From: Chris PeBenito <pebenito@ieee.org> To: russell@coker.com.au, "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org> Subject: Re: small net patch Date: Sun, 16 Feb 2020 10:16:22 -0500 Message-ID: <dbdee536-bccc-fdcd-7ed8-b268c71f2076@ieee.org> (raw) In-Reply-To: <10271002.VOa6tZZ1Ku@xev> On 2/11/20 10:11 PM, Russell Coker wrote: > This patch against git refpolicy adds a few small network related policy > changes. I think it's ready to be included. Please inline patch and add signed-off-by. > --- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te > +++ refpolicy-2.20200209/policy/modules/admin/netutils.te > @@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock > allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; > allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; > allow ping_t self:netlink_route_socket create_netlink_socket_perms; > +allow ping_t self:icmp_socket create; > > corenet_all_recvfrom_unlabeled(ping_t) > corenet_all_recvfrom_netlabel(ping_t) > Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc > +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc > @@ -27,6 +27,7 @@ ifdef(`distro_debian',` > /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) > > /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) > +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0) > > ifdef(`distro_redhat',` > /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) > Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te > +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te 
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2) > # Declarations > # > > +## <desc> > +## <p> > +## Determine whether DHCP client > +## can manage samba > +## </p> > +## </desc> > +gen_tunable(dhcpc_manage_samba, false) > + > attribute_role dhcpc_roles; > roleattribute system_r dhcpc_roles; > > @@ -171,6 +179,15 @@ ifdef(`init_systemd',` > ') > > optional_policy(` > + tunable_policy(`dhcpc_manage_samba',` > + samba_manage_var_files(dhcpc_t) > + init_exec_script_files(dhcpc_t) > + init_get_system_status(dhcpc_t) > + samba_restart(dhcpc_t) Please elaborate here. Is this to set WINS servers? > + ') > +') > + > +optional_policy(` > avahi_domtrans(dhcpc_t) > ') > > Index: refpolicy-2.20200209/policy/modules/roles/staff.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/roles/staff.te > +++ refpolicy-2.20200209/policy/modules/roles/staff.te > @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff) > # > corenet_ib_access_unlabeled_pkeys(staff_t) > > +corenet_tcp_bind_all_unreserved_ports(staff_t) > +corenet_udp_bind_all_unreserved_ports(staff_t) > +corenet_tcp_bind_generic_node(staff_t) No, this may be staff, but still unprivileged. > optional_policy(` > apache_role(staff_r, staff_t) > ') > @@ -36,6 +40,10 @@ optional_policy(` > ') > > optional_policy(` > + netutils_domtrans_ping(staff_t) > +') > + > +optional_policy(` > postgresql_role(staff_r, staff_t) > ') > > @@ -65,6 +73,11 @@ optional_policy(` > ') > > optional_policy(` > + # for torbrowser-launcher > + xdg_exec_data(staff_t) > +') > + > +optional_policy(` > xscreensaver_role(staff_r, staff_t) > ') > > Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te > +++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te 
> @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0) > # > # Declarations > # > +## <desc> > +## <p> > +## Allow user to bind all unreserved ports > +## </p> > +## </desc> > +gen_tunable(user_bind_unreserved, false) > > #role user_r; > > userdom_unpriv_user_template(user) > > +tunable_policy(`user_bind_unreserved', ` > + corenet_tcp_bind_all_unreserved_ports(user_t) > + corenet_udp_bind_all_unreserved_ports(user_t) > + corenet_tcp_bind_generic_node(user_t) > +') There's already a user_tcp_server tunable in userdom_unpriv_user_template() that should be used instead. > optional_policy(` > apache_role(user_r, user_t) > ') > @@ -25,6 +37,10 @@ optional_policy(` > ') > > optional_policy(` > + netutils_domtrans_ping(user_t) > +') This is already managed in userdom_unpriv_user_template(). > +optional_policy(` > screen_role_template(user, user_r, user_t) > ') > > @@ -33,6 +49,11 @@ optional_policy(` > ') > > optional_policy(` > + # for torbrowser-launcher > + xdg_exec_data(user_t) > +') How about adding this to userdom_unpriv_user_template() or userdom_common_user_template() instead? > +optional_policy(` > xscreensaver_role(user_r, user_t) > ') > > Index: refpolicy-2.20200209/policy/modules/services/samba.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/services/samba.if > +++ refpolicy-2.20200209/policy/modules/services/samba.if 
> @@ -714,3 +714,22 @@ interface(`samba_admin',` > files_list_tmp($1) > admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) > ') > + > +######################################## > +## <summary> > +## Restart and get status of samba daemon > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`samba_restart',` > + gen_require(` > + type samba_unit_t; > + ') > + > + allow $1 samba_unit_t:file getattr; > + allow $1 samba_unit_t:service { start stop status reload }; > +') Break this up into at least 3 interfaces, samba_startstop, samba_status, samba_reload. > Index: refpolicy-2.20200209/policy/modules/system/xdg.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/system/xdg.if > +++ refpolicy-2.20200209/policy/modules/system/xdg.if > @@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',` > > ######################################## > ## <summary> > +## Allow executing the xdg data home files > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`xdg_exec_data',` > + gen_require(` > + type xdg_data_t; > + ') > + > + can_exec($1, xdg_data_t) > +') > + > +######################################## > +## <summary> > ## Create objects in the user home dir with an automatic type transition to > ## the xdg_documents_t type. > ## </summary> -- Chris PeBenito
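Review bot: in the netutils.te hunk, `allow ping_t self:icmp_socket create;` grants only `create`, while the neighbouring `rawip_socket` rule grants `{ create ioctl read write bind getopt setopt getattr }`; a ping domain that creates an ICMP socket also has to read and write on it (and normally setopt/getopt for TTL and timestamps), so this rule looks like it was written from a single audit denial rather than a full run. Confirm the complete permission set from the actual denials before merging, and note that the `icmp_socket` class is only checked when the `extended_socket_class` policy capability is enabled; without it the kernel checks these sockets as `rawip_socket`, which the existing rule already covers.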
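Review bot: in the sysnetwork.fc hunk, `/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)` puts a Tor client configuration file under the generic network-config type, so every domain that can read `net_conf_t` (the resolver and systemd-networkd files in the same block) can read it too; if the tor module already labels `/etc/tor` with its own type, this more specific entry overrides that for torsocks.conf. State which domain needs to read the file and, if it is only torsocks-wrapped user programs, prefer a read interface on the tor module's own config type over widening what `net_conf_t` covers.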
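Review bot: in the sysnetwork.te hunk, the `dhcpc_manage_samba` tunable body grants more than its `<desc>` admits: `init_exec_script_files(dhcpc_t)` lets dhclient execute any init script, not only samba's, and `samba_manage_var_files(dhcpc_t)` allows full write access to samba's state files, while the description says only "can manage samba". Expand the description to name the actual use case (updating WINS settings from the lease, if that is what the hook does) and scope the rules to what that hook touches, i.e. the samba script or unit and the one file it rewrites, so that a compromised DHCP client does not gain a path into unrelated services.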
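Review bot: in the staff.te hunks, `netutils_domtrans_ping(staff_t)` duplicates what `userdom_unpriv_user_template(staff)` (visible in the first hunk header) already handles, exactly as noted for `user_t`, so it can be dropped; and the three `corenet_*_bind_*` lines are unconditional, so unlike the unprivuser.te version they cannot even be switched off with a boolean. If binding unreserved ports is wanted for staff logins, put it behind the existing `user_tcp_server` tunable handled in the template rather than granting it to every staff session.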
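Review bot: in the samba.if hunk, the `samba_restart` summary says "Restart and get status" but the rule grants `{ start stop status reload }`, so the documentation undersells what callers receive; and `file getattr` on `samba_unit_t` plus the `service` permissions are not sufficient on their own to control the unit, since the caller still has to reach systemd, which is why sysnetwork.te separately calls `init_get_system_status(dhcpc_t)`. Fold that requirement into the interface (check whether init.if already offers a unit start/stop interface before open-coding the service permissions) so every caller gets a consistent, documented set, and split start/stop, status and reload so callers can request the minimum.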
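Review bot: in the xdg.if hunk, `can_exec($1, xdg_data_t)` makes every file under the user's XDG data home executable for the caller, that is, any file the same user can write there, which removes the write/execute separation that keeping user data non-executable provides; the stated motive is torbrowser-launcher installing the browser into that directory. The summary ("Allow executing the xdg data home files") should spell out that trade-off, and consider either gating the callers (`xdg_exec_data(staff_t)` and `xdg_exec_data(user_t)`) behind a tunable that is off by default or labelling the launcher's install directory with a dedicated type so that only it gains exec.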