiles_read_localization(pdns_t)
>>
>> # Core Network corenet_udp_bind_all_nodes(pdns_t)
>> corenet_tcp_bind_all_nodes(pdns_t)
>>
>> # Syslog logging_send_syslog_msg(pdns_t)
>>
>> # Inbound DNS corenet_udp_bind_dns_port(pdns_t)
>> corenet_udp_sendrecv_dns_port(pdns_t)
>> corenet_tcp_bind_dns_port(pdns_t)
>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>
>> # Inbound TCP 8081 for PDNS Web Server
>> corenet_tcp_bind_transproxy_port(pdns_t)
>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>
>> # Outbound DB Connectivity corenet_tcp_connect_mysqld_port(pdns_t)
>> corenet_tcp_connect_mssql_port(pdns_t)
>>
>>
>> Thanks again for your advice.
>>
>> Tom.
>>
>>
>> On 29/11/11 16:27, Tom wrote:
>>> Hi Daniel,
>>>
>>> Thanks for this.  I'm just about to leave work, but I'll be
>>> looking again in the morning, and I'll get back to you and see
>>> what you think of version 1.0.1! :)
>>>
>>> Thanks again.  Tom.
>>>
>>>
>>> On 29/11/11 16:14, Daniel J Walsh wrote:
>> On 11/29/2011 10:56 AM, Tom wrote:
>>>>>> Greetings,
>>>>>>
>>>>>> This is my first attempt at writing an selinux module.
>>>>>> I've basically done it by trying to confine the powerdns
>>>>>> service, and then worked through all of the problems I've
>>>>>> had in the audit log. At this point, my powerdns service
>>>>>> seems to work well with full functionality, however, I'm
>>>>>> sure there's about a million things I could be doing to
>>>>>> make it better.  I'm still a bit shaky on the way I've done
>>>>>> the domain transition, and also, I'm sure there are loads
>>>>>> of macros which I could be using, although I'm not sure
>>>>>> whether those types of things are distribution dependent.
>>>>>> I'm using CentOS 5.7, and have written this to fit in to
>>>>>> the targeted policy.
>>>>>>
>>>>>> I'd be glad of any advice on how to do this type of thing
>>>>>> in a more efficient way.
>>>>>>
>>>>>> Many thanks.  Tom.
>>>>>>
>>>>>> # cat pdns.te # PowerDNS targeted enforcement module
>>>>>>
>>>>>> policy_module(pdns,1.0.0)
>>>>>>
>>>>>> require { type etc_t; type lib_t; type usr_t; type
>>>>>> ld_so_cache_t; type ld_so_t; type lib_t; type locale_t;
>>>>>> type var_run_t; type devlog_t; type syslogd_t; type
>>>>>> initrc_var_run_t; type dns_port_t; type inaddr_any_node_t;
>>>>>> type transproxy_port_t; type mysqld_port_t; type
>>>>>> mssql_port_t; }
>>>>>>
>>>>>> type pdns_t; type pdns_exec_t;
>>>>>>
>>>>>> domain_type(pdns_t) domain_entry_file(pdns_t, pdns_exec_t)
>>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>>
>>>>>> # /etc/pdns/pdns.conf type pdns_conf_t;
>>>>>> files_config_file(pdns_conf_t)
>>>>>>
>>>>>> # /var/run/pdns.pid type pdns_var_run_t;
>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>
>>>>>> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file {
>>>>>> getattr read }; allow pdns_t usr_t:dir search; allow pdns_t
>>>>>> usr_t:file { write create read getattr }; allow pdns_t
>>>>>> lib_t:dir { search getattr }; allow pdns_t lib_t:lnk_file
>>>>>> read; allow pdns_t lib_t:file { read getattr execute };
>>>>>> allow pdns_t ld_so_cache_t:file read; allow pdns_t
>>>>>> ld_so_cache_t:file getattr; allow pdns_t ld_so_t:file {
>>>>>> read execute }; allow pdns_t locale_t:file { read getattr
>>>>>> }; allow pdns_t pdns_conf_t:file read; allow pdns_t
>>>>>> var_run_t:dir { write remove_name add_name }; allow pdns_t
>>>>>> var_run_t:sock_file { unlink create setattr }; allow pdns_t
>>>>>> var_run_t:file { write create }; allow pdns_t
>>>>>> devlog_t:sock_file write; allow pdns_t
>>>>>> syslogd_t:unix_dgram_socket sendto; allow pdns_t
>>>>>> initrc_var_run_t:file write; allow pdns_t pdns_exec_t:file
>>>>>> execute_no_trans;
>>>>>>
>>>>>> allow pdns_t self:process sigkill; allow pdns_t
>>>>>> self:fifo_file { getattr read ioctl write }; allow pdns_t
>>>>>> self:capability { chown fsetid net_bind_service setuid
>>>>>> setgid kill }; allow pdns_t self:unix_dgram_socket { create
>>>>>> connect write }; allow pdns_t self:udp_socket { create bind
>>>>>> read getattr write }; allow pdns_t self:tcp_socket { create
>>>>>> bind read getattr write setopt listen connect shutdown
>>>>>> accept getopt ioctl };
>>>>>>
>>>>>> allow pdns_t inaddr_any_node_t:udp_socket node_bind; allow
>>>>>> pdns_t inaddr_any_node_t:tcp_socket node_bind;
>>>>>>
>>>>>> # TCP + UDP Port 53 allow pdns_t dns_port_t:udp_socket
>>>>>> name_bind; allow pdns_t dns_port_t:tcp_socket name_bind;
>>>>>>
>>>>>> # TCP 8081 for PDNS Web Server allow pdns_t
>>>>>> transproxy_port_t:tcp_socket name_bind;
>>>>>>
>>>>>> # DB Connectivity allow pdns_t mysqld_port_t:tcp_socket
>>>>>> name_connect; allow pdns_t mssql_port_t:tcp_socket
>>>>>> name_connect;
>>>>>>
>>>>>>
>>>>>> # cat pdns.fc /usr/sbin/pdns_server    --
>>>>>> gen_context(system_u:object_r:pdns_exec_t,s0)
>>>>>> /var/run/pdns.pid --
>>>>>> gen_context(system_u:object_r:pdns_var_run_t,s0)
>>>>>> /etc/pdns/pdns.conf    --
>>>>>> gen_context(system_u:object_r:pdns_conf_t,s0)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>> Tom try to remove the entire require block.  You should be using
>> interfaces and not using the types directly in your policy.
>>
>> All interfaces are available under
>> /usr/share/selinux/devel/include/...
>>
>> For example.
>>>>>> allow pdns_t etc_t:dir search; allow pdns_t etc_t:file {
>>>>>> getattr read }; allow pdns_t usr_t:dir search; allow pdns_t
>>>>>> usr_t:file { write create read getattr };
>> Should be
>>
>> files_read_etc_files(pdns_t) files_read_usr_files(pdns_t)
>>
>>
>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>> Should be
>>
>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>
>>
>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk7WW3YACgkQrlYvE4MpobO1DgCgsHHTO6M+oMRKm6XEIDroPdy1
> q4gAoLUwdZEqg4RZ4XztIGH8jlpq53P6
> =O79Q
> -----END PGP SIGNATURE-----



^ permalink raw reply	[flat|nested] 10+ messages in thread
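Daniel's rule quoted above (write to a private type, transition into it with a filetrans pattern, and "add a matching content in the fc file") is only half done in version 1.0.2: the .te creates pdns_var_run_t and transitions pid files, sockets and directories into it, but the only pdns.fc on the page labels /var/run/pdns.pid, so a relabel would put the control socket and the subsys directory back to var_run_t and the next start would hit the same denials. The file context file below is an added example, not Tom's posted pdns.fc. The run-time paths are the ones listed in the comment above pdns_var_run_t in the 1.0.2 .te; labelling the whole /etc/pdns directory rather than only pdns.conf, and treating /var/run/subsys/pdns as a directory, are assumptions.

```selinux
# pdns.fc -- example file contexts matching the 1.0.2 pdns.te above
#
# Each path is a regular expression, so literal dots are escaped.  The
# second column restricts the line to one object class:
#   --  regular file    -d  directory    -s  socket    (omitted = any class)

# Daemon entry point: initrc_t executing this file transitions to pdns_t
/usr/sbin/pdns_server          --  gen_context(system_u:object_r:pdns_exec_t,s0)

# Configuration (assumption: label the directory, not just pdns.conf, so
# read_files_pattern() on pdns_conf_t covers the directory search too)
/etc/pdns(/.*)?                    gen_context(system_u:object_r:pdns_conf_t,s0)

# Run-time state, from the comment in the 1.0.2 .te.  files_pid_filetrans()
# labels these at creation time; these lines make restorecon agree with it.
/var/run/pdns\.pid             --  gen_context(system_u:object_r:pdns_var_run_t,s0)
/var/run/pdns\.controlsocket   -s  gen_context(system_u:object_r:pdns_var_run_t,s0)
/var/run/subsys/pdns(/.*)?         gen_context(system_u:object_r:pdns_var_run_t,s0)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile pdns.pp` and `semodule -i pdns.pp`, then `restorecon -Rv /usr/sbin/pdns_server /etc/pdns /var/run` and check the result with `ls -Z`. A path that `matchpathcon` still reports as var_run_t or default_t is a missing or mistyped fc entry; the fix is the label, not an extra allow rule in the .te, which is the same point Daniel's later reply makes about files_read_default_files. With this layout the .te also needs no files_etc_filetrans(): pdns_t only reads pdns_conf_t, and filetrans_pattern() would additionally grant it rw_dir_perms on etc_t.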

* Re: First forays in to writing a module to lock down PowerDNS.
  2011-12-01 11:51         ` Tom
@ 2011-12-01 14:18           ` Daniel J Walsh
  2011-12-01 14:22             ` Tom
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2011-12-01 14:18 UTC (permalink / raw)
  To: Tom; +Cc: SELinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/2011 06:51 AM, Tom wrote:
> Hi again,
> 
> Thanks again for all your help.  I'm enjoying refactoring this,
> making it better each time!  I've learned a lot so far, and am
> starting to look ready for tackling my next module, which will be
> for an in-house application we use here at work.
> 
> I'm hoping to test this on a production server very soon.  I'm
> also chipping away at my colleagues whose only experience with
> selinux is to turn it off!  Some of them aren't too keen on the
> idea of me introducing selinux on to our platform, but I'm just
> going to introduce it bit by bit and make sure it's all documented
> well, and that they understand what I'm up to.
> 
> 
> # PowerDNS targeted enforcement module
> 
> policy_module(pdns,1.0.2)
> 
> type pdns_t; type pdns_exec_t; can_exec(pdns_t, pdns_exec_t)
> 
> init_daemon_domain(pdns_t, pdns_exec_t)
> 
> # /etc/pdns/pdns.conf type pdns_conf_t; 
> files_config_file(pdns_conf_t) read_files_pattern(pdns_t,
> pdns_conf_t, pdns_conf_t) files_etc_filetrans(pdns_t, pdns_conf_t,
> file)
> 
> # /var/run/pdns.pid /var/run/pdns.controlsocket
> /var/run/subsys/pdns type pdns_var_run_t; 
> files_pid_file(pdns_var_run_t) manage_files_pattern(pdns_t,
> pdns_var_run_t, pdns_var_run_t) manage_dirs_pattern(pdns_t,
> pdns_var_run_t, pdns_var_run_t) manage_sock_files_pattern(pdns_t,
> pdns_var_run_t, pdns_var_run_t) files_pid_filetrans(pdns_t,
> pdns_var_run_t, { dir file sock_file })
> 
> # General self privs allow pdns_t self:capability { setuid chown
> fsetid kill setgid }; allow pdns_t self:fifo_file
> rw_fifo_file_perms; allow pdns_t self:process signal_perms; allow
> pdns_t self:tcp_socket create_stream_socket_perms; allow pdns_t
> self:udp_socket create_socket_perms;
> 
> # General files access Macros files_read_etc_files(pdns_t) 
> files_read_usr_files(pdns_t) files_read_default_files(pdns_t) 
> libs_use_lib_files(pdns_t) libs_use_ld_so(pdns_t) 
> miscfiles_read_localization(pdns_t)
> 
> # General Networky stuff corenet_udp_bind_all_nodes(pdns_t) 
> corenet_tcp_bind_all_nodes(pdns_t)
> 
> # Syslog logging_send_syslog_msg(pdns_t)
> 
> # Inbound DNS corenet_udp_bind_dns_port(pdns_t) 
> corenet_udp_sendrecv_dns_port(pdns_t) 
> corenet_tcp_bind_dns_port(pdns_t) 
> corenet_tcp_sendrecv_dns_port(pdns_t)
> 
> # Inbound TCP 8081 for PDNS Web Server 
> corenet_tcp_bind_transproxy_port(pdns_t) 
> corenet_tcp_sendrecv_transproxy_port(pdns_t)
> 
> # Outbound DB Connectivity corenet_tcp_connect_mysqld_port(pdns_t) 
> corenet_tcp_connect_mssql_port(pdns_t)
> 
> 
> 
> 
> On 30/11/11 16:36, Daniel J Walsh wrote:
> On 11/30/2011 05:45 AM, Tom wrote:
>>>> Hi Again,
>>>> 
>>>> I've followed your advice, and I've removed all but one
>>>> requirement for var_run_t:sock_file.  I couldn't find any
>>>> interfaces which would simply give me access to that, but
>>>> it's certainly looking a lot better, and a lot more readable!
>>>> It could probably do with some more re-factoring, but it's
>>>> working well at the moment!
>>>> 
>>>> I haven't really thought too much about the file labelling.
>>>> I've only done the daemon binary, config file and
>>>> /var/run/pdns.pid file.  I'm not sure I've followed best
>>>> practices there at all.
>>>> 
>>>> 
> OK, the next rule you need to follow is: if you need to write to a 
> "Generic" type, then you need to create your own type and
> potentially transition to it.
> 
>>>> # PowerDNS targeted enforcement module
>>>> 
>>>> policy_module(pdns,1.0.0)
>>>> 
>>>> require { type var_run_t; }
>>>> 
>>>> type pdns_t; type pdns_exec_t; allow pdns_t pdns_exec_t:file 
>>>> execute_no_trans;
>>>> 
>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>> 
>>>> # /etc/pdns/pdns.conf type pdns_conf_t; 
>>>> files_config_file(pdns_conf_t)
>>>> 
>>>> # /var/run/pdns.pid type pdns_var_run_t; 
>>>> files_pid_file(pdns_var_run_t)
>>>> 
>>>> # General self privs allow pdns_t self:capability { setuid
>>>> chown fsetid kill setgid }; allow pdns_t self:fifo_file {
>>>> read getattr ioctl };
> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>> allow pdns_t self:process sigkill;
> Might want to just add signal_perms;
>>>> allow pdns_t self:tcp_socket { setopt read bind create
>>>> accept write ioctl connect getopt listen };
> allow pdns_t self:tcp_socket create_stream_socket_perms;
> 
>>>> allow pdns_t self:udp_socket { read bind create write getattr
>>>> };
> allow pdns_t self:udp_socket create_socket_perms;
>>>> # Cannot figure out an interface to use with this one: allow
>>>> pdns_t var_run_t:sock_file { create setattr };
>>>> 
> See below
>>>> # General files access Macros files_read_etc_files(pdns_t) 
>>>> files_manage_usr_files(pdns_t)
> You should have your own type?  What file in /usr are you
> rewriting?
> 
>>>> files_read_default_files(pdns_t)
>>>> files_rw_generic_pids(pdns_t) files_delete_all_pids(pdns_t)
> Are you actually deleting other people's content in /var/run?  Or
> do you have your own content in /var/run?
> 
> For example something like
> 
> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) 
> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) 
> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) 
> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file
> })
> 
> Then add a matching content in the fc file.
> 
>>>> files_read_config_files(pdns_t) libs_use_lib_files(pdns_t) 
>>>> libs_use_ld_so(pdns_t) miscfiles_read_localization(pdns_t)
>>>> 
>>>> # Core Network corenet_udp_bind_all_nodes(pdns_t) 
>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>> 
>>>> # Syslog logging_send_syslog_msg(pdns_t)
>>>> 
>>>> # Inbound DNS corenet_udp_bind_dns_port(pdns_t) 
>>>> corenet_udp_sendrecv_dns_port(pdns_t) 
>>>> corenet_tcp_bind_dns_port(pdns_t) 
>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>> 
>>>> # Inbound TCP 8081 for PDNS Web Server 
>>>> corenet_tcp_bind_transproxy_port(pdns_t) 
>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>> 
>>>> # Outbound DB Connectivity
>>>> corenet_tcp_connect_mysqld_port(pdns_t) 
>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>> 
>>>> 
>>>> Thanks again for your advice.
>>>> 
>>>> Tom.
>>>> 
>>>> 
>>>> On 29/11/11 16:27, Tom wrote:
>>>>> Hi Daniel,
>>>>> 
>>>>> Thanks for this.  I'm just about to leave work, but I'll
>>>>> be looking again in the morning, and I'll get back to you
>>>>> and see what you think of version 1.0.1! :)
>>>>> 
>>>>> Thanks again.  Tom.
>>>>> 
>>>>> 
>>>>> On 29/11/11 16:14, Daniel J Walsh wrote:
>>>> On 11/29/2011 10:56 AM, Tom wrote:
>>>>>>>> Greetings,
>>>>>>>> 
>>>>>>>> This is my first attempt at writing an selinux
>>>>>>>> module. I've basically done it by trying to confine
>>>>>>>> the powerdns service, and then worked through all of
>>>>>>>> the problems I've had in the audit log. At this
>>>>>>>> point, my powerdns service seems to work well with
>>>>>>>> full functionality, however, I'm sure there's about a
>>>>>>>> million things I could be doing to make it better.
>>>>>>>> I'm still a bit shaky on the way I've done the domain
>>>>>>>> transition, and also, I'm sure there are loads of
>>>>>>>> macros which I could be using, although I'm not sure 
>>>>>>>> whether those types of things are distribution
>>>>>>>> dependent. I'm using CentOS 5.7, and have written
>>>>>>>> this to fit in to the targeted policy.
>>>>>>>> 
>>>>>>>> I'd be glad of any advice on how to do this type of
>>>>>>>> thing in a more efficient way.
>>>>>>>> 
>>>>>>>> Many thanks.  Tom.
>>>>>>>> 
>>>>>>>> # cat pdns.te # PowerDNS targeted enforcement module
>>>>>>>> 
>>>>>>>> policy_module(pdns,1.0.0)
>>>>>>>> 
>>>>>>>> require { type etc_t; type lib_t; type usr_t; type 
>>>>>>>> ld_so_cache_t; type ld_so_t; type lib_t; type
>>>>>>>> locale_t; type var_run_t; type devlog_t; type
>>>>>>>> syslogd_t; type initrc_var_run_t; type dns_port_t;
>>>>>>>> type inaddr_any_node_t; type transproxy_port_t; type
>>>>>>>> mysqld_port_t; type mssql_port_t; }
>>>>>>>> 
>>>>>>>> type pdns_t; type pdns_exec_t;
>>>>>>>> 
>>>>>>>> domain_type(pdns_t) domain_entry_file(pdns_t,
>>>>>>>> pdns_exec_t) init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>>>> 
>>>>>>>> # /etc/pdns/pdns.conf type pdns_conf_t; 
>>>>>>>> files_config_file(pdns_conf_t)
>>>>>>>> 
>>>>>>>> # /var/run/pdns.pid type pdns_var_run_t; 
>>>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>>> 
>>>>>>>> allow pdns_t etc_t:dir search; allow pdns_t
>>>>>>>> etc_t:file { getattr read }; allow pdns_t usr_t:dir
>>>>>>>> search; allow pdns_t usr_t:file { write create read
>>>>>>>> getattr }; allow pdns_t lib_t:dir { search getattr };
>>>>>>>> allow pdns_t lib_t:lnk_file read; allow pdns_t
>>>>>>>> lib_t:file { read getattr execute }; allow pdns_t
>>>>>>>> ld_so_cache_t:file read; allow pdns_t 
>>>>>>>> ld_so_cache_t:file getattr; allow pdns_t ld_so_t:file
>>>>>>>> { read execute }; allow pdns_t locale_t:file { read
>>>>>>>> getattr }; allow pdns_t pdns_conf_t:file read; allow
>>>>>>>> pdns_t var_run_t:dir { write remove_name add_name };
>>>>>>>> allow pdns_t var_run_t:sock_file { unlink create
>>>>>>>> setattr }; allow pdns_t var_run_t:file { write create
>>>>>>>> }; allow pdns_t devlog_t:sock_file write; allow
>>>>>>>> pdns_t syslogd_t:unix_dgram_socket sendto; allow
>>>>>>>> pdns_t initrc_var_run_t:file write; allow pdns_t
>>>>>>>> pdns_exec_t:file execute_no_trans;
>>>>>>>> 
>>>>>>>> allow pdns_t self:process sigkill; allow pdns_t 
>>>>>>>> self:fifo_file { getattr read ioctl write }; allow
>>>>>>>> pdns_t self:capability { chown fsetid
>>>>>>>> net_bind_service setuid setgid kill }; allow pdns_t
>>>>>>>> self:unix_dgram_socket { create connect write };
>>>>>>>> allow pdns_t self:udp_socket { create bind read
>>>>>>>> getattr write }; allow pdns_t self:tcp_socket {
>>>>>>>> create bind read getattr write setopt listen connect
>>>>>>>> shutdown accept getopt ioctl };
>>>>>>>> 
>>>>>>>> allow pdns_t inaddr_any_node_t:udp_socket node_bind;
>>>>>>>> allow pdns_t inaddr_any_node_t:tcp_socket node_bind;
>>>>>>>> 
>>>>>>>> # TCP + UDP Port 53 allow pdns_t
>>>>>>>> dns_port_t:udp_socket name_bind; allow pdns_t
>>>>>>>> dns_port_t:tcp_socket name_bind;
>>>>>>>> 
>>>>>>>> # TCP 8081 for PDNS Web Server allow pdns_t 
>>>>>>>> transproxy_port_t:tcp_socket name_bind;
>>>>>>>> 
>>>>>>>> # DB Connectivity allow pdns_t
>>>>>>>> mysqld_port_t:tcp_socket name_connect; allow pdns_t
>>>>>>>> mssql_port_t:tcp_socket name_connect;
>>>>>>>> 
>>>>>>>> 
>>>>>>>> # cat pdns.fc /usr/sbin/pdns_server    -- 
>>>>>>>> gen_context(system_u:object_r:pdns_exec_t,s0) 
>>>>>>>> /var/run/pdns.pid -- 
>>>>>>>> gen_context(system_u:object_r:pdns_var_run_t,s0) 
>>>>>>>> /etc/pdns/pdns.conf    -- 
>>>>>>>> gen_context(system_u:object_r:pdns_conf_t,s0)
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>> Tom try to remove the entire require block.  You should be
>>>> using interfaces and not using the types directly in your
>>>> policy.
>>>> 
>>>> All interfaces are available under 
>>>> /usr/share/selinux/devel/include/...
>>>> 
>>>> For example.
>>>>>>>> allow pdns_t etc_t:dir search; allow pdns_t
>>>>>>>> etc_t:file { getattr read }; allow pdns_t usr_t:dir
>>>>>>>> search; allow pdns_t usr_t:file { write create read
>>>>>>>> getattr };
>>>> Should be
>>>> 
>>>> files_read_etc_files(pdns_t) files_read_usr_files(pdns_t)
>>>> 
>>>> 
>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>> Should be
>>>> 
>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>> 
>>>> 
>>>> 
>>>> 
> 
> 
> 
> 

What default_t files do you have on your system?  default_t means
these are files on the system that SELinux has no idea what the
content is.  It usually means you added a new directory at /.  If you
could classify this data and label it correctly, you should be
able to remove the files_read_default rule.  Most confined apps are not
allowed to use content labeled default_t.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7XjMEACgkQrlYvE4MpobO8cQCfddAPnIlVn0yYDjp7Nip8Pd6K
QLsAoKqZ6wxXiyAsIOInxBALhPs7Eedc
=tVhI
-----END PGP SIGNATURE-----


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: First forays in to writing a module to lock down PowerDNS.
  2011-12-01 14:18           ` Daniel J Walsh
@ 2011-12-01 14:22             ` Tom
  2011-12-01 14:23               ` Daniel J Walsh
  0 siblings, 1 reply; 10+ messages in thread
From: Tom @ 2011-12-01 14:22 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

I've just removed that.  It was only there because I had things 
incorrectly labelled when I first started working on the module, and 
audit2allow told me I should use that rule accordingly.  I've had no 
denials since removing it!

Cheers.  Tom.

On 01/12/11 14:18, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/01/2011 06:51 AM, Tom wrote:
>> Hi again,
>>
>> Thanks again for all your help.  I'm enjoying refactoring this,
>> making it better each time!  I've learned a lot so far, and am
>> starting to look ready for tackling my next module, which will be
>> for an in-house application we use here at work.
>>
>> I'm hoping to test this on a production server very soon.  I'm
>> also chipping away at my colleagues whose only experience with
>> selinux is to turn it off!  Some of them aren't too keen on the
>> idea of me introducing selinux on to our platform, but I'm just
>> going to introduce it bit by bit and make sure it's all documented
>> well, and that they understand what I'm up to.
>>
>>
>> # PowerDNS targeted enforcement module
>>
>> policy_module(pdns,1.0.2)
>>
>> type pdns_t; type pdns_exec_t; can_exec(pdns_t, pdns_exec_t)
>>
>> init_daemon_domain(pdns_t, pdns_exec_t)
>>
>> # /etc/pdns/pdns.conf type pdns_conf_t;
>> files_config_file(pdns_conf_t) read_files_pattern(pdns_t,
>> pdns_conf_t, pdns_conf_t) files_etc_filetrans(pdns_t, pdns_conf_t,
>> file)
>>
>> # /var/run/pdns.pid /var/run/pdns.controlsocket
>> /var/run/subsys/pdns type pdns_var_run_t;
>> files_pid_file(pdns_var_run_t) manage_files_pattern(pdns_t,
>> pdns_var_run_t, pdns_var_run_t) manage_dirs_pattern(pdns_t,
>> pdns_var_run_t, pdns_var_run_t) manage_sock_files_pattern(pdns_t,
>> pdns_var_run_t, pdns_var_run_t) files_pid_filetrans(pdns_t,
>> pdns_var_run_t, { dir file sock_file })
>>
>> # General self privs allow pdns_t self:capability { setuid chown
>> fsetid kill setgid }; allow pdns_t self:fifo_file
>> rw_fifo_file_perms; allow pdns_t self:process signal_perms; allow
>> pdns_t self:tcp_socket create_stream_socket_perms; allow pdns_t
>> self:udp_socket create_socket_perms;
>>
>> # General files access Macros files_read_etc_files(pdns_t)
>> files_read_usr_files(pdns_t) files_read_default_files(pdns_t)
>> libs_use_lib_files(pdns_t) libs_use_ld_so(pdns_t)
>> miscfiles_read_localization(pdns_t)
>>
>> # General Networky stuff corenet_udp_bind_all_nodes(pdns_t)
>> corenet_tcp_bind_all_nodes(pdns_t)
>>
>> # Syslog logging_send_syslog_msg(pdns_t)
>>
>> # Inbound DNS corenet_udp_bind_dns_port(pdns_t)
>> corenet_udp_sendrecv_dns_port(pdns_t)
>> corenet_tcp_bind_dns_port(pdns_t)
>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>
>> # Inbound TCP 8081 for PDNS Web Server
>> corenet_tcp_bind_transproxy_port(pdns_t)
>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>
>> # Outbound DB Connectivity corenet_tcp_connect_mysqld_port(pdns_t)
>> corenet_tcp_connect_mssql_port(pdns_t)
>>
>>
>>
>>
>> On 30/11/11 16:36, Daniel J Walsh wrote:
>> On 11/30/2011 05:45 AM, Tom wrote:
>>>>> Hi Again,
>>>>>
>>>>> I've followed your advice, and I've removed all but one
>>>>> requirement for var_run_t:sock_file.  I couldn't find any
>>>>> interfaces which would simply give me access to that, but
>>>>> it's certainly looking a lot better, and a lot more readable!
>>>>> It could probably do with some more re-factoring, but it's
>>>>> working well at the moment!
>>>>>
>>>>> I haven't really thought too much about the file labelling.
>>>>> I've only done the daemon binary, config file and
>>>>> /var/run/pdns.pid file.  I'm not sure I've followed best
>>>>> practices there at all.
>>>>>
>>>>>
>> OK, the next rule you need to follow is: if you need to write to a
>> "Generic" type, then you need to create your own type and
>> potentially transition to it.
>>
>>>>> # PowerDNS targeted enforcement module
>>>>>
>>>>> policy_module(pdns,1.0.0)
>>>>>
>>>>> require { type var_run_t; }
>>>>>
>>>>> type pdns_t; type pdns_exec_t; allow pdns_t pdns_exec_t:file
>>>>> execute_no_trans;
>>>>>
>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>
>>>>> # /etc/pdns/pdns.conf type pdns_conf_t;
>>>>> files_config_file(pdns_conf_t)
>>>>>
>>>>> # /var/run/pdns.pid type pdns_var_run_t;
>>>>> files_pid_file(pdns_var_run_t)
>>>>>
>>>>> # General self privs allow pdns_t self:capability { setuid
>>>>> chown fsetid kill setgid }; allow pdns_t self:fifo_file {
>>>>> read getattr ioctl };
>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>>> allow pdns_t self:process sigkill;
>> Might want to just add signal_perms;
>>>>> allow pdns_t self:tcp_socket { setopt read bind create
>>>>> accept write ioctl connect getopt listen };
>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>
>>>>> allow pdns_t self:udp_socket { read bind create write getattr
>>>>> };
>> allow pdns_t self:udp_socket create_socket_perms;
>>>>> # Cannot figure out an interface to use with this one: allow
>>>>> pdns_t var_run_t:sock_file { create setattr };
>>>>>
>> See below
>>>>> # General files access Macros files_read_etc_files(pdns_t)
>>>>> files_manage_usr_files(pdns_t)
>> You should have you own type?  Whar file in /usr are you
>> rewriting?
>>
>>>>> files_read_default_files(pdns_t)
>>>>> files_rw_generic_pids(pdns_t) files_delete_all_pids(pdns_t)
>> Are you actually deleting other peoples content in /var/run?  Or
>> do you have your own content in /var/run?
>>
>> For example something like
>>
>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file
>> })
>>
>> Then add a matching content in the fc file.
>>
>>>>> files_read_config_files(pdns_t) libs_use_lib_files(pdns_t)
>>>>> libs_use_ld_so(pdns_t) miscfiles_read_localization(pdns_t)
>>>>>
>>>>> # Core Network corenet_udp_bind_all_nodes(pdns_t)
>>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>>>
>>>>> # Syslog logging_send_syslog_msg(pdns_t)
>>>>>
>>>>> # Inbound DNS corenet_udp_bind_dns_port(pdns_t)
>>>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>>>> corenet_tcp_bind_dns_port(pdns_t)
>>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>>>
>>>>> # Inbound TCP 8081 for PDNS Web Server
>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>>>
>>>>> # Outbound DB Connectivity
>>>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>>>
>>>>>
>>>>> Thanks again for your advice.
>>>>>
>>>>> Tom.
>>>>>
>>>>>
>>>>> On 29/11/11 16:27, Tom wrote:
>>>>>> Hi Daniel,
>>>>>>
>>>>>> Thanks for this.  I'm just about to leave work, but I'll
>>>>>> be looking again in the morning, and I'll get back to you
>>>>>> and see what you think of version 1.0.1! :)
>>>>>>
>>>>>> Thanks again.  Tom.
>>>>>>
>>>>>>
>>>>>> On 29/11/11 16:14, Daniel J Walsh wrote:
>>>>> On 11/29/2011 10:56 AM, Tom wrote:
>>>>>>>>> Greetings,
>>>>>>>>>
>>>>>>>>> This is my first attempt at writing an selinux
>>>>>>>>> module. I've basically done it by trying to confine
>>>>>>>>> the powerdns service, and then worked through all of
>>>>>>>>> the problems I've had in the audit log. At this
>>>>>>>>> point, my powerdns service seems to work well with
>>>>>>>>> full functionality, however, I'm sure there's about a
>>>>>>>>> million things I could be doing to make it better.
>>>>>>>>> I'm still a bit shaky on the way I've done the domain
>>>>>>>>> transition, and also, I'm sure there are a loads of
>>>>>>>>> macros which I could be using, although I'm not sure
>>>>>>>>> whether those types of things are distribution
>>>>>>>>> dependent. I'm using CentOS 5.7, and have written
>>>>>>>>> this to fit into the targeted policy.
>>>>>>>>>
>>>>>>>>> I'd be glad of any advice on how to do this type of
>>>>>>>>> thing in a more efficient way.
>>>>>>>>>
>>>>>>>>> Many thanks.  Tom.
>>>>>>>>>
>>>>>>>>> # cat pdns.te
>>>>>>>>> # PowerDNS targeted enforcement module
>>>>>>>>>
>>>>>>>>> policy_module(pdns,1.0.0)
>>>>>>>>>
>>>>>>>>> require {
>>>>>>>>>    type etc_t;
>>>>>>>>>    type lib_t;
>>>>>>>>>    type usr_t;
>>>>>>>>>    type ld_so_cache_t;
>>>>>>>>>    type ld_so_t;
>>>>>>>>>    type lib_t;
>>>>>>>>>    type locale_t;
>>>>>>>>>    type var_run_t;
>>>>>>>>>    type devlog_t;
>>>>>>>>>    type syslogd_t;
>>>>>>>>>    type initrc_var_run_t;
>>>>>>>>>    type dns_port_t;
>>>>>>>>>    type inaddr_any_node_t;
>>>>>>>>>    type transproxy_port_t;
>>>>>>>>>    type mysqld_port_t;
>>>>>>>>>    type mssql_port_t;
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> type pdns_t;
>>>>>>>>> type pdns_exec_t;
>>>>>>>>>
>>>>>>>>> domain_type(pdns_t)
>>>>>>>>> domain_entry_file(pdns_t, pdns_exec_t)
>>>>>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>>>>>
>>>>>>>>> # /etc/pdns/pdns.conf
>>>>>>>>> type pdns_conf_t;
>>>>>>>>> files_config_file(pdns_conf_t)
>>>>>>>>>
>>>>>>>>> # /var/run/pdns.pid
>>>>>>>>> type pdns_var_run_t;
>>>>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>>>>
>>>>>>>>> allow pdns_t etc_t:dir search;
>>>>>>>>> allow pdns_t etc_t:file { getattr read };
>>>>>>>>> allow pdns_t usr_t:dir search;
>>>>>>>>> allow pdns_t usr_t:file { write create read getattr };
>>>>>>>>> allow pdns_t lib_t:dir { search getattr };
>>>>>>>>> allow pdns_t lib_t:lnk_file read;
>>>>>>>>> allow pdns_t lib_t:file { read getattr execute };
>>>>>>>>> allow pdns_t ld_so_cache_t:file read;
>>>>>>>>> allow pdns_t ld_so_cache_t:file getattr;
>>>>>>>>> allow pdns_t ld_so_t:file { read execute };
>>>>>>>>> allow pdns_t locale_t:file { read getattr };
>>>>>>>>> allow pdns_t pdns_conf_t:file read;
>>>>>>>>> allow pdns_t var_run_t:dir { write remove_name add_name };
>>>>>>>>> allow pdns_t var_run_t:sock_file { unlink create setattr };
>>>>>>>>> allow pdns_t var_run_t:file { write create };
>>>>>>>>> allow pdns_t devlog_t:sock_file write;
>>>>>>>>> allow pdns_t syslogd_t:unix_dgram_socket sendto;
>>>>>>>>> allow pdns_t initrc_var_run_t:file write;
>>>>>>>>> allow pdns_t pdns_exec_t:file execute_no_trans;
>>>>>>>>>
>>>>>>>>> allow pdns_t self:process sigkill;
>>>>>>>>> allow pdns_t self:fifo_file { getattr read ioctl write };
>>>>>>>>> allow pdns_t self:capability { chown fsetid net_bind_service setuid setgid kill };
>>>>>>>>> allow pdns_t self:unix_dgram_socket { create connect write };
>>>>>>>>> allow pdns_t self:udp_socket { create bind read getattr write };
>>>>>>>>> allow pdns_t self:tcp_socket { create bind read getattr write setopt listen connect shutdown accept getopt ioctl };
>>>>>>>>>
>>>>>>>>> allow pdns_t inaddr_any_node_t:udp_socket node_bind;
>>>>>>>>> allow pdns_t inaddr_any_node_t:tcp_socket node_bind;
>>>>>>>>>
>>>>>>>>> # TCP + UDP Port 53
>>>>>>>>> allow pdns_t dns_port_t:udp_socket name_bind;
>>>>>>>>> allow pdns_t dns_port_t:tcp_socket name_bind;
>>>>>>>>>
>>>>>>>>> # TCP 8081 for PDNS Web Server
>>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>>>>>>>
>>>>>>>>> # DB Connectivity
>>>>>>>>> allow pdns_t mysqld_port_t:tcp_socket name_connect;
>>>>>>>>> allow pdns_t mssql_port_t:tcp_socket name_connect;
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> # cat pdns.fc
>>>>>>>>> /usr/sbin/pdns_server    --    gen_context(system_u:object_r:pdns_exec_t,s0)
>>>>>>>>> /var/run/pdns.pid    --    gen_context(system_u:object_r:pdns_var_run_t,s0)
>>>>>>>>> /etc/pdns/pdns.conf    --    gen_context(system_u:object_r:pdns_conf_t,s0)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>> Tom try to remove the entire require block.  You should be
>>>>> using interfaces and not using the types directly in your
>>>>> policy.
>>>>>
>>>>> All interfaces are available under
>>>>> /usr/share/selinux/devel/include/...
>>>>>
>>>>> For example.
>>>>>>>>> allow pdns_t etc_t:dir search;
>>>>>>>>> allow pdns_t etc_t:file { getattr read };
>>>>>>>>> allow pdns_t usr_t:dir search;
>>>>>>>>> allow pdns_t usr_t:file { write create read getattr };
>>>>> Should be
>>>>>
>>>>> files_read_etc_files(pdns_t)
>>>>> files_read_usr_files(pdns_t)
>>>>>
>>>>>
>>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>>> Should be
>>>>>
>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>>
>>>>>
>>
>>
>>
> What default_t files do you have on your system?  default_t means
> these are files on the system that SELinux has no idea what the
> content is.  It usually means you added a new directory at /.  If you
> could classify this data as label and label it correctly you should be
> able to remove the files_read_default.   Most confined apps are not
> allowed to use content labeled default_t.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
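The audit-log triage Tom describes (feeding denials through audit2allow) can be checked against the two rules Daniel gives in this thread: a write to a generic type calls for a private type plus a file transition rather than an allow rule, and default_t content should be relabelled rather than allowed. The script below is an added example, not code from the thread or from PowerDNS; the audit lines in it are constructed, and the list of generic types is an assumption.

```python
"""Group AVC denials for one domain and sort them by the advice in this thread.

Added example, not from the thread: the generic-type list is an assumption
and the audit lines below are constructed in CentOS 5 audit.log format.
"""
import re
from collections import defaultdict

# Generic file types a confined daemon should not be allowed to write to
# directly; writing to them calls for a private type plus a filetrans.
# (Assumed list, built from the types this thread discusses.)
GENERIC_TYPES = {"etc_t", "usr_t", "lib_t", "var_t", "var_run_t",
                 "var_lib_t", "var_log_t", "tmp_t"}
# Permissions that modify the target object or its parent directory.
WRITE_PERMS = {"write", "append", "create", "unlink", "setattr", "rename",
               "link", "add_name", "remove_name", "rmdir"}

ADVICE = {
    "relabel": "default_t is unlabelled content: fix the file context, do not allow it",
    "private_type": "write to a generic type: declare a private type and add a filetrans",
    "interface": "read of a generic type: use the matching files_read_* interface",
    "review": "look for an existing interface under /usr/share/selinux/devel/include",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\w+)"
)


def context_type(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; None for non-AVC lines (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def classify(ttype, perms):
    """Apply the thread's rules to one (target type, permission set)."""
    if ttype == "default_t":
        return "relabel"
    if ttype in GENERIC_TYPES:
        return "private_type" if perms & WRITE_PERMS else "interface"
    return "review"


def triage(lines, domain):
    """One finding per (target type, class) seen for `domain`, perms merged."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d and d["stype"] == domain:
            grouped[(d["ttype"], d["tclass"])] |= d["perms"]
    return [{"ttype": t, "tclass": c, "perms": sorted(p), "verdict": classify(t, p)}
            for (t, c), p in sorted(grouped.items())]


def raw_rule(domain, finding):
    """The allow rule audit2allow would emit for the finding, for comparison."""
    return "allow %s %s:%s { %s };" % (
        domain, finding["ttype"], finding["tclass"], " ".join(finding["perms"]))


# Constructed sample lines (not real logs); one is a SYSCALL record and one
# belongs to another domain, to show that both are ignored.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1322668000.101:2001): avc:  denied  { create } for  pid=2431 comm="pdns_server" name="pdns.controlsocket" scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=SYSCALL msg=audit(1322668000.101:2001): arch=40000003 syscall=102 success=no exit=-13',
    'type=AVC msg=audit(1322668000.102:2002): avc:  denied  { setattr } for  pid=2431 comm="pdns_server" name="pdns.controlsocket" scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1322668000.103:2003): avc:  denied  { write } for  pid=2431 comm="pdns_server" name="scratch.tmp" scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1322668000.104:2004): avc:  denied  { read } for  pid=2431 comm="pdns_server" name="zones.txt" scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file',
    'type=AVC msg=audit(1322668000.105:2005): avc:  denied  { search } for  pid=2431 comm="pdns_server" name="pdns" scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir',
    'type=AVC msg=audit(1322668000.106:2006): avc:  denied  { name_connect } for  pid=2431 comm="pdns_server" dest=3306 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1322668000.107:2007): avc:  denied  { create } for  pid=1880 comm="httpd" name="httpd.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT, "pdns_t"):
        print(raw_rule("pdns_t", f))
        print("    -> %s: %s" % (f["verdict"], ADVICE[f["verdict"]]))
```

The var_run_t sock_file finding reproduces the `allow pdns_t var_run_t:sock_file { create setattr };` rule from the thread and flags it as the case for a private pdns_var_run_t type with files_pid_filetrans, which is what the 1.0.2 module does.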


* Re: First forays in to writing a module to lock down PowerDNS.
  2011-12-01 14:22             ` Tom
@ 2011-12-01 14:23               ` Daniel J Walsh
  2011-12-01 14:29                 ` Tom
  0 siblings, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2011-12-01 14:23 UTC (permalink / raw)
  To: Tom; +Cc: SELinux


On 12/01/2011 09:22 AM, Tom wrote:
> I've just removed that.  It was only there because I had things 
> incorrectly labelled when I first started working on the module,
> and audit2allow told me I should use that rule accordingly.  I've
> had no denials since removing it!
> 
> Cheers.  Tom.
> 
> On 01/12/11 14:18, Daniel J Walsh wrote: On 12/01/2011 06:51 AM,
> Tom wrote:
>>>> Hi again,
>>>> 
>>>> Thanks again for all your help.  I'm enjoying refactoring
>>>> this, making it better each time!  I've learned a lot so far,
>>>> and am starting to look ready for tackling my next module,
>>>> which will be for an in-house application we use here at
>>>> work.
>>>> 
>>>> I'm hoping to test this on a production server very soon.
>>>> I'm also chipping away at my colleagues whose only experience
>>>> with selinux is to turn it off!  Some of them aren't too keen
>>>> on the idea of me introducing selinux on to our platform, but
>>>> I'm just going to introduce it bit by bit and make sure it's
>>>> all documented well, and that they understand what I'm up
>>>> to.
>>>> 
>>>> 
>>>> # PowerDNS targeted enforcement module
>>>> 
>>>> policy_module(pdns,1.0.2)
>>>> 
>>>> type pdns_t;
>>>> type pdns_exec_t;
>>>> can_exec(pdns_t, pdns_exec_t)
>>>> 
>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>> 
>>>> # /etc/pdns/pdns.conf
>>>> type pdns_conf_t;
>>>> files_config_file(pdns_conf_t)
>>>> read_files_pattern(pdns_t, pdns_conf_t, pdns_conf_t)
>>>> files_etc_filetrans(pdns_t, pdns_conf_t, file)
>>>> 
>>>> # /var/run/pdns.pid /var/run/pdns.controlsocket /var/run/subsys/pdns
>>>> type pdns_var_run_t;
>>>> files_pid_file(pdns_var_run_t)
>>>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>>> 
>>>> # General self privs
>>>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>>>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>> allow pdns_t self:process signal_perms;
>>>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>>> allow pdns_t self:udp_socket create_socket_perms;
>>>> 
>>>> # General files access Macros
>>>> files_read_etc_files(pdns_t)
>>>> files_read_usr_files(pdns_t)
>>>> files_read_default_files(pdns_t)
>>>> libs_use_lib_files(pdns_t)
>>>> libs_use_ld_so(pdns_t)
>>>> miscfiles_read_localization(pdns_t)
>>>> 
>>>> # General Networky stuff
>>>> corenet_udp_bind_all_nodes(pdns_t)
>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>> 
>>>> # Syslog
>>>> logging_send_syslog_msg(pdns_t)
>>>> 
>>>> # Inbound DNS
>>>> corenet_udp_bind_dns_port(pdns_t)
>>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>>> corenet_tcp_bind_dns_port(pdns_t)
>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>> 
>>>> # Inbound TCP 8081 for PDNS Web Server
>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>> 
>>>> # Outbound DB Connectivity
>>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>> 
>>>> 
>>>> 
>>>> 
> What default_t files do you have on your system?  default_t means 
> these are files on the system that SELinux has no idea what the 
> content is.  It usually means you added a new directory at /.  If
> you could classify this data as label and label it correctly you
> should be able to remove the files_read_default.   Most confined
> apps are not allowed to use content labeled default_t.
> 


Excellent, then I think your policy looks good from a cursory review.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: First forays in to writing a module to lock down PowerDNS.
  2011-12-01 14:23               ` Daniel J Walsh
@ 2011-12-01 14:29                 ` Tom
  0 siblings, 0 replies; 10+ messages in thread
From: Tom @ 2011-12-01 14:29 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Again, thanks for the help, it's very much appreciated!

Tom.

On 01/12/11 14:23, Daniel J Walsh wrote:
>
> On 12/01/2011 09:22 AM, Tom wrote:
>> I've just removed that.  It was only there because I had things
>> incorrectly labelled when I first started working on the module,
>> and audit2allow told me I should use that rule accordingly.  I've
>> had no denials since removing it!
>>
>> Cheers.  Tom.
>>
>> On 01/12/11 14:18, Daniel J Walsh wrote: On 12/01/2011 06:51 AM,
>> Tom wrote:
>>>>> Hi again,
>>>>>
>>>>> Thanks again for all your help.  I'm enjoying refactoring
>>>>> this, making it better each time!  I've learned a lot so far,
>>>>> and am starting to look ready for tackling my next module,
>>>>> which will be for an in-house application we use here at
>>>>> work.
>>>>>
>>>>> I'm hoping to test this on a production server very soon.
>>>>> I'm also chipping away at my colleagues whose only experience
>>>>> with selinux is to turn it off!  Some of them aren't too keen
>>>>> on the idea of me introducing selinux on to our platform, but
>>>>> I'm just going to introduce it bit by bit and make sure it's
>>>>> all documented well, and that they understand what I'm up
>>>>> to.
>>>>>
>>>>>
>>>>> # PowerDNS targeted enforcement module
>>>>>
>>>>> policy_module(pdns,1.0.2)
>>>>>
>>>>> type pdns_t;
>>>>> type pdns_exec_t;
>>>>> can_exec(pdns_t, pdns_exec_t)
>>>>>
>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>
>>>>> # /etc/pdns/pdns.conf
>>>>> type pdns_conf_t;
>>>>> files_config_file(pdns_conf_t)
>>>>> read_files_pattern(pdns_t, pdns_conf_t, pdns_conf_t)
>>>>> files_etc_filetrans(pdns_t, pdns_conf_t, file)
>>>>>
>>>>> # /var/run/pdns.pid /var/run/pdns.controlsocket /var/run/subsys/pdns
>>>>> type pdns_var_run_t;
>>>>> files_pid_file(pdns_var_run_t)
>>>>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>>>>
>>>>> # General self privs
>>>>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>>>>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>>> allow pdns_t self:process signal_perms;
>>>>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>>>> allow pdns_t self:udp_socket create_socket_perms;
>>>>>
>>>>> # General files access Macros
>>>>> files_read_etc_files(pdns_t)
>>>>> files_read_usr_files(pdns_t)
>>>>> files_read_default_files(pdns_t)
>>>>> libs_use_lib_files(pdns_t)
>>>>> libs_use_ld_so(pdns_t)
>>>>> miscfiles_read_localization(pdns_t)
>>>>>
>>>>> # General Networky stuff
>>>>> corenet_udp_bind_all_nodes(pdns_t)
>>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>>>
>>>>> # Syslog
>>>>> logging_send_syslog_msg(pdns_t)
>>>>>
>>>>> # Inbound DNS
>>>>> corenet_udp_bind_dns_port(pdns_t)
>>>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>>>> corenet_tcp_bind_dns_port(pdns_t)
>>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>>>
>>>>> # Inbound TCP 8081 for PDNS Web Server
>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>>>
>>>>> # Outbound DB Connectivity
>>>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 30/11/11 16:36, Daniel J Walsh wrote: On 11/30/2011 05:45
>>>>> AM, Tom wrote:
>>>>>>>> Hi Again,
>>>>>>>>
>>>>>>>> I've followed your advice, and I've removed all but
>>>>>>>> one requirement for var_run_t:sock_file.  I couldn't
>>>>>>>> find any interfaces which would simply give me access
>>>>>>>> to that, but it's certainly looking a lot better, and a
>>>>>>>> lot more readable! It could probably do with some more
>>>>>>>> re-factoring, but it's working well at the moment!
>>>>>>>>
>>>>>>>> I haven't really thought too much about the file
>>>>>>>> labelling. I've only done the daemon binary, config
>>>>>>>> file and /var/run/pdns.pid file.  I'm not sure I've
>>>>>>>> followed best practices there at all.
>>>>>>>>
>>>>>>>>
>>>>> OK, the next rule you need to follow is: if you need to write
>>>>> to a "Generic" type, then you need to create your own type
>>>>> and potentially transition to it.
>>>>>
>>>>>>>> # PowerDNS targeted enforcement module
>>>>>>>>
>>>>>>>> policy_module(pdns,1.0.0)
>>>>>>>>
>>>>>>>> require { type var_run_t; }
>>>>>>>>
>>>>>>>> type pdns_t;
>>>>>>>> type pdns_exec_t;
>>>>>>>> allow pdns_t pdns_exec_t:file execute_no_trans;
>>>>>>>>
>>>>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>>>>
>>>>>>>> # /etc/pdns/pdns.conf
>>>>>>>> type pdns_conf_t;
>>>>>>>> files_config_file(pdns_conf_t)
>>>>>>>>
>>>>>>>> # /var/run/pdns.pid
>>>>>>>> type pdns_var_run_t;
>>>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>>>
>>>>>>>> # General self privs
>>>>>>>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>>>>>>>> allow pdns_t self:fifo_file { read getattr ioctl };
>>>>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>>>>>> allow pdns_t self:process sigkill;
>>>>> Might want to just add signal_perms;
>>>>>>>> allow pdns_t self:tcp_socket { setopt read bind create accept write ioctl connect getopt listen };
>>>>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>>>>
>>>>>>>> allow pdns_t self:udp_socket { read bind create write getattr };
>>>>> allow pdns_t self:udp_socket create_socket_perms;
>>>>>>>> # Cannot figure out an interface to use with this one:
>>>>>>>> allow pdns_t var_run_t:sock_file { create setattr };
>>>>>>>>
>>>>> See below
>>>>>>>> # General files access Macros
>>>>>>>> files_read_etc_files(pdns_t)
>>>>>>>> files_manage_usr_files(pdns_t)
>>>>> You should have your own type?  What file in /usr are you
>>>>> rewriting?
>>>>>
>>>>>>>> files_read_default_files(pdns_t)
>>>>>>>> files_rw_generic_pids(pdns_t)
>>>>>>>> files_delete_all_pids(pdns_t)
>>>>> Are you actually deleting other people's content in /var/run?
>>>>> Or do you have your own content in /var/run?
>>>>>
>>>>> For example something like
>>>>>
>>>>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>>>>
>>>>> Then add matching content in the fc file.
>>>>>
>>>>>>>> files_read_config_files(pdns_t)
>>>>>>>> libs_use_lib_files(pdns_t)
>>>>>>>> libs_use_ld_so(pdns_t)
>>>>>>>> miscfiles_read_localization(pdns_t)
>>>>>>>>
>>>>>>>> # Core Network
>>>>>>>> corenet_udp_bind_all_nodes(pdns_t)
>>>>>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>>>>>>
>>>>>>>> # Syslog
>>>>>>>> logging_send_syslog_msg(pdns_t)
>>>>>>>>
>>>>>>>> # Inbound DNS
>>>>>>>> corenet_udp_bind_dns_port(pdns_t)
>>>>>>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>>>>>>> corenet_tcp_bind_dns_port(pdns_t)
>>>>>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>>>>>>
>>>>>>>> # Inbound TCP 8081 for PDNS Web Server
>>>>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>>>>>>
>>>>>>>> # Outbound DB Connectivity
>>>>>>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>>>>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks again for your advice.
>>>>>>>>
>>>>>>>> Tom.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 29/11/11 16:27, Tom wrote:
>>>>>>>>> Hi Daniel,
>>>>>>>>>
>>>>>>>>> Thanks for this.  I'm just about to leave work, but
>>>>>>>>> I'll be looking again in the morning, and I'll get
>>>>>>>>> back to you and see what you think of version 1.0.1!
>>>>>>>>> :)
>>>>>>>>>
>>>>>>>>> Thanks again.  Tom.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 29/11/11 16:14, Daniel J Walsh wrote:
>>>>>>>> On 11/29/2011 10:56 AM, Tom wrote:
>>>>>>>>>>>> Greetings,
>>>>>>>>>>>>
>>>>>>>>>>>> This is my first attempt at writing an selinux
>>>>>>>>>>>> module. I've basically done it by trying to
>>>>>>>>>>>> confine the powerdns service, and then worked
>>>>>>>>>>>> through all of the problems I've had in the
>>>>>>>>>>>> audit log. At this point, my powerdns service
>>>>>>>>>>>> seems to work well with full functionality,
>>>>>>>>>>>> however, I'm sure there's about a million
>>>>>>>>>>>> things I could be doing to make it better. I'm
>>>>>>>>>>>> still a bit shaky on the way I've done the
>>>>>>>>>>>> domain transition, and also, I'm sure there are
>>>>>>>>>>>> a loads of macros which I could be using,
>>>>>>>>>>>> although I'm not sure whether those types of
>>>>>>>>>>>> things are distribution dependent. I'm using
>>>>>>>>>>>> CentOS 5.7, and have written this to fit in to
>>>>>>>>>>>> the targeted policy.
>>>>>>>>>>>>
>>>>>>>>>>>> I'd be glad of any advice on how to do this
>>>>>>>>>>>> type of thing in a more efficient way.
>>>>>>>>>>>>
>>>>>>>>>>>> Many thanks.  Tom.
>>>>>>>>>>>>
>>>>>>>>>>>> # cat pdns.te # PowerDNS targeted enforcement
>>>>>>>>>>>> module
>>>>>>>>>>>>
>>>>>>>>>>>> policy_module(pdns,1.0.0)
>>>>>>>>>>>>
>>>>>>>>>>>> require { type etc_t; type lib_t; type usr_t;
>>>>>>>>>>>> type ld_so_cache_t; type ld_so_t; type lib_t;
>>>>>>>>>>>> type locale_t; type var_run_t; type devlog_t;
>>>>>>>>>>>> type syslogd_t; type initrc_var_run_t; type
>>>>>>>>>>>> dns_port_t; type inaddr_any_node_t; type
>>>>>>>>>>>> transproxy_port_t; type mysqld_port_t; type
>>>>>>>>>>>> mssql_port_t; }
>>>>>>>>>>>>
>>>>>>>>>>>> type pdns_t; type pdns_exec_t;
>>>>>>>>>>>>
>>>>>>>>>>>> domain_type(pdns_t) domain_entry_file(pdns_t,
>>>>>>>>>>>> pdns_exec_t) init_daemon_domain(pdns_t,
>>>>>>>>>>>> pdns_exec_t)
>>>>>>>>>>>>
>>>>>>>>>>>> # /etc/pdns/pdns.conf type pdns_conf_t;
>>>>>>>>>>>> files_config_file(pdns_conf_t)
>>>>>>>>>>>>
>>>>>>>>>>>> # /var/run/pdns.pid type pdns_var_run_t;
>>>>>>>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>>>>>>>
>>>>>>>>>>>> allow pdns_t etc_t:dir search; allow pdns_t
>>>>>>>>>>>> etc_t:file { getattr read }; allow pdns_t
>>>>>>>>>>>> usr_t:dir search; allow pdns_t usr_t:file {
>>>>>>>>>>>> write create read getattr }; allow pdns_t
>>>>>>>>>>>> lib_t:dir { search getattr }; allow pdns_t
>>>>>>>>>>>> lib_t:lnk_file read; allow pdns_t lib_t:file {
>>>>>>>>>>>> read getattr execute }; allow pdns_t
>>>>>>>>>>>> ld_so_cache_t:file read; allow pdns_t
>>>>>>>>>>>> ld_so_cache_t:file getattr; allow pdns_t
>>>>>>>>>>>> ld_so_t:file { read execute }; allow pdns_t
>>>>>>>>>>>> locale_t:file { read getattr }; allow pdns_t
>>>>>>>>>>>> pdns_conf_t:file read; allow pdns_t
>>>>>>>>>>>> var_run_t:dir { write remove_name add_name };
>>>>>>>>>>>> allow pdns_t var_run_t:sock_file { unlink
>>>>>>>>>>>> create setattr }; allow pdns_t var_run_t:file {
>>>>>>>>>>>> write create }; allow pdns_t devlog_t:sock_file
>>>>>>>>>>>> write; allow pdns_t syslogd_t:unix_dgram_socket
>>>>>>>>>>>> sendto; allow pdns_t initrc_var_run_t:file
>>>>>>>>>>>> write; allow pdns_t pdns_exec_t:file
>>>>>>>>>>>> execute_no_trans;
>>>>>>>>>>>>
>>>>>>>>>>>> allow pdns_t self:process sigkill; allow
>>>>>>>>>>>> pdns_t self:fifo_file { getattr read ioctl
>>>>>>>>>>>> write }; allow pdns_t self:capability { chown
>>>>>>>>>>>> fsetid net_bind_service setuid setgid kill };
>>>>>>>>>>>> allow pdns_t self:unix_dgram_socket { create
>>>>>>>>>>>> connect write }; allow pdns_t self:udp_socket {
>>>>>>>>>>>> create bind read getattr write }; allow pdns_t
>>>>>>>>>>>> self:tcp_socket { create bind read getattr
>>>>>>>>>>>> write setopt listen connect shutdown accept
>>>>>>>>>>>> getopt ioctl };
>>>>>>>>>>>>
>>>>>>>>>>>> allow pdns_t inaddr_any_node_t:udp_socket
>>>>>>>>>>>> node_bind; allow pdns_t
>>>>>>>>>>>> inaddr_any_node_t:tcp_socket node_bind;
>>>>>>>>>>>>
>>>>>>>>>>>> # TCP + UDP Port 53 allow pdns_t
>>>>>>>>>>>> dns_port_t:udp_socket name_bind; allow pdns_t
>>>>>>>>>>>> dns_port_t:tcp_socket name_bind;
>>>>>>>>>>>>
>>>>>>>>>>>> # TCP 8081 for PDNS Web Server allow pdns_t
>>>>>>>>>>>> transproxy_port_t:tcp_socket name_bind;
>>>>>>>>>>>>
>>>>>>>>>>>> # DB Connectivity allow pdns_t
>>>>>>>>>>>> mysqld_port_t:tcp_socket name_connect; allow
>>>>>>>>>>>> pdns_t mssql_port_t:tcp_socket name_connect;
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # cat pdns.fc /usr/sbin/pdns_server    --
>>>>>>>>>>>> gen_context(system_u:object_r:pdns_exec_t,s0)
>>>>>>>>>>>> /var/run/pdns.pid --
>>>>>>>>>>>> gen_context(system_u:object_r:pdns_var_run_t,s0)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/pdns/pdns.conf    --
>>>>>>>>>>>> gen_context(system_u:object_r:pdns_conf_t,s0)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -- This message was distributed to subscribers
>>>>>>>>>>>> of the selinux mailing list. If you no longer
>>>>>>>>>>>> wish to subscribe, send mail to
>>>>>>>>>>>> majordomo@tycho.nsa.gov with the words
>>>>>>>>>>>> "unsubscribe selinux" without quotes as the
>>>>>>>>>>>> message.
>>>>>>>> Tom try to remove the entire require block.  You should
>>>>>>>> be using interfaces and not using the types directly in
>>>>>>>> your policy.
>>>>>>>>
>>>>>>>> All interfaces are available under
>>>>>>>> /usr/share/selinux/devel/include/...
>>>>>>>>
>>>>>>>> For example.
>>>>>>>>>>>> allow pdns_t etc_t:dir search; allow pdns_t
>>>>>>>>>>>> etc_t:file { getattr read }; allow pdns_t
>>>>>>>>>>>> usr_t:dir search; allow pdns_t usr_t:file {
>>>>>>>>>>>> write create read getattr };
>>>>>>>> Should be
>>>>>>>>
>>>>>>>> files_read_etc_files(pdns_t)
>>>>>>>> files_read_usr_files(pdns_t)
>>>>>>>>
>>>>>>>>
>>>>>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket
>>>>>>>>>>>> name_bind;
>>>>>>>> Should be
>>>>>>>>
>>>>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>>
>>>>>
>> What default_t files do you have on your system?  default_t means
>> these are files on the system that SELinux has no idea what the
>> content is.  It usually means you added a new directory at /.  If
>> you could classify this data and label it correctly, you
>> should be able to remove the files_read_default.   Most confined
>> apps are not allowed to use content labeled default_t.
>>
>
> Excellent, then I think your policy looks good from a cursory review.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk7Xjf8ACgkQrlYvE4MpobMcRACfTblmFXgiITDHEW6yZv5qAPwT
> 3uoAoKthjiYOAgExf8flV86AJWpdJ3iG
> =Vbuz
> -----END PGP SIGNATURE-----


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Thread overview: 10+ messages
2011-11-29 15:56 First forays in to writing a module to lock down PowerDNS Tom
2011-11-29 16:14 ` Daniel J Walsh
2011-11-29 16:27   ` Tom
2011-11-30 10:45     ` Tom
2011-11-30 16:36       ` Daniel J Walsh
2011-12-01 11:51         ` Tom
2011-12-01 14:18           ` Daniel J Walsh
2011-12-01 14:22             ` Tom
2011-12-01 14:23               ` Daniel J Walsh
2011-12-01 14:29                 ` Tom
