From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: another memlockd patch
Date: Fri, 10 Apr 2020 10:10:57 +0200 [thread overview]
Message-ID: <ypjl369bn4ku.fsf@defensec.nl> (raw)
In-Reply-To: <20200410060317.GB35896@xev> (Russell Coker's message of "Fri, 10 Apr 2020 16:03:17 +1000")
Russell Coker <russell@coker.com.au> writes:
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> I think this resolves all issues Chris raised.
>
>
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.fc
> @@ -0,0 +1 @@
> +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0)
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.if
> @@ -0,0 +1,2 @@
> +## <summary>memory lock daemon, keeps important files in RAM.</summary>
> +
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.te
> @@ -0,0 +1,37 @@
> +policy_module(memlockd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type memlockd_t;
> +type memlockd_exec_t;
> +init_daemon_domain(memlockd_t, memlockd_exec_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow memlockd_t self:capability { setgid setuid ipc_lock };
> +allow memlockd_t self:fifo_file rw_file_perms;
> +allow memlockd_t self:unix_dgram_socket { create connect };
the unix dgram socket creating is probably redundant and implied with
logging_send_logs_msg() as journald uses dgram_sendto for logging?
> +
> +# cache /etc/shadow too
> +auth_read_shadow(memlockd_t)
Hmm since /etc/shadow is mode 000, how is memlock able to read this
without cap_dac_read_search access. is that implied?
> +auth_map_shadow(memlockd_t)
> +
> +corecmd_exec_all_executables(memlockd_t)
> +corecmd_exec_bin(memlockd_t)
> +corecmd_exec_shell(memlockd_t)
> +corecmd_read_all_executables(memlockd_t)
> +corecmd_search_bin(memlockd_t)
> +files_read_etc_files(memlockd_t)
> +libs_exec_ld_so(memlockd_t)
> +files_map_etc_files(memlockd_t)
> +
> +logging_send_syslog_msg(memlockd_t)
> +miscfiles_read_localization(memlockd_t)
> +
> +sysnet_mmap_read_config(memlockd_t)
> Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if
> @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
>
> #######################################
> ## <summary>
> +## map network config files.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to mmap the
> +## general network configuration files.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_mmap_read_config',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 net_conf_t:file mmap_read_file_perms;
> +')
> +
> +#######################################
> +## <summary>
> ## Do not audit attempts to read network config files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20200410/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20200410/policy/modules/system/authlogin.if
> @@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
>
> ########################################
> ## <summary>
> +## Map the shadow passwords file (/etc/shadow)
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_map_shadow',`
> + gen_require(`
> + type shadow_t;
> + ')
> + allow $1 shadow_t:file map;
> +')
> +
> +########################################
> +## <summary>
> ## Pass shadow assertion for reading.
> ## </summary>
> ## <desc>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
next prev parent reply other threads:[~2020-04-10 8:11 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-10 6:03 another memlockd patch Russell Coker
2020-04-10 8:10 ` Dominick Grift [this message]
2020-04-10 9:40 ` Russell Coker
2020-04-14 15:04 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ypjl369bn4ku.fsf@defensec.nl \
--to=dominick.grift@defensec.nl \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.