From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <4ED78DB2.7090206@t0mb.net>
Date: Thu, 01 Dec 2011 14:22:42 +0000
From: Tom
MIME-Version: 1.0
To: Daniel J Walsh
CC: SELinux@tycho.nsa.gov
Subject: Re: First forays in to writing a module to lock down PowerDNS.
References: <4ED500C9.1080509@t0mb.net> <4ED50502.1030509@redhat.com> <4ED507D4.101@t0mb.net> <4ED60963.7080006@t0mb.net> <4ED65B76.3050107@redhat.com> <4ED76A4A.6000504@t0mb.net> <4ED78CC1.9080706@redhat.com>
In-Reply-To: <4ED78CC1.9080706@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

I've just removed that. It was only there because I had things incorrectly
labelled when I first started working on the module, and audit2allow told me
I should use that rule accordingly.

I've had no denials since removing it!

Cheers.

Tom.

On 01/12/11 14:18, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/01/2011 06:51 AM, Tom wrote:
>> Hi again,
>>
>> Thanks again for all your help. I'm enjoying refactoring this,
>> making it better each time! I've learned a lot so far, and am
>> starting to look ready for tackling my next module, which will be
>> for an in-house application we use here at work.
>>
>> I'm hoping to test this on a production server very soon. I'm
>> also chipping away at my colleagues whose only experience with
>> selinux is to turn it off! Some of them aren't too keen on the
>> idea of me introducing selinux on to our platform, but I'm just
>> going to introduce it bit by bit and make sure it's all documented
>> well, and that they understand what I'm up to.
>>
>>
>> # PowerDNS targeted enforcement module
>>
>> policy_module(pdns,1.0.2)
>>
>> type pdns_t;
>> type pdns_exec_t;
>> can_exec(pdns_t, pdns_exec_t)
>>
>> init_daemon_domain(pdns_t, pdns_exec_t)
>>
>> # /etc/pdns/pdns.conf
>> type pdns_conf_t;
>> files_config_file(pdns_conf_t)
>> read_files_pattern(pdns_t, pdns_conf_t, pdns_conf_t)
>> files_etc_filetrans(pdns_t, pdns_conf_t, file)
>>
>> # /var/run/pdns.pid /var/run/pdns.controlsocket /var/run/subsys/pdns
>> type pdns_var_run_t;
>> files_pid_file(pdns_var_run_t)
>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>
>> # General self privs
>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>> allow pdns_t self:process signal_perms;
>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>> allow pdns_t self:udp_socket create_socket_perms;
>>
>> # General files access Macros
>> files_read_etc_files(pdns_t)
>> files_read_usr_files(pdns_t)
>> files_read_default_files(pdns_t)
>> libs_use_lib_files(pdns_t)
>> libs_use_ld_so(pdns_t)
>> miscfiles_read_localization(pdns_t)
>>
>> # General Networky stuff
>> corenet_udp_bind_all_nodes(pdns_t)
>> corenet_tcp_bind_all_nodes(pdns_t)
>>
>> # Syslog
>> logging_send_syslog_msg(pdns_t)
>>
>> # Inbound DNS
>> corenet_udp_bind_dns_port(pdns_t)
>> corenet_udp_sendrecv_dns_port(pdns_t)
>> corenet_tcp_bind_dns_port(pdns_t)
>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>
>> # Inbound TCP 8081 for PDNS Web Server
>> corenet_tcp_bind_transproxy_port(pdns_t)
>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>
>> # Outbound DB Connectivity
>> corenet_tcp_connect_mysqld_port(pdns_t)
>> corenet_tcp_connect_mssql_port(pdns_t)
>>
>>
>> On 30/11/11 16:36, Daniel J Walsh wrote:
>> On 11/30/2011 05:45 AM, Tom wrote:
>>>>> Hi Again,
>>>>>
>>>>> I've followed your advice, and I've removed all but one
>>>>> requirement for var_run_t:sock_file. I couldn't find any
>>>>> interfaces which would simply give me access to that, but
>>>>> it's certainly looking a lot better, and a lot more readable!
>>>>> It could probably do with some more re-factoring, but it's
>>>>> working well at the moment!
>>>>>
>>>>> I haven't really thought too much about the file labelling.
>>>>> I've only done the daemon binary, config file and
>>>>> /var/run/pdns.pid file. I'm not sure I've followed best
>>>>> practices there at all.
>>>>>
>>>>>
>> Ok, the next rule you need to follow is: if you need to write to a
>> "generic" type, then you need to create your own type and
>> potentially transition to it.
>>
>>>>> # PowerDNS targeted enforcement module
>>>>>
>>>>> policy_module(pdns,1.0.0)
>>>>>
>>>>> require {
>>>>>     type var_run_t;
>>>>> }
>>>>>
>>>>> type pdns_t;
>>>>> type pdns_exec_t;
>>>>> allow pdns_t pdns_exec_t:file execute_no_trans;
>>>>>
>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>
>>>>> # /etc/pdns/pdns.conf
>>>>> type pdns_conf_t;
>>>>> files_config_file(pdns_conf_t)
>>>>>
>>>>> # /var/run/pdns.pid
>>>>> type pdns_var_run_t;
>>>>> files_pid_file(pdns_var_run_t)
>>>>>
>>>>> # General self privs
>>>>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>>>>> allow pdns_t self:fifo_file { read getattr ioctl };
>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>>> allow pdns_t self:process sigkill;
>> Might want to just add signal_perms;
>>>>> allow pdns_t self:tcp_socket { setopt read bind create accept write ioctl connect getopt listen };
>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>
>>>>> allow pdns_t self:udp_socket { read bind create write getattr };
>> allow pdns_t self:udp_socket create_socket_perms;
>>>>> # Cannot figure out an interface to use with this one:
>>>>> allow pdns_t var_run_t:sock_file { create setattr };
>>>>>
>> See below
>>>>> # General files access Macros
>>>>> files_read_etc_files(pdns_t)
>>>>> files_manage_usr_files(pdns_t)
>> You should have your own type? What file in /usr are you
>> rewriting?
>>
>>>>> files_read_default_files(pdns_t)
>>>>> files_rw_generic_pids(pdns_t)
>>>>> files_delete_all_pids(pdns_t)
>> Are you actually deleting other people's content in /var/run? Or
>> do you have your own content in /var/run?
>>
>> For example something like
>>
>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>
>> Then add matching content in the fc file.
>>
>>>>> files_read_config_files(pdns_t)
>>>>> libs_use_lib_files(pdns_t)
>>>>> libs_use_ld_so(pdns_t)
>>>>> miscfiles_read_localization(pdns_t)
>>>>>
>>>>> # Core Network
>>>>> corenet_udp_bind_all_nodes(pdns_t)
>>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>>>
>>>>> # Syslog
>>>>> logging_send_syslog_msg(pdns_t)
>>>>>
>>>>> # Inbound DNS
>>>>> corenet_udp_bind_dns_port(pdns_t)
>>>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>>>> corenet_tcp_bind_dns_port(pdns_t)
>>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>>>
>>>>> # Inbound TCP 8081 for PDNS Web Server
>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>>>
>>>>> # Outbound DB Connectivity
>>>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>>>
>>>>>
>>>>> Thanks again for your advice.
>>>>>
>>>>> Tom.
>>>>>
>>>>>
>>>>> On 29/11/11 16:27, Tom wrote:
>>>>>> Hi Daniel,
>>>>>>
>>>>>> Thanks for this. I'm just about to leave work, but I'll
>>>>>> be looking again in the morning, and I'll get back to you
>>>>>> and see what you think of version 1.0.1! :)
>>>>>>
>>>>>> Thanks again. Tom.
>>>>>>
>>>>>>
>>>>>> On 29/11/11 16:14, Daniel J Walsh wrote:
>>>>> On 11/29/2011 10:56 AM, Tom wrote:
>>>>>>>>> Greetings,
>>>>>>>>>
>>>>>>>>> This is my first attempt at writing an selinux
>>>>>>>>> module. I've basically done it by trying to confine
>>>>>>>>> the powerdns service, and then worked through all of
>>>>>>>>> the problems I've had in the audit log. At this
>>>>>>>>> point, my powerdns service seems to work well with
>>>>>>>>> full functionality, however, I'm sure there's about a
>>>>>>>>> million things I could be doing to make it better.
>>>>>>>>> I'm still a bit shaky on the way I've done the domain
>>>>>>>>> transition, and also, I'm sure there are loads of
>>>>>>>>> macros which I could be using, although I'm not sure
>>>>>>>>> whether those types of things are distribution
>>>>>>>>> dependent. I'm using CentOS 5.7, and have written
>>>>>>>>> this to fit in to the targeted policy.
>>>>>>>>>
>>>>>>>>> I'd be glad of any advice on how to do this type of
>>>>>>>>> thing in a more efficient way.
>>>>>>>>>
>>>>>>>>> Many thanks. Tom.
>>>>>>>>>
>>>>>>>>> # cat pdns.te
>>>>>>>>> # PowerDNS targeted enforcement module
>>>>>>>>>
>>>>>>>>> policy_module(pdns,1.0.0)
>>>>>>>>>
>>>>>>>>> require {
>>>>>>>>>     type etc_t;
>>>>>>>>>     type lib_t;
>>>>>>>>>     type usr_t;
>>>>>>>>>     type ld_so_cache_t;
>>>>>>>>>     type ld_so_t;
>>>>>>>>>     type lib_t;
>>>>>>>>>     type locale_t;
>>>>>>>>>     type var_run_t;
>>>>>>>>>     type devlog_t;
>>>>>>>>>     type syslogd_t;
>>>>>>>>>     type initrc_var_run_t;
>>>>>>>>>     type dns_port_t;
>>>>>>>>>     type inaddr_any_node_t;
>>>>>>>>>     type transproxy_port_t;
>>>>>>>>>     type mysqld_port_t;
>>>>>>>>>     type mssql_port_t;
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> type pdns_t;
>>>>>>>>> type pdns_exec_t;
>>>>>>>>>
>>>>>>>>> domain_type(pdns_t)
>>>>>>>>> domain_entry_file(pdns_t, pdns_exec_t)
>>>>>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>>>>>
>>>>>>>>> # /etc/pdns/pdns.conf
>>>>>>>>> type pdns_conf_t;
>>>>>>>>> files_config_file(pdns_conf_t)
>>>>>>>>>
>>>>>>>>> # /var/run/pdns.pid
>>>>>>>>> type pdns_var_run_t;
>>>>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>>>>
>>>>>>>>> allow pdns_t etc_t:dir search;
>>>>>>>>> allow pdns_t etc_t:file { getattr read };
>>>>>>>>> allow pdns_t usr_t:dir search;
>>>>>>>>> allow pdns_t usr_t:file { write create read getattr };
>>>>>>>>> allow pdns_t lib_t:dir { search getattr };
>>>>>>>>> allow pdns_t lib_t:lnk_file read;
>>>>>>>>> allow pdns_t lib_t:file { read getattr execute };
>>>>>>>>> allow pdns_t ld_so_cache_t:file read;
>>>>>>>>> allow pdns_t ld_so_cache_t:file getattr;
>>>>>>>>> allow pdns_t ld_so_t:file { read execute };
>>>>>>>>> allow pdns_t locale_t:file { read getattr };
>>>>>>>>> allow pdns_t pdns_conf_t:file read;
>>>>>>>>> allow pdns_t var_run_t:dir { write remove_name add_name };
>>>>>>>>> allow pdns_t var_run_t:sock_file { unlink create setattr };
>>>>>>>>> allow pdns_t var_run_t:file { write create };
>>>>>>>>> allow pdns_t devlog_t:sock_file write;
>>>>>>>>> allow pdns_t syslogd_t:unix_dgram_socket sendto;
>>>>>>>>> allow pdns_t initrc_var_run_t:file write;
>>>>>>>>> allow pdns_t pdns_exec_t:file execute_no_trans;
>>>>>>>>>
>>>>>>>>> allow pdns_t self:process sigkill;
>>>>>>>>> allow pdns_t self:fifo_file { getattr read ioctl write };
>>>>>>>>> allow pdns_t self:capability { chown fsetid net_bind_service setuid setgid kill };
>>>>>>>>> allow pdns_t self:unix_dgram_socket { create connect write };
>>>>>>>>> allow pdns_t self:udp_socket { create bind read getattr write };
>>>>>>>>> allow pdns_t self:tcp_socket { create bind read getattr write setopt listen connect shutdown accept getopt ioctl };
>>>>>>>>>
>>>>>>>>> allow pdns_t inaddr_any_node_t:udp_socket node_bind;
>>>>>>>>> allow pdns_t inaddr_any_node_t:tcp_socket node_bind;
>>>>>>>>>
>>>>>>>>> # TCP + UDP Port 53
>>>>>>>>> allow pdns_t dns_port_t:udp_socket name_bind;
>>>>>>>>> allow pdns_t dns_port_t:tcp_socket name_bind;
>>>>>>>>>
>>>>>>>>> # TCP 8081 for PDNS Web Server
>>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>>>>>>>
>>>>>>>>> # DB Connectivity
>>>>>>>>> allow pdns_t mysqld_port_t:tcp_socket name_connect;
>>>>>>>>> allow pdns_t mssql_port_t:tcp_socket name_connect;
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> # cat pdns.fc
>>>>>>>>> /usr/sbin/pdns_server -- gen_context(system_u:object_r:pdns_exec_t,s0)
>>>>>>>>> /var/run/pdns.pid -- gen_context(system_u:object_r:pdns_var_run_t,s0)
>>>>>>>>> /etc/pdns/pdns.conf -- gen_context(system_u:object_r:pdns_conf_t,s0)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> This message was distributed to subscribers of
>>>>>>>>> the selinux mailing list. If you no longer wish to
>>>>>>>>> subscribe, send mail to majordomo@tycho.nsa.gov with
>>>>>>>>> the words "unsubscribe selinux" without quotes as the
>>>>>>>>> message.
>>>>> Tom, try to remove the entire require block. You should be
>>>>> using interfaces and not using the types directly in your
>>>>> policy.
>>>>>
>>>>> All interfaces are available under
>>>>> /usr/share/selinux/devel/include/...
>>>>>
>>>>> For example.
>>>>>>>>> allow pdns_t etc_t:dir search;
>>>>>>>>> allow pdns_t etc_t:file { getattr read };
>>>>>>>>> allow pdns_t usr_t:dir search;
>>>>>>>>> allow pdns_t usr_t:file { write create read getattr };
>>>>> Should be
>>>>>
>>>>> files_read_etc_files(pdns_t)
>>>>> files_read_usr_files(pdns_t)
>>>>>
>>>>>
>>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>>> Should be
>>>>>
>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>>
>>>>>
>>
>>
> What default_t files do you have on your system? default_t means
> these are files on the system whose content SELinux knows nothing
> about. It usually means you added a new directory at /. If you
> could classify this data and label it correctly you should be
> able to remove the files_read_default. Most confined apps are not
> allowed to use content labeled default_t.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk7XjMEACgkQrlYvE4MpobO8cQCfddAPnIlVn0yYDjp7Nip8Pd6K
> QLsAoKqZ6wxXiyAsIOInxBALhPs7Eedc
> =tVhI
> -----END PGP SIGNATURE-----
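The review advice in this thread boils down to three mechanical checks on a module: raw allow rules against types the module does not own (which should become interface calls), write permissions granted on a generic type (which call for a private type plus a filetrans), and declared file types that the .fc never labels. The following is an added example, not code from the thread or from the SELinux reference policy: a small Python lint that runs those checks over a constructed, abridged copy of the first pdns.te and pdns.fc posted above. The type and interface names are the ones in the thread; the WRITE_PERMS set and the heuristic that "a type appearing as an allow source is a domain, not a file type" are the example's own assumptions.

```python
"""Lint an SELinux .te/.fc pair for the three points raised in the thread:
require-block types used in raw allow rules, writes to generic types, and
module-owned file types with no .fc entry. Added example, not policy code."""
import re

# Constructed sample: abridged from the first pdns.te in the thread, keeping the
# require block and the raw usr_t/var_run_t rules that the review flagged.
PDNS_TE_V100 = """\
policy_module(pdns,1.0.0)

require {
    type etc_t;
    type usr_t;
    type var_run_t;
    type dns_port_t;
}

type pdns_t;
type pdns_exec_t;
init_daemon_domain(pdns_t, pdns_exec_t)
type pdns_conf_t;
files_config_file(pdns_conf_t)
type pdns_var_run_t;
files_pid_file(pdns_var_run_t)

allow pdns_t etc_t:dir search;
allow pdns_t etc_t:file { getattr read };
allow pdns_t usr_t:file { write create read getattr };
allow pdns_t var_run_t:dir { write remove_name add_name };
allow pdns_t var_run_t:sock_file { unlink create setattr };
allow pdns_t pdns_conf_t:file read;
allow pdns_t self:tcp_socket { create bind listen accept };
allow pdns_t dns_port_t:tcp_socket name_bind;
"""

# Constructed sample .fc with the same three entries as the one in the thread.
PDNS_FC = """\
/usr/sbin/pdns_server  --  gen_context(system_u:object_r:pdns_exec_t,s0)
/var/run/pdns.pid      --  gen_context(system_u:object_r:pdns_var_run_t,s0)
/etc/pdns/pdns.conf    --  gen_context(system_u:object_r:pdns_conf_t,s0)
"""

# Assumed set of permissions that modify an object. Granted on a generic type,
# they are the signal that the module should own a private type and transition.
WRITE_PERMS = {"write", "append", "create", "unlink", "setattr", "rename",
               "link", "add_name", "remove_name", "rmdir"}

REQUIRE_BLOCK = re.compile(r"^\s*require\s*\{(.*?)\}", re.M | re.S)
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
ALLOW_RULE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
FC_ENTRY = re.compile(r"^\s*(\S+)\s+(?:-\S\s+)?gen_context\(\w+:\w+:(\w+),", re.M)


def required_types(te):
    """Types imported with a require block rather than reached via interfaces."""
    found = set()
    for block in REQUIRE_BLOCK.findall(te):
        found.update(re.findall(r"type\s+(\w+)\s*;", block))
    return found


def local_types(te):
    """Types the module declares itself; require blocks are cut out first so
    their 'type foo_t;' lines are not mistaken for declarations."""
    return set(TYPE_DECL.findall(REQUIRE_BLOCK.sub("", te)))


def allow_rules(te):
    """(source, target, class, perms) for every raw allow rule in the module."""
    return [(s, t, c, set(p.strip("{} ").split()))
            for s, t, c, p in ALLOW_RULE.findall(te)]


def direct_generic_rules(te):
    """Raw allow rules against types the module does not own ('self' aside);
    each is a candidate for replacement by an interface call."""
    own = local_types(te)
    return [r for r in allow_rules(te) if r[1] != "self" and r[1] not in own]


def generic_writes(te):
    """Subset of direct_generic_rules that modify the generic type's objects."""
    return [r for r in direct_generic_rules(te) if r[3] & WRITE_PERMS]


def file_types_without_fc(te, fc):
    """Module-owned types that are never an allow source (assumed: not domains)
    and have no file-context line, so a relabel would never apply them."""
    domains = {r[0] for r in allow_rules(te)}
    labelled = {t for _, t in FC_ENTRY.findall(fc)}
    return local_types(te) - domains - labelled


def review(te, fc):
    """Summarise the checks; rule hits are reported as 'type:class' strings."""
    return {
        "require_types": sorted(required_types(te)),
        "direct_generic": sorted({f"{t}:{c}" for _, t, c, _ in direct_generic_rules(te)}),
        "generic_writes": sorted({f"{t}:{c}" for _, t, c, _ in generic_writes(te)}),
        "unlabelled_types": sorted(file_types_without_fc(te, fc)),
    }


if __name__ == "__main__":
    for check, hits in review(PDNS_TE_V100, PDNS_FC).items():
        print(f"{check}: {', '.join(hits) or 'none'}")
```

On the sample, generic_writes reports exactly the usr_t and var_run_t rules that the 1.0.2 version replaced with files_read_usr_files and the manage_*_pattern/files_pid_filetrans block, and unlabelled_types is empty because the .fc covers pdns_exec_t, pdns_conf_t and pdns_var_run_t. Since audit2allow emits the same raw allow and require syntax, its output can be fed through the same functions before anything is pasted into a module.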