SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Chris PeBenito <pebenito@ieee.org>
To: Alexander Miroshnichenko <alex@millerson.name>,
	selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] add lldpd policy
Date: Sat, 15 Jun 2019 12:08:16 -0400
Message-ID: <749388e0-6da1-4b06-c62c-35302a5aba78@ieee.org> (raw)
In-Reply-To: <20190610142004.2719-1-alex@millerson.name>

On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:
> New policy for lldpd ( http://vincentbernat.github.io/lldpd ).
> 
> Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
> ---
>   policy/modules/roles/sysadm.te   |   4 +
>   policy/modules/services/lldpd.fc |   9 ++
>   policy/modules/services/lldpd.if | 206 +++++++++++++++++++++++++++++++
>   policy/modules/services/lldpd.te |  80 ++++++++++++
>   4 files changed, 299 insertions(+)
>   create mode 100644 policy/modules/services/lldpd.fc
>   create mode 100644 policy/modules/services/lldpd.if
>   create mode 100644 policy/modules/services/lldpd.te
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8f891c83865f..ea4e06a29e30 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -595,6 +595,10 @@ optional_policy(`
>   	lldpad_admin(sysadm_t, sysadm_r)
>   ')
>   
> +optional_policy(`
> +        lldp_admin(sysadm_t, sysadm_r)

A whitespace problem here (spaces instead of tab).

> +')
> +
>   optional_policy(`
>   	lockdev_role(sysadm_r, sysadm_t)
>   ')
> diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
> new file mode 100644
> index 000000000000..997a80a3baf9
> --- /dev/null
> +++ b/policy/modules/services/lldpd.fc
> @@ -0,0 +1,9 @@
> +/etc/lldpd.conf		--	gen_context(system_u:object_r:lldpd_etc_t,s0)
> +/etc/lldpd.d(/.*)?		gen_context(system_u:object_r:lldpd_etc_t,s0)
> +
> +/usr/sbin/lldpd		--	gen_context(system_u:object_r:lldpd_exec_t,s0)
> +/usr/sbin/lldpcli         --      gen_context(system_u:object_r:lldp_cli_exec_t,s0)
> +
> +/run/lldpd		-d      gen_context(system_u:object_r:lldpd_var_run_t,s0)
> +/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_var_run_t,s0)
> +/run/lldpd.pid		--	gen_context(system_u:object_r:lldpd_var_run_t,s0)
> diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
> new file mode 100644
> index 000000000000..f7030b1ead19
> --- /dev/null
> +++ b/policy/modules/services/lldpd.if
> @@ -0,0 +1,206 @@
> +
> +## <summary>policy for lldpd</summary>
> +
> +########################################
> +## <summary>
> +##	Execute lldpd_exec_t in the lldpd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`lldpd_domtrans',`
> +	gen_require(`
> +		type lldpd_t, lldpd_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, lldpd_exec_t, lldpd_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Execute a domain transition to run lldpcli.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +#
> +interface(`lldp_cli_domtrans',`

Interface name should be lldp_domtrans_cli

> +        gen_require(`
> +                type lldp_cli_t, lldp_cli_exec_t;
> +        ')
> +
> +        corecmd_search_bin($1)
> +        can_exec($1, lldp_cli_exec_t)

This can_exec should not be in a domtrans interface, as it provides 
execute_no_trans, which isn't necessary for domtrans.

> +        domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Execute lldpcli in the lldp_cli domain,
> +##      and allow the specified role
> +##      the lldp_cli domain.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +## <param name="role">
> +##      <summary>
> +##      Role allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`lldp_cli_run',`

lldp_run_cli

> +        gen_require(`
> +                type lldp_cli_t;
> +        ')
> +
> +        lldp_cli_domtrans($1)
> +        role $2 types lldp_cli_t;
> +')
> +
> +######################################
> +## <summary>
> +##	Execute lldpd in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_exec',`
> +	gen_require(`
> +		type lldpd_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, lldpd_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Search lldpd conf directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_search_conf',`
> +	gen_require(`
> +		type lldpd_etc_t;
> +	')
> +
> +	allow $1 lldpd_etc_t:dir search_dir_perms;
> +	files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Read lldpd conf files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_read_conf_files',`
> +	gen_require(`
> +		type lldpd_etc_t;
> +	')
> +
> +	allow $1 lldpd_etc_t:dir list_dir_perms;
> +	read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> +	files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage lldpd conf files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_manage_conf_files',`
> +	gen_require(`
> +		type lldpd_etc_t;
> +	')
> +
> +	manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> +	files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##      lldpd PID files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_manage_pid_files',`
> +	gen_require(`
> +		type lldpd_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> +	manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	an lldpd environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`lldp_admin',`
> +	gen_require(`
> +		type lldpd_t;
> +		type lldpd_etc_t;
> +		type lldpd_var_run_t;
> +	')
> +
> +	allow $1 lldpd_t:process { signal_perms };
> +	ps_process_pattern($1, lldpd_t)
> +
> +    tunable_policy(`allow_ptrace',`
> +        allow $1 lldpd_t:process ptrace;
> +    ')

allow_ptrace is not a global tunable and cannot be used here.  Also 
there are whitespace problems.

> +	files_search_etc($1)
> +	admin_pattern($1, lldpd_etc_t)
> +
> +	files_search_pids($1)
> +	admin_pattern($1, lldpd_var_run_t)
> +
> +	lldp_cli_run($1, $2)
> +')
> diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
> new file mode 100644
> index 000000000000..9a0f68dc4b7b
> --- /dev/null
> +++ b/policy/modules/services/lldpd.te
> @@ -0,0 +1,80 @@
> +policy_module(lldpd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type lldpd_t;
> +type lldpd_exec_t;
> +init_daemon_domain(lldpd_t, lldpd_exec_t)
> +
> +type lldp_cli_t;
> +type lldp_cli_exec_t;
> +init_system_domain(lldp_cli_t, lldp_cli_exec_t)
> +application_domain(lldp_cli_t, lldp_cli_exec_t)
> +
> +type lldpd_etc_t;

Please rename to lldpd_conf_t, as I'd like to try to get away from 
encoding paths into type names.

> +files_config_file(lldpd_etc_t)
> +
> +type lldpd_var_run_t;

Same thing here, lldpd_runtime_t.


> +files_pid_file(lldpd_var_run_t)
> +init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
> +typealias lldpd_var_run_t alias lldp_sock_t;

Not really a necessary alias.  I'd prefer to keep aliases for backwards 
compatibility situations.


> +
> +########################################
> +#
> +# lldpd local policy
> +#
> +allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
> +allow lldpd_t self:process { fork signal_perms };
> +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> +allow lldpd_t self:unix_stream_socket { accept listen };

These perms should probably be create_stream_socket_perms.


> +allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };

This is not necessary, as there is a sock_file rule below.


> +allow lldpd_t self:packet_socket create_socket_perms;
> +
> +lldp_cli_domtrans(lldpd_t)

The daemon runs the cli tool?



> +kernel_read_net_sysctls(lldpd_t)
> +
> +lldpd_read_conf_files(lldpd_t)
> +
> +lldpd_manage_pid_files(lldpd_t)

Since there are other rules that explicitly operate on lldpd_var_run_t, 
it would be clearer to do the same for files instead of calling its own 
interface.

> +manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> +manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> +files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
> +
> +domain_use_interactive_fds(lldpd_t)

This does not seem likely since it is a daemon, not an interactive process.


> +files_read_etc_files(lldpd_t)
> +
> +logging_send_syslog_msg(lldpd_t)
> +
> +miscfiles_read_localization(lldpd_t)
> +
> +sysnet_dns_name_resolve(lldpd_t)
> +
> +########################################
> +#
> +# lldp_cli local policy
> +#
> +allow lldp_cli_t self:capability dac_override;
> +allow lldp_cli_t self:unix_dgram_socket { connect create };
> +allow lldp_cli_t self:unix_stream_socket { connect create read write };
> +allow lldp_cli_t self:process signal;
> +
> +allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
> +allow lldp_cli_t lldpd_var_run_t:sock_file { read write };

Please use stream_connect_pattern()


> +
> +lldpd_read_conf_files(lldp_cli_t)
> +
> +logging_send_syslog_msg(lldp_cli_t)
> +
> +files_dontaudit_read_etc_files(lldp_cli_t)
> +
> +miscfiles_read_localization(lldp_cli_t)
> +
> +domain_use_interactive_fds(lldp_cli_t)

This line is in the wrong place.

> +userdom_use_user_ptys(lldp_cli_t)

> +init_dontaudit_use_script_ptys(lldp_cli_t)

This should not be necessary, as this is allowed via init_system_domain().



-- 
Chris PeBenito

  reply index

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-10 14:20 Alexander Miroshnichenko
2019-06-15 16:08 ` Chris PeBenito [this message]
2019-06-15 17:58   ` Dominick Grift
2019-06-15 19:24     ` Chris PeBenito
2019-06-15 19:43       ` Dominick Grift
2019-06-17 12:23   ` Alexander Miroshnichenko
2019-06-17 12:42   ` [PATCH v2] Add " Alexander Miroshnichenko
2019-06-24  1:15     ` Chris PeBenito

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=749388e0-6da1-4b06-c62c-35302a5aba78@ieee.org \
    --to=pebenito@ieee.org \
    --cc=alex@millerson.name \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox