selinux-refpolicy.vger.kernel.org archive mirror
From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches
Date: Thu, 21 Jan 2021 14:35:42 +0100
Message-ID: <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
In-Reply-To: <1730727.gRP4Mpsj7r@liv>



On 1/21/21 2:25 PM, Russell Coker wrote:
> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>>  /usr/sbin/suexec					--	
> gen_context(system_u:object_r:httpd_suexec_exec_
>>>  t,s0)
>>>  /usr/sbin/wigwam					--	
> gen_context(system_u:object_r:httpd_exec_t,s0)> 
>>> +/usr/sbin/php7..-fpm					--	
> gen_context(system_u:object_r:httpd_exec_t,s0
>>> )
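Review bot: the file-context regex `/usr/sbin/php7..-fpm` pins the match to exactly two characters after `php7`, so `php7.4-fpm` matches but `php8.0-fpm` or `php7.10-fpm` fall through to the default context and the line has to be revisited on every PHP release; `/usr/sbin/php.*-fpm` covers the versioned binary names without that maintenance.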
>>
>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"
> 
> OK, I'll change that.
> 
>>> +interface(`apache_delete_squirrelmail_spool',`
>>> +	gen_require(`
>>> +		type squirrelmail_spool_t;
>>> +	')
>>> +
>>> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>> +	allow $1 squirrelmail_spool_t:file delete_file_perms;
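Review bot: `rw_dir_perms` on `squirrelmail_spool_t:dir` grants more directory access than deleting files needs; the refpolicy idiom here is `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)`, which limits the directory side to removing entries (`del_entry_dir_perms`) while keeping `delete_file_perms` on the files, and replaces both `allow` lines.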
>>
>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
> 
> OK.
>  
>>>  tunable_policy(`httpd_enable_homedirs',`
>>>
>>> -	userdom_search_user_home_dirs(httpd_t)
>>> +	userdom_list_user_home_content(httpd_t)
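Review bot: replacing `userdom_search_user_home_dirs(httpd_t)` with `userdom_list_user_home_content(httpd_t)` inside the `httpd_enable_homedirs` tunable widens what that boolean grants from traversing home directories to listing all user home content, which is what the separate `httpd_read_user_content` boolean exists for; keep the search call here and let deployments that need the listing enable that boolean.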
>>
>> this is not how it was designed. If you want that functionality then set
>> httpd_read_user_content boolean to true instead
> 
> OK, I'll delete that patch and do it a better way next time I see a case for 
> it.
> 
>>>  allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>>  allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>>  allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>>  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>
>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
>>>
>>>  getattr read setopt };
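Review bot: the hand-picked list `{ bind create getattr read setopt }` on `netlink_kobject_uevent_socket` should be `create_socket_perms`, matching the `netlink_selinux_socket` rule just above it; using the permission set keeps the granted set defined in one place instead of growing this rule one denial at a time.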
>>
>> create_socket_perms, use the permission sets and patterns where appropriate
> 
> ok
> 
>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>
>>>  allow l2tpd_t self:tcp_socket { accept listen };
>>>  allow l2tpd_t self:unix_dgram_socket sendto;
>>>  allow l2tpd_t self:unix_stream_socket { accept listen };
>>>
>>> +allow l2tpd_t self:pppox_socket create;
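Review bot: `pppox_socket create` on its own is unusual, since a socket that is created is normally also inspected or configured, and the refpolicy style would be `create_socket_perms`; if testing really showed that only `create` is exercised, a one-line comment above the rule saying so would keep the next reviewer from widening it without evidence.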
>>
>> create_socket_perms probably eventually
> 
> Maybe, but for the moment I think it's best to leave them like that.  I had it 
> working fully only needing those accesses.
> 
>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>>
>>>  		type mysqld_t;
>>>  	
>>>  	')
>>>
>>> -	allow $1 mysqld_t:process signal;
>>> +	allow $1 mysqld_t:process { signull signal };
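Review bot: adding `signull` to `mysql_signal()` changes the access of every existing caller of the interface, not only the domain that hit the denial; add a separate `mysql_signull()` interface with `allow $1 mysqld_t:process signull;` and call that where it is needed, so callers keep selecting the narrowest access.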
>>
>> create a new mysql_signull()
>>
>> by generalizing interfaces and putting them out of context you're
>> shutting down doors for fine grained access control.
> 
> OK, I'll drop that patch and add a mysql_signull() next time I see the need 
> for it (probably a week or two).
> 
>>>  optional_policy(`
>>>
>>> +	dbus_send_system_bus(smbd_t)
>>> +	dbus_system_bus_client(smbd_t)
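Review bot: `dbus_send_system_bus(smbd_t)` is already implied by `dbus_system_bus_client(smbd_t)`; drop the first line and keep only the client interface.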
>>
>> dbus_send_system_bus(smbd_t) is redundant (already implied with
>> dbus_system_bus_client(smbd_t))
> 
> ok
> 
>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>>
>>>  allow squid_t self:unix_dgram_socket sendto;
>>>  allow squid_t self:unix_stream_socket { accept connectto listen };
>>>  allow squid_t self:tcp_socket { accept listen };
>>>
>>> +allow squid_t self:netlink_netfilter_socket
>>> all_netlink_netfilter_socket_perms;
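Review bot: `all_netlink_netfilter_socket_perms` is the broadest set available for the class and more than a daemon that opens the socket and talks over it needs; `create_socket_perms` is the usual choice for that and is consistent with how the rest of this `self:` block is scoped.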
>>
>> probably just create_socket_perms?
> 
> OK.
> 
>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>
>>>  	init_dbus_chat(sshd_t)
>>>  	systemd_dbus_chat_logind(sshd_t)
>>>  	init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
>>>
>>> +	systemd_read_logind_sessions_files(sshd_t)
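Review bot: `systemd_read_logind_sessions_files(sshd_t)` covers logind session state that any PAM login program will need, not something specific to sshd, so it belongs in the authlogin layer (for example `auth_use_pam()` or `auth_login_pgm_domain()`) rather than being added per service. Also, the context line `init_rw_stream_so...ckets(sshd_t)` is mangled in this copy of the hunk (it should read `init_rw_stream_sockets(sshd_t)`), so the patch will not apply as pasted.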
>>
>> This should probably be addressed on the lower authlogin level instead
> 
> auth_login_pgm_domain()?

I would consider adding it to auth_use_pam(), but it's a good question.

> 
> In another patch I have systemd_connect_machined(sshd_t) which I guess should 
> go in the same one too.

Which patch was that? That does not look right, if only because the name of
the interface isn't very descriptive (there is no way to unix stream connect
or unix dgram sendto machined).

So this is either about systemd's nss mymachines (in which case it
belongs in auth_use_nsswitch()) or about reading systemd's
/var/run/machines, in which case the interface name is wrong.

> 
> 
> Thanks for all the suggestions.  I'll send an updated version shortly.
> 
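As an added illustration, not code from this thread or from refpolicy itself, here is how the review points above look when written in refpolicy's interface style: a dedicated `mysql_signull()` interface next to the existing `mysql_signal()` (the thread only proposes it, so its body and doc block are assumed), the squirrelmail spool interface rewritten with `delete_files_pattern()`, and the cupsd and squid socket rules using `create_socket_perms` in place of a hand-picked list or an `all_*` set.

```m4
# policy/modules/services/mysql.if (added example, not refpolicy's own code)
########################################
## <summary>
##	Send a null signal to the MySQL daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_signull',`
	gen_require(`
		type mysqld_t;
	')

	# Kept separate from mysql_signal() so a caller that only needs to
	# probe for the daemon (signull) is not also granted signal.
	allow $1 mysqld_t:process signull;
')

# policy/modules/services/apache.if (added example)
########################################
## <summary>
##	Delete files in the squirrelmail spool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_delete_squirrelmail_spool',`
	gen_require(`
		type squirrelmail_spool_t;
	')

	# delete_files_pattern() expands to del_entry_dir_perms on the
	# directory type and delete_file_perms on the file type, which is
	# narrower than granting rw_dir_perms on the directory.
	delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
')

# policy/modules/services/cups.te and squid.te (added example): socket
# rules written with the permission set rather than a hand-picked or
# all_* list, matching the surrounding self: rules in each module.
allow cupsd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow squid_t self:netlink_netfilter_socket create_socket_perms;
```

The doc comment block (`## <summary>` and `## <param>`) is what refpolicy's interface documentation is generated from, so a new interface without it will be flagged at build time; the `gen_require` block declares the types the interface touches so the module can be compiled and linked independently of where the caller lives.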

Thread overview: 11+ messages
2021-01-20 10:08 [PATCH] misc services patches Russell Coker
2021-01-20 14:53 ` Dominick Grift
2021-01-21 13:25   ` Russell Coker
2021-01-21 13:35     ` Dominick Grift [this message]
2021-01-21 13:40       ` Dominick Grift
2021-01-22  2:24       ` Russell Coker
2021-01-22  7:02         ` Dominick Grift
  -- strict thread matches above, loose matches on Subject: below --
2021-02-03  4:08 Russell Coker
2021-02-03 18:06 ` Dominick Grift
2019-01-04  7:33 Russell Coker
2019-01-05 18:34 ` Chris PeBenito
