From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.4 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B8E7AC606CF for ; Tue, 9 Jul 2019 00:50:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7C1E5216C4 for ; Tue, 9 Jul 2019 00:50:04 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="TicJlHwN" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727151AbfGIAuE (ORCPT ); Mon, 8 Jul 2019 20:50:04 -0400 Received: from mail-qk1-f193.google.com ([209.85.222.193]:37277 "EHLO mail-qk1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725857AbfGIAuD (ORCPT ); Mon, 8 Jul 2019 20:50:03 -0400 Received: by mail-qk1-f193.google.com with SMTP id d15so14798145qkl.4 for ; Mon, 08 Jul 2019 17:50:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=plnoIjdsN56akKoROzdLvl8EpbKuHDNjzocuYPoIn3o=; b=TicJlHwNhYK8QwI1/al+Ww/csd0/NTokzx54OP8kAzoL3AKAdLNSHvgV8CI41L2Z+5 DBnvwNkykU0QwJvDc0/kC4gMUCeWaYyYhtbgY0papGV+u3003aL/4H6Y+cED+B/uPPJD U3j6Nix0XLR9/peWnRD6uqU2jqBJbPz9emaN4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=plnoIjdsN56akKoROzdLvl8EpbKuHDNjzocuYPoIn3o=; b=rz5/LnmjlXgKDTVgmuUnVlyykCEyzVp1GHucy0uxJ/ceNYa9m/sJtiHv9xxBgg6cVL IqWTRcJ4ey2L587Z8wNlJB8yzoES+g1UrT9MBYxzJpb1QxQq5kippGjiw4msMkQqf+ax 1Gw7ieEisHhkz124MOgkTrrz046nHu4CjXh7qKZsqHLqNBvdPAxBmHgE2VZRQkCrl1nv oA4JAKKJdQoQZ1SgHoLtsmsJWEZ9sT7RzSwO92+bj7UwoXgRnZPxpbp6ZIXbmn93lnoa v+4YwHTs6T7urEtu3ZXDTr++iBqUvyawVirMUzRP1ZkWzdP6IDOuBy2YVbvPu66A/hOa 4Pdg== X-Gm-Message-State: APjAAAWBT/1FLWrBVwCbj/EjO0Wkm0J7HndHlcduxKcGodJWzaL/dj37 INDet6sB92o7UBESs5EW7JsbBQS++yI= X-Google-Smtp-Source: APXvYqyq3yJ+f26p0UaD7djPp476J4lfwohZdtFlThfaNaiy56ErSL30OMk/GI1mZqb99+TLf4ixFQ== X-Received: by 2002:a05:620a:1648:: with SMTP id c8mr16014622qko.106.1562633402452; Mon, 08 Jul 2019 17:50:02 -0700 (PDT) Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id m12sm5267947qkk.123.2019.07.08.17.50.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Jul 2019 17:50:02 -0700 (PDT) Subject: Re: [PATCH v2] Add knot module To: Alexander Miroshnichenko , selinux-refpolicy@vger.kernel.org References: <20190702155823.GA27193@brutus.lan> <20190705120251.1121-1-alex@millerson.name> From: Chris PeBenito Message-ID: <1e3cd1ef-1643-ee92-d6f3-55c45bdee331@ieee.org> Date: Mon, 8 Jul 2019 20:47:45 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <20190705120251.1121-1-alex@millerson.name> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 7/5/19 8:02 AM, Alexander Miroshnichenko wrote: > Add a SELinux Reference Policy module for the > Knot authoritative-only DNS server. > > Signed-off-by: Alexander Miroshnichenko > --- > policy/modules/roles/sysadm.te | 4 + > policy/modules/services/knot.fc | 9 ++ > policy/modules/services/knot.if | 219 ++++++++++++++++++++++++++++++++ > policy/modules/services/knot.te | 104 +++++++++++++++ > policy/modules/system/init.te | 4 + > 5 files changed, 340 insertions(+) > create mode 100644 policy/modules/services/knot.fc > create mode 100644 policy/modules/services/knot.if > create mode 100644 policy/modules/services/knot.te I think the rules are probably ok, but the interface names need work. They should all start with knot_*, for starters. See below. > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 8f891c83865f..e3079ad65d17 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -550,6 +550,10 @@ optional_policy(` > keystone_admin(sysadm_t, sysadm_r) > ') > > +optional_policy(` > + knotc_role(sysadm_r, sysadm_t) > +') > + > optional_policy(` > kismet_admin(sysadm_t, sysadm_r) > ') > diff --git a/policy/modules/services/knot.fc b/policy/modules/services/knot.fc > new file mode 100644 > index 000000000000..02a1c2022661 > --- /dev/null > +++ b/policy/modules/services/knot.fc > @@ -0,0 +1,9 @@ > +/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0) > + > +/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0) > + > +/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0) > + > +/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0) > + > +/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0) > diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if > new file mode 100644 > index 000000000000..fef08da46a79 > --- /dev/null > +++ b/policy/modules/services/knot.if > @@ -0,0 +1,219 @@ > +## high-performance authoritative-only DNS server. > + > +######################################## > +## > +## Execute knotd_exec_t in the knotd domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`knotd_domtrans',` > + gen_require(` > + type knotd_t, knotd_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, knotd_exec_t, knotd_t) > +') This doesn't seem needed, since a service is usually started by init. If it is needed, then it should be something like knot_domtrans(), and then the latter knotc_domtrans should be something like knot_domtrans_client(). > +######################################## > +## > +## Manage Knot runtime. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_manage_runtime',` > + gen_require(` > + type knot_runtime_t; > + ') > + > + manage_dirs_pattern($1, knot_runtime_t, knot_runtime_t) > + manage_files_pattern($1, knot_runtime_t, knot_runtime_t) > + manage_lnk_files_pattern($1, knot_runtime_t, knot_runtime_t) > + manage_sock_files_pattern($1, knot_runtime_t, knot_runtime_t) > + files_search_pids($1) While there are a few interfaces that have this, I don't want this to be the standard. This should either be split into 4 different interfaces or put the rules directly in knot.te. > +') > + > +######################################## > +## > +## Manage knot var lib. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_manage_var_lib',` > + gen_require(` > + type knot_var_lib_t; > + ') > + > + manage_dirs_pattern($1, knot_var_lib_t, knot_var_lib_t) > + manage_files_pattern($1, knot_var_lib_t, knot_var_lib_t) > + manage_lnk_files_pattern($1, knot_var_lib_t, knot_var_lib_t) > + files_search_var_lib($1) > +') Same thing as above. > +######################################## > +## > +## Mmap knot var lib files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_mmap_var_lib_files',` "map" not "mmap" > + gen_require(` > + type knot_var_lib_t; > + ') > + > + allow $1 knot_var_lib_t:file map; > +') > + > +######################################## > +## > +## Read, mmap knot config files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_mmap_config_file',` In this case, mmap_read, not just mmap. Or split map perm to another interface. > + gen_require(` > + type knot_conf_t; > + ') > + > + mmap_read_files_pattern($1, knot_conf_t, knot_conf_t) > + files_search_etc($1) > +') > + > +######################################## > +## > +## Manage knot tmp. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_manage_tmp',` > + gen_require(` > + type knot_tmp_t; > + ') > + > + allow $1 knot_tmp_t:file manage_file_perms; > + allow $1 knot_tmp_t:dir manage_dir_perms; Needs 2 interfaces. > +') > + > +######################################## > +## > +## Mmap knot tmp. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_mmap_tmp_files',` Similar comment to above. > + gen_require(` > + type knot_tmp_t; > + ') > + > + allow $1 knot_tmp_t:file map; > +') > + > +######################################## > +## > +## Create knot tmp files, directories in > +## temporary directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to be created > +## > +## > +## > +## > +## The object class. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`knot_tmp_filetrans',` > + gen_require(` > + type knot_tmp_t; > + ') > + > + files_tmp_filetrans($1, knot_tmp_t, { file dir }) > +') > + > +######################################## > +## > +## Execute knotc in the knotc domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`knotc_domtrans',` > + gen_require(` > + type knotc_t, knotc_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, knotc_exec_t, knotc_t) > +') > + > +######################################## > +## > +## Role access for knotc > +## > +## > +## > +## Role allowed access > +## > +## > +## > +## > +## User domain for the role > +## > +## > +# > +interface(`knotc_role',` > + gen_require(` > + type knotc_t; > + attribute_role knotc_roles; > + ') > + > + roleattribute $1 knotc_roles; > + > + knotc_domtrans($2) > + > + ps_process_pattern($2, knotc_t) > + allow $2 knotc_t:process { signull signal sigkill }; > +') > diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te > new file mode 100644 > index 000000000000..780535759cf5 > --- /dev/null > +++ b/policy/modules/services/knot.te > @@ -0,0 +1,104 @@ > +policy_module(knot, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type knotd_t; > +type knotd_exec_t; > +init_daemon_domain(knotd_t, knotd_exec_t) > + > +type knotc_t; > +type knotc_exec_t; > +application_domain(knotc_t, knotc_exec_t) > +init_daemon_domain(knotc_t, knotc_exec_t) > +role knotc_roles types knotc_t; > + > +attribute_role knotc_roles; > + > +type knot_conf_t; > +files_config_file(knot_conf_t) > + > +type knot_runtime_t; > +files_pid_file(knot_runtime_t) > + > +type knot_var_lib_t; > +files_type(knot_var_lib_t) > + > +type knot_tmp_t; > +files_tmp_file(knot_tmp_t) > + > +######################################## > +# > +# knotd local policy > +# > +allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid }; > +allow knotd_t self:process { signal_perms getcap getsched setsched }; > +allow knotd_t self:tcp_socket create_stream_socket_perms; > +allow knotd_t self:udp_socket create_socket_perms; > +allow knotd_t self:unix_stream_socket create_stream_socket_perms; > + > +corenet_tcp_bind_generic_node(knotd_t) > +corenet_udp_bind_generic_node(knotd_t) > + > +corenet_sendrecv_dns_server_packets(knotd_t) > +corenet_tcp_bind_dns_port(knotd_t) > +corenet_udp_bind_dns_port(knotd_t) > +# Slave replication > +corenet_tcp_connect_dns_port(knotd_t) > + > +kernel_read_kernel_sysctls(knotd_t) > + > +knot_mmap_config_file(knotd_t) > + > +knot_manage_runtime(knotd_t) > +files_pid_filetrans(knotd_t, knot_runtime_t, dir) > + > +knot_manage_var_lib(knotd_t) > +knot_mmap_var_lib_files(knotd_t) > +files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir) > + > +knot_manage_tmp(knotd_t) > +knot_mmap_tmp_files(knotd_t) > +knot_tmp_filetrans(knotd_t) > + > +files_map_etc_files(knotd_t) > + > +fs_getattr_xattr_fs(knotd_t) > + > +fs_getattr_tmpfs(knotd_t) > + > +auth_use_nsswitch(knotd_t) > + > +logging_send_syslog_msg(knotd_t) > + > +miscfiles_read_localization(knotd_t) > + > +######################################## > +# > +# knotc local policy > +# > +allow knotc_t self:capability { dac_override dac_read_search }; > +allow knotc_t self:process signal; > + > +stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t) > + > +knot_mmap_config_file(knotc_t) > + > +knot_manage_tmp(knotc_t) > +knot_mmap_tmp_files(knotc_t) > +knot_tmp_filetrans(knotc_t) > + > +knot_manage_var_lib(knotc_t) > +knot_mmap_var_lib_files(knotc_t) > + > +files_read_etc_files(knotc_t) > + > +fs_getattr_tmpfs(knotc_t) > + > +domain_use_interactive_fds(knotc_t) > + > +miscfiles_read_localization(knotc_t) > + > +userdom_use_user_ptys(knotc_t) > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index f4d27bff3ea2..d38a0a8549d3 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -1158,6 +1158,10 @@ optional_policy(` > kerberos_use(initrc_t) > ') > > +optional_policy(` > + knot_mmap_config_file(initrc_t) > +') > + > optional_policy(` > ldap_read_config(initrc_t) > ldap_list_db(initrc_t) > -- Chris PeBenito