How to write a policy for a "service wrapper"?

How to write a policy for a "service wrapper"?

[Ian Pilcher]

I have a service (stunnel) that runs in a confined domain (stunnel_t).

Due to changes in Fedora's systemwide cryptographic policy, I need to
run this service under the "legacy" cryptographic policy, using the
'runcp' wrapper[1].

So my idea is to create new domain for the wrapper (runcp_t or similar),
give that domain the permissions required to perform its functions, and
then use a type transition rule to run the actual service in its normal
domain.

It's simple enough to write a type transition rule for a specific
service, e.g.:

   type_transition runcp_t stunnel_exec_t:process stunnel_t;

However, it would obviously be nice to allow the wrapper to be used
without the need for service-specific rules.

Any service that normally runs in a confined domain presumably already
provides a type transition rule for the init system, e.g.:

   type_transition init_t stunnel_exec_t:process stunnel_t;

Is there some way that I can make the wrapper take advantage of these
rules, possibly by transitioning back to init_t?

[1] 
https://gitlab.com/redhat-crypto/crypto-policies-extras/-/blob/main/runcp.c

-- 
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================

Re: How to write a policy for a "service wrapper"?

[Dominick Grift]

Ian Pilcher <arequipeno@gmail.com> writes:

> I have a service (stunnel) that runs in a confined domain (stunnel_t).
>
> Due to changes in Fedora's systemwide cryptographic policy, I need to
> run this service under the "legacy" cryptographic policy, using the
> 'runcp' wrapper[1].
>
> So my idea is to create new domain for the wrapper (runcp_t or similar),
> give that domain the permissions required to perform its functions, and
> then use a type transition rule to run the actual service in its normal
> domain.
>
> It's simple enough to write a type transition rule for a specific
> service, e.g.:
>
>   type_transition runcp_t stunnel_exec_t:process stunnel_t;
>
> However, it would obviously be nice to allow the wrapper to be used
> without the need for service-specific rules.
>
> Any service that normally runs in a confined domain presumably already
> provides a type transition rule for the init system, e.g.:
>
>   type_transition init_t stunnel_exec_t:process stunnel_t;
>
> Is there some way that I can make the wrapper take advantage of these
> rules, possibly by transitioning back to init_t?

You can label the runcp command with a private executable file type and
then allow systemd to execute it without a transition effectively
running runcp in init_t just like systemd. Then when runcp executes
stunnel it should transparently transition from init_t to stunnel_t as
if runcp was not there.

>
> [1]
> https://gitlab.com/redhat-crypto/crypto-policies-extras/-/blob/main/runcp.c

-- 
gpg --locate-keys dominick.grift@defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl

Re: How to write a policy for a "service wrapper"?

[Ian Pilcher]

On 11/11/24 12:33 PM, Dominick Grift wrote:
> 
> Ian Pilcher <arequipeno@gmail.com> writes:
> 
>>
>> Is there some way that I can make the wrapper take advantage of these
>> rules, possibly by transitioning back to init_t?
> 
> You can label the runcp command with a private executable file type and
> then allow systemd to execute it without a transition effectively
> running runcp in init_t just like systemd. Then when runcp executes
> stunnel it should transparently transition from init_t to stunnel_t as
> if runcp was not there.
> 

I like it!

Thanks!

-- 
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================