selinux-refpolicy.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* another memlockd patch
@ 2020-04-10  6:03 Russell Coker
  2020-04-10  8:10 ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2020-04-10  6:03 UTC (permalink / raw)
  To: selinux-refpolicy

Signed-off-by: Russell Coker <russell@coker.com.au>

I think this resolves all issues Chris raised.


Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20200410/policy/modules/services/memlockd.fc
@@ -0,0 +1 @@
+/usr/sbin/memlockd	--	gen_context(system_u:object_r:memlockd_exec_t,s0)
Index: refpolicy-2.20200410/policy/modules/services/memlockd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20200410/policy/modules/services/memlockd.if
@@ -0,0 +1,2 @@
+## <summary>memory lock daemon, keeps important files in RAM.</summary>
+
Index: refpolicy-2.20200410/policy/modules/services/memlockd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20200410/policy/modules/services/memlockd.te
@@ -0,0 +1,37 @@
+policy_module(memlockd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memlockd_t;
+type memlockd_exec_t;
+init_daemon_domain(memlockd_t, memlockd_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow memlockd_t self:capability { setgid setuid ipc_lock };
+allow memlockd_t self:fifo_file rw_file_perms;
+allow memlockd_t self:unix_dgram_socket { create connect };
+
+# cache /etc/shadow too
+auth_read_shadow(memlockd_t)
+auth_map_shadow(memlockd_t)
+
+corecmd_exec_all_executables(memlockd_t)
+corecmd_exec_bin(memlockd_t)
+corecmd_exec_shell(memlockd_t)
+corecmd_read_all_executables(memlockd_t)
+corecmd_search_bin(memlockd_t)
+files_read_etc_files(memlockd_t)
+libs_exec_ld_so(memlockd_t)
+files_map_etc_files(memlockd_t)
+
+logging_send_syslog_msg(memlockd_t)
+miscfiles_read_localization(memlockd_t)
+
+sysnet_mmap_read_config(memlockd_t)
Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if
@@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
 
 #######################################
 ## <summary>
+##	map network config files.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to mmap the
+##	general network configuration files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_mmap_read_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file mmap_read_file_perms;
+')
+
+#######################################
+## <summary>
 ##	Do not audit attempts to read network config files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20200410/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20200410/policy/modules/system/authlogin.if
@@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
 
 ########################################
 ## <summary>
+##	Map the shadow passwords file (/etc/shadow)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_map_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+	allow $1 shadow_t:file map;
+')
+
+########################################
+## <summary>
 ##	Pass shadow assertion for reading.
 ## </summary>
 ## <desc>

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: another memlockd patch
  2020-04-10  6:03 another memlockd patch Russell Coker
@ 2020-04-10  8:10 ` Dominick Grift
  2020-04-10  9:40   ` Russell Coker
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2020-04-10  8:10 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> I think this resolves all issues Chris raised.
>
>
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.fc
> @@ -0,0 +1 @@
> +/usr/sbin/memlockd	--	gen_context(system_u:object_r:memlockd_exec_t,s0)
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.if
> @@ -0,0 +1,2 @@
> +## <summary>memory lock daemon, keeps important files in RAM.</summary>
> +
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.te
> @@ -0,0 +1,37 @@
> +policy_module(memlockd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type memlockd_t;
> +type memlockd_exec_t;
> +init_daemon_domain(memlockd_t, memlockd_exec_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow memlockd_t self:capability { setgid setuid ipc_lock };
> +allow memlockd_t self:fifo_file rw_file_perms;
> +allow memlockd_t self:unix_dgram_socket { create connect };

the unix dgram socket creating is probably redundant and implied with
logging_send_logs_msg() as journald uses dgram_sendto for logging?

> +
> +# cache /etc/shadow too
> +auth_read_shadow(memlockd_t)

Hmm since /etc/shadow is mode 000, how is memlock able to read this
without cap_dac_read_search access. is that implied?

> +auth_map_shadow(memlockd_t)
> +
> +corecmd_exec_all_executables(memlockd_t)
> +corecmd_exec_bin(memlockd_t)
> +corecmd_exec_shell(memlockd_t)
> +corecmd_read_all_executables(memlockd_t)
> +corecmd_search_bin(memlockd_t)
> +files_read_etc_files(memlockd_t)
> +libs_exec_ld_so(memlockd_t)
> +files_map_etc_files(memlockd_t)
> +
> +logging_send_syslog_msg(memlockd_t)
> +miscfiles_read_localization(memlockd_t)
> +
> +sysnet_mmap_read_config(memlockd_t)
> Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if
> @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
>  
>  #######################################
>  ## <summary>
> +##	map network config files.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to mmap the
> +##	general network configuration files.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_mmap_read_config',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 net_conf_t:file mmap_read_file_perms;
> +')
> +
> +#######################################
> +## <summary>
>  ##	Do not audit attempts to read network config files.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20200410/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20200410/policy/modules/system/authlogin.if
> @@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
>  
>  ########################################
>  ## <summary>
> +##	Map the shadow passwords file (/etc/shadow)
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_map_shadow',`
> +	gen_require(`
> +		type shadow_t;
> +	')
> +	allow $1 shadow_t:file map;
> +')
> +
> +########################################
> +## <summary>
>  ##	Pass shadow assertion for reading.
>  ## </summary>
>  ## <desc>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: another memlockd patch
  2020-04-10  8:10 ` Dominick Grift
@ 2020-04-10  9:40   ` Russell Coker
  2020-04-14 15:04     ` Chris PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2020-04-10  9:40 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Friday, 10 April 2020 6:10:57 PM AEST Dominick Grift wrote:
> > +allow memlockd_t self:unix_dgram_socket { create connect };
> 
> the unix dgram socket creating is probably redundant and implied with
> logging_send_logs_msg() as journald uses dgram_sendto for logging?

You are correct, that is redundant.  Chris shall I submit the patch again or 
would it be easier to just delete that line when you merge?

> > +# cache /etc/shadow too
> > +auth_read_shadow(memlockd_t)
> 
> Hmm since /etc/shadow is mode 000, how is memlock able to read this
> without cap_dac_read_search access. is that implied?

/etc/shadow is mode 640 on Debian.

On other distributions the choice is either more permissions for memlockd or a 
configuration that doesn't cache /etc/shadow.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: another memlockd patch
  2020-04-10  9:40   ` Russell Coker
@ 2020-04-14 15:04     ` Chris PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Chris PeBenito @ 2020-04-14 15:04 UTC (permalink / raw)
  To: Russell Coker, Dominick Grift; +Cc: selinux-refpolicy

On 4/10/20 5:40 AM, Russell Coker wrote:
> On Friday, 10 April 2020 6:10:57 PM AEST Dominick Grift wrote:
>>> +allow memlockd_t self:unix_dgram_socket { create connect };
>>
>> the unix dgram socket creating is probably redundant and implied with
>> logging_send_logs_msg() as journald uses dgram_sendto for logging?
> 
> You are correct, that is redundant.  Chris shall I submit the patch again or
> would it be easier to just delete that line when you merge?

Please resubmit with below change too.

>>> +# cache /etc/shadow too
>>> +auth_read_shadow(memlockd_t)
>>
>> Hmm since /etc/shadow is mode 000, how is memlock able to read this
>> without cap_dac_read_search access. is that implied?
> 
> /etc/shadow is mode 640 on Debian.
> 
> On other distributions the choice is either more permissions for memlockd or a
> configuration that doesn't cache /etc/shadow.

Seems that we need an ifndef(`distro_debian' block with dac_read_search;

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-04-14 15:16 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-10  6:03 another memlockd patch Russell Coker
2020-04-10  8:10 ` Dominick Grift
2020-04-10  9:40   ` Russell Coker
2020-04-14 15:04     ` Chris PeBenito

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).