From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4ED78F3C.8060605@t0mb.net>
Date: Thu, 01 Dec 2011 14:29:16 +0000
From: Tom
MIME-Version: 1.0
To: Daniel J Walsh
CC: SELinux@tycho.nsa.gov
Subject: Re: First forays in to writing a module to lock down PowerDNS.
References: <4ED500C9.1080509@t0mb.net> <4ED50502.1030509@redhat.com> <4ED507D4.101@t0mb.net> <4ED60963.7080006@t0mb.net> <4ED65B76.3050107@redhat.com> <4ED76A4A.6000504@t0mb.net> <4ED78CC1.9080706@redhat.com> <4ED78DB2.7090206@t0mb.net> <4ED78DFF.5040009@redhat.com>
In-Reply-To: <4ED78DFF.5040009@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Again, thanks for the help, it's very much appreciated!

Tom.

On 01/12/11 14:23, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/01/2011 09:22 AM, Tom wrote:
>> I've just removed that. It was only there because I had things incorrectly labelled when I first started working on the module, and audit2allow told me I should use that rule accordingly. I've had no denials since removing it!
>>
>> Cheers. Tom.
>>
>> On 01/12/11 14:18, Daniel J Walsh wrote:
>> On 12/01/2011 06:51 AM, Tom wrote:
>>>>> Hi again,
>>>>>
>>>>> Thanks again for all your help. I'm enjoying refactoring this, making it better each time! I've learned a lot so far, and am starting to look ready for tackling my next module, which will be for an in-house application we use here at work.
>>>>>
>>>>> I'm hoping to test this on a production server very soon. I'm also chipping away at my colleagues whose only experience with selinux is to turn it off! Some of them aren't too keen on the idea of me introducing selinux onto our platform, but I'm just going to introduce it bit by bit and make sure it's all documented well, and that they understand what I'm up to.
>>>>>
>>>>> # PowerDNS targeted enforcement module
>>>>>
>>>>> policy_module(pdns,1.0.2)
>>>>>
>>>>> type pdns_t;
>>>>> type pdns_exec_t;
>>>>> can_exec(pdns_t, pdns_exec_t)
>>>>>
>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>
>>>>> # /etc/pdns/pdns.conf
>>>>> type pdns_conf_t;
>>>>> files_config_file(pdns_conf_t)
>>>>> read_files_pattern(pdns_t, pdns_conf_t, pdns_conf_t)
>>>>> files_etc_filetrans(pdns_t, pdns_conf_t, file)
>>>>>
>>>>> # /var/run/pdns.pid /var/run/pdns.controlsocket /var/run/subsys/pdns
>>>>> type pdns_var_run_t;
>>>>> files_pid_file(pdns_var_run_t)
>>>>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>>>>
>>>>> # General self privs
>>>>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>>>>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>>> allow pdns_t self:process signal_perms;
>>>>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>>>> allow pdns_t self:udp_socket create_socket_perms;
>>>>>
>>>>> # General files access Macros
>>>>> files_read_etc_files(pdns_t)
>>>>> files_read_usr_files(pdns_t)
>>>>> files_read_default_files(pdns_t)
>>>>> libs_use_lib_files(pdns_t)
>>>>> libs_use_ld_so(pdns_t)
>>>>> miscfiles_read_localization(pdns_t)
>>>>>
>>>>> # General Networky stuff
>>>>> corenet_udp_bind_all_nodes(pdns_t)
>>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>>>
>>>>> # Syslog
>>>>> logging_send_syslog_msg(pdns_t)
>>>>>
>>>>> # Inbound DNS
>>>>> corenet_udp_bind_dns_port(pdns_t)
>>>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>>>> corenet_tcp_bind_dns_port(pdns_t)
>>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>>>
>>>>> # Inbound TCP 8081 for PDNS Web Server
>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>>>
>>>>> # Outbound DB Connectivity
>>>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>>>
>>>>>
>>>>> On 30/11/11 16:36, Daniel J Walsh wrote:
>>>>> On 11/30/2011 05:45 AM, Tom wrote:
>>>>>>>> Hi Again,
>>>>>>>>
>>>>>>>> I've followed your advice, and I've removed all but one requirement for var_run_t:sock_file. I couldn't find any interfaces which would simply give me access to that, but it's certainly looking a lot better, and a lot more readable! It could probably do with some more re-factoring, but it's working well at the moment!
>>>>>>>>
>>>>>>>> I haven't really thought too much about the file labelling. I've only done the daemon binary, config file and /var/run/pdns.pid file. I'm not sure I've followed best practices there at all.
>>>>>>>>
>>>>> Ok, the next rule you need to follow is: if you need to write to a "Generic" type, then you need to create your own type and potentially transition to it.
>>>>>
>>>>>>>> # PowerDNS targeted enforcement module
>>>>>>>>
>>>>>>>> policy_module(pdns,1.0.0)
>>>>>>>>
>>>>>>>> require { type var_run_t; }
>>>>>>>>
>>>>>>>> type pdns_t;
>>>>>>>> type pdns_exec_t;
>>>>>>>> allow pdns_t pdns_exec_t:file execute_no_trans;
>>>>>>>>
>>>>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>>>>
>>>>>>>> # /etc/pdns/pdns.conf
>>>>>>>> type pdns_conf_t;
>>>>>>>> files_config_file(pdns_conf_t)
>>>>>>>>
>>>>>>>> # /var/run/pdns.pid
>>>>>>>> type pdns_var_run_t;
>>>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>>>
>>>>>>>> # General self privs
>>>>>>>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>>>>>>>> allow pdns_t self:fifo_file { read getattr ioctl };
>>>>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>>>>>> allow pdns_t self:process sigkill;
>>>>> Might want to just add signal_perms;
>>>>>>>> allow pdns_t self:tcp_socket { setopt read bind create accept write ioctl connect getopt listen };
>>>>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>>>>
>>>>>>>> allow pdns_t self:udp_socket { read bind create write getattr };
>>>>> allow pdns_t self:udp_socket create_socket_perms;
>>>>>>>> # Cannot figure out an interface to use with this one:
>>>>>>>> allow pdns_t var_run_t:sock_file { create setattr };
>>>>>>>>
>>>>> See below
>>>>>>>> # General files access Macros
>>>>>>>> files_read_etc_files(pdns_t)
>>>>>>>> files_manage_usr_files(pdns_t)
>>>>> You should have your own type? What file in /usr are you rewriting?
>>>>>
>>>>>>>> files_read_default_files(pdns_t)
>>>>>>>> files_rw_generic_pids(pdns_t)
>>>>>>>> files_delete_all_pids(pdns_t)
>>>>> Are you actually deleting other people's content in /var/run? Or do you have your own content in /var/run?
>>>>>
>>>>> For example something like
>>>>>
>>>>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>>>>
>>>>> Then add a matching content in the fc file.
>>>>>
>>>>>>>> files_read_config_files(pdns_t)
>>>>>>>> libs_use_lib_files(pdns_t)
>>>>>>>> libs_use_ld_so(pdns_t)
>>>>>>>> miscfiles_read_localization(pdns_t)
>>>>>>>>
>>>>>>>> # Core Network
>>>>>>>> corenet_udp_bind_all_nodes(pdns_t)
>>>>>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>>>>>>
>>>>>>>> # Syslog
>>>>>>>> logging_send_syslog_msg(pdns_t)
>>>>>>>>
>>>>>>>> # Inbound DNS
>>>>>>>> corenet_udp_bind_dns_port(pdns_t)
>>>>>>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>>>>>>> corenet_tcp_bind_dns_port(pdns_t)
>>>>>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>>>>>>
>>>>>>>> # Inbound TCP 8081 for PDNS Web Server
>>>>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>>>>>>
>>>>>>>> # Outbound DB Connectivity
>>>>>>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>>>>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks again for your advice.
>>>>>>>>
>>>>>>>> Tom.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 29/11/11 16:27, Tom wrote:
>>>>>>>>> Hi Daniel,
>>>>>>>>>
>>>>>>>>> Thanks for this. I'm just about to leave work, but I'll be looking again in the morning, and I'll get back to you and see what you think of version 1.0.1! :)
>>>>>>>>>
>>>>>>>>> Thanks again. Tom.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 29/11/11 16:14, Daniel J Walsh wrote:
>>>>>>>> On 11/29/2011 10:56 AM, Tom wrote:
>>>>>>>>>>>> Greetings,
>>>>>>>>>>>>
>>>>>>>>>>>> This is my first attempt at writing an selinux module. I've basically done it by trying to confine the powerdns service, and then worked through all of the problems I've had in the audit log. At this point, my powerdns service seems to work well with full functionality, however, I'm sure there's about a million things I could be doing to make it better. I'm still a bit shaky on the way I've done the domain transition, and also, I'm sure there are loads of macros which I could be using, although I'm not sure whether those types of things are distribution dependent. I'm using CentOS 5.7, and have written this to fit into the targeted policy.
>>>>>>>>>>>>
>>>>>>>>>>>> I'd be glad of any advice on how to do this type of thing in a more efficient way.
>>>>>>>>>>>>
>>>>>>>>>>>> Many thanks. Tom.
>>>>>>>>>>>>
>>>>>>>>>>>> # cat pdns.te
>>>>>>>>>>>> # PowerDNS targeted enforcement module
>>>>>>>>>>>>
>>>>>>>>>>>> policy_module(pdns,1.0.0)
>>>>>>>>>>>>
>>>>>>>>>>>> require {
>>>>>>>>>>>>     type etc_t;
>>>>>>>>>>>>     type lib_t;
>>>>>>>>>>>>     type usr_t;
>>>>>>>>>>>>     type ld_so_cache_t;
>>>>>>>>>>>>     type ld_so_t;
>>>>>>>>>>>>     type lib_t;
>>>>>>>>>>>>     type locale_t;
>>>>>>>>>>>>     type var_run_t;
>>>>>>>>>>>>     type devlog_t;
>>>>>>>>>>>>     type syslogd_t;
>>>>>>>>>>>>     type initrc_var_run_t;
>>>>>>>>>>>>     type dns_port_t;
>>>>>>>>>>>>     type inaddr_any_node_t;
>>>>>>>>>>>>     type transproxy_port_t;
>>>>>>>>>>>>     type mysqld_port_t;
>>>>>>>>>>>>     type mssql_port_t;
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> type pdns_t;
>>>>>>>>>>>> type pdns_exec_t;
>>>>>>>>>>>>
>>>>>>>>>>>> domain_type(pdns_t)
>>>>>>>>>>>> domain_entry_file(pdns_t, pdns_exec_t)
>>>>>>>>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>>>>>>>>
>>>>>>>>>>>> # /etc/pdns/pdns.conf
>>>>>>>>>>>> type pdns_conf_t;
>>>>>>>>>>>> files_config_file(pdns_conf_t)
>>>>>>>>>>>>
>>>>>>>>>>>> # /var/run/pdns.pid
>>>>>>>>>>>> type pdns_var_run_t;
>>>>>>>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>>>>>>>
>>>>>>>>>>>> allow pdns_t etc_t:dir search;
>>>>>>>>>>>> allow pdns_t etc_t:file { getattr read };
>>>>>>>>>>>> allow pdns_t usr_t:dir search;
>>>>>>>>>>>> allow pdns_t usr_t:file { write create read getattr };
>>>>>>>>>>>> allow pdns_t lib_t:dir { search getattr };
>>>>>>>>>>>> allow pdns_t lib_t:lnk_file read;
>>>>>>>>>>>> allow pdns_t lib_t:file { read getattr execute };
>>>>>>>>>>>> allow pdns_t ld_so_cache_t:file read;
>>>>>>>>>>>> allow pdns_t ld_so_cache_t:file getattr;
>>>>>>>>>>>> allow pdns_t ld_so_t:file { read execute };
>>>>>>>>>>>> allow pdns_t locale_t:file { read getattr };
>>>>>>>>>>>> allow pdns_t pdns_conf_t:file read;
>>>>>>>>>>>> allow pdns_t var_run_t:dir { write remove_name add_name };
>>>>>>>>>>>> allow pdns_t var_run_t:sock_file { unlink create setattr };
>>>>>>>>>>>> allow pdns_t var_run_t:file { write create };
>>>>>>>>>>>> allow pdns_t devlog_t:sock_file write;
>>>>>>>>>>>> allow pdns_t syslogd_t:unix_dgram_socket sendto;
>>>>>>>>>>>> allow pdns_t initrc_var_run_t:file write;
>>>>>>>>>>>> allow pdns_t pdns_exec_t:file execute_no_trans;
>>>>>>>>>>>>
>>>>>>>>>>>> allow pdns_t self:process sigkill;
>>>>>>>>>>>> allow pdns_t self:fifo_file { getattr read ioctl write };
>>>>>>>>>>>> allow pdns_t self:capability { chown fsetid net_bind_service setuid setgid kill };
>>>>>>>>>>>> allow pdns_t self:unix_dgram_socket { create connect write };
>>>>>>>>>>>> allow pdns_t self:udp_socket { create bind read getattr write };
>>>>>>>>>>>> allow pdns_t self:tcp_socket { create bind read getattr write setopt listen connect shutdown accept getopt ioctl };
>>>>>>>>>>>>
>>>>>>>>>>>> allow pdns_t inaddr_any_node_t:udp_socket node_bind;
>>>>>>>>>>>> allow pdns_t inaddr_any_node_t:tcp_socket node_bind;
>>>>>>>>>>>>
>>>>>>>>>>>> # TCP + UDP Port 53
>>>>>>>>>>>> allow pdns_t dns_port_t:udp_socket name_bind;
>>>>>>>>>>>> allow pdns_t dns_port_t:tcp_socket name_bind;
>>>>>>>>>>>>
>>>>>>>>>>>> # TCP 8081 for PDNS Web Server
>>>>>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>>>>>>>>>>
>>>>>>>>>>>> # DB Connectivity
>>>>>>>>>>>> allow pdns_t mysqld_port_t:tcp_socket name_connect;
>>>>>>>>>>>> allow pdns_t mssql_port_t:tcp_socket name_connect;
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # cat pdns.fc
>>>>>>>>>>>> /usr/sbin/pdns_server -- gen_context(system_u:object_r:pdns_exec_t,s0)
>>>>>>>>>>>> /var/run/pdns.pid -- gen_context(system_u:object_r:pdns_var_run_t,s0)
>>>>>>>>>>>> /etc/pdns/pdns.conf -- gen_context(system_u:object_r:pdns_conf_t,s0)
>>>>>>>>>>>>
>>>>>>>> Tom try to remove the entire require block. You should be using interfaces and not using the types directly in your policy.
>>>>>>>>
>>>>>>>> All interfaces are available under /usr/share/selinux/devel/include/...
>>>>>>>>
>>>>>>>> For example.
>>>>>>>>>>>> allow pdns_t etc_t:dir search;
>>>>>>>>>>>> allow pdns_t etc_t:file { getattr read };
>>>>>>>>>>>> allow pdns_t usr_t:dir search;
>>>>>>>>>>>> allow pdns_t usr_t:file { write create read getattr };
>>>>>>>> Should be
>>>>>>>>
>>>>>>>> files_read_etc_files(pdns_t)
>>>>>>>> files_read_usr_files(pdns_t)
>>>>>>>>
>>>>>>>>
>>>>>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>>>>>> Should be
>>>>>>>>
>>>>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>>>>>
>>>>>>>>
>>>>>
>>>>>
>> What default_t files do you have on your system? default_t means these are files on the system that SELinux has no idea what the content is. It usually means you added a new directory at /. If you could classify this data as label and label it correctly you should be able to remove the files_read_default. Most confined apps are not allowed to use content labeled default_t.
>>
>
> Excellent, then I think your policy looks good from a cursory review.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk7Xjf8ACgkQrlYvE4MpobMcRACfTblmFXgiITDHEW6yZv5qAPwT
> 3uoAoKthjiYOAgExf8flV86AJWpdJ3iG
> =Vbuz
> -----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
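A check a policy author can run over a raw audit2allow-style .te before refactoring it along the lines of this review, as an added example (not code from the thread, nor from any SELinux project): it flags the three things the replies above keep coming back to, namely a require block, raw allow rules that an interface already covers, and write access to a generic type that calls for a dedicated type plus a filetrans. The generic-type list, the interface table and the sample rules are constructed from what the thread names; the interface table holds only the substitutions given in the replies, so any other rule is reported without a suggested rewrite.

```python
"""Lint raw SELinux allow rules for the problems raised in the thread.

Added example, not code from the thread or from any SELinux project.
The generic-type list and interface table below are constructed from the
types and interfaces named in the replies; they are not a complete map of
the reference policy.
"""
import re

# Generic types the review says a module should reach only through interfaces.
GENERIC_TYPES = {"etc_t", "usr_t", "var_run_t", "lib_t", "ld_so_t",
                 "ld_so_cache_t", "locale_t", "default_t"}

# Permissions that modify the object: write access to a generic type means the
# module needs its own type (pdns_var_run_t style) plus a filetrans rule.
WRITE_PERMS = {"write", "create", "unlink", "setattr", "append",
               "rename", "add_name", "remove_name"}

# (target type, object class) -> interface suggested in the thread.
INTERFACE_FOR = {
    ("etc_t", "dir"): "files_read_etc_files",
    ("etc_t", "file"): "files_read_etc_files",
    ("usr_t", "dir"): "files_read_usr_files",
    ("usr_t", "file"): "files_read_usr_files",
    ("transproxy_port_t", "tcp_socket"): "corenet_tcp_bind_transproxy_port",
}

RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;\s*$")


def parse_rule(line):
    """Return (source, target, class, set of perms) for an allow rule, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    src, tgt, cls, perms = m.groups()
    return src, tgt, cls, set(perms.strip("{} ").split())


def lint(policy_text):
    """Return findings as dicts with kind, rule, fix and advice.

    kind is 'require' for a require block (interfaces make it unnecessary),
    'own_type' for write access to a generic type, and 'interface' when the
    table has an interface that replaces the raw rule.
    """
    findings = []
    for line in policy_text.splitlines():
        rule = line.strip()
        if rule.startswith("require"):
            findings.append({"kind": "require", "rule": rule, "fix": None,
                             "advice": "remove the require block; use interfaces, not raw types"})
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        if tgt in GENERIC_TYPES and perms & WRITE_PERMS:
            # Suggested name follows the thread's pdns_t -> pdns_var_run_t pattern.
            own = (src[:-2] if src.endswith("_t") else src) + "_" + tgt
            findings.append({"kind": "own_type", "rule": rule, "fix": own,
                             "advice": f"{src} writes to generic {tgt}; declare {own}, give "
                                       f"{src} manage_*_pattern on it and a filetrans from {tgt}"})
        elif (tgt, cls) in INTERFACE_FOR:
            call = f"{INTERFACE_FOR[(tgt, cls)]}({src})"
            findings.append({"kind": "interface", "rule": rule, "fix": call,
                             "advice": f"replace with {call}"})
    return findings


def summarize(policy_text):
    """Collapse the findings into the edits the author would actually make."""
    findings = lint(policy_text)
    return {
        "drop_require": any(f["kind"] == "require" for f in findings),
        "interfaces": sorted({f["fix"] for f in findings if f["kind"] == "interface"}),
        "own_types": sorted({f["fix"] for f in findings if f["kind"] == "own_type"}),
    }


# Constructed sample: a subset of the raw rules from the first pdns.te in the thread.
SAMPLE_TE = """\
require { type etc_t; type usr_t; type var_run_t; type transproxy_port_t; }
allow pdns_t etc_t:dir search;
allow pdns_t etc_t:file { getattr read };
allow pdns_t usr_t:file { write create read getattr };
allow pdns_t var_run_t:sock_file { unlink create setattr };
allow pdns_t transproxy_port_t:tcp_socket name_bind;
allow pdns_t self:process sigkill;
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_TE):
        print(f"[{f['kind']}] {f['rule']}\n    -> {f['advice']}")
```

Run against the sample, the usr_t rule is reported as needing its own type rather than files_read_usr_files because it carries write and create, which matches the question in the thread about what in /usr the daemon is rewriting; the self:process rule produces nothing, since self is not a generic type.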