* small net patch
@ 2020-02-12 3:11 Russell Coker
2020-02-16 15:16 ` Chris PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2020-02-12 3:11 UTC (permalink / raw)
To: selinux-refpolicy
[-- Attachment #1: Type: text/plain, Size: 217 bytes --]
This patch against git refpolicy adds a few small network related policy
changes. I think it's ready to be included.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
[-- Attachment #2: net.diff --]
[-- Type: text/x-patch, Size: 5728 bytes --]
Index: refpolicy-2.20200209/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20200209/policy/modules/admin/netutils.te
@@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;
corenet_all_recvfrom_unlabeled(ping_t)
corenet_all_recvfrom_netlabel(ping_t)
Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether DHCP client
+## can manage samba
+## </p>
+## </desc>
+gen_tunable(dhcpc_manage_samba, false)
+
attribute_role dhcpc_roles;
roleattribute system_r dhcpc_roles;
@@ -171,6 +179,15 @@ ifdef(`init_systemd',`
')
optional_policy(`
+ tunable_policy(`dhcpc_manage_samba',`
+ samba_manage_var_files(dhcpc_t)
+ init_exec_script_files(dhcpc_t)
+ init_get_system_status(dhcpc_t)
+ samba_restart(dhcpc_t)
+ ')
+')
+
+optional_policy(`
avahi_domtrans(dhcpc_t)
')
Index: refpolicy-2.20200209/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20200209/policy/modules/roles/staff.te
@@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
#
corenet_ib_access_unlabeled_pkeys(staff_t)
+corenet_tcp_bind_all_unreserved_ports(staff_t)
+corenet_udp_bind_all_unreserved_ports(staff_t)
+corenet_tcp_bind_generic_node(staff_t)
+
optional_policy(`
apache_role(staff_r, staff_t)
')
@@ -36,6 +40,10 @@ optional_policy(`
')
optional_policy(`
+ netutils_domtrans_ping(staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
@@ -65,6 +73,11 @@ optional_policy(`
')
optional_policy(`
+ # for torbrowser-launcher
+ xdg_exec_data(staff_t)
+')
+
+optional_policy(`
xscreensaver_role(staff_r, staff_t)
')
Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te
@@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
#
# Declarations
#
+## <desc>
+## <p>
+## Allow user to bind all unreserved ports
+## </p>
+## </desc>
+gen_tunable(user_bind_unreserved, false)
#role user_r;
userdom_unpriv_user_template(user)
+tunable_policy(`user_bind_unreserved', `
+ corenet_tcp_bind_all_unreserved_ports(user_t)
+ corenet_udp_bind_all_unreserved_ports(user_t)
+ corenet_tcp_bind_generic_node(user_t)
+')
+
optional_policy(`
apache_role(user_r, user_t)
')
@@ -25,6 +37,10 @@ optional_policy(`
')
optional_policy(`
+ netutils_domtrans_ping(user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')
@@ -33,6 +49,11 @@ optional_policy(`
')
optional_policy(`
+ # for torbrowser-launcher
+ xdg_exec_data(user_t)
+')
+
+optional_policy(`
xscreensaver_role(user_r, user_t)
')
Index: refpolicy-2.20200209/policy/modules/services/samba.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/samba.if
+++ refpolicy-2.20200209/policy/modules/services/samba.if
@@ -714,3 +714,22 @@ interface(`samba_admin',`
files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
')
+
+########################################
+## <summary>
+## Restart and get status of samba daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_restart',`
+ gen_require(`
+ type samba_unit_t;
+ ')
+
+ allow $1 samba_unit_t:file getattr;
+ allow $1 samba_unit_t:service { start stop status reload };
+')
Index: refpolicy-2.20200209/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20200209/policy/modules/system/xdg.if
@@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',`
########################################
## <summary>
+## Allow executing the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ can_exec($1, xdg_data_t)
+')
+
+########################################
+## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_documents_t type.
## </summary>
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: small net patch
2020-02-12 3:11 small net patch Russell Coker
@ 2020-02-16 15:16 ` Chris PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2020-02-16 15:16 UTC (permalink / raw)
To: russell, selinux-refpolicy
On 2/11/20 10:11 PM, Russell Coker wrote:
> This patch against git refpolicy adds a few small network related policy
> changes. I think it's ready to be included.
Please inline patch and add signed-off-by.
> --- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20200209/policy/modules/admin/netutils.te
> @@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock
> allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
> allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
> allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>
> corenet_all_recvfrom_unlabeled(ping_t)
> corenet_all_recvfrom_netlabel(ping_t)
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
> /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
>
> /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
>
> ifdef(`distro_redhat',`
> /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Determine whether DHCP client
> +## can manage samba
> +## </p>
> +## </desc>
> +gen_tunable(dhcpc_manage_samba, false)
> +
> attribute_role dhcpc_roles;
> roleattribute system_r dhcpc_roles;
>
> @@ -171,6 +179,15 @@ ifdef(`init_systemd',`
> ')
>
> optional_policy(`
> + tunable_policy(`dhcpc_manage_samba',`
> + samba_manage_var_files(dhcpc_t)
> + init_exec_script_files(dhcpc_t)
> + init_get_system_status(dhcpc_t)
> + samba_restart(dhcpc_t)
Please elaborate here. Is this to set WINS servers?
> + ')
> +')
> +
> +optional_policy(`
> avahi_domtrans(dhcpc_t)
> ')
>
> Index: refpolicy-2.20200209/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20200209/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
> #
> corenet_ib_access_unlabeled_pkeys(staff_t)
>
> +corenet_tcp_bind_all_unreserved_ports(staff_t)
> +corenet_udp_bind_all_unreserved_ports(staff_t)
> +corenet_tcp_bind_generic_node(staff_t)
No, this may be staff, but still unprivileged.
> optional_policy(`
> apache_role(staff_r, staff_t)
> ')
> @@ -36,6 +40,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + netutils_domtrans_ping(staff_t)
> +')
> +
> +optional_policy(`
> postgresql_role(staff_r, staff_t)
> ')
>
> @@ -65,6 +73,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for torbrowser-launcher
> + xdg_exec_data(staff_t)
> +')
> +
> +optional_policy(`
> xscreensaver_role(staff_r, staff_t)
> ')
>
> Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te
> @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
> #
> # Declarations
> #
> +## <desc>
> +## <p>
> +## Allow user to bind all unreserved ports
> +## </p>
> +## </desc>
> +gen_tunable(user_bind_unreserved, false)
>
> #role user_r;
>
> userdom_unpriv_user_template(user)
>
> +tunable_policy(`user_bind_unreserved', `
> + corenet_tcp_bind_all_unreserved_ports(user_t)
> + corenet_udp_bind_all_unreserved_ports(user_t)
> + corenet_tcp_bind_generic_node(user_t)
> +')
There's already a user_tcp_server tunable in
userdom_unpriv_user_template() that should be used instead.
> optional_policy(`
> apache_role(user_r, user_t)
> ')
> @@ -25,6 +37,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + netutils_domtrans_ping(user_t)
> +')
This is already maanged in userdom_unpriv_user_template().
> +optional_policy(`
> screen_role_template(user, user_r, user_t)
> ')
>
> @@ -33,6 +49,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for torbrowser-launcher
> + xdg_exec_data(user_t)
> +')
How about adding this to userdom_unpriv_user_template() or
userdom_common_user_template() instead?
> +optional_policy(`
> xscreensaver_role(user_r, user_t)
> ')
>
> Index: refpolicy-2.20200209/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20200209/policy/modules/services/samba.if
> @@ -714,3 +714,22 @@ interface(`samba_admin',`
> files_list_tmp($1)
> admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
> ')
> +
> +########################################
> +## <summary>
> +## Restart and get status of samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_restart',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service { start stop status reload };
> +')
Break this up into at least 3 interfaces, samba_startstop, samba_status,
samba_reload.
> Index: refpolicy-2.20200209/policy/modules/system/xdg.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/xdg.if
> +++ refpolicy-2.20200209/policy/modules/system/xdg.if
> @@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',`
>
> ########################################
> ## <summary>
> +## Allow executing the xdg data home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_exec_data',`
> + gen_require(`
> + type xdg_data_t;
> + ')
> +
> + can_exec($1, xdg_data_t)
> +')
> +
> +########################################
> +## <summary>
> ## Create objects in the user home dir with an automatic type transition to
> ## the xdg_documents_t type.
> ## </summary>
--
Chris PeBenito
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-16 15:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-12 3:11 small net patch Russell Coker
2020-02-16 15:16 ` Chris PeBenito
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).