* small net patch
@ 2020-02-12  3:11 Russell Coker
  2020-02-16 15:16 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2020-02-12  3:11 UTC (permalink / raw)
  To: selinux-refpolicy


[-- Attachment #1: Type: text/plain, Size: 217 bytes --]

This patch against git refpolicy adds a few small network related policy 
changes.  I think it's ready to be included.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

[-- Attachment #2: net.diff --]
[-- Type: text/x-patch, Size: 5728 bytes --]

Index: refpolicy-2.20200209/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20200209/policy/modules/admin/netutils.te
@@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;
 
 corenet_all_recvfrom_unlabeled(ping_t)
 corenet_all_recvfrom_netlabel(ping_t)
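Review bot: The added rule `allow ping_t self:icmp_socket create;` grants only `create`, while the rawip_socket and packet_socket rules just above it grant the set ping needs to use a socket (`ioctl read write bind getopt setopt`). If the intent is only to stop the denial on ping's initial socket() probe before it falls back to the raw socket, the rule deserves a comment saying so, for example `# ping probes for an ICMP datagram socket first; only the create check is needed`. That intent is inferred, not stated in the patch. If ping is meant to send and receive on the ICMP socket, `create` alone is too narrow and the next denials would appear on setopt, read and write.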
Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
 /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
 
 /etc/systemd/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
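Review bot: Labelling `/etc/tor/torsocks.conf` as `net_conf_t` puts it in the same type as the systemd network files, so any domain allowed to write net_conf_t can also rewrite the proxy address that torsocks hands to applications. Which domains hold that write access is not visible in this hunk; DHCP clients and network managers are the usual candidates and should be checked before merging. If the goal is only to let confined programs read the file, a dedicated type with a read interface would avoid widening write access to it. The entry also sits in the distro-independent part of sysnetwork.fc although the path belongs to an optional package, so the tor module's own .fc file may be the better home.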
Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2)
 # Declarations
 #
 
+## <desc>
+##      <p>
+##      Determine whether DHCP client
+##      can manage samba
+##      </p>
+## </desc>
+gen_tunable(dhcpc_manage_samba, false)
+
 attribute_role dhcpc_roles;
 roleattribute system_r dhcpc_roles;
 
@@ -171,6 +179,15 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
+	tunable_policy(`dhcpc_manage_samba',`
+        	samba_manage_var_files(dhcpc_t)
+		init_exec_script_files(dhcpc_t)
+		init_get_system_status(dhcpc_t)
+		samba_restart(dhcpc_t)
+	')
+')
+
+optional_policy(`
 	avahi_domtrans(dhcpc_t)
 ')
 
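Review bot: `init_exec_script_files(dhcpc_t)` and `samba_restart(dhcpc_t)` look like two separate ways of restarting Samba, and the first runs init scripts inside dhcpc_t without a domain transition, so the script executes with the DHCP client's own permissions. dhcpc_t handles data supplied by whatever DHCP server answers on the network, so the block should keep only the path the client hook actually uses. I would expect `init_exec_script_files` to be unnecessary on systemd hosts, but that needs confirming against the hook script. Separately, the `samba_manage_var_files(dhcpc_t)` line is indented with spaces followed by a tab, unlike the tab-only lines around it.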
Index: refpolicy-2.20200209/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20200209/policy/modules/roles/staff.te
@@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
 #
 corenet_ib_access_unlabeled_pkeys(staff_t)
 
+corenet_tcp_bind_all_unreserved_ports(staff_t)
+corenet_udp_bind_all_unreserved_ports(staff_t)
+corenet_tcp_bind_generic_node(staff_t)
+
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
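Review bot: The UDP half of this grant looks incomplete: `corenet_udp_bind_all_unreserved_ports(staff_t)` allows name_bind on the ports, but the only node rule added is `corenet_tcp_bind_generic_node(staff_t)`, so a UDP bind() would still be denied on node_bind unless the user template already grants it. Either add `corenet_udp_bind_generic_node(staff_t)` or drop the UDP port line, so the policy does not carry a permission that cannot be exercised. The same three lines are added inside the `user_bind_unreserved` block in unprivuser.te and have the same gap.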
@@ -36,6 +40,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	netutils_domtrans_ping(staff_t)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
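Review bot: `netutils_domtrans_ping(staff_t)` sets up the type transition into ping_t but does not authorise ping_t for staff_r, so the transition would fail the role-type check unless something else already adds that association. The role-aware form is the usual one for user roles: `netutils_run_ping(staff_t, staff_r)`. The matching hunk in unprivuser.te has the same issue with user_t and user_r.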
@@ -65,6 +73,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# for torbrowser-launcher
+	xdg_exec_data(staff_t)
+')
+
+optional_policy(`
 	xscreensaver_role(staff_r, staff_t)
 ')
 
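Review bot: `xdg_exec_data(staff_t)` is granted unconditionally, which lets staff_t execute any file it has written under the XDG data directory. Refpolicy's user templates normally put execution of user-writable home content behind a per-role exec_content tunable, so this call should sit in a tunable_policy block keyed on that tunable. Otherwise administrators who switch the tunable off are bypassed for this one directory. The template is not visible on this page, so the exact tunable name needs checking there. The comment `# for torbrowser-launcher` would be more useful if it said what is executed from that directory; the same block is added for user_t in unprivuser.te.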
Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te
@@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
 #
 # Declarations
 #
+## <desc>
+## <p>
+## Allow user to bind all unreserved ports
+## </p>
+## </desc>
+gen_tunable(user_bind_unreserved, false)
 
 #role user_r;
 
 userdom_unpriv_user_template(user)
 
+tunable_policy(`user_bind_unreserved', `
+	corenet_tcp_bind_all_unreserved_ports(user_t)
+	corenet_udp_bind_all_unreserved_ports(user_t)
+	corenet_tcp_bind_generic_node(user_t)
+')
+
 optional_policy(`
 	apache_role(user_r, user_t)
 ')
@@ -25,6 +37,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	netutils_domtrans_ping(user_t)
+')
+
+optional_policy(`
 	screen_role_template(user, user_r, user_t)
 ')
 
@@ -33,6 +49,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# for torbrowser-launcher
+	xdg_exec_data(user_t)
+')
+
+optional_policy(`
 	xscreensaver_role(user_r, user_t)
 ')
 
Index: refpolicy-2.20200209/policy/modules/services/samba.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/samba.if
+++ refpolicy-2.20200209/policy/modules/services/samba.if
@@ -714,3 +714,22 @@ interface(`samba_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
 ')
+
+########################################
+## <summary>
+##	Restart and get status of samba daemon
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_restart',`
+	gen_require(`
+		type samba_unit_t;
+	')
+
+	allow $1 samba_unit_t:file getattr;
+	allow $1 samba_unit_t:service { start stop status reload };
+')
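Review bot: The summary `Restart and get status of samba daemon` does not match the rules below it: the interface also grants `reload` on the service and `getattr` on the unit file, and there is no single restart permission, only `start` and `stop`. The doc comment should list what is actually granted, for example `Start, stop, reload and get the status of the samba systemd unit.`, so a caller can judge whether it needs all of it. The parameter description `Domain allowed access.` is fine as it stands.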
Index: refpolicy-2.20200209/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20200209/policy/modules/system/xdg.if
@@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',`
 
 ########################################
 ## <summary>
+##	Allow executing the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	can_exec($1, xdg_data_t)
+')
+
+########################################
+## <summary>
 ##	Create objects in the user home dir with an automatic type transition to
 ##	the xdg_documents_t type.
 ## </summary>
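Review bot: `xdg_exec_data` grants only `can_exec($1, xdg_data_t)`, so a caller still needs search access to the user home directory and to the xdg_data_t directories from somewhere else before it can reach a file to execute. If the other xdg.if interfaces add that directory access themselves (they are not visible in this hunk), this one should follow suit with `userdom_search_user_home_dirs($1)` so it is usable on its own. The summary would also read better in the form used for exec interfaces, `Execute xdg data home files in the caller domain.`, which makes clear that no domain transition happens. The trailing context lines belong to the next interface, which continues outside the hunk.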


* Re: small net patch
  2020-02-12  3:11 small net patch Russell Coker
@ 2020-02-16 15:16 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2020-02-16 15:16 UTC (permalink / raw)
  To: russell, selinux-refpolicy

On 2/11/20 10:11 PM, Russell Coker wrote:
> This patch against git refpolicy adds a few small network related policy
> changes.  I think it's ready to be included.

Please inline patch and add signed-off-by.

> --- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20200209/policy/modules/admin/netutils.te
> @@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock
>  allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
>  allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
>  allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>  
>  corenet_all_recvfrom_unlabeled(ping_t)
>  corenet_all_recvfrom_netlabel(ping_t)
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
>  /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
>  
>  /etc/systemd/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
>  
>  ifdef(`distro_redhat',`
>  /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2)
>  # Declarations
>  #
>  
> +## <desc>
> +##      <p>
> +##      Determine whether DHCP client
> +##      can manage samba
> +##      </p>
> +## </desc>
> +gen_tunable(dhcpc_manage_samba, false)
> +
>  attribute_role dhcpc_roles;
>  roleattribute system_r dhcpc_roles;
>  
> @@ -171,6 +179,15 @@ ifdef(`init_systemd',`
>  ')
>  
>  optional_policy(`
> +	tunable_policy(`dhcpc_manage_samba',`
> +        	samba_manage_var_files(dhcpc_t)
> +		init_exec_script_files(dhcpc_t)
> +		init_get_system_status(dhcpc_t)
> +		samba_restart(dhcpc_t)

Please elaborate here. Is this to set WINS servers?

> +	')
> +')
> +
> +optional_policy(`
>  	avahi_domtrans(dhcpc_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20200209/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
>  #
>  corenet_ib_access_unlabeled_pkeys(staff_t)
>  
> +corenet_tcp_bind_all_unreserved_ports(staff_t)
> +corenet_udp_bind_all_unreserved_ports(staff_t)
> +corenet_tcp_bind_generic_node(staff_t)

No, this may be staff, but still unprivileged.

>  optional_policy(`
>  	apache_role(staff_r, staff_t)
>  ')
> @@ -36,6 +40,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	netutils_domtrans_ping(staff_t)
> +')
> +
> +optional_policy(`
>  	postgresql_role(staff_r, staff_t)
>  ')
>  
> @@ -65,6 +73,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# for torbrowser-launcher
> +	xdg_exec_data(staff_t)
> +')
> +
> +optional_policy(`
>  	xscreensaver_role(staff_r, staff_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te
> @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
>  #
>  # Declarations
>  #
> +## <desc>
> +## <p>
> +## Allow user to bind all unreserved ports
> +## </p>
> +## </desc>
> +gen_tunable(user_bind_unreserved, false)
>  
>  #role user_r;
>  
>  userdom_unpriv_user_template(user)
>  
> +tunable_policy(`user_bind_unreserved', `
> +	corenet_tcp_bind_all_unreserved_ports(user_t)
> +	corenet_udp_bind_all_unreserved_ports(user_t)
> +	corenet_tcp_bind_generic_node(user_t)
> +')

There's already a user_tcp_server tunable in 
userdom_unpriv_user_template() that should be used instead.

>  optional_policy(`
>  	apache_role(user_r, user_t)
>  ')
> @@ -25,6 +37,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	netutils_domtrans_ping(user_t)
> +')

This is already managed in userdom_unpriv_user_template().

> +optional_policy(`
>  	screen_role_template(user, user_r, user_t)
>  ')
>  
> @@ -33,6 +49,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# for torbrowser-launcher
> +	xdg_exec_data(user_t)
> +')

How about adding this to userdom_unpriv_user_template() or 
userdom_common_user_template() instead?

> +optional_policy(`
>  	xscreensaver_role(user_r, user_t)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20200209/policy/modules/services/samba.if
> @@ -714,3 +714,22 @@ interface(`samba_admin',`
>  	files_list_tmp($1)
>  	admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
>  ')
> +
> +########################################
> +## <summary>
> +##	Restart and get status of samba daemon
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samba_restart',`
> +	gen_require(`
> +		type samba_unit_t;
> +	')
> +
> +	allow $1 samba_unit_t:file getattr;
> +	allow $1 samba_unit_t:service { start stop status reload };
> +')

Break this up into at least 3 interfaces, samba_startstop, samba_status, 
samba_reload.


> Index: refpolicy-2.20200209/policy/modules/system/xdg.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/xdg.if
> +++ refpolicy-2.20200209/policy/modules/system/xdg.if
> @@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',`
>  
>  ########################################
>  ## <summary>
> +##	Allow executing the xdg data home files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdg_exec_data',`
> +	gen_require(`
> +		type xdg_data_t;
> +	')
> +
> +	can_exec($1, xdg_data_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Create objects in the user home dir with an automatic type transition to
>  ##	the xdg_documents_t type.
>  ## </summary>

-- 
Chris PeBenito
