To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
References: <1730727.gRP4Mpsj7r@liv>
From: Dominick Grift
Subject: Re: [PATCH] misc services patches
Message-ID: <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
Date: Thu, 21 Jan 2021 14:35:42 +0100
In-Reply-To: <1730727.gRP4Mpsj7r@liv>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/21/21 2:25 PM, Russell Coker wrote:
> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>> /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>>> /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
>>> +/usr/sbin/php7..-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
>>
>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"
>
> OK, I'll change that.
>
>>> +interface(`apache_delete_squirrelmail_spool',`
>>> +	gen_require(`
>>> +		type squirrelmail_spool_t;
>>> +	')
>>> +
>>> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>> +	allow $1 squirrelmail_spool_t:file delete_file_perms;
>>
>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
>
> OK.
>
>>> tunable_policy(`httpd_enable_homedirs',`
>>> -	userdom_search_user_home_dirs(httpd_t)
>>> +	userdom_list_user_home_content(httpd_t)
>>
>> this is not how it was designed. If you want that functionality then set
>> httpd_read_user_content boolean to true instead
>
> OK, I'll delete that patch and do it a better way next time I see a case for
> it.
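Review bot: In the file_contexts entry `/usr/sbin/php7..-fpm` the two unescaped dots are regex wildcards, so the entry matches any two characters after `php7` (not only a version like `7.4`) while still failing to match `php8.0-fpm` and later; file_contexts regexes must match the whole path, so a newer binary would simply not be labeled `httpd_exec_t`. A version-agnostic pattern such as the suggested `/usr/sbin/php.*-fpm`, or one that pins the shape of the version, e.g. `/usr/sbin/php[0-9]*(\.[0-9]+)?-fpm`, avoids re-editing the entry on every PHP release.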
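Review bot: In `apache_delete_squirrelmail_spool`, `rw_dir_perms` on `squirrelmail_spool_t:dir` grants `add_name`, `read` and `open`, none of which deleting files requires; `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)` grants only the directory-entry removal permissions plus `delete_file_perms` on the file, which is what the interface name promises. The quoted hunk also starts at `interface(`, so make sure the full patch carries the `## <summary>` and `## <param>` doc comment refpolicy expects above every interface.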
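Review bot: Replacing `userdom_search_user_home_dirs(httpd_t)` with `userdom_list_user_home_content(httpd_t)` inside `tunable_policy(`httpd_enable_homedirs'` widens an existing boolean from searching home directories to listing every directory under them for all users, changing what administrators who already enabled it get. Content access is what `httpd_read_user_content` is for, so keep `httpd_enable_homedirs` at the search permission and drop this hunk.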
>
>>> allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>> allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>> allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>> allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>
>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
>>
>> create_socket_perms, use the permission sets and patterns where appropriate
>
> ok
>
>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>
>>> allow l2tpd_t self:tcp_socket { accept listen };
>>> allow l2tpd_t self:unix_dgram_socket sendto;
>>> allow l2tpd_t self:unix_stream_socket { accept listen };
>>>
>>> +allow l2tpd_t self:pppox_socket create;
>>
>> create_socket_perms probably eventually
>
> Maybe, but for the moment I think it's best to leave them like that. I had it
> working fully only needing those accesses.
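Review bot: The hand-picked `{ bind create getattr read setopt }` on `cupsd_t self:netlink_kobject_uevent_socket` will need another patch the first time cupsd uses a permission outside that list (`write`, `getopt`, `ioctl`); the `netlink_selinux_socket` rule two lines above in the same block already uses `create_socket_perms`, so using the same set here keeps the block consistent and is the refpolicy convention for a domain's own sockets.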
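Review bot: `allow l2tpd_t self:pppox_socket create;` with no `ioctl`, `read` or `write` is an unusual grant for a socket class, and the stated reason (the daemon was observed to need only `create`) lives only in this thread. If the rule is kept as-is, a one-line comment above it in l2tp.te saying that only creation was needed would stop the next reviewer from widening it to `create_socket_perms` without evidence.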
>
>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>> 		type mysqld_t;
>>> 	')
>>>
>>> -	allow $1 mysqld_t:process signal;
>>> +	allow $1 mysqld_t:process { signull signal };
>>
>> create a new mysql_signull()
>>
>> by generalizing interfaces and putting them out of context you're
>> shutting down doors for fine-grained access control.
>
> OK, I'll drop that patch and add a mysql_signull() next time I see the need
> for it (probably a week or two).
>
>>> optional_policy(`
>>> +	dbus_send_system_bus(smbd_t)
>>> +	dbus_system_bus_client(smbd_t)
>>
>> dbus_send_system_bus(smbd_t) is redundant (already implied with
>> dbus_system_bus_client(smbd_t))
>
> ok
>
>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>> allow squid_t self:unix_dgram_socket sendto;
>>> allow squid_t self:unix_stream_socket { accept connectto listen };
>>> allow squid_t self:tcp_socket { accept listen };
>>> +allow squid_t self:netlink_netfilter_socket all_netlink_netfilter_socket_perms;
>>
>> probably just create_socket_perms?
>
> OK.
>
>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
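Review bot: Adding `signull` to `mysql_signal()` silently widens every existing caller of that interface, and the name no longer describes what it grants (`signull` is a probe for the process's existence, not a signal delivery). A separate `mysql_signull()` interface, as suggested, lets each caller ask for exactly what it needs.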
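Review bot: In the smbd hunk, `dbus_send_system_bus(smbd_t)` duplicates the send rule already granted by `dbus_system_bus_client(smbd_t)` on the next line; drop the first call so the `optional_policy` block grants the client interface once.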
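Review bot: `all_netlink_netfilter_socket_perms` on `squid_t self:netlink_netfilter_socket` grants every permission defined for the class, including ones such as `relabelto` and `name_bind` that a proxy querying netfilter has no use for; `create_socket_perms`, as suggested, covers creating and using the socket and matches the `self:` socket rules elsewhere in squid.te.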
>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>> 	init_dbus_chat(sshd_t)
>>> 	systemd_dbus_chat_logind(sshd_t)
>>> 	init_rw_stream_sockets(sshd_t)
>>> +	systemd_read_logind_sessions_files(sshd_t)
>>
>> This should probably be addressed on the lower authlogin level instead
>
> auth_login_pgm_domain()?

I would consider adding it to auth_use_pam(). But it's a good question.

> In another patch I have systemd_connect_machined(sshd_t) which I guess should
> go in the same one too.

Which patch was that? That does not look right, if only because the name of the interface isn't very descriptive (there is no way to unix stream connect or unix dgram sendto machined). So this is either about systemd's nss mymachines (in which case it belongs in auth_use_nsswitch()) or about reading systemd /var/run/machines, in which case the interface name is wrong.

>
> Thanks for all the suggestions. I'll send an updated version shortly.
>
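Review bot: `systemd_read_logind_sessions_files(sshd_t)` under `ifdef(`init_systemd'` in ssh.te covers only sshd, but any login program that runs the same PAM session stack will hit the identical denial, so the rule belongs in a shared authlogin interface (auth_use_pam() as proposed in this reply) rather than being repeated per daemon.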
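To make the file_contexts point above concrete, here is an added example that is not part of this thread or of refpolicy. It emulates how libselinux matches a file_contexts regex, anchoring it at both ends so it must match the whole path, and runs the patch's `/usr/sbin/php7..-fpm`, the suggested `/usr/sbin/php.*-fpm`, and a third, version-shaped pattern (my own suggestion, not from the thread) against a constructed list of candidate paths. The real matcher needs a compiled policy; `grep -E` stands in for it here.

```shell
#!/bin/sh
# Added example: emulates libselinux file_contexts matching with grep -E.
# libselinux compiles each file_contexts regex with an implicit leading ^
# and trailing $, so an entry only applies when the whole path matches.

# fc_matches REGEX PATH -> exit 0 if REGEX would label PATH, 1 otherwise.
fc_matches() {
    regex=$1
    path=$2
    if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
        return 0
    else
        return 1
    fi
}

# fc_report REGEX PATH... -> one line per path saying whether it matches.
fc_report() {
    regex=$1
    shift
    for p in "$@"; do
        if fc_matches "$regex" "$p"; then
            echo "match     $regex  $p"
        else
            echo "no match  $regex  $p"
        fi
    done
}

# Constructed candidate paths (not taken from any distribution's package).
CANDIDATES="/usr/sbin/php7.4-fpm /usr/sbin/php8.1-fpm /usr/sbin/php7ab-fpm /usr/sbin/php-fpm /usr/sbin/php-fpm7.4"

# Three ways to write the entry:
#  1. the patch's version-pinned form (dots are wildcards, 8.x never matches)
#  2. the reviewer's version-agnostic form (also accepts php7ab-fpm)
#  3. an assumed version-shaped form: optional "major[.minor]", then -fpm
for re in '/usr/sbin/php7..-fpm' \
          '/usr/sbin/php.*-fpm' \
          '/usr/sbin/php[0-9]*(\.[0-9]+)?-fpm'; do
    fc_report "$re" $CANDIDATES
    echo
done
```

The first pattern labels `php7.4-fpm` but not `php8.1-fpm`, so the entry silently stops applying after a major upgrade; the second labels every `php*-fpm` including oddly named files; the third accepts `php-fpm`, `php7.4-fpm` and `php8.1-fpm` while rejecting `php7ab-fpm` and `php-fpm7.4`. Which of the last two is right depends on how tightly the distribution controls names under /usr/sbin.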