From: Alexander Miroshnichenko <alex@millerson.name> To: selinux-refpolicy@vger.kernel.org Cc: Alexander Miroshnichenko <alex@millerson.name> Subject: [PATCH v2] Add knot module Date: Fri, 5 Jul 2019 15:02:53 +0300 Message-ID: <20190705120251.1121-1-alex@millerson.name> (raw) In-Reply-To: <20190702155823.GA27193@brutus.lan> Add a SELinux Reference Policy module for the Knot authoritative-only DNS server. Signed-off-by: Alexander Miroshnichenko <alex@millerson.name> --- policy/modules/roles/sysadm.te | 4 + policy/modules/services/knot.fc | 9 ++ policy/modules/services/knot.if | 219 ++++++++++++++++++++++++++++++++ policy/modules/services/knot.te | 104 +++++++++++++++ policy/modules/system/init.te | 4 + 5 files changed, 340 insertions(+) create mode 100644 policy/modules/services/knot.fc create mode 100644 policy/modules/services/knot.if create mode 100644 policy/modules/services/knot.te diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 8f891c83865f..e3079ad65d17 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -550,6 +550,10 @@ optional_policy(` keystone_admin(sysadm_t, sysadm_r) ') +optional_policy(` + knotc_role(sysadm_r, sysadm_t) +') + optional_policy(` kismet_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/services/knot.fc b/policy/modules/services/knot.fc new file mode 100644 index 000000000000..02a1c2022661 --- /dev/null +++ b/policy/modules/services/knot.fc @@ -0,0 +1,9 @@ +/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0) + +/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0) + +/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0) + +/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0) + +/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0) diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if new file mode 100644 index 000000000000..fef08da46a79 --- /dev/null 
+++ b/policy/modules/services/knot.if 
@@ -0,0 +1,219 @@ +## <summary>high-performance authoritative-only DNS server.</summary> + +######################################## +## <summary> +## Execute knotd_exec_t in the knotd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`knotd_domtrans',` + gen_require(` + type knotd_t, knotd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, knotd_exec_t, knotd_t) +') + +######################################## +## <summary> +## Manage Knot runtime. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`knot_manage_runtime',` + gen_require(` + type knot_runtime_t; + ') + + manage_dirs_pattern($1, knot_runtime_t, knot_runtime_t) + manage_files_pattern($1, knot_runtime_t, knot_runtime_t) + manage_lnk_files_pattern($1, knot_runtime_t, knot_runtime_t) + manage_sock_files_pattern($1, knot_runtime_t, knot_runtime_t) + files_search_pids($1) +') + +######################################## +## <summary> +## Manage knot var lib. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`knot_manage_var_lib',` + gen_require(` + type knot_var_lib_t; + ') + + manage_dirs_pattern($1, knot_var_lib_t, knot_var_lib_t) + manage_files_pattern($1, knot_var_lib_t, knot_var_lib_t) + manage_lnk_files_pattern($1, knot_var_lib_t, knot_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Mmap knot var lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`knot_mmap_var_lib_files',` + gen_require(` + type knot_var_lib_t; + ') + + allow $1 knot_var_lib_t:file map; +') + +######################################## +## <summary> +## Read, mmap knot config files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`knot_mmap_config_file',` + gen_require(` + type knot_conf_t; + ') + + mmap_read_files_pattern($1, knot_conf_t, knot_conf_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Manage knot tmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`knot_manage_tmp',` + gen_require(` + type knot_tmp_t; + ') + + allow $1 knot_tmp_t:file manage_file_perms; + allow $1 knot_tmp_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Mmap knot tmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`knot_mmap_tmp_files',` + gen_require(` + type knot_tmp_t; + ') + + allow $1 knot_tmp_t:file map; +') + +######################################## +## <summary> +## Create knot tmp files, directories in +## temporary directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## The type of the object to be created +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The object class. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`knot_tmp_filetrans',` + gen_require(` + type knot_tmp_t; + ') + + files_tmp_filetrans($1, knot_tmp_t, { file dir }) +') + +######################################## +## <summary> +## Execute knotc in the knotc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`knotc_domtrans',` + gen_require(` + type knotc_t, knotc_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, knotc_exec_t, knotc_t) +') + +######################################## +## <summary> +## Role access for knotc +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`knotc_role',` + gen_require(` + type knotc_t; + attribute_role knotc_roles; + ') + + roleattribute $1 knotc_roles; + + knotc_domtrans($2) + + ps_process_pattern($2, knotc_t) + allow $2 knotc_t:process { signull signal sigkill }; +') diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te new file mode 100644 index 000000000000..780535759cf5 --- /dev/null +++ b/policy/modules/services/knot.te 
@@ -0,0 +1,104 @@ +policy_module(knot, 1.0.0) + +######################################## +# +# Declarations +# + +type knotd_t; +type knotd_exec_t; +init_daemon_domain(knotd_t, knotd_exec_t) + +type knotc_t; +type knotc_exec_t; +application_domain(knotc_t, knotc_exec_t) +init_daemon_domain(knotc_t, knotc_exec_t) +role knotc_roles types knotc_t; + +attribute_role knotc_roles; + +type knot_conf_t; +files_config_file(knot_conf_t) + +type knot_runtime_t; +files_pid_file(knot_runtime_t) + +type knot_var_lib_t; +files_type(knot_var_lib_t) + +type knot_tmp_t; +files_tmp_file(knot_tmp_t) + +######################################## +# +# knotd local policy +# +allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid }; +allow knotd_t self:process { signal_perms getcap getsched setsched }; +allow knotd_t self:tcp_socket create_stream_socket_perms; +allow knotd_t self:udp_socket create_socket_perms; +allow knotd_t self:unix_stream_socket create_stream_socket_perms; + +corenet_tcp_bind_generic_node(knotd_t) +corenet_udp_bind_generic_node(knotd_t) + +corenet_sendrecv_dns_server_packets(knotd_t) +corenet_tcp_bind_dns_port(knotd_t) +corenet_udp_bind_dns_port(knotd_t) +# Slave replication +corenet_tcp_connect_dns_port(knotd_t) + +kernel_read_kernel_sysctls(knotd_t) + +knot_mmap_config_file(knotd_t) + +knot_manage_runtime(knotd_t) +files_pid_filetrans(knotd_t, knot_runtime_t, dir) + +knot_manage_var_lib(knotd_t) +knot_mmap_var_lib_files(knotd_t) +files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir) + +knot_manage_tmp(knotd_t) +knot_mmap_tmp_files(knotd_t) +knot_tmp_filetrans(knotd_t) + +files_map_etc_files(knotd_t) + +fs_getattr_xattr_fs(knotd_t) + +fs_getattr_tmpfs(knotd_t) + +auth_use_nsswitch(knotd_t) + +logging_send_syslog_msg(knotd_t) + +miscfiles_read_localization(knotd_t) + +######################################## +# +# knotc local policy +# +allow knotc_t self:capability { dac_override dac_read_search }; +allow knotc_t self:process signal; + 
+stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t) + +knot_mmap_config_file(knotc_t) + +knot_manage_tmp(knotc_t) +knot_mmap_tmp_files(knotc_t) +knot_tmp_filetrans(knotc_t) + +knot_manage_var_lib(knotc_t) +knot_mmap_var_lib_files(knotc_t) + +files_read_etc_files(knotc_t) + +fs_getattr_tmpfs(knotc_t) + +domain_use_interactive_fds(knotc_t) + +miscfiles_read_localization(knotc_t) + +userdom_use_user_ptys(knotc_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f4d27bff3ea2..d38a0a8549d3 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1158,6 +1158,10 @@ optional_policy(` kerberos_use(initrc_t) ') +optional_policy(` + knot_mmap_config_file(initrc_t) +') + optional_policy(` ldap_read_config(initrc_t) ldap_list_db(initrc_t) -- 2.21.0
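Review bot: the new optional_policy block in sysadm.te breaks the file's alphabetical ordering; `knotc_role(sysadm_r, sysadm_t)` is inserted between the keystone and kismet blocks, but "knot" sorts after "kismet". Move the block to directly follow the `kismet_admin(sysadm_t, sysadm_r)` block.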
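Review bot: in knot.if the parameter documentation of `knot_tmp_filetrans` does not match its body: the XML documents `file_type`, `object_class` and an optional `name`, yet the interface only uses `$1` and hard-codes `files_tmp_filetrans($1, knot_tmp_t, { file dir })`; drop the three unused <param> blocks, or pass the object class and name through as `$2`/`$3`. Two smaller points: the interfaces use three different prefixes (`knotd_domtrans`, `knotc_domtrans`, `knotc_role`, `knot_*`), whereas refpolicy convention is to prefix every interface with the module name (e.g. `knot_domtrans`, `knot_domtrans_knotc`, `knot_role`); and `knot_manage_tmp` is written with raw `allow $1 knot_tmp_t:file manage_file_perms;` rules where `manage_dirs_pattern`/`manage_files_pattern` plus `files_search_tmp($1)` would match the other manage interfaces in the same file. The module summary `high-performance authoritative-only DNS server.` should also name the software (Knot DNS) like other service summaries do.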
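Review bot: in knot.te `knotc_t` is declared as both an application domain and an init daemon domain (`application_domain(knotc_t, knotc_exec_t)` followed by `init_daemon_domain(knotc_t, knotc_exec_t)`); the control client is run by users through `knotc_role` (it gets `userdom_use_user_ptys` and `domain_use_interactive_fds`), so `init_daemon_domain` looks wrong here, and if init scripts genuinely need to run knotc a separate, explicit domain transition from `initrc_t` would be clearer than making it a daemon domain. Also `attribute_role knotc_roles;` is declared after `role knotc_roles types knotc_t;` already uses it; move the declaration above the role statement. The broad grants deserve a comment: `dac_override dac_read_search` on both `knotd_t` and `knotc_t`, and `knot_manage_var_lib(knotc_t)` giving the client full write access to the zone storage; if these came from observed denials, say which operations need them so the rules can be tightened later.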
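Review bot: the `knot_mmap_config_file(initrc_t)` grant in init.te has no comment explaining why init scripts need to read and map Knot's configuration; if this is for a configuration check in the init script, say so, and consider whether that step should instead run in `knotc_t` through a domain transition rather than widening `initrc_t`.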