From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc network patches with Dominick's changes
Date: Wed, 27 Jan 2021 14:29:16 +0100	[thread overview]
Message-ID: <ypjl8s8ejyoj.fsf@defensec.nl> (raw)
In-Reply-To: <YBESacEBUo/hzFVH@xev> (Russell Coker's message of "Wed, 27 Jan 2021 18:12:41 +1100")

Russell Coker <russell@coker.com.au> writes:

> Here's the latest version of my misc network patch with some changes
> Dominick suggested and with the controversial things from my previous
> patch removed.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210126/policy/modules/admin/netutils.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20210126/policy/modules/admin/netutils.te
> @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
>  allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
>  allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
>  allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>  
>  corenet_all_recvfrom_netlabel(ping_t)
>  corenet_sendrecv_icmp_packets(ping_t)
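Review bot: `allow ping_t self:icmp_socket create;` grants only `create`, so the socket can be opened but never bound, configured, written or read; none of the other socket classes above it stop at `create`. If the rule exists only to silence the probe iputils ping makes (it tries an ICMP datagram socket first and falls back to a raw socket when that fails — inferred from iputils, not visible here), `dontaudit ping_t self:icmp_socket create;` states that intent honestly; if ping is meant to use the unprivileged ICMP socket where net.ipv4.ping_group_range permits it, the rule should be `allow ping_t self:icmp_socket create_socket_perms;`. As written, on a host whose ping_group_range admits the caller, socket() will succeed and the subsequent operations will be denied, leaving ping broken rather than falling back.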
> @@ -156,13 +157,14 @@ allow traceroute_t self:capability { net
>  allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
>  allow traceroute_t self:process signal;
>  allow traceroute_t self:rawip_socket create_socket_perms;
> -allow traceroute_t self:packet_socket create_socket_perms;
> +allow traceroute_t self:packet_socket { map create_socket_perms };
>  allow traceroute_t self:udp_socket create_socket_perms;
>  
>  can_exec(traceroute_t, traceroute_exec_t)
>  
>  kernel_read_system_state(traceroute_t)
>  kernel_read_network_state(traceroute_t)
> +kernel_search_fs_sysctls(traceroute_t)
>  
>  corecmd_search_bin(traceroute_t)
>  
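Review bot: `map` on traceroute_t's packet_socket and `kernel_search_fs_sysctls(traceroute_t)` are added without a word on what triggered them. `map` on a packet socket is what lets a domain mmap a packet ring (PACKET_RX_RING/TX_RING), which is a different capability from the read/write the previous rule allowed, so a comment such as `# mmap packet ring, presumably via libpcap` would let the next reader judge whether the permission is still warranted. The fs sysctl search is presumably a library path walk under /proc/sys/fs rather than something traceroute itself needs; if so, say so, or consider a dontaudit if the denial is harmless.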
> @@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t)
>  
>  logging_send_syslog_msg(traceroute_t)
>  
> +miscfiles_read_generic_certs(traceroute_t)
>  miscfiles_read_localization(traceroute_t)
>  
>  userdom_use_inherited_user_terminals(traceroute_t)
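Review bot: `miscfiles_read_generic_certs(traceroute_t)` is unexplained, and a network diagnostic tool reading the CA certificate store is surprising enough to deserve a comment. If a linked library initialises TLS or a resolver at start-up and touches the cert directory, a line like `# linked library reads CA certs at init` records why this is needed; if it is only an audit-log artefact with no functional impact, `miscfiles_dontaudit_read_generic_certs` (if available) or a plain dontaudit would be the tighter choice. Which case applies is not visible from the hunk.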
> Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
>  /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
>  
>  /etc/systemd/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf	--	gen_context(system_u:object_r:net_conf_t,s0)

minor, but best to escape the period: /etc/tor/torsocks\.conf

not sure why you associate this with net_conf_t. I probably would have
labeled all of /etc/tor tor_conf_t (for confined tor administration etc)

>  
>  ifdef(`distro_redhat',`
>  /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5)
>  # Declarations
>  #
>  
> +## <desc>
> +##      <p>
> +##      Determine whether DHCP client
> +##      can manage samba
> +##      </p>
> +## </desc>
> +gen_tunable(dhcpc_manage_samba, false)
> +
>  attribute_role dhcpc_roles;
>  roleattribute system_r dhcpc_roles;
>  
> @@ -175,6 +183,18 @@ ifdef(`init_systemd',`
>  ')
>  
>  optional_policy(`
> +	tunable_policy(`dhcpc_manage_samba',`
> +        	samba_manage_var_files(dhcpc_t)
> +		init_exec_script_files(dhcpc_t)
> +		init_get_system_status(dhcpc_t)
> +		samba_stop(dhcpc_t)
> +		samba_start(dhcpc_t)
> +		samba_reload(dhcpc_t)
> +		samba_status(dhcpc_t)
> +	')
> +')
> +
> +optional_policy(`
>  	avahi_domtrans(dhcpc_t)
>  ')
>  
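Review bot: two of the rules under `tunable_policy(`dhcpc_manage_samba'...` are not samba-specific: `init_exec_script_files(dhcpc_t)` and `init_get_system_status(dhcpc_t)`. If init_exec_script_files does what its name says, it lets dhcpc_t execute every init_script_file_t, not only samba's, which is considerably more than a DHCP client — a daemon that parses lease data received from the network — should gain from a tunable whose description reads "manage samba". Either drop it in favour of the `samba_unit_t:service` rules the same block already grants (samba_start/stop/reload/status), or state in the tunable's <desc> that enabling it also allows executing init scripts in general so an administrator knows what they are switching on. Separately, `samba_manage_var_files(dhcpc_t)` on the first line of the block is indented with spaces plus a tab while the rest use tabs; refpolicy indents with tabs only.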
> Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> @@ -25,6 +25,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	netutils_domtrans_ping(user_t)
> +')

this is already allowed conditionally as said before. you should be able
to remove this. 

> +
> +optional_policy(`
>  	screen_role_template(user, user_r, user_t)
>  ')
>  
> Index: refpolicy-2.20210126/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20210126/policy/modules/services/samba.if
> @@ -729,3 +729,79 @@ interface(`samba_admin',`
>  	files_list_tmp($1)
>  	admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
>  ')
> +
> +########################################
> +## <summary>
> +##	start samba daemon
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samba_start',`
> +	gen_require(`
> +		type samba_unit_t;
> +	')
> +
> +	allow $1 samba_unit_t:file getattr;
> +	allow $1 samba_unit_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +##	stop samba daemon
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samba_stop',`
> +	gen_require(`
> +		type samba_unit_t;
> +	')
> +
> +	allow $1 samba_unit_t:file getattr;
> +	allow $1 samba_unit_t:service stop;
> +')
> +
> +########################################
> +## <summary>
> +##	get status of samba daemon
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samba_status',`
> +	gen_require(`
> +		type samba_unit_t;
> +	')
> +
> +	allow $1 samba_unit_t:file getattr;
> +	allow $1 samba_unit_t:service status;
> +')
> +
> +########################################
> +## <summary>
> +##	reload samba daemon
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samba_reload',`
> +	gen_require(`
> +		type samba_unit_t;
> +	')
> +
> +	allow $1 samba_unit_t:file getattr;
> +	allow $1 samba_unit_t:service reload;
> +')
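Review bot: samba_start, samba_stop, samba_status and samba_reload are four copies of the same body that differ only in the service permission, which invites drift the next time one of them needs an extra rule. refpolicy's init module already provides generic unit-file start/stop interfaces (init_startstop_service and friends) that admin interfaces in other modules use; if the aim is merely to give a caller control over the samba unit, a single interface taking the caller and granting the set is easier to audit. All four `gen_require` samba_unit_t, whose declaration in samba.te is not part of this patch and not visible here, so please confirm it is already declared as a unit file type.
```c
interface(`samba_startstop',`
	gen_require(`
		type samba_unit_t;
	')

	allow $1 samba_unit_t:file getattr;
	allow $1 samba_unit_t:service { start stop status reload };
')
```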
> Index: refpolicy-2.20210126/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210126/policy/modules/services/mon.te
> @@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
>  manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
>  files_runtime_filetrans(mon_t, mon_runtime_t, file)
>  
> +# to read fips_enabled
> +kernel_read_crypto_sysctls(mon_t)
> +
>  kernel_read_kernel_sysctls(mon_t)
>  kernel_read_network_state(mon_t)
>  kernel_read_system_state(mon_t)
> Index: refpolicy-2.20210126/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20210126/policy/modules/services/mailman.te
> @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
>  dev_read_urand(mailman_cgi_t)
>  
>  files_search_locks(mailman_cgi_t)
> +files_read_usr_files(mailman_cgi_t)
>  
>  term_use_controlling_term(mailman_cgi_t)
>  
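Review bot: `files_read_usr_files(mailman_cgi_t)` is inserted after `files_search_locks(mailman_cgi_t)`, but refpolicy keeps calls sharing a module prefix in alphabetical order, so it belongs on the line above. A short comment on what under /usr the CGI reads would also help; the rest of the mailman_cgi_t rules continue outside this hunk.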
> Index: refpolicy-2.20210126/policy/modules/services/dkim.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/dkim.te
> +++ refpolicy-2.20210126/policy/modules/services/dkim.te
> @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi
>  
>  corenet_udp_bind_generic_node(dkim_milter_t)
>  corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
> +corenet_udp_bind_generic_port(dkim_milter_t)
>  
>  dev_read_urand(dkim_milter_t)
>  # for cpu/online
>
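Review bot: `corenet_udp_bind_generic_port(dkim_milter_t)` sits directly under `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` with no comment on which bind it was added for. Binding to port_t, the type for ports not otherwise labelled, is a different and broader grant than the unreserved range; if the denial came from one specific port it would be tighter to label that port or use its dedicated interface, and otherwise a comment such as `# bind to unlabelled port for <reason>` should say why the generic type is needed. The `# for cpu/online` comment at the end of the hunk belongs to a rule outside it.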

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
