Subject: Re: [PATCH v4] Add knot module
From: Chris PeBenito
To: Alexander Miroshnichenko, selinux-refpolicy@vger.kernel.org
Cc: dac.override@gmail.com
Date: Sat, 13 Jul 2019 14:08:41 -0400
In-Reply-To: <20190710125401.17541-1-alex@millerson.name>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 7/10/19 8:54 AM, Alexander Miroshnichenko wrote:
> Add a SELinux Reference Policy module for the
> Knot authoritative-only DNS server.
> > Signed-off-by: Alexander Miroshnichenko > --- > policy/modules/roles/sysadm.te | 5 ++ > policy/modules/services/knot.fc | 11 +++ > policy/modules/services/knot.if | 108 ++++++++++++++++++++++++++++ > policy/modules/services/knot.te | 121 ++++++++++++++++++++++++++++++++ > policy/modules/system/init.te | 4 ++ > 5 files changed, 249 insertions(+) > create mode 100644 policy/modules/services/knot.fc > create mode 100644 policy/modules/services/knot.if > create mode 100644 policy/modules/services/knot.te > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 8f891c83865f..1f986432e2af 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -550,6 +550,11 @@ optional_policy(` > keystone_admin(sysadm_t, sysadm_r) > ') > > +optional_policy(` > + knot_admin(sysadm_t, sysadm_r) > + knot_run_client(sysadm_t, sysadm_r) > +') > + > optional_policy(` > kismet_admin(sysadm_t, sysadm_r) > ') > diff --git a/policy/modules/services/knot.fc b/policy/modules/services/knot.fc > new file mode 100644 > index 000000000000..bbf8a3526aeb > --- /dev/null > +++ b/policy/modules/services/knot.fc > @@ -0,0 +1,11 @@ > +/etc/rc\.d/init\.d/knot -- gen_context(system_u:object_r:knot_initrc_exec_t,s0) > + > +/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0) > + > +/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0) > + > +/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0) > + > +/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0) > + > +/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0) > diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if > new file mode 100644 > index 000000000000..a3792c3d15d0 > --- /dev/null > +++ b/policy/modules/services/knot.if 
> @@ -0,0 +1,108 @@ > +## high-performance authoritative-only DNS server. > + > +######################################## > +## > +## Execute knotc in the knotc domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`knot_domtrans_client',` > + gen_require(` > + type knotc_t, knotc_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, knotc_exec_t, knotc_t) > +') > + > +######################################## > +## > +## Execute knotc in the knotc domain, and > +## allow the specified role the knotc domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`knot_run_client',` > + gen_require(` > + attribute_role knot_roles; > + ') > + > + knot_domtrans_client($1) > + roleattribute $2 knot_roles; > +') > + > +######################################## > +## > +## Read knot config files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_read_config_files',` > + gen_require(` > + type knot_conf_t; > + ') > + > + read_files_pattern($1, knot_conf_t, knot_conf_t) > + files_search_etc($1) > +') > + > +######################################## > +## > +## All of the rules required to > +## administrate an knot environment. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Role allowed access. 
> +## > +## > +## > +# > +interface(`knot_admin',` > + gen_require(` > + type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t; > + type knot_runtime_t, knot_tmp_t, knot_var_lib_t; > + ') > + > + allow $1 knotc_t:process signal_perms; > + allow $1 knotd_t:process { ptrace signal_perms }; > + ps_process_pattern($1, knotc_t) > + ps_process_pattern($1, knotd_t) > + > + init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t) > + > + files_search_etc($1) > + admin_pattern($1, knot_conf_t) > + > + files_search_pids($1) > + admin_pattern($1, knot_runtime_t) > + > + files_search_tmp($1) > + admin_pattern($1, knot_tmp_t) > + > + files_search_var_lib($1) > + admin_pattern($1, knot_var_lib_t) > +') > diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te > new file mode 100644 > index 000000000000..04a9aff00be6 > --- /dev/null > +++ b/policy/modules/services/knot.te 
> @@ -0,0 +1,121 @@ > +policy_module(knot, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +attribute_role knot_roles; > + > +type knotd_t; > +type knotd_exec_t; > +init_daemon_domain(knotd_t, knotd_exec_t) > + > +type knotc_t; > +type knotc_exec_t; > +application_domain(knotc_t, knotc_exec_t) > +init_system_domain(knotc_t, knotc_exec_t) > +role knot_roles types knotc_t; > + > +type knot_conf_t; > +files_config_file(knot_conf_t) > + > +type knot_initrc_exec_t; > +init_script_file(knot_initrc_exec_t) > + > +type knot_runtime_t; > +files_pid_file(knot_runtime_t) > + > +type knot_var_lib_t; > +files_type(knot_var_lib_t) > + > +type knot_tmp_t; > +files_tmp_file(knot_tmp_t) > + > +######################################## > +# > +# knotd local policy > +# > +allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid }; > +allow knotd_t self:process { signal_perms getcap getsched setsched }; > +allow knotd_t self:tcp_socket create_stream_socket_perms; > +allow knotd_t self:udp_socket create_socket_perms; > +allow knotd_t self:unix_stream_socket create_stream_socket_perms; > + > +corenet_tcp_bind_generic_node(knotd_t) > +corenet_udp_bind_generic_node(knotd_t) > + > +corenet_sendrecv_dns_server_packets(knotd_t) > +corenet_tcp_bind_dns_port(knotd_t) > +corenet_udp_bind_dns_port(knotd_t) > +# Slave replication > +corenet_tcp_connect_dns_port(knotd_t) > + > +kernel_read_kernel_sysctls(knotd_t) > + > +allow knotd_t knot_conf_t:file map; > +knot_read_config_files(knotd_t) > + > +manage_dirs_pattern(knotd_t, knot_runtime_t, knot_runtime_t) > +manage_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) > +manage_lnk_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) > +manage_sock_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) > +files_pid_filetrans(knotd_t, knot_runtime_t, dir) > + > +allow knotd_t knot_tmp_t:file map; > +allow knotd_t knot_tmp_t:file manage_file_perms; > +allow knotd_t knot_tmp_t:dir 
manage_dir_perms; > +files_tmp_filetrans(knotd_t, knot_tmp_t, { file dir }) > + > +allow knotd_t knot_var_lib_t:file map; > +manage_dirs_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) > +manage_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) > +manage_lnk_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) > +files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir) > + > +files_map_etc_files(knotd_t) > +files_search_var_lib(knotd_t) > + > +fs_getattr_xattr_fs(knotd_t) > + > +fs_getattr_tmpfs(knotd_t) > + > +auth_use_nsswitch(knotd_t) > + > +logging_send_syslog_msg(knotd_t) > + > +miscfiles_read_localization(knotd_t) > + > +######################################## > +# > +# knotc local policy > +# > +allow knotc_t self:capability { dac_override dac_read_search }; > +allow knotc_t self:process signal; > + > +stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t) > + > +allow knotc_t knot_conf_t:file map; > +knot_read_config_files(knotc_t) > + > +allow knotc_t knot_tmp_t:file map; > +allow knotc_t knot_tmp_t:file manage_file_perms; > +allow knotc_t knot_tmp_t:dir manage_dir_perms; > +files_tmp_filetrans(knotc_t, knot_tmp_t, { file dir }) > + > +allow knotc_t knot_var_lib_t:file map; > +manage_dirs_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) > +manage_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) > +manage_lnk_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) > + > +files_read_etc_files(knotc_t) > +files_search_pids(knotc_t) > +files_search_var_lib(knotc_t) > + > +fs_getattr_tmpfs(knotc_t) > + > +domain_use_interactive_fds(knotc_t) > + > +miscfiles_read_localization(knotc_t) > + > +userdom_use_user_ptys(knotc_t) > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index f4d27bff3ea2..d118290e6c19 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te 
> @@ -1158,6 +1158,10 @@ optional_policy(` > kerberos_use(initrc_t) > ') > > +optional_policy(` > + knot_read_config_files(initrc_t) > +') > + > optional_policy(` > ldap_read_config(initrc_t) > ldap_list_db(initrc_t) Merged. -- Chris PeBenito
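Review bot: in the sysadm.te hunk the new knot optional_policy block is inserted between the keystone_admin and kismet_admin blocks, but these blocks are kept in alphabetical order, and "knot" sorts after "kismet", so the `knot_admin(sysadm_t, sysadm_r)` / `knot_run_client(sysadm_t, sysadm_r)` block belongs after the kismet_admin block rather than before it.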
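Review bot: in the knot.if hunk the knot_admin description reads "administrate an knot environment" and should read "administrate a knot environment". In the same interface, `allow $1 knotd_t:process { ptrace signal_perms };` gives the admin role ptrace on the daemon while knotc_t only gets signal_perms; starting, stopping and inspecting the service via init_startstop_service and ps_process_pattern does not need ptrace, so either drop it or add a comment stating why debugging knotd from the admin role is required.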
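Review bot: in the knot.te hunk the capability grants are wider than the file rules explain: `allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };` and `allow knotc_t self:capability { dac_override dac_read_search };` both include dac_override on top of dac_read_search, yet every file the two domains touch (knot_conf_t, knot_runtime_t, knot_var_lib_t, knot_tmp_t) is already covered by read or manage rules. dac_override is only needed when dac_read_search is insufficient, typically for writing files the process does not own, so a comment naming the operation that needs each capability, or dropping dac_override where it is not needed, would make the module easier to audit and keep the daemon closer to least privilege. Minor style point: a blank line normally separates the `# knotd local policy` and `# knotc local policy` comment blocks from the first rule that follows them.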
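Review bot: the init.te hunk grants every init script (initrc_t) read access to knot_conf_t via `knot_read_config_files(initrc_t)` without a comment saying which script or operation needs it; a one-line comment above the call (for example, that the knot init script reads the configuration to locate the runtime directory or socket) would document why the grant exists and let a later reviewer tell whether it is still required.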