From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0E3A3C04A6B for ; Wed, 8 May 2019 06:33:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BF42821019 for ; Wed, 8 May 2019 06:33:33 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="PvzBqB9R" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726476AbfEHGdd (ORCPT ); Wed, 8 May 2019 02:33:33 -0400 Received: from mail-ed1-f67.google.com ([209.85.208.67]:46948 "EHLO mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726428AbfEHGdd (ORCPT ); Wed, 8 May 2019 02:33:33 -0400 Received: by mail-ed1-f67.google.com with SMTP id f37so20941607edb.13 for ; Tue, 07 May 2019 23:33:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to:user-agent; bh=gyZUktbwJLax+Ay5wKZ7gV1fiJW1X6fk8SGyrGrYtzk=; b=PvzBqB9Rp1mLh+cuWY5OYbjBCUxYvrA3OVtcv15NMwg6Utqnsm3gIoW7rHE/CLRrGv Z8aTIMdS8sfN9rLiA1Q1+I9eUIUi9ETNC3QCWfeqqampdkW5MV8758rrVqPqfUXc1vsR tub4WN4JINT6HOJOK9Qt1zvMBe/b4/5Xo1qMlyMi6Cgcn0Gqqf7URAE4MCxoHSlnYyZz BwJivnQJ99A4xhdh7oI0+saQSHEMRugvrTWRQ24jnsKb9u3X6TNVt53GxqLYDoIC+VmF mtuSqcwWsOPqgG/wUKHaTvCgYkIohWET0l24dVNJ/1l9F+gjz4pgrKh998wcq20zOuSi p3UA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id :mail-followup-to:references:mime-version:content-disposition :in-reply-to:user-agent; bh=gyZUktbwJLax+Ay5wKZ7gV1fiJW1X6fk8SGyrGrYtzk=; b=idM6xfY3Z1Bn+S+mR+PFjKAqmOn6ZkYgeEIGFCZZjh+/YVKzBj6oTgxVmiGWNsQbZp wh0xXDdeW6/fUsGt/gGiRY08m2z3lU3esiJyKdwXa6s+sZdPblJeyRXriHDFlmeygs0h w83pSPTtsF6/qTX2ffa5Vy5T1W6EAw8Sib3/BpOv3h6LiO4tONT+VIZdmUFiPgzYYAaZ dMUiuYFGbXZluUPpFYg5RFXNLZAeyX4EKVWsWQPMJYWFUK2eiViNyknt0Bm3a0JfPitl W7DaoM44jfbxZ4Tgwhay1js8yAOsysNWC7K81N1F+mvZFj0yVM61xrC4X8+NK5PCzrGM +E0A== X-Gm-Message-State: APjAAAXZBokbU7LeO4CGRUCP8gT1N32nSQ5pHe4Xi8OxFRSFKew44v7o 2+vaGYexoEQwEMMBFqOoNgxkssrK X-Google-Smtp-Source: APXvYqyq6DcmNMvnmefC7kb5GjX47Ho2BNGDaFeKTPzHGBntpSanYigL2SoS1rYTo8SeSxXBnnOV+g== X-Received: by 2002:a17:906:f84:: with SMTP id q4mr28062433ejj.117.1557297210180; Tue, 07 May 2019 23:33:30 -0700 (PDT) Received: from brutus.lan (brutus.defensec.nl. [2001:985:d55d::438]) by smtp.gmail.com with ESMTPSA id k18sm4862709eda.92.2019.05.07.23.33.28 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 07 May 2019 23:33:28 -0700 (PDT) Date: Wed, 8 May 2019 08:33:27 +0200 From: Dominick Grift To: Alexander Miroshnichenko Cc: selinux-refpolicy@vger.kernel.org, jason@perfinion.com Subject: Re: [PATCH] Add nginx policy taken from Gentoo hardened-refpolicy Message-ID: <20190508063327.GA30701@brutus.lan> Mail-Followup-To: Alexander Miroshnichenko , selinux-refpolicy@vger.kernel.org, jason@perfinion.com References: <20190507144201.1517-1-alex@millerson.name> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="G4iJoqBmSsgzjUCe" Content-Disposition: inline In-Reply-To: <20190507144201.1517-1-alex@millerson.name> User-Agent: Every email client sucks, this one just sucks less. X-PGP-Key: https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org --G4iJoqBmSsgzjUCe Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, May 07, 2019 at 05:42:01PM +0300, Alexander Miroshnichenko wrote: > Signed-off-by: Alexander Miroshnichenko Some observations below. > --- > policy/modules/services/nginx.fc | 64 ++++++++++++ > policy/modules/services/nginx.if | 104 +++++++++++++++++++ > policy/modules/services/nginx.te | 169 +++++++++++++++++++++++++++++++ > 3 files changed, 337 insertions(+) > create mode 100644 policy/modules/services/nginx.fc > create mode 100644 policy/modules/services/nginx.if > create mode 100644 policy/modules/services/nginx.te >=20 > diff --git a/policy/modules/services/nginx.fc b/policy/modules/services/n= ginx.fc > new file mode 100644 > index 000000000000..62f12620ea88 > --- /dev/null > +++ b/policy/modules/services/nginx.fc > @@ -0,0 +1,64 @@ > +########################################################################= ####### > +# SELinux module for the NGINX Web Server > +# > +# Project Contact Information: > +# Stuart Cianos > +# Email: scianos@alphavida.com > +# > +########################################################################= ####### > +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reser= ved. > +# > +# > +# Stuart Cianos licenses this file to You under the GNU General Public L= icense, > +# Version 3.0 (the "License"); you may not use this file except in compl= iance > +# with the License. You may obtain a copy of the License at > +# > +# http://www.gnu.org/licenses/gpl.txt > +# > +# or in the COPYING file included in the original archive. > +# > +# Disclaimer of Warranty. > +# > +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY > +# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT > +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRA= NTY > +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED T= O, > +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > +# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PRO= GRAM > +# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST = OF > +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. > +# > +# Limitation of Liability. > +# > +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING > +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONV= EYS > +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDIN= G ANY > +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF T= HE > +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS= OF > +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR T= HIRD > +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS= ), > +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY= OF > +# SUCH DAMAGES. > +########################################################################= ####### > +# nginx executable will have: > +# label: system_u:object_r:nginx_exec_t > +# MLS sensitivity: s0 > +# MCS categories: > + > +# > +# /etc > +# > +/etc/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0) > +/etc/ssl/nginx(/.*)? gen_context(system_u:object_r:nginx_conf_t,s0) /etc/ssl is for certificates, should probably use a "cert_type" here > + > +# > +# /usr > +# > +/usr/sbin/nginx -- gen_context(system_u:object_r:nginx_exec_t,s0) > + > +# > +# /var > +# > +/var/lib/nginx/tmp(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0) I would just label /var/lib/nginx(/.*)?" type nginx_var_lib_t > +/var/log/nginx(/.*)? gen_context(system_u:object_r:nginx_log_t,s0) > +/var/tmp/nginx(/.*)? gen_context(system_u:object_r:nginx_tmp_t,s0) > diff --git a/policy/modules/services/nginx.if b/policy/modules/services/n= ginx.if > new file mode 100644 > index 000000000000..ebef6e759e3f > --- /dev/null > +++ b/policy/modules/services/nginx.if > @@ -0,0 +1,104 @@ > +########################################################################= ####### > +# SELinux module for the NGINX Web Server > +# > +# Project Contact Information: > +# Stuart Cianos > +# Email: scianos@alphavida.com > +# > +########################################################################= ####### > +# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reser= ved. > +# > +# > +# Stuart Cianos licenses this file to You under the GNU General Public L= icense, > +# Version 3.0 (the "License"); you may not use this file except in compl= iance > +# with the License. You may obtain a copy of the License at > +# > +# http://www.gnu.org/licenses/gpl.txt > +# > +# or in the COPYING file included in the original archive. > +# > +# Disclaimer of Warranty. > +# > +# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY > +# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT > +# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRA= NTY > +# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED T= O, > +# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > +# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PRO= GRAM > +# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST = OF > +# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. > +# > +# Limitation of Liability. > +# > +# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING > +# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONV= EYS > +# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDIN= G ANY > +# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF T= HE > +# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS= OF > +# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR T= HIRD > +# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS= ), > +# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY= OF > +# SUCH DAMAGES. > +########################################################################= ####### > +## policy for nginx Documentation (summary) is lacking. > + > +######################################## > +## > +## Execute a domain transition to run nginx. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`nginx_domtrans',` > + gen_require(` > + type nginx_t, nginx_exec_t; > + ') > + allow nginx_t $1:fd use; > + allow nginx_t $1:fifo_file rw_file_perms; > + allow nginx_t $1:process sigchld; > + > + domain_auto_transition_pattern($1, nginx_exec_t, nginx_t) > +') Use domtrans() here > + > +######################################## > +## > +## Administer the nginx domain > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The role to be allowed to manage the nginx domain. > +## > +## > +## > +# > +interface(`nginx_admin',` > + gen_require(` > + type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_var_ru= n_t; > + type nginx_exec_t; > + ') you reference nginx_var_lib_t and nginx_var_run_t here but there are no ref= erences to those types in the .fc file > + > + allow $1 nginx_t:process { ptrace signal_perms }; > + ps_process_pattern($1, nginx_t) > + > + files_list_etc($1) > + admin_pattern($1, nginx_conf_t) > + > + can_exec($1, nginx_exec_t) > + > + files_list_var_lib($1) > + admin_pattern($1, nginx_var_lib_t) > + > + logging_list_logs($1) > + admin_pattern($1, nginx_log_t) > + > + files_list_pids($1) > + admin_pattern($1, nginx_var_run_t) > +') > diff --git a/policy/modules/services/nginx.te b/policy/modules/services/n= ginx.te > new file mode 100644 > index 000000000000..be59babb8596 > --- /dev/null > +++ b/policy/modules/services/nginx.te > @@ -0,0 +1,169 @@ > +# SELinux module for the NGINX Web Server > +policy_module(nginx,1.0.10) > + > +######################################## > +# > +# Declarations > +# > + > +## > +##

> +## Allow nginx to serve HTTP content (act as an http server) > +##

> +## > +gen_tunable(nginx_enable_http_server, false) Not sure if it worth it to make this conditional > + > +## > +##

> +## Allow nginx to act as an imap proxy server) > +##

> +## > +gen_tunable(nginx_enable_imap_server, false) > + > +## > +##

> +## Allow nginx to act as a pop3 server) > +##

> +## > +gen_tunable(nginx_enable_pop3_server, false) > + > +## > +##

> +## Allow nginx to act as an smtp server) > +##

> +## > +gen_tunable(nginx_enable_smtp_server, false) > + > +## > +##

> +## Allow nginx to connect to remote HTTP servers > +##

> +## > +gen_tunable(nginx_can_network_connect_http, false) > + > +## > +##

> +## Allow nginx to connect to remote servers (regardless of protocol) > +##

> +## > +gen_tunable(nginx_can_network_connect, false) > + > +type nginx_t; > +type nginx_exec_t; > +init_daemon_domain(nginx_t, nginx_exec_t) > + > +# conf files > +type nginx_conf_t; > +files_type(nginx_conf_t) use files_config_file() > + > +# log files > +type nginx_log_t; > +logging_log_file(nginx_log_t) > + > +# tmp files > +type nginx_tmp_t; > +files_tmp_file(nginx_tmp_t) > + > +# var/lib files > +type nginx_var_lib_t; > +files_type(nginx_var_lib_t) > + > +# pid files > +type nginx_var_run_t; > +files_pid_file(nginx_var_run_t) > + > +######################################## > +# > +# nginx local policy > +# > + > +allow nginx_t self:fifo_file { read write }; use rw_fifo_file_perms > +allow nginx_t self:unix_stream_socket create_stream_socket_perms; I see below that it maintains a socket in /var/lib/.* what is that for. Can entities connect to nginx with a unix domain socket? > +allow nginx_t self:tcp_socket { listen accept }; > +allow nginx_t self:capability { setuid net_bind_service setgid chown }; > + > +# conf files > +list_dirs_pattern(nginx_t, nginx_conf_t, nginx_conf_t) > +read_files_pattern(nginx_t, nginx_conf_t, nginx_conf_t) > + > +# log files > +manage_files_pattern(nginx_t, nginx_log_t, nginx_log_t) you may be able to ommit the "write" permission here. > +logging_log_filetrans(nginx_t, nginx_log_t, { file dir }) the dir here does not make sense, as nginx_t is not allowed to create it an= yway. Either allow nginx to manage nginx_log_t dirs or remove it > + > + > +# pid file > +manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t) > +manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t) > +files_pid_filetrans(nginx_t, nginx_var_run_t, file) Here its the opposite. you allos it to create dirs but theres no file trans= ition rule. In addition .fc spec is missing. > + > +# tmp files > +manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t) > +manage_dirs_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t) > +files_tmp_filetrans(nginx_t, nginx_tmp_t, dir) > + > +# var/lib files > +create_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t) > +create_sock_files_pattern(nginx_t, nginx_var_lib_t, nginx_var_lib_t) > +files_var_lib_filetrans(nginx_t,nginx_var_lib_t, { file dir sock_file }) fc spec is missing. Its not allowed to create nginx_var_lib_t dirs. > + > + > +kernel_read_kernel_sysctls(nginx_t) > +corenet_tcp_bind_generic_node(nginx_t) > +corenet_tcp_sendrecv_generic_if(nginx_t) > +corenet_tcp_sendrecv_generic_node(nginx_t) > + > +dev_read_rand(nginx_t) > +dev_read_urand(nginx_t) > + > +domain_use_interactive_fds(nginx_t) Probaby not needed > + > +files_read_etc_files(nginx_t) > + > + > +miscfiles_read_localization(nginx_t) > +sysnet_dns_name_resolve(nginx_t) > + > + > +tunable_policy(`nginx_enable_http_server',` > + corenet_tcp_bind_http_port(nginx_t) > + apache_read_all_content(nginx_t) > + apache_manage_all_rw_content(nginx_t) > +') > + > +# We enable both binding and connecting, since nginx acts here as a reve= rse proxy > +tunable_policy(`nginx_enable_imap_server',` > + corenet_tcp_bind_pop_port(nginx_t) > + corenet_tcp_connect_pop_port(nginx_t) > +') > + > +tunable_policy(`nginx_enable_pop3_server',` > + corenet_tcp_bind_pop_port(nginx_t) > + corenet_tcp_connect_pop_port(nginx_t) > +') > + > +tunable_policy(`nginx_enable_smtp_server',` > + corenet_tcp_bind_smtp_port(nginx_t) > + corenet_tcp_connect_smtp_port(nginx_t) > +') > + > +tunable_policy(`nginx_can_network_connect_http',` > + corenet_tcp_connect_http_port(nginx_t) > +') > + > +tunable_policy(`nginx_can_network_connect',` > + corenet_tcp_connect_all_ports(nginx_t) > +') > + > +optional_policy(` > + phpfpm_stream_connect(nginx_t) > +') > + > +ifdef(`distro_gentoo',` > + > + # needs to be able to signal its children > + allow nginx_t self:process { signal sigchld }; > + > + optional_policy(` > + uwsgi_stream_connect(nginx_t) > + ') > +') > --=20 > 2.21.0 >=20 --=20 Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02 Dominick Grift --G4iJoqBmSsgzjUCe Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAlzSeDIACgkQJXSOVTf5 R2mnhQv+KHOTLSSLXrMQmBqgKdZGkX5jW0ewEC+JpvsHlF6cwO403+LgHTZ8g6A0 VIsH2Yx1yOR+VsCdrE9Q4GWs/hgRcG8qA/AfsUoEgiAPEvanst4tRUHr6iVAhq+u rEasbrSeXGM/aLAE7eqM63JSFkkiqZAnpz4pwBT/ICbCnOJloUT6L3cG3lLfsuvN 7em4MBf/QJaC+oZmC8nFeu527P1N8XOSnp/LLCOYvPP/pM2E2YQL+TgtB8PjK6AP Vgq8tgkCBwoVjPjy8MPV2e4FcFww/r986osFSiHuzE3QiuLcZm4w1R6DEshjo05F pdtnnIIdNFWP0p3t6B0TMY1QCm+x9ucTQbU69u17szB8lssnAE4CZjc7XJd4WuJ9 3484g7KIzjvLX5Njht+OCvlfXer4r5+AEHiug/gRqiQldLET+qNlI4XWJJceVsSZ 03SbDGuajUYzjiOkP9lKpd7fAN3qTW97XsuLijcFmF1RhO2ggp6BbYbnAQbhsax9 pj9dOPgT =raNW -----END PGP SIGNATURE----- --G4iJoqBmSsgzjUCe--