From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc network patches with Dominick's changes
Date: Wed, 27 Jan 2021 14:29:16 +0100 [thread overview]
Message-ID: <ypjl8s8ejyoj.fsf@defensec.nl> (raw)
In-Reply-To: <YBESacEBUo/hzFVH@xev> (Russell Coker's message of "Wed, 27 Jan 2021 18:12:41 +1100")
Russell Coker <russell@coker.com.au> writes:
> Here's the latest version of my misc network patch with some changes
> Dominick suggested and with the controversial things from my previous
> patch removed.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210126/policy/modules/admin/netutils.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20210126/policy/modules/admin/netutils.te
> @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
> allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
> allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
> allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>
> corenet_all_recvfrom_netlabel(ping_t)
> corenet_sendrecv_icmp_packets(ping_t)
> @@ -156,13 +157,14 @@ allow traceroute_t self:capability { net
> allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
> allow traceroute_t self:process signal;
> allow traceroute_t self:rawip_socket create_socket_perms;
> -allow traceroute_t self:packet_socket create_socket_perms;
> +allow traceroute_t self:packet_socket { map create_socket_perms };
> allow traceroute_t self:udp_socket create_socket_perms;
>
> can_exec(traceroute_t, traceroute_exec_t)
>
> kernel_read_system_state(traceroute_t)
> kernel_read_network_state(traceroute_t)
> +kernel_search_fs_sysctls(traceroute_t)
>
> corecmd_search_bin(traceroute_t)
>
> @@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t)
>
> logging_send_syslog_msg(traceroute_t)
>
> +miscfiles_read_generic_certs(traceroute_t)
> miscfiles_read_localization(traceroute_t)
>
> userdom_use_inherited_user_terminals(traceroute_t)
> Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
> /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
>
> /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
minor but bet to escape the period: /etc/tor/torsocks\.conf
not sure why you associate this with net_conf_t. I probably would have
labeled all of /etc/tor tor_conf_t (for confined tor administration etc)
>
> ifdef(`distro_redhat',`
> /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Determine whether DHCP client
> +## can manage samba
> +## </p>
> +## </desc>
> +gen_tunable(dhcpc_manage_samba, false)
> +
> attribute_role dhcpc_roles;
> roleattribute system_r dhcpc_roles;
>
> @@ -175,6 +183,18 @@ ifdef(`init_systemd',`
> ')
>
> optional_policy(`
> + tunable_policy(`dhcpc_manage_samba',`
> + samba_manage_var_files(dhcpc_t)
> + init_exec_script_files(dhcpc_t)
> + init_get_system_status(dhcpc_t)
> + samba_stop(dhcpc_t)
> + samba_start(dhcpc_t)
> + samba_reload(dhcpc_t)
> + samba_status(dhcpc_t)
> + ')
> +')
> +
> +optional_policy(`
> avahi_domtrans(dhcpc_t)
> ')
>
> Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> @@ -25,6 +25,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + netutils_domtrans_ping(user_t)
> +')
this is already allowed conditionally as said before. you should be able
to remove this.
> +
> +optional_policy(`
> screen_role_template(user, user_r, user_t)
> ')
>
> Index: refpolicy-2.20210126/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20210126/policy/modules/services/samba.if
> @@ -729,3 +729,79 @@ interface(`samba_admin',`
> files_list_tmp($1)
> admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
> ')
> +
> +########################################
> +## <summary>
> +## start samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_start',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +## stop samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_stop',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service stop;
> +')
> +
> +########################################
> +## <summary>
> +## get status of samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_status',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service status;
> +')
> +
> +########################################
> +## <summary>
> +## reload samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_reload',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service reload;
> +')
> Index: refpolicy-2.20210126/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210126/policy/modules/services/mon.te
> @@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
> manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
> files_runtime_filetrans(mon_t, mon_runtime_t, file)
>
> +# to read fips_enabled
> +kernel_read_crypto_sysctls(mon_t)
> +
> kernel_read_kernel_sysctls(mon_t)
> kernel_read_network_state(mon_t)
> kernel_read_system_state(mon_t)
> Index: refpolicy-2.20210126/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20210126/policy/modules/services/mailman.te
> @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
> dev_read_urand(mailman_cgi_t)
>
> files_search_locks(mailman_cgi_t)
> +files_read_usr_files(mailman_cgi_t)
>
> term_use_controlling_term(mailman_cgi_t)
>
> Index: refpolicy-2.20210126/policy/modules/services/dkim.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/dkim.te
> +++ refpolicy-2.20210126/policy/modules/services/dkim.te
> @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi
>
> corenet_udp_bind_generic_node(dkim_milter_t)
> corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
> +corenet_udp_bind_generic_port(dkim_milter_t)
>
> dev_read_urand(dkim_milter_t)
> # for cpu/online
>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
next prev parent reply other threads:[~2021-01-27 13:32 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-27 7:12 [PATCH] misc network patches with Dominick's changes Russell Coker
2021-01-27 13:29 ` Dominick Grift [this message]
2021-01-27 16:35 ` Russell Coker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ypjl8s8ejyoj.fsf@defensec.nl \
--to=dominick.grift@defensec.nl \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.