2021-01-27 08:41:49

by Russell Coker

Subject: [PATCH] misc network patches with Dominick's changes

Here's the latest version of my misc network patch with some changes
Dominick suggested and with the controversial things from my previous
patch removed.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210126/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20210126/policy/modules/admin/netutils.te
@@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;

corenet_all_recvfrom_netlabel(ping_t)
corenet_sendrecv_icmp_packets(ping_t)
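Review bot: The new `icmp_socket` rule grants ping_t only `create`, so a socket opened under it can never be read, written or configured; if the rule came from a single AVC denial, the follow-on read/write/getopt/setopt denials are likely to appear as soon as `create` is permitted. It would be better to confirm the complete set the binary needs (for example from a permissive run) and add it in one rule, in the same shape as the rawip_socket line just above: `allow ping_t self:icmp_socket { create ioctl read write bind getopt setopt getattr };`, trimmed to what the denials actually show.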
@@ -156,13 +157,14 @@ allow traceroute_t self:capability { net
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
allow traceroute_t self:process signal;
allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:packet_socket { map create_socket_perms };
allow traceroute_t self:udp_socket create_socket_perms;

can_exec(traceroute_t, traceroute_exec_t)

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
+kernel_search_fs_sysctls(traceroute_t)

corecmd_search_bin(traceroute_t)

@@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t)

logging_send_syslog_msg(traceroute_t)

+miscfiles_read_generic_certs(traceroute_t)
miscfiles_read_localization(traceroute_t)

userdom_use_inherited_user_terminals(traceroute_t)
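Review bot: `miscfiles_read_generic_certs(traceroute_t)` lets a network diagnostic tool read the system CA store, which is not something traceroute needs for its own function; this presumably comes from a linked library initialising itself, but the hunk does not say. If the access is only a library probe that succeeds without the read, the usual refpolicy choice is to silence the denial with the matching dontaudit interface rather than allow it, and either way the line deserves a comment such as `# library start-up probes the CA bundle - confirm; dontaudit if not functionally required`.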
Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)

/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)

ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210126/policy/modules/system/sysnetwork.te
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5)
# Declarations
#

+## <desc>
+## <p>
+## Determine whether DHCP client
+## can manage samba
+## </p>
+## </desc>
+gen_tunable(dhcpc_manage_samba, false)
+
attribute_role dhcpc_roles;
roleattribute system_r dhcpc_roles;

@@ -175,6 +183,18 @@ ifdef(`init_systemd',`
')

optional_policy(`
+ tunable_policy(`dhcpc_manage_samba',`
+ samba_manage_var_files(dhcpc_t)
+ init_exec_script_files(dhcpc_t)
+ init_get_system_status(dhcpc_t)
+ samba_stop(dhcpc_t)
+ samba_start(dhcpc_t)
+ samba_reload(dhcpc_t)
+ samba_status(dhcpc_t)
+ ')
+')
+
+optional_policy(`
avahi_domtrans(dhcpc_t)
')

Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te
@@ -25,6 +25,10 @@ optional_policy(`
')

optional_policy(`
+ netutils_domtrans_ping(user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')

Index: refpolicy-2.20210126/policy/modules/services/samba.if
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/samba.if
+++ refpolicy-2.20210126/policy/modules/services/samba.if
@@ -729,3 +729,79 @@ interface(`samba_admin',`
files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
')
+
+########################################
+## <summary>
+## start samba daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_start',`
+ gen_require(`
+ type samba_unit_t;
+ ')
+
+ allow $1 samba_unit_t:file getattr;
+ allow $1 samba_unit_t:service start;
+')
+
+########################################
+## <summary>
+## stop samba daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_stop',`
+ gen_require(`
+ type samba_unit_t;
+ ')
+
+ allow $1 samba_unit_t:file getattr;
+ allow $1 samba_unit_t:service stop;
+')
+
+########################################
+## <summary>
+## get status of samba daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_status',`
+ gen_require(`
+ type samba_unit_t;
+ ')
+
+ allow $1 samba_unit_t:file getattr;
+ allow $1 samba_unit_t:service status;
+')
+
+########################################
+## <summary>
+## reload samba daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_reload',`
+ gen_require(`
+ type samba_unit_t;
+ ')
+
+ allow $1 samba_unit_t:file getattr;
+ allow $1 samba_unit_t:service reload;
+')
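Review bot: The four new interfaces carry near-identical bodies and one-line summaries ("start samba daemon" etc.) that do not say what is actually granted: `getattr` on the unit file and one `service` permission on `samba_unit_t`, i.e. control through the systemd unit only, with no generic init/systemd access included (the caller in sysnetwork.te adds `init_get_system_status` itself). The summaries should state that, e.g. `## Start the samba service via its systemd unit (samba_unit_t).`, and a short note that callers also need the generic systemd status access would save the next user of these interfaces a round of denials. I cannot see where `samba_unit_t` is declared from this hunk, so the `gen_require` is assumed to resolve against samba.te.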
Index: refpolicy-2.20210126/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210126/policy/modules/services/mon.te
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
files_runtime_filetrans(mon_t, mon_runtime_t, file)

+# to read fips_enabled
+kernel_read_crypto_sysctls(mon_t)
+
kernel_read_kernel_sysctls(mon_t)
kernel_read_network_state(mon_t)
kernel_read_system_state(mon_t)
Index: refpolicy-2.20210126/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20210126/policy/modules/services/mailman.te
@@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
dev_read_urand(mailman_cgi_t)

files_search_locks(mailman_cgi_t)
+files_read_usr_files(mailman_cgi_t)

term_use_controlling_term(mailman_cgi_t)

Index: refpolicy-2.20210126/policy/modules/services/dkim.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20210126/policy/modules/services/dkim.te
@@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi

corenet_udp_bind_generic_node(dkim_milter_t)
corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_udp_bind_generic_port(dkim_milter_t)

dev_read_urand(dkim_milter_t)
# for cpu/online
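Review bot: `corenet_udp_bind_generic_port(dkim_milter_t)` is added right under `corenet_udp_bind_all_unreserved_ports`, which already covers the ephemeral range, so the new line is only reached for a port that carries the generic `port_t` label; the hunk does not say which port that was or why a milter binds it. A comment naming the port and the feature behind it (`# for <port from the denial>: <reason>`) would let a reviewer judge whether a dedicated port type or a narrower interface fits better than the generic one.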


2021-01-27 13:33:36

by Dominick Grift

Subject: Re: [PATCH] misc network patches with Dominick's changes

Russell Coker <[email protected]> writes:

> Here's the latest version of my misc network patch with some changes
> Dominick suggested and with the controversial things from my previous
> patch removed.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20210126/policy/modules/admin/netutils.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20210126/policy/modules/admin/netutils.te
> @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
> allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
> allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
> allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>
> corenet_all_recvfrom_netlabel(ping_t)
> corenet_sendrecv_icmp_packets(ping_t)
> @@ -156,13 +157,14 @@ allow traceroute_t self:capability { net
> allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
> allow traceroute_t self:process signal;
> allow traceroute_t self:rawip_socket create_socket_perms;
> -allow traceroute_t self:packet_socket create_socket_perms;
> +allow traceroute_t self:packet_socket { map create_socket_perms };
> allow traceroute_t self:udp_socket create_socket_perms;
>
> can_exec(traceroute_t, traceroute_exec_t)
>
> kernel_read_system_state(traceroute_t)
> kernel_read_network_state(traceroute_t)
> +kernel_search_fs_sysctls(traceroute_t)
>
> corecmd_search_bin(traceroute_t)
>
> @@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t)
>
> logging_send_syslog_msg(traceroute_t)
>
> +miscfiles_read_generic_certs(traceroute_t)
> miscfiles_read_localization(traceroute_t)
>
> userdom_use_inherited_user_terminals(traceroute_t)
> Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
> /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
>
> /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)

minor but best to escape the period: /etc/tor/torsocks\.conf

not sure why you associate this with net_conf_t. I probably would have
labeled all of /etc/tor tor_conf_t (for confined tor administration etc)

>
> ifdef(`distro_redhat',`
> /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Determine whether DHCP client
> +## can manage samba
> +## </p>
> +## </desc>
> +gen_tunable(dhcpc_manage_samba, false)
> +
> attribute_role dhcpc_roles;
> roleattribute system_r dhcpc_roles;
>
> @@ -175,6 +183,18 @@ ifdef(`init_systemd',`
> ')
>
> optional_policy(`
> + tunable_policy(`dhcpc_manage_samba',`
> + samba_manage_var_files(dhcpc_t)
> + init_exec_script_files(dhcpc_t)
> + init_get_system_status(dhcpc_t)
> + samba_stop(dhcpc_t)
> + samba_start(dhcpc_t)
> + samba_reload(dhcpc_t)
> + samba_status(dhcpc_t)
> + ')
> +')
> +
> +optional_policy(`
> avahi_domtrans(dhcpc_t)
> ')
>
> Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> @@ -25,6 +25,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + netutils_domtrans_ping(user_t)
> +')

this is already allowed conditionally as said before. you should be able
to remove this.

> +
> +optional_policy(`
> screen_role_template(user, user_r, user_t)
> ')
>
> Index: refpolicy-2.20210126/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20210126/policy/modules/services/samba.if
> @@ -729,3 +729,79 @@ interface(`samba_admin',`
> files_list_tmp($1)
> admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
> ')
> +
> +########################################
> +## <summary>
> +## start samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_start',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +## stop samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_stop',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service stop;
> +')
> +
> +########################################
> +## <summary>
> +## get status of samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_status',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service status;
> +')
> +
> +########################################
> +## <summary>
> +## reload samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_reload',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service reload;
> +')
> Index: refpolicy-2.20210126/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210126/policy/modules/services/mon.te
> @@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
> manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
> files_runtime_filetrans(mon_t, mon_runtime_t, file)
>
> +# to read fips_enabled
> +kernel_read_crypto_sysctls(mon_t)
> +
> kernel_read_kernel_sysctls(mon_t)
> kernel_read_network_state(mon_t)
> kernel_read_system_state(mon_t)
> Index: refpolicy-2.20210126/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20210126/policy/modules/services/mailman.te
> @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
> dev_read_urand(mailman_cgi_t)
>
> files_search_locks(mailman_cgi_t)
> +files_read_usr_files(mailman_cgi_t)
>
> term_use_controlling_term(mailman_cgi_t)
>
> Index: refpolicy-2.20210126/policy/modules/services/dkim.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/services/dkim.te
> +++ refpolicy-2.20210126/policy/modules/services/dkim.te
> @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi
>
> corenet_udp_bind_generic_node(dkim_milter_t)
> corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
> +corenet_udp_bind_generic_port(dkim_milter_t)
>
> dev_read_urand(dkim_milter_t)
> # for cpu/online
>

--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

2021-01-27 16:39:36

by Russell Coker

Subject: Re: [PATCH] misc network patches with Dominick's changes

On Thursday, 28 January 2021 12:29:16 AM AEDT Dominick Grift wrote:
> > Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> > ===================================================================
> > --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc
> > +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> > @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
> >
> > /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
> >
> > /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> >
> > +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
>
> minor but bet to escape the period: /etc/tor/torsocks\.conf

OK fixed that.

> not sure why you associate this with net_conf_t. I probably would have
> labeled all of /etc/tor tor_conf_t (for confined tor administration etc)

Because other programs that want to use tor look at it for information on how
to connect to tor via socks.

> > Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> > ===================================================================
> > --- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te
> > +++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> > @@ -25,6 +25,10 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + netutils_domtrans_ping(user_t)
> > +')
>
> this is already allowed conditionally as said before. you should be able
> to remove this.

OK, removed that.

I'll send another patch now.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/