SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: another memlockd patch
Date: Fri, 10 Apr 2020 10:10:57 +0200
Message-ID: <ypjl369bn4ku.fsf@defensec.nl> (raw)
In-Reply-To: <20200410060317.GB35896@xev> (Russell Coker's message of "Fri, 10 Apr 2020 16:03:17 +1000")

Russell Coker <russell@coker.com.au> writes:

> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> I think this resolves all issues Chris raised.
>
>
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.fc
> @@ -0,0 +1 @@
> +/usr/sbin/memlockd	--	gen_context(system_u:object_r:memlockd_exec_t,s0)
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.if
> @@ -0,0 +1,2 @@
> +## <summary>memory lock daemon, keeps important files in RAM.</summary>
> +
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.te
> @@ -0,0 +1,37 @@
> +policy_module(memlockd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type memlockd_t;
> +type memlockd_exec_t;
> +init_daemon_domain(memlockd_t, memlockd_exec_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow memlockd_t self:capability { setgid setuid ipc_lock };
> +allow memlockd_t self:fifo_file rw_file_perms;
> +allow memlockd_t self:unix_dgram_socket { create connect };

the unix dgram socket creating is probably redundant and implied with
logging_send_logs_msg() as journald uses dgram_sendto for logging?

> +
> +# cache /etc/shadow too
> +auth_read_shadow(memlockd_t)

Hmm since /etc/shadow is mode 000, how is memlock able to read this
without cap_dac_read_search access. is that implied?

> +auth_map_shadow(memlockd_t)
> +
> +corecmd_exec_all_executables(memlockd_t)
> +corecmd_exec_bin(memlockd_t)
> +corecmd_exec_shell(memlockd_t)
> +corecmd_read_all_executables(memlockd_t)
> +corecmd_search_bin(memlockd_t)
> +files_read_etc_files(memlockd_t)
> +libs_exec_ld_so(memlockd_t)
> +files_map_etc_files(memlockd_t)
> +
> +logging_send_syslog_msg(memlockd_t)
> +miscfiles_read_localization(memlockd_t)
> +
> +sysnet_mmap_read_config(memlockd_t)
> Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if
> @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
>  
>  #######################################
>  ## <summary>
> +##	map network config files.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to mmap the
> +##	general network configuration files.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_mmap_read_config',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 net_conf_t:file mmap_read_file_perms;
> +')
> +
> +#######################################
> +## <summary>
>  ##	Do not audit attempts to read network config files.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20200410/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20200410/policy/modules/system/authlogin.if
> @@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
>  
>  ########################################
>  ## <summary>
> +##	Map the shadow passwords file (/etc/shadow)
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_map_shadow',`
> +	gen_require(`
> +		type shadow_t;
> +	')
> +	allow $1 shadow_t:file map;
> +')
> +
> +########################################
> +## <summary>
>  ##	Pass shadow assertion for reading.
>  ## </summary>
>  ## <desc>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

  reply index

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-10  6:03 Russell Coker
2020-04-10  8:10 ` Dominick Grift [this message]
2020-04-10  9:40   ` Russell Coker
2020-04-14 15:04     ` Chris PeBenito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ypjl369bn4ku.fsf@defensec.nl \
    --to=dominick.grift@defensec.nl \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git