SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] add lldpd policy
@ 2019-06-10 14:20 Alexander Miroshnichenko
  2019-06-15 16:08 ` Chris PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Alexander Miroshnichenko @ 2019-06-10 14:20 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Alexander Miroshnichenko

New policy for lldpd ( http://vincentbernat.github.io/lldpd ).

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
---
 policy/modules/roles/sysadm.te   |   4 +
 policy/modules/services/lldpd.fc |   9 ++
 policy/modules/services/lldpd.if | 206 +++++++++++++++++++++++++++++++
 policy/modules/services/lldpd.te |  80 ++++++++++++
 4 files changed, 299 insertions(+)
 create mode 100644 policy/modules/services/lldpd.fc
 create mode 100644 policy/modules/services/lldpd.if
 create mode 100644 policy/modules/services/lldpd.te

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8f891c83865f..ea4e06a29e30 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -595,6 +595,10 @@ optional_policy(`
 	lldpad_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+        lldp_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	lockdev_role(sysadm_r, sysadm_t)
 ')
diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
new file mode 100644
index 000000000000..997a80a3baf9
--- /dev/null
+++ b/policy/modules/services/lldpd.fc
@@ -0,0 +1,9 @@
+/etc/lldpd.conf		--	gen_context(system_u:object_r:lldpd_etc_t,s0)
+/etc/lldpd.d(/.*)?		gen_context(system_u:object_r:lldpd_etc_t,s0)
+
+/usr/sbin/lldpd		--	gen_context(system_u:object_r:lldpd_exec_t,s0)
+/usr/sbin/lldpcli         --      gen_context(system_u:object_r:lldp_cli_exec_t,s0)
+
+/run/lldpd		-d      gen_context(system_u:object_r:lldpd_var_run_t,s0)
+/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_var_run_t,s0)
+/run/lldpd.pid		--	gen_context(system_u:object_r:lldpd_var_run_t,s0)
diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
new file mode 100644
index 000000000000..f7030b1ead19
--- /dev/null
+++ b/policy/modules/services/lldpd.if
@@ -0,0 +1,206 @@
+
+## <summary>policy for lldpd</summary>
+
+########################################
+## <summary>
+##	Execute lldpd_exec_t in the lldpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldpd_domtrans',`
+	gen_require(`
+		type lldpd_t, lldpd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, lldpd_exec_t, lldpd_t)
+')
+
+########################################
+## <summary>
+##      Execute a domain transition to run lldpcli.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`lldp_cli_domtrans',`
+        gen_require(`
+                type lldp_cli_t, lldp_cli_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        can_exec($1, lldp_cli_exec_t)
+        domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
+')
+
+########################################
+## <summary>
+##      Execute lldpcli in the lldp_cli domain,
+##      and allow the specified role
+##      the lldp_cli domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+#
+interface(`lldp_cli_run',`
+        gen_require(`
+                type lldp_cli_t;
+        ')
+
+        lldp_cli_domtrans($1)
+        role $2 types lldp_cli_t;
+')
+
+######################################
+## <summary>
+##	Execute lldpd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_exec',`
+	gen_require(`
+		type lldpd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, lldpd_exec_t)
+')
+
+########################################
+## <summary>
+##	Search lldpd conf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_search_conf',`
+	gen_require(`
+		type lldpd_etc_t;
+	')
+
+	allow $1 lldpd_etc_t:dir search_dir_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Read lldpd conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_read_conf_files',`
+	gen_require(`
+		type lldpd_etc_t;
+	')
+
+	allow $1 lldpd_etc_t:dir list_dir_perms;
+	read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Manage lldpd conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_manage_conf_files',`
+	gen_require(`
+		type lldpd_etc_t;
+	')
+
+	manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##      lldpd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_manage_pid_files',`
+	gen_require(`
+		type lldpd_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
+	manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an lldpd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lldp_admin',`
+	gen_require(`
+		type lldpd_t;
+		type lldpd_etc_t;
+		type lldpd_var_run_t;
+	')
+
+	allow $1 lldpd_t:process { signal_perms };
+	ps_process_pattern($1, lldpd_t)
+
+    tunable_policy(`allow_ptrace',`
+        allow $1 lldpd_t:process ptrace;
+    ')
+
+	files_search_etc($1)
+	admin_pattern($1, lldpd_etc_t)
+
+	files_search_pids($1)
+	admin_pattern($1, lldpd_var_run_t)
+
+	lldp_cli_run($1, $2)
+')
diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
new file mode 100644
index 000000000000..9a0f68dc4b7b
--- /dev/null
+++ b/policy/modules/services/lldpd.te
@@ -0,0 +1,80 @@
+policy_module(lldpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lldpd_t;
+type lldpd_exec_t;
+init_daemon_domain(lldpd_t, lldpd_exec_t)
+
+type lldp_cli_t;
+type lldp_cli_exec_t;
+init_system_domain(lldp_cli_t, lldp_cli_exec_t)
+application_domain(lldp_cli_t, lldp_cli_exec_t)
+
+type lldpd_etc_t;
+files_config_file(lldpd_etc_t)
+
+type lldpd_var_run_t;
+files_pid_file(lldpd_var_run_t)
+init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
+typealias lldpd_var_run_t alias lldp_sock_t;
+
+########################################
+#
+# lldpd local policy
+#
+allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
+allow lldpd_t self:process { fork signal_perms };
+allow lldpd_t self:fifo_file rw_fifo_file_perms;
+allow lldpd_t self:unix_stream_socket { accept listen };
+allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };
+allow lldpd_t self:packet_socket create_socket_perms;
+
+lldp_cli_domtrans(lldpd_t)
+
+kernel_read_net_sysctls(lldpd_t)
+
+lldpd_read_conf_files(lldpd_t)
+
+lldpd_manage_pid_files(lldpd_t)
+manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
+manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
+files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
+
+domain_use_interactive_fds(lldpd_t)
+
+files_read_etc_files(lldpd_t)
+
+logging_send_syslog_msg(lldpd_t)
+
+miscfiles_read_localization(lldpd_t)
+
+sysnet_dns_name_resolve(lldpd_t)
+
+########################################
+#
+# lldp_cli local policy
+#
+allow lldp_cli_t self:capability dac_override;
+allow lldp_cli_t self:unix_dgram_socket { connect create };
+allow lldp_cli_t self:unix_stream_socket { connect create read write };
+allow lldp_cli_t self:process signal;
+
+allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
+allow lldp_cli_t lldpd_var_run_t:sock_file { read write };
+
+lldpd_read_conf_files(lldp_cli_t)
+
+logging_send_syslog_msg(lldp_cli_t)
+
+files_dontaudit_read_etc_files(lldp_cli_t)
+
+miscfiles_read_localization(lldp_cli_t)
+
+domain_use_interactive_fds(lldp_cli_t)
+userdom_use_user_ptys(lldp_cli_t)
+
+init_dontaudit_use_script_ptys(lldp_cli_t)
-- 
2.21.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] add lldpd policy
  2019-06-10 14:20 [PATCH] add lldpd policy Alexander Miroshnichenko
@ 2019-06-15 16:08 ` Chris PeBenito
  2019-06-15 17:58   ` Dominick Grift
                     ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Chris PeBenito @ 2019-06-15 16:08 UTC (permalink / raw)
  To: Alexander Miroshnichenko, selinux-refpolicy

On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:
> New policy for lldpd ( http://vincentbernat.github.io/lldpd ).
> 
> Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
> ---
>   policy/modules/roles/sysadm.te   |   4 +
>   policy/modules/services/lldpd.fc |   9 ++
>   policy/modules/services/lldpd.if | 206 +++++++++++++++++++++++++++++++
>   policy/modules/services/lldpd.te |  80 ++++++++++++
>   4 files changed, 299 insertions(+)
>   create mode 100644 policy/modules/services/lldpd.fc
>   create mode 100644 policy/modules/services/lldpd.if
>   create mode 100644 policy/modules/services/lldpd.te
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8f891c83865f..ea4e06a29e30 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -595,6 +595,10 @@ optional_policy(`
>   	lldpad_admin(sysadm_t, sysadm_r)
>   ')
>   
> +optional_policy(`
> +        lldp_admin(sysadm_t, sysadm_r)

A whitespace problem here (spaces instead of tab).

> +')
> +
>   optional_policy(`
>   	lockdev_role(sysadm_r, sysadm_t)
>   ')
> diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
> new file mode 100644
> index 000000000000..997a80a3baf9
> --- /dev/null
> +++ b/policy/modules/services/lldpd.fc
> @@ -0,0 +1,9 @@
> +/etc/lldpd.conf		--	gen_context(system_u:object_r:lldpd_etc_t,s0)
> +/etc/lldpd.d(/.*)?		gen_context(system_u:object_r:lldpd_etc_t,s0)
> +
> +/usr/sbin/lldpd		--	gen_context(system_u:object_r:lldpd_exec_t,s0)
> +/usr/sbin/lldpcli         --      gen_context(system_u:object_r:lldp_cli_exec_t,s0)
> +
> +/run/lldpd		-d      gen_context(system_u:object_r:lldpd_var_run_t,s0)
> +/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_var_run_t,s0)
> +/run/lldpd.pid		--	gen_context(system_u:object_r:lldpd_var_run_t,s0)
> diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
> new file mode 100644
> index 000000000000..f7030b1ead19
> --- /dev/null
> +++ b/policy/modules/services/lldpd.if
> @@ -0,0 +1,206 @@
> +
> +## <summary>policy for lldpd</summary>
> +
> +########################################
> +## <summary>
> +##	Execute lldpd_exec_t in the lldpd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`lldpd_domtrans',`
> +	gen_require(`
> +		type lldpd_t, lldpd_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, lldpd_exec_t, lldpd_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Execute a domain transition to run lldpcli.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +#
> +interface(`lldp_cli_domtrans',`

Interface name should be lldp_domtrans_cli

> +        gen_require(`
> +                type lldp_cli_t, lldp_cli_exec_t;
> +        ')
> +
> +        corecmd_search_bin($1)
> +        can_exec($1, lldp_cli_exec_t)

This can_exec should not be in a domtrans interface, as it provides 
execute_no_trans, which isn't necessary for domtrans.

> +        domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Execute lldpcli in the lldp_cli domain,
> +##      and allow the specified role
> +##      the lldp_cli domain.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +## <param name="role">
> +##      <summary>
> +##      Role allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`lldp_cli_run',`

lldp_run_cli

> +        gen_require(`
> +                type lldp_cli_t;
> +        ')
> +
> +        lldp_cli_domtrans($1)
> +        role $2 types lldp_cli_t;
> +')
> +
> +######################################
> +## <summary>
> +##	Execute lldpd in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_exec',`
> +	gen_require(`
> +		type lldpd_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, lldpd_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Search lldpd conf directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_search_conf',`
> +	gen_require(`
> +		type lldpd_etc_t;
> +	')
> +
> +	allow $1 lldpd_etc_t:dir search_dir_perms;
> +	files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Read lldpd conf files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_read_conf_files',`
> +	gen_require(`
> +		type lldpd_etc_t;
> +	')
> +
> +	allow $1 lldpd_etc_t:dir list_dir_perms;
> +	read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> +	files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage lldpd conf files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_manage_conf_files',`
> +	gen_require(`
> +		type lldpd_etc_t;
> +	')
> +
> +	manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> +	files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##      lldpd PID files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`lldpd_manage_pid_files',`
> +	gen_require(`
> +		type lldpd_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> +	manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	an lldpd environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`lldp_admin',`
> +	gen_require(`
> +		type lldpd_t;
> +		type lldpd_etc_t;
> +		type lldpd_var_run_t;
> +	')
> +
> +	allow $1 lldpd_t:process { signal_perms };
> +	ps_process_pattern($1, lldpd_t)
> +
> +    tunable_policy(`allow_ptrace',`
> +        allow $1 lldpd_t:process ptrace;
> +    ')

allow_ptrace is not a global tunable and cannot be used here.  Also 
there are whitespace problems.

> +	files_search_etc($1)
> +	admin_pattern($1, lldpd_etc_t)
> +
> +	files_search_pids($1)
> +	admin_pattern($1, lldpd_var_run_t)
> +
> +	lldp_cli_run($1, $2)
> +')
> diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
> new file mode 100644
> index 000000000000..9a0f68dc4b7b
> --- /dev/null
> +++ b/policy/modules/services/lldpd.te
> @@ -0,0 +1,80 @@
> +policy_module(lldpd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type lldpd_t;
> +type lldpd_exec_t;
> +init_daemon_domain(lldpd_t, lldpd_exec_t)
> +
> +type lldp_cli_t;
> +type lldp_cli_exec_t;
> +init_system_domain(lldp_cli_t, lldp_cli_exec_t)
> +application_domain(lldp_cli_t, lldp_cli_exec_t)
> +
> +type lldpd_etc_t;

Please rename to lldpd_conf_t, as I'd like to try to get away from 
encoding paths into type names.

> +files_config_file(lldpd_etc_t)
> +
> +type lldpd_var_run_t;

Same thing here, lldpd_runtime_t.


> +files_pid_file(lldpd_var_run_t)
> +init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
> +typealias lldpd_var_run_t alias lldp_sock_t;

Not really a necessary alias.  I'd prefer to keep aliases for backwards 
compatibility situations.


> +
> +########################################
> +#
> +# lldpd local policy
> +#
> +allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
> +allow lldpd_t self:process { fork signal_perms };
> +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> +allow lldpd_t self:unix_stream_socket { accept listen };

These perms should probably be create_stream_socket_perms.


> +allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };

This is not necessary, as there is a sock_file rule below.


> +allow lldpd_t self:packet_socket create_socket_perms;
> +
> +lldp_cli_domtrans(lldpd_t)

The daemon runs the cli tool?



> +kernel_read_net_sysctls(lldpd_t)
> +
> +lldpd_read_conf_files(lldpd_t)
> +
> +lldpd_manage_pid_files(lldpd_t)

Since there are other rules that explicitly operate on lldpd_var_run_t, 
it would be clearer to do the same for files instead of calling its own 
interface.

> +manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> +manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> +files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
> +
> +domain_use_interactive_fds(lldpd_t)

This does not seem likely since it is a daemon, not an interactive process.


> +files_read_etc_files(lldpd_t)
> +
> +logging_send_syslog_msg(lldpd_t)
> +
> +miscfiles_read_localization(lldpd_t)
> +
> +sysnet_dns_name_resolve(lldpd_t)
> +
> +########################################
> +#
> +# lldp_cli local policy
> +#
> +allow lldp_cli_t self:capability dac_override;
> +allow lldp_cli_t self:unix_dgram_socket { connect create };
> +allow lldp_cli_t self:unix_stream_socket { connect create read write };
> +allow lldp_cli_t self:process signal;
> +
> +allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
> +allow lldp_cli_t lldpd_var_run_t:sock_file { read write };

Please use stream_connect_pattern()


> +
> +lldpd_read_conf_files(lldp_cli_t)
> +
> +logging_send_syslog_msg(lldp_cli_t)
> +
> +files_dontaudit_read_etc_files(lldp_cli_t)
> +
> +miscfiles_read_localization(lldp_cli_t)
> +
> +domain_use_interactive_fds(lldp_cli_t)

This line is in the wrong place.

> +userdom_use_user_ptys(lldp_cli_t)

> +init_dontaudit_use_script_ptys(lldp_cli_t)

This should not be necessary, as this is allowed via init_system_domain().



-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] add lldpd policy
  2019-06-15 16:08 ` Chris PeBenito
@ 2019-06-15 17:58   ` Dominick Grift
  2019-06-15 19:24     ` Chris PeBenito
  2019-06-17 12:23   ` Alexander Miroshnichenko
  2019-06-17 12:42   ` [PATCH v2] Add " Alexander Miroshnichenko
  2 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2019-06-15 17:58 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: Alexander Miroshnichenko, selinux-refpolicy

[-- Attachment #1: Type: text/plain, Size: 11929 bytes --]

On Sat, Jun 15, 2019 at 12:08:16PM -0400, Chris PeBenito wrote:
> On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:
> > New policy for lldpd ( http://vincentbernat.github.io/lldpd ).
> > 
> > Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
> > ---
> >   policy/modules/roles/sysadm.te   |   4 +
> >   policy/modules/services/lldpd.fc |   9 ++
> >   policy/modules/services/lldpd.if | 206 +++++++++++++++++++++++++++++++
> >   policy/modules/services/lldpd.te |  80 ++++++++++++
> >   4 files changed, 299 insertions(+)
> >   create mode 100644 policy/modules/services/lldpd.fc
> >   create mode 100644 policy/modules/services/lldpd.if
> >   create mode 100644 policy/modules/services/lldpd.te
> > 
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index 8f891c83865f..ea4e06a29e30 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -595,6 +595,10 @@ optional_policy(`
> >   	lldpad_admin(sysadm_t, sysadm_r)
> >   ')
> > +optional_policy(`
> > +        lldp_admin(sysadm_t, sysadm_r)
> 
> A whitespace problem here (spaces instead of tab).
> 
> > +')
> > +
> >   optional_policy(`
> >   	lockdev_role(sysadm_r, sysadm_t)
> >   ')
> > diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
> > new file mode 100644
> > index 000000000000..997a80a3baf9
> > --- /dev/null
> > +++ b/policy/modules/services/lldpd.fc
> > @@ -0,0 +1,9 @@
> > +/etc/lldpd.conf		--	gen_context(system_u:object_r:lldpd_etc_t,s0)
> > +/etc/lldpd.d(/.*)?		gen_context(system_u:object_r:lldpd_etc_t,s0)
> > +
> > +/usr/sbin/lldpd		--	gen_context(system_u:object_r:lldpd_exec_t,s0)
> > +/usr/sbin/lldpcli         --      gen_context(system_u:object_r:lldp_cli_exec_t,s0)
> > +
> > +/run/lldpd		-d      gen_context(system_u:object_r:lldpd_var_run_t,s0)
> > +/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_var_run_t,s0)
> > +/run/lldpd.pid		--	gen_context(system_u:object_r:lldpd_var_run_t,s0)
> > diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
> > new file mode 100644
> > index 000000000000..f7030b1ead19
> > --- /dev/null
> > +++ b/policy/modules/services/lldpd.if
> > @@ -0,0 +1,206 @@
> > +
> > +## <summary>policy for lldpd</summary>
> > +
> > +########################################
> > +## <summary>
> > +##	Execute lldpd_exec_t in the lldpd domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +##	Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldpd_domtrans',`
> > +	gen_require(`
> > +		type lldpd_t, lldpd_exec_t;
> > +	')
> > +
> > +	corecmd_search_bin($1)
> > +	domtrans_pattern($1, lldpd_exec_t, lldpd_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##      Execute a domain transition to run lldpcli.
> > +## </summary>
> > +## <param name="domain">
> > +##      <summary>
> > +##      Domain allowed to transition.
> > +##      </summary>
> > +## </param>
> > +#
> > +interface(`lldp_cli_domtrans',`
> 
> Interface name should be lldp_domtrans_cli
> 
> > +        gen_require(`
> > +                type lldp_cli_t, lldp_cli_exec_t;
> > +        ')
> > +
> > +        corecmd_search_bin($1)
> > +        can_exec($1, lldp_cli_exec_t)
> 
> This can_exec should not be in a domtrans interface, as it provides
> execute_no_trans, which isn't necessary for domtrans.
> 
> > +        domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##      Execute lldpcli in the lldp_cli domain,
> > +##      and allow the specified role
> > +##      the lldp_cli domain.
> > +## </summary>
> > +## <param name="domain">
> > +##      <summary>
> > +##      Domain allowed to transition.
> > +##      </summary>
> > +## </param>
> > +## <param name="role">
> > +##      <summary>
> > +##      Role allowed access.
> > +##      </summary>
> > +## </param>
> > +#
> > +interface(`lldp_cli_run',`
> 
> lldp_run_cli
> 
> > +        gen_require(`
> > +                type lldp_cli_t;
> > +        ')
> > +
> > +        lldp_cli_domtrans($1)
> > +        role $2 types lldp_cli_t;
> > +')
> > +
> > +######################################
> > +## <summary>
> > +##	Execute lldpd in the caller domain.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`lldpd_exec',`
> > +	gen_require(`
> > +		type lldpd_exec_t;
> > +	')
> > +
> > +	corecmd_search_bin($1)
> > +	can_exec($1, lldpd_exec_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Search lldpd conf directories.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`lldpd_search_conf',`
> > +	gen_require(`
> > +		type lldpd_etc_t;
> > +	')
> > +
> > +	allow $1 lldpd_etc_t:dir search_dir_perms;
> > +	files_search_etc($1)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Read lldpd conf files.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`lldpd_read_conf_files',`
> > +	gen_require(`
> > +		type lldpd_etc_t;
> > +	')
> > +
> > +	allow $1 lldpd_etc_t:dir list_dir_perms;
> > +	read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> > +	files_search_etc($1)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Manage lldpd conf files.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`lldpd_manage_conf_files',`
> > +	gen_require(`
> > +		type lldpd_etc_t;
> > +	')
> > +
> > +	manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> > +	files_search_etc($1)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Create, read, write, and delete
> > +##      lldpd PID files.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`lldpd_manage_pid_files',`
> > +	gen_require(`
> > +		type lldpd_var_run_t;
> > +	')
> > +
> > +	files_search_pids($1)
> > +	manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> > +	manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> > +')
> > +
> > +
> > +########################################
> > +## <summary>
> > +##	All of the rules required to administrate
> > +##	an lldpd environment
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +## <param name="role">
> > +##	<summary>
> > +##	Role allowed access.
> > +##	</summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`lldp_admin',`
> > +	gen_require(`
> > +		type lldpd_t;
> > +		type lldpd_etc_t;
> > +		type lldpd_var_run_t;
> > +	')
> > +
> > +	allow $1 lldpd_t:process { signal_perms };
> > +	ps_process_pattern($1, lldpd_t)
> > +
> > +    tunable_policy(`allow_ptrace',`
> > +        allow $1 lldpd_t:process ptrace;
> > +    ')
> 
> allow_ptrace is not a global tunable and cannot be used here.  Also there
> are whitespace problems.
> 
> > +	files_search_etc($1)
> > +	admin_pattern($1, lldpd_etc_t)
> > +
> > +	files_search_pids($1)
> > +	admin_pattern($1, lldpd_var_run_t)
> > +
> > +	lldp_cli_run($1, $2)
> > +')
> > diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
> > new file mode 100644
> > index 000000000000..9a0f68dc4b7b
> > --- /dev/null
> > +++ b/policy/modules/services/lldpd.te
> > @@ -0,0 +1,80 @@
> > +policy_module(lldpd, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +type lldpd_t;
> > +type lldpd_exec_t;
> > +init_daemon_domain(lldpd_t, lldpd_exec_t)
> > +
> > +type lldp_cli_t;
> > +type lldp_cli_exec_t;
> > +init_system_domain(lldp_cli_t, lldp_cli_exec_t)
> > +application_domain(lldp_cli_t, lldp_cli_exec_t)
> > +
> > +type lldpd_etc_t;
> 
> Please rename to lldpd_conf_t, as I'd like to try to get away from encoding
> paths into type names.
> 
> > +files_config_file(lldpd_etc_t)
> > +
> > +type lldpd_var_run_t;
> 
> Same thing here, lldpd_runtime_t.
> 
> 
> > +files_pid_file(lldpd_var_run_t)
> > +init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
> > +typealias lldpd_var_run_t alias lldp_sock_t;
> 
> Not really a necessary alias.  I'd prefer to keep aliases for backwards
> compatibility situations.
> 
> 
> > +
> > +########################################
> > +#
> > +# lldpd local policy
> > +#
> > +allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
> > +allow lldpd_t self:process { fork signal_perms };
> > +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> > +allow lldpd_t self:unix_stream_socket { accept listen };
> 
> These perms should probably be create_stream_socket_perms.

the other permissions are already provided with logging_send_syslog_msg() so would be reduntant

> 
> 
> > +allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };
> 
> This is not necessary, as there is a sock_file rule below.
> 
> 
> > +allow lldpd_t self:packet_socket create_socket_perms;
> > +
> > +lldp_cli_domtrans(lldpd_t)
> 
> The daemon runs the cli tool?
> 
> 
> 
> > +kernel_read_net_sysctls(lldpd_t)
> > +
> > +lldpd_read_conf_files(lldpd_t)
> > +
> > +lldpd_manage_pid_files(lldpd_t)
> 
> Since there are other rules that explicitly operate on lldpd_var_run_t, it
> would be clearer to do the same for files instead of calling its own
> interface.
> 
> > +manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> > +manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> > +files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
> > +
> > +domain_use_interactive_fds(lldpd_t)
> 
> This does not seem likely since it is a daemon, not an interactive process.
> 
> 
> > +files_read_etc_files(lldpd_t)
> > +
> > +logging_send_syslog_msg(lldpd_t)
> > +
> > +miscfiles_read_localization(lldpd_t)
> > +
> > +sysnet_dns_name_resolve(lldpd_t)
> > +
> > +########################################
> > +#
> > +# lldp_cli local policy
> > +#
> > +allow lldp_cli_t self:capability dac_override;
> > +allow lldp_cli_t self:unix_dgram_socket { connect create };
> > +allow lldp_cli_t self:unix_stream_socket { connect create read write };
> > +allow lldp_cli_t self:process signal;
> > +
> > +allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
> > +allow lldp_cli_t lldpd_var_run_t:sock_file { read write };
> 
> Please use stream_connect_pattern()
> 
> 
> > +
> > +lldpd_read_conf_files(lldp_cli_t)
> > +
> > +logging_send_syslog_msg(lldp_cli_t)
> > +
> > +files_dontaudit_read_etc_files(lldp_cli_t)
> > +
> > +miscfiles_read_localization(lldp_cli_t)
> > +
> > +domain_use_interactive_fds(lldp_cli_t)
> 
> This line is in the wrong place.
> 
> > +userdom_use_user_ptys(lldp_cli_t)
> 
> > +init_dontaudit_use_script_ptys(lldp_cli_t)
> 
> This should not be necessary, as this is allowed via init_system_domain().
> 
> 
> 
> -- 
> Chris PeBenito

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] add lldpd policy
  2019-06-15 17:58   ` Dominick Grift
@ 2019-06-15 19:24     ` Chris PeBenito
  2019-06-15 19:43       ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2019-06-15 19:24 UTC (permalink / raw)
  To: Alexander Miroshnichenko, selinux-refpolicy

On 6/15/19 1:58 PM, Dominick Grift wrote:
> On Sat, Jun 15, 2019 at 12:08:16PM -0400, Chris PeBenito wrote:
>> On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:

>>> +allow lldpd_t self:process { fork signal_perms };
>>> +allow lldpd_t self:fifo_file rw_fifo_file_perms;
>>> +allow lldpd_t self:unix_stream_socket { accept listen };
>>
>> These perms should probably be create_stream_socket_perms.
> 
> the other permissions are already provided with logging_send_syslog_msg() so would be reduntant

This is true.  However,the syslog socket is not the only socket in use. 
Since it also listens on its own stream socket, the 
create_stream_socket_perms more clearly shows the intent.


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] add lldpd policy
  2019-06-15 19:24     ` Chris PeBenito
@ 2019-06-15 19:43       ` Dominick Grift
  0 siblings, 0 replies; 8+ messages in thread
From: Dominick Grift @ 2019-06-15 19:43 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: Alexander Miroshnichenko, selinux-refpolicy

[-- Attachment #1: Type: text/plain, Size: 1148 bytes --]

On Sat, Jun 15, 2019 at 03:24:03PM -0400, Chris PeBenito wrote:
> On 6/15/19 1:58 PM, Dominick Grift wrote:
> > On Sat, Jun 15, 2019 at 12:08:16PM -0400, Chris PeBenito wrote:
> > > On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:
> 
> > > > +allow lldpd_t self:process { fork signal_perms };
> > > > +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> > > > +allow lldpd_t self:unix_stream_socket { accept listen };
> > > 
> > > These perms should probably be create_stream_socket_perms.
> > 
> > the other permissions are already provided with logging_send_syslog_msg() so would be reduntant
> 
> This is true.  However,the syslog socket is not the only socket in use.
> Since it also listens on its own stream socket, the
> create_stream_socket_perms more clearly shows the intent.

The compiler will remove the duplicate rules, and yes the intent is more clear.
It just feels strange writing and reading duplicate policy.

> 
> 
> -- 
> Chris PeBenito

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] add lldpd policy
  2019-06-15 16:08 ` Chris PeBenito
  2019-06-15 17:58   ` Dominick Grift
@ 2019-06-17 12:23   ` Alexander Miroshnichenko
  2019-06-17 12:42   ` [PATCH v2] Add " Alexander Miroshnichenko
  2 siblings, 0 replies; 8+ messages in thread
From: Alexander Miroshnichenko @ 2019-06-17 12:23 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

>> +lldp_cli_domtrans(lldpd_t)
>
> The daemon runs the cli tool?

Yes.

>> +init_dontaudit_use_script_ptys(lldp_cli_t)
>
> This should not be necessary, as this is allowed via init_system_domain().

Without this rule I have such denies:
type=AVC msg=audit(1560772835.304:520336): avc:  denied  { read write } for 
 pid=20384 comm="lldpcli" path="/dev/pts/2" dev="devpts" ino=5 
scontext=system_u:system_r:lldp_cli_t:s0 
tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1560773162.058:520386): avc:  denied  { read write } for 
 pid=20583 comm="lldpcli" path="/dev/pts/2" dev="devpts" ino=5 
scontext=system_u:system_r:lldp_cli_t:s0 
tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file permissive=0
It can be safely omitted.

--
Alexander Miroshnichenko

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v2] Add lldpd policy
  2019-06-15 16:08 ` Chris PeBenito
  2019-06-15 17:58   ` Dominick Grift
  2019-06-17 12:23   ` Alexander Miroshnichenko
@ 2019-06-17 12:42   ` " Alexander Miroshnichenko
  2019-06-24  1:15     ` Chris PeBenito
  2 siblings, 1 reply; 8+ messages in thread
From: Alexander Miroshnichenko @ 2019-06-17 12:42 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: pebenito, Alexander Miroshnichenko

New policy for lldpd ( http://vincentbernat.github.io/lldpd ).

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
---
 policy/modules/roles/sysadm.te   |  4 ++
 policy/modules/services/lldpd.fc |  9 ++++
 policy/modules/services/lldpd.if | 83 ++++++++++++++++++++++++++++++++
 policy/modules/services/lldpd.te | 79 ++++++++++++++++++++++++++++++
 4 files changed, 175 insertions(+)
 create mode 100644 policy/modules/services/lldpd.fc
 create mode 100644 policy/modules/services/lldpd.if
 create mode 100644 policy/modules/services/lldpd.te

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8f891c83865f..9a104fe8eb83 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -595,6 +595,10 @@ optional_policy(`
 	lldpad_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	lldp_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	lockdev_role(sysadm_r, sysadm_t)
 ')
diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
new file mode 100644
index 000000000000..19b66603add3
--- /dev/null
+++ b/policy/modules/services/lldpd.fc
@@ -0,0 +1,9 @@
+/etc/lldpd.conf		--	gen_context(system_u:object_r:lldpd_conf_t,s0)
+/etc/lldpd.d(/.*)?		gen_context(system_u:object_r:lldpd_conf_t,s0)
+
+/usr/sbin/lldpd		--	gen_context(system_u:object_r:lldpd_exec_t,s0)
+/usr/sbin/lldpcli         --      gen_context(system_u:object_r:lldp_cli_exec_t,s0)
+
+/run/lldpd		-d      gen_context(system_u:object_r:lldpd_runtime_t,s0)
+/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_runtime_t,s0)
+/run/lldpd.pid		--	gen_context(system_u:object_r:lldpd_runtime_t,s0)
diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
new file mode 100644
index 000000000000..8859f8743ecf
--- /dev/null
+++ b/policy/modules/services/lldpd.if
@@ -0,0 +1,83 @@
+
+## <summary>policy for lldpd</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run lldpcli.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`lldp_domtrans_cli',`
+        gen_require(`
+                type lldp_cli_t, lldp_cli_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
+')
+
+########################################
+## <summary>
+##      Execute lldpcli in the lldp_cli domain,
+##      and allow the specified role
+##      the lldp_cli domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+#
+interface(`lldp_cli_run',`
+        gen_require(`
+                type lldp_cli_t;
+        ')
+
+        lldp_domtrans_cli($1)
+        role $2 types lldp_cli_t;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an lldpd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lldp_admin',`
+	gen_require(`
+		type lldpd_t;
+		type lldpd_conf_t;
+		type lldpd_runtime_t;
+	')
+
+	allow $1 lldpd_t:process { signal_perms };
+	ps_process_pattern($1, lldpd_t)
+
+	files_search_etc($1)
+	admin_pattern($1, lldpd_conf_t)
+
+	files_search_pids($1)
+	admin_pattern($1, lldpd_runtime_t)
+
+	lldp_cli_run($1, $2)
+')
diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
new file mode 100644
index 000000000000..457243b0112e
--- /dev/null
+++ b/policy/modules/services/lldpd.te
@@ -0,0 +1,79 @@
+policy_module(lldpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lldpd_t;
+type lldpd_exec_t;
+init_daemon_domain(lldpd_t, lldpd_exec_t)
+
+type lldp_cli_t;
+type lldp_cli_exec_t;
+init_system_domain(lldp_cli_t, lldp_cli_exec_t)
+application_domain(lldp_cli_t, lldp_cli_exec_t)
+
+type lldpd_conf_t;
+files_config_file(lldpd_conf_t)
+
+type lldpd_runtime_t;
+files_pid_file(lldpd_runtime_t)
+init_daemon_pid_file(lldpd_runtime_t, dir, "lldpd")
+
+########################################
+#
+# lldpd local policy
+#
+allow lldpd_t self:capability { chown dac_read_search dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
+allow lldpd_t self:process { fork signal_perms };
+allow lldpd_t self:fifo_file rw_fifo_file_perms;
+allow lldpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lldpd_t self:packet_socket create_socket_perms;
+
+lldp_domtrans_cli(lldpd_t)
+
+kernel_read_net_sysctls(lldpd_t)
+
+list_dirs_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
+read_files_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
+
+manage_dirs_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_sock_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_lnk_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+files_pid_filetrans(lldpd_t, lldpd_runtime_t, {file dir sock_file})
+
+files_read_etc_files(lldpd_t)
+
+logging_send_syslog_msg(lldpd_t)
+
+miscfiles_read_localization(lldpd_t)
+
+sysnet_dns_name_resolve(lldpd_t)
+
+########################################
+#
+# lldp_cli local policy
+#
+allow lldp_cli_t self:capability dac_override;
+allow lldp_cli_t self:unix_dgram_socket { connect create };
+allow lldp_cli_t self:unix_stream_socket { connect create read write };
+allow lldp_cli_t self:process signal;
+
+allow lldp_cli_t lldpd_runtime_t:sock_file read_sock_file_perms;
+stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t)
+
+domain_use_interactive_fds(lldp_cli_t)
+
+files_search_etc(lldp_cli_t)
+list_dirs_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
+read_files_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
+
+logging_send_syslog_msg(lldp_cli_t)
+
+files_dontaudit_read_etc_files(lldp_cli_t)
+
+miscfiles_read_localization(lldp_cli_t)
+
+userdom_use_user_ptys(lldp_cli_t)
-- 
2.21.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] Add lldpd policy
  2019-06-17 12:42   ` [PATCH v2] Add " Alexander Miroshnichenko
@ 2019-06-24  1:15     ` Chris PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Chris PeBenito @ 2019-06-24  1:15 UTC (permalink / raw)
  To: Alexander Miroshnichenko, selinux-refpolicy; +Cc: dac.override

On 6/17/19 8:42 AM, Alexander Miroshnichenko wrote:
> New policy for lldpd ( http://vincentbernat.github.io/lldpd ).

I was about to merge this, when I realized there's the Intel LLDP module 
(lldpad) already in refpolicy.  This has the CLI tool, but otherwise 
they are very similar.  Did you consider merging this into that module?


> Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
> ---
>   policy/modules/roles/sysadm.te   |  4 ++
>   policy/modules/services/lldpd.fc |  9 ++++
>   policy/modules/services/lldpd.if | 83 ++++++++++++++++++++++++++++++++
>   policy/modules/services/lldpd.te | 79 ++++++++++++++++++++++++++++++
>   4 files changed, 175 insertions(+)
>   create mode 100644 policy/modules/services/lldpd.fc
>   create mode 100644 policy/modules/services/lldpd.if
>   create mode 100644 policy/modules/services/lldpd.te
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8f891c83865f..9a104fe8eb83 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -595,6 +595,10 @@ optional_policy(`
>   	lldpad_admin(sysadm_t, sysadm_r)
>   ')
>   
> +optional_policy(`
> +	lldp_admin(sysadm_t, sysadm_r)
> +')
> +
>   optional_policy(`
>   	lockdev_role(sysadm_r, sysadm_t)
>   ')
> diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
> new file mode 100644
> index 000000000000..19b66603add3
> --- /dev/null
> +++ b/policy/modules/services/lldpd.fc
> @@ -0,0 +1,9 @@
> +/etc/lldpd.conf		--	gen_context(system_u:object_r:lldpd_conf_t,s0)
> +/etc/lldpd.d(/.*)?		gen_context(system_u:object_r:lldpd_conf_t,s0)
> +
> +/usr/sbin/lldpd		--	gen_context(system_u:object_r:lldpd_exec_t,s0)
> +/usr/sbin/lldpcli         --      gen_context(system_u:object_r:lldp_cli_exec_t,s0)
> +
> +/run/lldpd		-d      gen_context(system_u:object_r:lldpd_runtime_t,s0)
> +/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_runtime_t,s0)
> +/run/lldpd.pid		--	gen_context(system_u:object_r:lldpd_runtime_t,s0)
> diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
> new file mode 100644
> index 000000000000..8859f8743ecf
> --- /dev/null
> +++ b/policy/modules/services/lldpd.if
> @@ -0,0 +1,83 @@
> +
> +## <summary>policy for lldpd</summary>
> +
> +########################################
> +## <summary>
> +##      Execute a domain transition to run lldpcli.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +#
> +interface(`lldp_domtrans_cli',`
> +        gen_require(`
> +                type lldp_cli_t, lldp_cli_exec_t;
> +        ')
> +
> +        corecmd_search_bin($1)
> +        domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Execute lldpcli in the lldp_cli domain,
> +##      and allow the specified role
> +##      the lldp_cli domain.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +## <param name="role">
> +##      <summary>
> +##      Role allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`lldp_cli_run',`
> +        gen_require(`
> +                type lldp_cli_t;
> +        ')
> +
> +        lldp_domtrans_cli($1)
> +        role $2 types lldp_cli_t;
> +')
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	an lldpd environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`lldp_admin',`
> +	gen_require(`
> +		type lldpd_t;
> +		type lldpd_conf_t;
> +		type lldpd_runtime_t;
> +	')
> +
> +	allow $1 lldpd_t:process { signal_perms };
> +	ps_process_pattern($1, lldpd_t)
> +
> +	files_search_etc($1)
> +	admin_pattern($1, lldpd_conf_t)
> +
> +	files_search_pids($1)
> +	admin_pattern($1, lldpd_runtime_t)
> +
> +	lldp_cli_run($1, $2)
> +')
> diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
> new file mode 100644
> index 000000000000..457243b0112e
> --- /dev/null
> +++ b/policy/modules/services/lldpd.te
> @@ -0,0 +1,79 @@
> +policy_module(lldpd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type lldpd_t;
> +type lldpd_exec_t;
> +init_daemon_domain(lldpd_t, lldpd_exec_t)
> +
> +type lldp_cli_t;
> +type lldp_cli_exec_t;
> +init_system_domain(lldp_cli_t, lldp_cli_exec_t)
> +application_domain(lldp_cli_t, lldp_cli_exec_t)
> +
> +type lldpd_conf_t;
> +files_config_file(lldpd_conf_t)
> +
> +type lldpd_runtime_t;
> +files_pid_file(lldpd_runtime_t)
> +init_daemon_pid_file(lldpd_runtime_t, dir, "lldpd")
> +
> +########################################
> +#
> +# lldpd local policy
> +#
> +allow lldpd_t self:capability { chown dac_read_search dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
> +allow lldpd_t self:process { fork signal_perms };
> +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> +allow lldpd_t self:unix_stream_socket create_stream_socket_perms;
> +allow lldpd_t self:packet_socket create_socket_perms;
> +
> +lldp_domtrans_cli(lldpd_t)
> +
> +kernel_read_net_sysctls(lldpd_t)
> +
> +list_dirs_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
> +read_files_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
> +
> +manage_dirs_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
> +manage_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
> +manage_sock_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
> +manage_lnk_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
> +files_pid_filetrans(lldpd_t, lldpd_runtime_t, {file dir sock_file})
> +
> +files_read_etc_files(lldpd_t)
> +
> +logging_send_syslog_msg(lldpd_t)
> +
> +miscfiles_read_localization(lldpd_t)
> +
> +sysnet_dns_name_resolve(lldpd_t)
> +
> +########################################
> +#
> +# lldp_cli local policy
> +#
> +allow lldp_cli_t self:capability dac_override;
> +allow lldp_cli_t self:unix_dgram_socket { connect create };
> +allow lldp_cli_t self:unix_stream_socket { connect create read write };
> +allow lldp_cli_t self:process signal;
> +
> +allow lldp_cli_t lldpd_runtime_t:sock_file read_sock_file_perms;
> +stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t)
> +
> +domain_use_interactive_fds(lldp_cli_t)
> +
> +files_search_etc(lldp_cli_t)
> +list_dirs_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
> +read_files_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
> +
> +logging_send_syslog_msg(lldp_cli_t)
> +
> +files_dontaudit_read_etc_files(lldp_cli_t)
> +
> +miscfiles_read_localization(lldp_cli_t)
> +
> +userdom_use_user_ptys(lldp_cli_t)
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, back to index

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-10 14:20 [PATCH] add lldpd policy Alexander Miroshnichenko
2019-06-15 16:08 ` Chris PeBenito
2019-06-15 17:58   ` Dominick Grift
2019-06-15 19:24     ` Chris PeBenito
2019-06-15 19:43       ` Dominick Grift
2019-06-17 12:23   ` Alexander Miroshnichenko
2019-06-17 12:42   ` [PATCH v2] Add " Alexander Miroshnichenko
2019-06-24  1:15     ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox