SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Chris PeBenito <pebenito@ieee.org>
To: russell@coker.com.au,
	"selinux-refpolicy@vger.kernel.org" 
	<selinux-refpolicy@vger.kernel.org>
Subject: Re: small net patch
Date: Sun, 16 Feb 2020 10:16:22 -0500
Message-ID: <dbdee536-bccc-fdcd-7ed8-b268c71f2076@ieee.org> (raw)
In-Reply-To: <10271002.VOa6tZZ1Ku@xev>

On 2/11/20 10:11 PM, Russell Coker wrote:
> This patch against git refpolicy adds a few small network related policy
> changes.  I think it's ready to be included.

Please inline patch and add signed-off-by.

> --- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20200209/policy/modules/admin/netutils.te
> @@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock
>  allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
>  allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
>  allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>  
>  corenet_all_recvfrom_unlabeled(ping_t)
>  corenet_all_recvfrom_netlabel(ping_t)
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
>  /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
>  
>  /etc/systemd/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
>  
>  ifdef(`distro_redhat',`
>  /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2)
>  # Declarations
>  #
>  
> +## <desc>
> +##      <p>
> +##      Determine whether DHCP client
> +##      can manage samba
> +##      </p>
> +## </desc>
> +gen_tunable(dhcpc_manage_samba, false)
> +
>  attribute_role dhcpc_roles;
>  roleattribute system_r dhcpc_roles;
>  
> @@ -171,6 +179,15 @@ ifdef(`init_systemd',`
>  ')
>  
>  optional_policy(`
> +	tunable_policy(`dhcpc_manage_samba',`
> +        	samba_manage_var_files(dhcpc_t)
> +		init_exec_script_files(dhcpc_t)
> +		init_get_system_status(dhcpc_t)
> +		samba_restart(dhcpc_t)

Please elaborate here. Is this to set WINS servers?

> +	')
> +')
> +
> +optional_policy(`
>  	avahi_domtrans(dhcpc_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20200209/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
>  #
>  corenet_ib_access_unlabeled_pkeys(staff_t)
>  
> +corenet_tcp_bind_all_unreserved_ports(staff_t)
> +corenet_udp_bind_all_unreserved_ports(staff_t)
> +corenet_tcp_bind_generic_node(staff_t)

No, this may be staff, but still unprivileged.

>  optional_policy(`
>  	apache_role(staff_r, staff_t)
>  ')
> @@ -36,6 +40,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	netutils_domtrans_ping(staff_t)
> +')
> +
> +optional_policy(`
>  	postgresql_role(staff_r, staff_t)
>  ')
>  
> @@ -65,6 +73,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# for torbrowser-launcher
> +	xdg_exec_data(staff_t)
> +')
> +
> +optional_policy(`
>  	xscreensaver_role(staff_r, staff_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te
> @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
>  #
>  # Declarations
>  #
> +## <desc>
> +## <p>
> +## Allow user to bind all unreserved ports
> +## </p>
> +## </desc>
> +gen_tunable(user_bind_unreserved, false)
>  
>  #role user_r;
>  
>  userdom_unpriv_user_template(user)
>  
> +tunable_policy(`user_bind_unreserved', `
> +	corenet_tcp_bind_all_unreserved_ports(user_t)
> +	corenet_udp_bind_all_unreserved_ports(user_t)
> +	corenet_tcp_bind_generic_node(user_t)
> +')

There's already a user_tcp_server tunable in 
userdom_unpriv_user_template() that should be used instead.

>  optional_policy(`
>  	apache_role(user_r, user_t)
>  ')
> @@ -25,6 +37,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	netutils_domtrans_ping(user_t)
> +')

This is already maanged in userdom_unpriv_user_template().

> +optional_policy(`
>  	screen_role_template(user, user_r, user_t)
>  ')
>  
> @@ -33,6 +49,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# for torbrowser-launcher
> +	xdg_exec_data(user_t)
> +')

How about adding this to userdom_unpriv_user_template() or 
userdom_common_user_template() instead?

> +optional_policy(`
>  	xscreensaver_role(user_r, user_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20200209/policy/modules/services/samba.if
> @@ -714,3 +714,22 @@ interface(`samba_admin',`
>  	files_list_tmp($1)
>  	admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
>  ')
> +
> +########################################
> +## <summary>
> +##	Restart and get status of samba daemon
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samba_restart',`
> +	gen_require(`
> +		type samba_unit_t;
> +	')
> +
> +	allow $1 samba_unit_t:file getattr;
> +	allow $1 samba_unit_t:service { start stop status reload };
> +')

Break this up into at least 3 interfaces, samba_startstop, samba_status, 
samba_reload.


> Index: refpolicy-2.20200209/policy/modules/system/xdg.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/xdg.if
> +++ refpolicy-2.20200209/policy/modules/system/xdg.if
> @@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',`
>  
>  ########################################
>  ## <summary>
> +##	Allow executing the xdg data home files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_exec_data',`
> +	gen_require(`
> +		type xdg_data_t;
> +	')
> +
> +	can_exec($1, xdg_data_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Create objects in the user home dir with an automatic type transition to
>  ##	the xdg_documents_t type.
>  ## </summary>

-- 
Chris PeBenito

      reply index

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-12  3:11 Russell Coker
2020-02-16 15:16 ` Chris PeBenito [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=dbdee536-bccc-fdcd-7ed8-b268c71f2076@ieee.org \
    --to=pebenito@ieee.org \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git