From: Dominick Grift <dominick.grift@defensec.nl>
To: Ian Pilcher <arequipeno@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: How to write a policy for a "service wrapper"?
Date: Mon, 11 Nov 2024 19:33:05 +0100
Message-ID: <87ldxp8vtq.fsf@defensec.nl>
In-Reply-To: <435b1b8a-a6b6-4180-a038-520d226b88ef@gmail.com> (Ian Pilcher's message of "Mon, 11 Nov 2024 10:14:02 -0600")
Ian Pilcher <arequipeno@gmail.com> writes:
> I have a service (stunnel) that runs in a confined domain (stunnel_t).
>
> Due to changes in Fedora's systemwide cryptographic policy, I need to
> run this service under the "legacy" cryptographic policy, using the
> 'runcp' wrapper[1].
>
> So my idea is to create new domain for the wrapper (runcp_t or similar),
> give that domain the permissions required to perform its functions, and
> then use a type transition rule to run the actual service in its normal
> domain.
>
> It's simple enough to write a type transition rule for a specific
> service, e.g.:
>
> type_transition runcp_t stunnel_exec_t:process stunnel_t;
>
> However, it would obviously be nice to allow the wrapper to be used
> without the need for service-specific rules.
>
> Any service that normally runs in a confined domain presumably already
> provides a type transition rule for the init system, e.g.:
>
> type_transition init_t stunnel_exec_t:process stunnel_t;
>
> Is there some way that I can make the wrapper take advantage of these
> rules, possibly by transitioning back to init_t?
You can label the runcp command with a private executable file type and
then allow systemd to execute it without a transition effectively
running runcp in init_t just like systemd. Then when runcp executes
stunnel it should transparently transition from init_t to stunnel_t as
if runcp was not there.
>
> [1]
> https://gitlab.com/redhat-crypto/crypto-policies-extras/-/blob/main/runcp.c
--
gpg --locate-keys dominick.grift@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl
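Dominick's suggestion written out as a reference-policy style module. This is an added example, not code from the thread or from the crypto-policies project; the module name, the type name runcp_exec_t and the install path /usr/bin/runcp are assumptions. The trade-off versus the runcp_t design in the question is that runcp runs with init_t's full privileges until it execs the service, so the wrapper binary itself has to be trusted like systemd.

```selinux
# runcp.te -- hypothetical module; names and path are assumptions
policy_module(runcp, 1.0.0)

gen_require(`
    type init_t;
')

# Private file type for the wrapper binary only. Nothing else is
# labelled with it, so the execute_no_trans grant below cannot be
# reused to run other binaries in init_t.
type runcp_exec_t;
application_executable_file(runcp_exec_t)

# systemd (init_t) executes the wrapper *without* a domain transition:
# can_exec() grants execute_no_trans and no type_transition names
# runcp_exec_t, so the process stays in init_t while runcp runs.
can_exec(init_t, runcp_exec_t)

# Deliberately no rules for the wrapped service. When runcp, still in
# init_t, execs /usr/bin/stunnel (stunnel_exec_t), the service's own
#     type_transition init_t stunnel_exec_t:process stunnel_t;
# fires exactly as it does for a direct ExecStart= of stunnel, so no
# per-service rule is needed in this module.

# runcp.fc -- file context; the install path is an assumption
/usr/bin/runcp    --    gen_context(system_u:object_r:runcp_exec_t,s0)
```

Build with `make -f /usr/share/selinux/devel/Makefile runcp.pp`, install with `semodule -i runcp.pp`, then `restorecon -v /usr/bin/runcp` so the binary picks up runcp_exec_t. `sesearch -T -s init_t -t stunnel_exec_t -c process` shows the existing transition the wrapped exec will follow.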