Re: small net patch

From: Chris PeBenito <pebenito@ieee.org>
To: russell@coker.com.au,
	"selinux-refpolicy@vger.kernel.org" 
	<selinux-refpolicy@vger.kernel.org>
Subject: Re: small net patch
Date: Sun, 16 Feb 2020 10:16:22 -0500
Message-ID: <dbdee536-bccc-fdcd-7ed8-b268c71f2076@ieee.org> (raw)
In-Reply-To: <10271002.VOa6tZZ1Ku@xev>

On 2/11/20 10:11 PM, Russell Coker wrote:
> This patch against git refpolicy adds a few small network related policy
> changes.  I think it's ready to be included.

Please inline patch and add signed-off-by.

> --- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20200209/policy/modules/admin/netutils.te
> @@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock
>  allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
>  allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
>  allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>  
>  corenet_all_recvfrom_unlabeled(ping_t)
>  corenet_all_recvfrom_netlabel(ping_t)
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
>  /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
>  
>  /etc/systemd/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
>  
>  ifdef(`distro_redhat',`
>  /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2)
>  # Declarations
>  #
>  
> +## <desc>
> +##      <p>
> +##      Determine whether DHCP client
> +##      can manage samba
> +##      </p>
> +## </desc>
> +gen_tunable(dhcpc_manage_samba, false)
> +
>  attribute_role dhcpc_roles;
>  roleattribute system_r dhcpc_roles;
>  
> @@ -171,6 +179,15 @@ ifdef(`init_systemd',`
>  ')
>  
>  optional_policy(`
> +	tunable_policy(`dhcpc_manage_samba',`
> +        	samba_manage_var_files(dhcpc_t)
> +		init_exec_script_files(dhcpc_t)
> +		init_get_system_status(dhcpc_t)
> +		samba_restart(dhcpc_t)

Please elaborate here. Is this to set WINS servers?

> +	')
> +')
> +
> +optional_policy(`
>  	avahi_domtrans(dhcpc_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20200209/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
>  #
>  corenet_ib_access_unlabeled_pkeys(staff_t)
>  
> +corenet_tcp_bind_all_unreserved_ports(staff_t)
> +corenet_udp_bind_all_unreserved_ports(staff_t)
> +corenet_tcp_bind_generic_node(staff_t)

No, this may be staff, but still unprivileged.

>  optional_policy(`
>  	apache_role(staff_r, staff_t)
>  ')
> @@ -36,6 +40,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	netutils_domtrans_ping(staff_t)
> +')
> +
> +optional_policy(`
>  	postgresql_role(staff_r, staff_t)
>  ')
>  
> @@ -65,6 +73,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# for torbrowser-launcher
> +	xdg_exec_data(staff_t)
> +')
> +
> +optional_policy(`
>  	xscreensaver_role(staff_r, staff_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te
> @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
>  #
>  # Declarations
>  #
> +## <desc>
> +## <p>
> +## Allow user to bind all unreserved ports
> +## </p>
> +## </desc>
> +gen_tunable(user_bind_unreserved, false)
>  
>  #role user_r;
>  
>  userdom_unpriv_user_template(user)
>  
> +tunable_policy(`user_bind_unreserved', `
> +	corenet_tcp_bind_all_unreserved_ports(user_t)
> +	corenet_udp_bind_all_unreserved_ports(user_t)
> +	corenet_tcp_bind_generic_node(user_t)
> +')

There's already a user_tcp_server tunable in 
userdom_unpriv_user_template() that should be used instead.

>  optional_policy(`
>  	apache_role(user_r, user_t)
>  ')
> @@ -25,6 +37,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	netutils_domtrans_ping(user_t)
> +')

This is already maanged in userdom_unpriv_user_template().

> +optional_policy(`
>  	screen_role_template(user, user_r, user_t)
>  ')
>  
> @@ -33,6 +49,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# for torbrowser-launcher
> +	xdg_exec_data(user_t)
> +')

How about adding this to userdom_unpriv_user_template() or 
userdom_common_user_template() instead?

> +optional_policy(`
>  	xscreensaver_role(user_r, user_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20200209/policy/modules/services/samba.if
> @@ -714,3 +714,22 @@ interface(`samba_admin',`
>  	files_list_tmp($1)
>  	admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
>  ')
> +
> +########################################
> +## <summary>
> +##	Restart and get status of samba daemon
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samba_restart',`
> +	gen_require(`
> +		type samba_unit_t;
> +	')
> +
> +	allow $1 samba_unit_t:file getattr;
> +	allow $1 samba_unit_t:service { start stop status reload };
> +')

Break this up into at least 3 interfaces, samba_startstop, samba_status, 
samba_reload.

> Index: refpolicy-2.20200209/policy/modules/system/xdg.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/xdg.if
> +++ refpolicy-2.20200209/policy/modules/system/xdg.if
> @@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',`
>  
>  ########################################
>  ## <summary>
> +##	Allow executing the xdg data home files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_exec_data',`
> +	gen_require(`
> +		type xdg_data_t;
> +	')
> +
> +	can_exec($1, xdg_data_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Create objects in the user home dir with an automatic type transition to
>  ##	the xdg_documents_t type.
>  ## </summary>

-- 
Chris PeBenito