Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3318385ybi; Tue, 2 Jul 2019 05:56:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqyiIgF65MiZy8+RXACmy32o7azguNdn6pJT5/8vA6Du8q4g0pNUmCHLPt6oP9hOt8jD90WC X-Received: by 2002:a17:90a:270f:: with SMTP id o15mr5512462pje.56.1562072185119; Tue, 02 Jul 2019 05:56:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562072185; cv=none; d=google.com; s=arc-20160816; b=VFLATViYhx/DXkBsKXGBA6Qz4h3UCi90qb1iLYdkRvAtXBeRtKDzT/+lIl/ANP2Xn1 6OnQLp+dv5i+LNg6hG0t90WS9Hsglm48+r3nhpVT7VKtMIwcWsDCfgk2Z2yeanWWD8un 2pMY+bdw8xrEKA/si485mBfSYqVwnnS6nIQ+ASuw3s4Cjt5ryQaCVGQ+fZUjumtjZNZk BBcQYOksfjuOMltdVHKwp2m517ZASG8Tc/fOW7vOPch8obYZ5XcncmwB4rZy9psuK+eh QKnDknv6knlvvr0qaYPVhR8recu6W2BpNa6KDnIj19pbxV7J6Oge0nc/QfrS5gk0HC3l 2j9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=dsY5BXrUggyeXkFjbAb3r1fQTNoKE1RjMm3kN5ZEKf4=; b=ILH4eYOBqy7ISSG2NF8UJcMThrt/yiRsz5gv98sZXX37MVUh1dgZksY9iuYzeWbL1Z mK+iKDdnXDo+u90ZQq40agmBw5VdpF4em5LriZHScDxbQ0O0QP+RUH0nfpeSQbG3puQb sNYidA3jgUAwmAnOnMwub1ISY/14GS4siYBVGRh3Dm3HIHKCPcIwP4Z0g7Mw8boiagC4 znipIcKVewfyvHyKaHDv+5nfWY4t1l/GO1IPgSVzYHUkmNzyt1qwz1xDyK7wVfh/RuBP uzdJYE84eTZA2fM/GrszhPYDUjT75pQNGNIfOsyNW73FncyWU7f3jSrY4Bl2SM3sO4a3 72oQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@millerson.name header.s=mail header.b=bfo7VC31; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=millerson.name Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67]) by mx.google.com with ESMTP id q4si14075900pfh.12.2019.07.02.05.56.20; Tue, 02 Jul 2019 05:56:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@millerson.name header.s=mail header.b=bfo7VC31; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=millerson.name Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726457AbfGBM4O (ORCPT + 11 others); Tue, 2 Jul 2019 08:56:14 -0400 Received: from host89-222-249-147.netorn.net ([89.222.249.147]:46872 "EHLO mail.millerson.name" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1726167AbfGBM4O (ORCPT ); Tue, 2 Jul 2019 08:56:14 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=millerson.name; s=mail; h=MIME-Version:Message-Id:Date:Subject:To:From: user-agent:in-reply-to; bh=dsY5BXrUggyeXkFjbAb3r1fQTNoKE1RjMm3kN5ZEKf4=; b=bf o7VC31zJq70tWs7vbTAmbIE1yuOmGKbUacaJ8tnEPeC8cr9cFQee33hSEOpYiNUE63UkIZjZysLJ3 jVv9fDI8yV7O8yR2vmiODQrS3cCGmdNYerySXWW2v8MyEXKYmC5dBhMmRh8ogGEKi62RFPVNNESG2 28b4VSr4aot0eZU=; Received: from localhost ([127.0.0.1] helo=mail.millerson.name) by mail.millerson.name with esmtpsa id 1hiIKS-0001pP-1e (envelope-from ); Tue, 02 Jul 2019 15:56:12 +0300 Received: from alex-office-laptop.msk1.rbkmoney.net ([2a04:4a00:5:967:fd2:bfae:dd0b:da19]) by mail.millerson.name with ESMTPSA id uaxFHmtUG110GwAAXPwaFA (envelope-from ); Tue, 02 Jul 2019 15:56:11 +0300 
From: Alexander Miroshnichenko To: selinux-refpolicy@vger.kernel.org Cc: Alexander Miroshnichenko Subject: [PATCH] Add knot module Date: Tue, 2 Jul 2019 15:55:59 +0300 Message-Id: <20190702125559.15631-1-alex@millerson.name> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit X-GIT-Signature: da957eb68d04a2a87d796fd3ed08a103 X-Spam-Score: 0.9 (/) X-Spam-Status: No Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Add a SELinux Reference Policy module for the Knot authoritative-only DNS server. Signed-off-by: Alexander Miroshnichenko --- policy/modules/roles/sysadm.te | 4 + policy/modules/services/knot.fc | 11 +++ policy/modules/services/knot.if | 156 ++++++++++++++++++++++++++++++++ policy/modules/services/knot.te | 92 +++++++++++++++++++ 4 files changed, 263 insertions(+) create mode 100644 policy/modules/services/knot.fc create mode 100644 policy/modules/services/knot.if create mode 100644 policy/modules/services/knot.te diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 8f891c83865f..e3079ad65d17 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -550,6 +550,10 @@ optional_policy(` keystone_admin(sysadm_t, sysadm_r) ') +optional_policy(` + knotc_role(sysadm_r, sysadm_t) +') + optional_policy(` kismet_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/services/knot.fc b/policy/modules/services/knot.fc new file mode 100644 index 000000000000..a809fbc72b14 --- /dev/null +++ b/policy/modules/services/knot.fc 
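Review bot: The new `knotc_role` block lands between the `keystone_admin` and `kismet_admin` blocks, but the surrounding optional_policy blocks in sysadm.te appear to be kept in alphabetical order and `knotc` sorts after `kismet`, so the block belongs below the kismet one (and after any further `ki*`/`kn*` entries not visible in this hunk). The hunk itself is otherwise fine; `knotc_role` is defined in knot.if later in this patch.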
@@ -0,0 +1,11 @@
+/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0)
+
+/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0)
+
+/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0)
+
+/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0)
+
+/run/knot -d gen_context(system_u:object_r:knot_runtime_t,s0)
+
+/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0)
diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if
new file mode 100644
index 000000000000..71eec0c9c1e3
--- /dev/null
+++ b/policy/modules/services/knot.if
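Review bot: The `/run/knot -d` entry is redundant: `/run/knot(/.*)?` on the line below already matches the directory itself with the same context, so keep only `+/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0)`. Separately, `/var/lib/knot(/.*)?` receives a single type; if DNSSEC private keys are stored under that tree on deployed systems (Knot's default KASP database location, to be confirmed against the actual configuration), every domain later granted read on `knot_var_lib_t` also reads key material, so a dedicated type for the key store would be worth considering before other modules start requesting read access.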
@@ -0,0 +1,156 @@
+
+## policy for knotc
+
+########################################
+##
+## Execute knotd_exec_t in the knotd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`knotd_domtrans',`
+ gen_require(`
+ type knotd_t, knotd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, knotd_exec_t, knotd_t)
+')
+
+########################################
+##
+## Manage knot runtime files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`knot_manage_runtime_files',`
+ gen_require(`
+ type knot_runtime_t;
+ type var_run_t;
+ ')
+
+ manage_dirs_pattern($1, knot_runtime_t, knot_runtime_t)
+ manage_files_pattern($1, knot_runtime_t, knot_runtime_t)
+ manage_lnk_files_pattern($1, knot_runtime_t, knot_runtime_t)
+ manage_sock_files_pattern($1, knot_runtime_t, knot_runtime_t)
+ search_dirs_pattern($1, knot_runtime_t, knot_runtime_t)
+ files_pid_filetrans($1, knot_runtime_t, { file dir sock_file})
+')
+
+########################################
+##
+## Knot /var/lib files mamange.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`knot_manage_var_lib_files',`
+ gen_require(`
+ type knot_var_lib_t;
+ ')
+
+ manage_dirs_pattern($1, knot_var_lib_t, knot_var_lib_t)
+ manage_files_pattern($1, knot_var_lib_t, knot_var_lib_t)
+ manage_lnk_files_pattern($1, knot_var_lib_t, knot_var_lib_t)
+ allow $1 knot_var_lib_t:file map;
+ files_var_lib_filetrans($1, knot_var_lib_t, { file dir })
+')
+
+########################################
+##
+## Knot /etc/knot files read.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`knot_read_conf',`
+ gen_require(`
+ type knot_conf_t;
+ type initrc_t;
+ ')
+
+ mmap_read_files_pattern($1, knot_conf_t, knot_conf_t)
+ read_files_pattern(initrc_t, knot_conf_t, knot_conf_t)
+')
+
+########################################
+##
+## Manage knot temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`knot_manage_tmpfs_files',`
+ gen_require(`
+ type knot_tmp_t;
+ ')
+
+ files_tmp_filetrans($1, knot_tmp_t, { file dir })
+ allow $1 knot_tmp_t:file map;
+ allow $1 knot_tmp_t:file manage_file_perms;
+ allow $1 knot_tmp_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Execute knotc_exec_t in the knotc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`knotc_domtrans',`
+ gen_require(`
+ type knotc_t, knotc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, knotc_exec_t, knotc_t)
+')
+
+########################################
+##
+## Role access for knotc
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`knotc_role',`
+ gen_require(`
+ type knotc_t;
+ attribute_role knotc_roles;
+ ')
+
+ roleattribute $1 knotc_roles;
+
+ knotc_domtrans($2)
+
+ ps_process_pattern($2, knotc_t)
+ allow $2 knotc_t:process { signull signal sigkill };
+')
diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te
new file mode 100644
index 000000000000..d96b7bf4ce98
--- /dev/null
+++ b/policy/modules/services/knot.te
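Review bot: `knot_read_conf` contains `read_files_pattern(initrc_t, knot_conf_t, knot_conf_t)`, which grants initrc_t read access to /etc/knot unconditionally every time any caller uses the interface, independent of `$1`; an interface must only grant to its parameter, so drop that line (and the `type initrc_t;` require) and, if an init script really needs to read the config, give initrc_t that access in a separately named, visible place rather than as a side effect. `knot_manage_runtime_files` requires `type var_run_t;` but never uses it, and its `search_dirs_pattern` call is already implied by `manage_dirs_pattern`. `knot_manage_tmpfs_files` is misnamed: it deals with /tmp files (`files_tmp_file`/`files_tmp_filetrans`), not tmpfs, so `knot_manage_tmp_files` would match refpolicy naming. The summary `Knot /var/lib files mamange.` has a typo (`manage`), and the `<summary>`/`<param>` XML tags are not visible in this rendering of the `##` lines; please confirm they are present in the real patch, since the interface documentation build depends on them.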
@@ -0,0 +1,92 @@
+policy_module(knot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type knotd_t;
+type knotd_exec_t;
+init_daemon_domain(knotd_t, knotd_exec_t)
+
+type knotc_t;
+type knotc_exec_t;
+application_domain(knotc_t, knotc_exec_t)
+init_daemon_domain(knotc_t, knotc_exec_t)
+role knotc_roles types knotc_t;
+
+attribute_role knotc_roles;
+roleattribute system_r knotc_roles;
+
+type knot_conf_t;
+files_type(knot_conf_t)
+
+type knot_runtime_t;
+files_pid_file(knot_runtime_t)
+
+type knot_var_lib_t;
+files_type(knot_var_lib_t)
+
+type knot_tmp_t;
+files_tmp_file(knot_tmp_t)
+
+########################################
+#
+# knotd local policy
+#
+allow knotd_t self:capability { dac_read_search setgid setpcap setuid };
+allow knotd_t self:process { fork signal_perms getcap getsched setsched };
+allow knotd_t self:tcp_socket create_stream_socket_perms;
+allow knotd_t self:udp_socket create_stream_socket_perms;
+allow knotd_t self:unix_stream_socket create_stream_socket_perms;
+
+corenet_tcp_bind_generic_node(knotd_t)
+corenet_udp_bind_generic_node(knotd_t)
+
+corenet_sendrecv_dns_server_packets(knotd_t)
+corenet_tcp_bind_dns_port(knotd_t)
+corenet_udp_bind_dns_port(knotd_t)
+# Slave replication
+corenet_tcp_connect_dns_port(knotd_t)
+
+kernel_read_kernel_sysctls(knotd_t)
+
+knot_read_conf(knotd_t)
+knot_manage_runtime_files(knotd_t)
+knot_manage_tmpfs_files(knotd_t)
+
+# Read /etc/passwd
+files_read_etc_files(knotd_t)
+# Read /etc/{resolv.conf,hosts}
+sysnet_read_config(knotd_t)
+
+fs_dontaudit_getattr_xattr_fs(knotd_t)
+
+fs_dontaudit_getattr_tmpfs(knotd_t)
+
+logging_send_syslog_msg(knotd_t)
+
+miscfiles_read_localization(knotd_t)
+
+########################################
+#
+# knotc local policy
+#
+
+allow knotc_t self:capability { dac_override dac_read_search };
+
+stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t)
+
+knot_read_conf(knotc_t)
+knot_manage_tmpfs_files(knotc_t)
+knot_manage_var_lib_files(knotc_t)
+
+files_dontaudit_search_var_lib(knotc_t)
+
+fs_dontaudit_getattr_tmpfs(knotc_t)
+
+domain_use_interactive_fds(knotc_t)
+
+miscfiles_read_localization(knotc_t)
+
+userdom_use_user_ptys(knotc_t)
-- 2.21.0
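Review bot: `knotd_t` is granted no access to `knot_var_lib_t` at all — only `knotc_t` calls `knot_manage_var_lib_files` — yet the .fc labels /var/lib/knot with that type and, by Knot's default `storage` setting (to be confirmed against the deployed config), that is where knotd writes its zone journal, timers and DNSSEC key database, so the daemon will be denied there unless storage lives elsewhere; add `knot_manage_var_lib_files(knotd_t)` (or a narrower rule set) to the knotd section. `allow knotd_t self:udp_socket create_stream_socket_perms;` includes listen/accept, which have no meaning for UDP; `create_socket_perms` is the usual set. `role knotc_roles types knotc_t;` appears before `attribute_role knotc_roles;`, whereas other modules declare the attribute first, and the forward reference may be rejected or mis-declared as a plain role by checkmodule. The `# Read /etc/passwd` / `files_read_etc_files(knotd_t)` pair suggests knotd looks up its unprivileged user before `setuid`/`setgid`; the refpolicy idiom for that is `auth_use_nsswitch(knotd_t)`, which also covers nscd/sssd/ldap-backed lookups. Finally, refpolicy style writes a module's own rules directly with the `*_pattern` macros in the .te and reserves interfaces for other modules, whereas this .te calls its own `knot_read_conf`/`knot_manage_*` interfaces.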