Subject: Re: [PATCH v2] Add knot module
To: Alexander Miroshnichenko, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Date: Mon, 8 Jul 2019 20:47:45 -0400
Message-ID: <1e3cd1ef-1643-ee92-d6f3-55c45bdee331@ieee.org>
In-Reply-To: <20190705120251.1121-1-alex@millerson.name>
References: <20190702155823.GA27193@brutus.lan> <20190705120251.1121-1-alex@millerson.name>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 7/5/19 8:02 AM, Alexander Miroshnichenko wrote:
> Add a SELinux Reference Policy module for the
> Knot authoritative-only DNS server.
> > Signed-off-by: Alexander Miroshnichenko > --- > policy/modules/roles/sysadm.te | 4 + > policy/modules/services/knot.fc | 9 ++ > policy/modules/services/knot.if | 219 ++++++++++++++++++++++++++++++++ > policy/modules/services/knot.te | 104 +++++++++++++++ > policy/modules/system/init.te | 4 + > 5 files changed, 340 insertions(+) > create mode 100644 policy/modules/services/knot.fc > create mode 100644 policy/modules/services/knot.if > create mode 100644 policy/modules/services/knot.te I think the rules are probably ok, but the interface names need work. They should all start with knot_*, for starters. See below. > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 8f891c83865f..e3079ad65d17 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -550,6 +550,10 @@ optional_policy(` > keystone_admin(sysadm_t, sysadm_r) > ') > > +optional_policy(` > + knotc_role(sysadm_r, sysadm_t) > +') > + > optional_policy(` > kismet_admin(sysadm_t, sysadm_r) > ') > diff --git a/policy/modules/services/knot.fc b/policy/modules/services/knot.fc > new file mode 100644 > index 000000000000..02a1c2022661 > --- /dev/null > +++ b/policy/modules/services/knot.fc > @@ -0,0 +1,9 @@ > +/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0) > + > +/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0) > + > +/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0) > + > +/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0) > + > +/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0) > diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if > new file mode 100644 > index 000000000000..fef08da46a79 > --- /dev/null > +++ b/policy/modules/services/knot.if 
> @@ -0,0 +1,219 @@ > +## high-performance authoritative-only DNS server. > + > +######################################## > +## > +## Execute knotd_exec_t in the knotd domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`knotd_domtrans',` > + gen_require(` > + type knotd_t, knotd_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, knotd_exec_t, knotd_t) > +') This doesn't seem needed, since a service is usually started by init. If it is needed, then it should be something like knot_domtrans(), and then the latter knotc_domtrans should be something like knot_domtrans_client(). > +######################################## > +## > +## Manage Knot runtime. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_manage_runtime',` > + gen_require(` > + type knot_runtime_t; > + ') > + > + manage_dirs_pattern($1, knot_runtime_t, knot_runtime_t) > + manage_files_pattern($1, knot_runtime_t, knot_runtime_t) > + manage_lnk_files_pattern($1, knot_runtime_t, knot_runtime_t) > + manage_sock_files_pattern($1, knot_runtime_t, knot_runtime_t) > + files_search_pids($1) While there are a few interfaces that have this, I don't want this to be the standard. This should either be split into 4 different interfaces or put the rules directly in knot.te. > +') > + > +######################################## > +## > +## Manage knot var lib. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_manage_var_lib',` > + gen_require(` > + type knot_var_lib_t; > + ') > + > + manage_dirs_pattern($1, knot_var_lib_t, knot_var_lib_t) > + manage_files_pattern($1, knot_var_lib_t, knot_var_lib_t) > + manage_lnk_files_pattern($1, knot_var_lib_t, knot_var_lib_t) > + files_search_var_lib($1) > +') Same thing as above. > +######################################## > +## > +## Mmap knot var lib files. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`knot_mmap_var_lib_files',` "map" not "mmap" > + gen_require(` > + type knot_var_lib_t; > + ') > + > + allow $1 knot_var_lib_t:file map; > +') > + > +######################################## > +## > +## Read, mmap knot config files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_mmap_config_file',` In this case, mmap_read, not just mmap. Or split map perm to another interface. > + gen_require(` > + type knot_conf_t; > + ') > + > + mmap_read_files_pattern($1, knot_conf_t, knot_conf_t) > + files_search_etc($1) > +') > + > +######################################## > +## > +## Manage knot tmp. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_manage_tmp',` > + gen_require(` > + type knot_tmp_t; > + ') > + > + allow $1 knot_tmp_t:file manage_file_perms; > + allow $1 knot_tmp_t:dir manage_dir_perms; Needs 2 interfaces. > +') > + > +######################################## > +## > +## Mmap knot tmp. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_mmap_tmp_files',` Similar comment to above. > + gen_require(` > + type knot_tmp_t; > + ') > + > + allow $1 knot_tmp_t:file map; > +') > + > +######################################## > +## > +## Create knot tmp files, directories in > +## temporary directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to be created > +## > +## > +## > +## > +## The object class. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`knot_tmp_filetrans',` > + gen_require(` > + type knot_tmp_t; > + ') > + > + files_tmp_filetrans($1, knot_tmp_t, { file dir }) > +') > + > +######################################## > +## > +## Execute knotc in the knotc domain. > +## > +## > +## > +## Domain allowed to transition. 
> +## > +## > +# > +interface(`knotc_domtrans',` > + gen_require(` > + type knotc_t, knotc_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, knotc_exec_t, knotc_t) > +') > + > +######################################## > +## > +## Role access for knotc > +## > +## > +## > +## Role allowed access > +## > +## > +## > +## > +## User domain for the role > +## > +## > +# > +interface(`knotc_role',` > + gen_require(` > + type knotc_t; > + attribute_role knotc_roles; > + ') > + > + roleattribute $1 knotc_roles; > + > + knotc_domtrans($2) > + > + ps_process_pattern($2, knotc_t) > + allow $2 knotc_t:process { signull signal sigkill }; > +') > diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te > new file mode 100644 > index 000000000000..780535759cf5 > --- /dev/null > +++ b/policy/modules/services/knot.te 
> @@ -0,0 +1,104 @@ > +policy_module(knot, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type knotd_t; > +type knotd_exec_t; > +init_daemon_domain(knotd_t, knotd_exec_t) > + > +type knotc_t; > +type knotc_exec_t; > +application_domain(knotc_t, knotc_exec_t) > +init_daemon_domain(knotc_t, knotc_exec_t) > +role knotc_roles types knotc_t; > + > +attribute_role knotc_roles; > + > +type knot_conf_t; > +files_config_file(knot_conf_t) > + > +type knot_runtime_t; > +files_pid_file(knot_runtime_t) > + > +type knot_var_lib_t; > +files_type(knot_var_lib_t) > + > +type knot_tmp_t; > +files_tmp_file(knot_tmp_t) > + > +######################################## > +# > +# knotd local policy > +# > +allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid }; > +allow knotd_t self:process { signal_perms getcap getsched setsched }; > +allow knotd_t self:tcp_socket create_stream_socket_perms; > +allow knotd_t self:udp_socket create_socket_perms; > +allow knotd_t self:unix_stream_socket create_stream_socket_perms; > + > +corenet_tcp_bind_generic_node(knotd_t) > +corenet_udp_bind_generic_node(knotd_t) > + > +corenet_sendrecv_dns_server_packets(knotd_t) > +corenet_tcp_bind_dns_port(knotd_t) > +corenet_udp_bind_dns_port(knotd_t) > +# Slave replication > +corenet_tcp_connect_dns_port(knotd_t) > + > +kernel_read_kernel_sysctls(knotd_t) > + > +knot_mmap_config_file(knotd_t) > + > +knot_manage_runtime(knotd_t) > +files_pid_filetrans(knotd_t, knot_runtime_t, dir) > + > +knot_manage_var_lib(knotd_t) > +knot_mmap_var_lib_files(knotd_t) > +files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir) > + > +knot_manage_tmp(knotd_t) > +knot_mmap_tmp_files(knotd_t) > +knot_tmp_filetrans(knotd_t) > + > +files_map_etc_files(knotd_t) > + > +fs_getattr_xattr_fs(knotd_t) > + > +fs_getattr_tmpfs(knotd_t) > + > +auth_use_nsswitch(knotd_t) > + > +logging_send_syslog_msg(knotd_t) > + > +miscfiles_read_localization(knotd_t) > + > 
+######################################## > +# > +# knotc local policy > +# > +allow knotc_t self:capability { dac_override dac_read_search }; > +allow knotc_t self:process signal; > + > +stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t) > + > +knot_mmap_config_file(knotc_t) > + > +knot_manage_tmp(knotc_t) > +knot_mmap_tmp_files(knotc_t) > +knot_tmp_filetrans(knotc_t) > + > +knot_manage_var_lib(knotc_t) > +knot_mmap_var_lib_files(knotc_t) > + > +files_read_etc_files(knotc_t) > + > +fs_getattr_tmpfs(knotc_t) > + > +domain_use_interactive_fds(knotc_t) > + > +miscfiles_read_localization(knotc_t) > + > +userdom_use_user_ptys(knotc_t) > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index f4d27bff3ea2..d38a0a8549d3 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -1158,6 +1158,10 @@ optional_policy(` > kerberos_use(initrc_t) > ') > > +optional_policy(` > + knot_mmap_config_file(initrc_t) > +') > + > optional_policy(` > ldap_read_config(initrc_t) > ldap_list_db(initrc_t) > -- Chris PeBenito
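Review bot: in the policy/modules/roles/sysadm.te hunk the new optional_policy block calling knotc_role(sysadm_r, sysadm_t) is inserted between the keystone_admin and kismet_admin blocks, but the surrounding blocks appear to be kept in alphabetical order and "knot" sorts after "kismet"; move the block below the kismet_admin one, and update the call to whatever final name the role interface gets (knot_role, following the knot_* prefix requested above).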
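Review bot: in the policy/modules/services/knot.if hunk, knot_tmp_filetrans documents three parameters ("The type of the object to be created", "The object class.", "The name of the object being created.") but its body uses only $1 and hardcodes `files_tmp_filetrans($1, knot_tmp_t, { file dir })`; either drop the unused parameter documentation or make the interface take the class and name and pass them through. In the same hunk, knot_manage_tmp and knot_mmap_tmp_files grant access to knot_tmp_t but neither calls files_search_tmp($1), whereas knot_manage_var_lib calls files_search_var_lib($1) and knot_manage_runtime calls files_search_pids($1), so a caller without its own tmp_t search access cannot reach the files; knot_manage_tmp also uses bare `allow $1 knot_tmp_t:file manage_file_perms;` / `allow $1 knot_tmp_t:dir manage_dir_perms;` where the other interfaces use the manage_*_pattern macros, so the interfaces in this file should at least be consistent with each other once they are split as requested above.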
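Review bot: in the policy/modules/services/knot.te hunk, knotc_t is declared with both application_domain(knotc_t, knotc_exec_t) and init_daemon_domain(knotc_t, knotc_exec_t); knotc is the control client that user roles reach through knotc_role, so the init_daemon_domain line looks copied from the knotd_t block and should be dropped, leaving knotd_t as the only daemon domain. In the declarations, `role knotc_roles types knotc_t;` appears before `attribute_role knotc_roles;`; declare the attribute first. In the knotc local policy, `stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t)` grants search on knot_runtime_t but nothing in that block lets knotc_t search the parent /run directory (knotd_t gets it through files_search_pids inside knot_manage_runtime), so add the matching search access. For least privilege, both domains receive dac_override alongside dac_read_search, and knotd_t gets files_map_etc_files on top of knot_mmap_config_file, which already covers the Knot configuration; either document in a comment which access actually requires these broader rules or remove them.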
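Review bot: in the policy/modules/system/init.te hunk, initrc_t is given knot_mmap_config_file(initrc_t), i.e. read plus map of knot_conf_t; an init script rarely needs to map a daemon's configuration, so either add a comment above the optional_policy block stating what in the service start requires it or call a read-only config interface instead, and rename the call to match the renamed interface (knot_mmap_read_config or the split variant suggested above).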