Subject: Re: [PATCH v2] Add lldpd policy
To: Alexander Miroshnichenko, selinux-refpolicy@vger.kernel.org
References: <749388e0-6da1-4b06-c62c-35302a5aba78@ieee.org> <20190617124207.25680-1-alex@millerson.name>
Cc: dac.override@gmail.com
From: Chris PeBenito
Date: Sun, 23 Jun 2019 21:15:43 -0400
In-Reply-To: <20190617124207.25680-1-alex@millerson.name>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 6/17/19 8:42 AM, Alexander Miroshnichenko wrote:
> New policy for lldpd ( http://vincentbernat.github.io/lldpd ).

I was about to merge this, when I realized there's the Intel LLDP module (lldpad) already in refpolicy. This has the CLI tool, but otherwise they are very similar. Did you consider merging this into that module?

> Signed-off-by: Alexander Miroshnichenko > --- > policy/modules/roles/sysadm.te | 4 ++ > policy/modules/services/lldpd.fc | 9 ++++ > policy/modules/services/lldpd.if | 83 ++++++++++++++++++++++++++++++++ > policy/modules/services/lldpd.te | 79 ++++++++++++++++++++++++++++++ > 4 files changed, 175 insertions(+) > create mode 100644 policy/modules/services/lldpd.fc > create mode 100644 policy/modules/services/lldpd.if > create mode 100644 policy/modules/services/lldpd.te > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 8f891c83865f..9a104fe8eb83 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -595,6 +595,10 @@ optional_policy(` > lldpad_admin(sysadm_t, sysadm_r) > ') > > +optional_policy(` > + lldp_admin(sysadm_t, sysadm_r) > +') > + > optional_policy(` > lockdev_role(sysadm_r, sysadm_t) > ') > diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc > new file mode 100644 > index 000000000000..19b66603add3 > --- /dev/null > +++ b/policy/modules/services/lldpd.fc 
> @@ -0,0 +1,9 @@ > +/etc/lldpd.conf -- gen_context(system_u:object_r:lldpd_conf_t,s0) > +/etc/lldpd.d(/.*)? gen_context(system_u:object_r:lldpd_conf_t,s0) > + > +/usr/sbin/lldpd -- gen_context(system_u:object_r:lldpd_exec_t,s0) > +/usr/sbin/lldpcli -- gen_context(system_u:object_r:lldp_cli_exec_t,s0) > + > +/run/lldpd -d gen_context(system_u:object_r:lldpd_runtime_t,s0) > +/run/lldpd(/.*)? gen_context(system_u:object_r:lldpd_runtime_t,s0) > +/run/lldpd.pid -- gen_context(system_u:object_r:lldpd_runtime_t,s0) > diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if > new file mode 100644 > index 000000000000..8859f8743ecf > --- /dev/null > +++ b/policy/modules/services/lldpd.if 
> @@ -0,0 +1,83 @@ > + > +## policy for lldpd > + > +######################################## > +## > +## Execute a domain transition to run lldpcli. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`lldp_domtrans_cli',` > + gen_require(` > + type lldp_cli_t, lldp_cli_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t) > +') > + > +######################################## > +## > +## Execute lldpcli in the lldp_cli domain, > +## and allow the specified role > +## the lldp_cli domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +# > +interface(`lldp_cli_run',` > + gen_require(` > + type lldp_cli_t; > + ') > + > + lldp_domtrans_cli($1) > + role $2 types lldp_cli_t; > +') > + > +######################################## > +## > +## All of the rules required to administrate > +## an lldpd environment > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`lldp_admin',` > + gen_require(` > + type lldpd_t; > + type lldpd_conf_t; > + type lldpd_runtime_t; > + ') > + > + allow $1 lldpd_t:process { signal_perms }; > + ps_process_pattern($1, lldpd_t) > + > + files_search_etc($1) > + admin_pattern($1, lldpd_conf_t) > + > + files_search_pids($1) > + admin_pattern($1, lldpd_runtime_t) > + > + lldp_cli_run($1, $2) > +') > diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te > new file mode 100644 > index 000000000000..457243b0112e > --- /dev/null > +++ b/policy/modules/services/lldpd.te 
> @@ -0,0 +1,79 @@ > +policy_module(lldpd, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type lldpd_t; > +type lldpd_exec_t; > +init_daemon_domain(lldpd_t, lldpd_exec_t) > + > +type lldp_cli_t; > +type lldp_cli_exec_t; > +init_system_domain(lldp_cli_t, lldp_cli_exec_t) > +application_domain(lldp_cli_t, lldp_cli_exec_t) > + > +type lldpd_conf_t; > +files_config_file(lldpd_conf_t) > + > +type lldpd_runtime_t; > +files_pid_file(lldpd_runtime_t) > +init_daemon_pid_file(lldpd_runtime_t, dir, "lldpd") > + > +######################################## > +# > +# lldpd local policy > +# > +allow lldpd_t self:capability { chown dac_read_search dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot }; > +allow lldpd_t self:process { fork signal_perms }; > +allow lldpd_t self:fifo_file rw_fifo_file_perms; > +allow lldpd_t self:unix_stream_socket create_stream_socket_perms; > +allow lldpd_t self:packet_socket create_socket_perms; > + > +lldp_domtrans_cli(lldpd_t) > + > +kernel_read_net_sysctls(lldpd_t) > + > +list_dirs_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t) > +read_files_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t) > + > +manage_dirs_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t) > +manage_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t) > +manage_sock_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t) > +manage_lnk_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t) > +files_pid_filetrans(lldpd_t, lldpd_runtime_t, {file dir sock_file}) > + > +files_read_etc_files(lldpd_t) > + > +logging_send_syslog_msg(lldpd_t) > + > +miscfiles_read_localization(lldpd_t) > + > +sysnet_dns_name_resolve(lldpd_t) > + > +######################################## > +# > +# lldp_cli local policy > +# > +allow lldp_cli_t self:capability dac_override; > +allow lldp_cli_t self:unix_dgram_socket { connect create }; > +allow lldp_cli_t self:unix_stream_socket { connect create read write }; > +allow lldp_cli_t 
self:process signal; > + > +allow lldp_cli_t lldpd_runtime_t:sock_file read_sock_file_perms; > +stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t) > + > +domain_use_interactive_fds(lldp_cli_t) > + > +files_search_etc(lldp_cli_t) > +list_dirs_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t) > +read_files_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t) > + > +logging_send_syslog_msg(lldp_cli_t) > + > +files_dontaudit_read_etc_files(lldp_cli_t) > + > +miscfiles_read_localization(lldp_cli_t) > + > +userdom_use_user_ptys(lldp_cli_t) > -- Chris PeBenito
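Review bot: In the sysadm.te hunk, the interface name `lldp_admin(sysadm_t, sysadm_r)` does not match the module it belongs to: the module is declared as `policy_module(lldpd, 1.0.0)` and its types are `lldpd_t`, `lldpd_conf_t` and `lldpd_runtime_t`, and refpolicy prefixes interfaces with the module name, so this should be `lldpd_admin`. That also keeps it visibly distinct from the existing `lldpad_admin(sysadm_t, sysadm_r)` call in the context lines directly above, which is easy to misread for it.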
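Review bot: In the lldpd.fc hunk, the entry `/run/lldpd -d gen_context(system_u:object_r:lldpd_runtime_t,s0)` is redundant: the next line, `/run/lldpd(/.*)?`, has no file-type specifier, so it already matches the directory itself as well as everything beneath it, and both lines assign the same type. Drop the `-d` line.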
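Review bot: In the lldpd.if hunk, the two CLI interfaces use opposite word orders, `lldp_domtrans_cli` and `lldp_cli_run`; refpolicy pairs these as `<module>_domtrans_<prog>` and `<module>_run_<prog>` (compare `netutils_domtrans_ping` / `netutils_run_ping`), and the prefix should be the module name `lldpd`, giving `lldpd_domtrans_cli`, `lldpd_run_cli` and `lldpd_admin`. Inside `lldp_admin`, `allow $1 lldpd_t:process { signal_perms };` wraps a single permission set in braces; the usual refpolicy admin form is `allow $1 lldpd_t:process { ptrace signal_perms };` followed by `ps_process_pattern($1, lldpd_t)`, so either add `ptrace` or drop the braces.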
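Review bot: In the lldpd.te hunk, `allow lldpd_t self:capability { chown dac_read_search dac_override ... }` grants both DAC-bypass capabilities; `dac_read_search` already covers reading and searching paths the daemon does not own, and `dac_override` is only needed for writes that DAC would refuse, so please confirm from the test AVCs that a write was actually denied and otherwise drop `dac_override`. Nothing in this hunk grants `netlink_route_socket` access either, and lldpd enumerates interfaces over rtnetlink on Linux, so check that interface discovery was exercised in testing. Two style points: `files_pid_filetrans(lldpd_t, lldpd_runtime_t, {file dir sock_file})` needs spaces inside the braces (`{ dir file sock_file }`), and the `lldp_cli_t` rules spell out raw permission lists (`self:unix_stream_socket { connect create read write }`, `self:unix_dgram_socket { connect create }`) where refpolicy uses the named sets such as `create_socket_perms`. Finally, `allow lldp_cli_t lldpd_runtime_t:sock_file read_sock_file_perms;` is not what connecting requires: the `stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t)` on the next line already grants `write_sock_file_perms` on the socket file and `connectto` on the daemon's socket, so the read line can go.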