Date: Wed, 10 Jul 2019 12:52:54 +0200
From: Dominick Grift
To: Alexander Miroshnichenko
Cc: selinux-refpolicy@vger.kernel.org, pebenito@ieee.org
Subject: Re: [PATCH v3] Add knot module
Message-ID: <20190710105254.GA5889@brutus.lan>
References: <1e3cd1ef-1643-ee92-d6f3-55c45bdee331@ieee.org> <20190710085520.14010-1-alex@millerson.name>
In-Reply-To: <20190710085520.14010-1-alex@millerson.name>

On Wed, Jul 10, 2019 at 11:55:20AM +0300, Alexander Miroshnichenko wrote:
> Add a SELinux Reference Policy module for the
> Knot authoritative-only DNS server.

You forgot to make knotc init_system_domain() instead of init_daemon_domain(). Also, "file" should be plural "files": knot_read_config_files()

>=20 > Signed-off-by: Alexander Miroshnichenko > --- > policy/modules/roles/sysadm.te | 5 ++ > policy/modules/services/knot.fc | 11 +++ > policy/modules/services/knot.if | 108 ++++++++++++++++++++++++++++ > policy/modules/services/knot.te | 121 ++++++++++++++++++++++++++++++++ > policy/modules/system/init.te | 4 ++ > 5 files changed, 249 insertions(+) > create mode 100644 policy/modules/services/knot.fc > create mode 100644 policy/modules/services/knot.if > create mode 100644 policy/modules/services/knot.te >=20 > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm= =2Ete > index 8f891c83865f..1f986432e2af 100644
> --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -550,6 +550,11 @@ optional_policy(` > keystone_admin(sysadm_t, sysadm_r) > ') > =20 > +optional_policy(` > + knot_admin(sysadm_t, sysadm_r) > + knot_run_client(sysadm_t, sysadm_r) > +') > + > optional_policy(` > kismet_admin(sysadm_t, sysadm_r) > ') > diff --git a/policy/modules/services/knot.fc b/policy/modules/services/kn= ot.fc > new file mode 100644 > index 000000000000..bbf8a3526aeb > --- /dev/null > +++ b/policy/modules/services/knot.fc > @@ -0,0 +1,11 @@ > +/etc/rc\.d/init\.d/knot -- gen_context(system_u:object_r:knot_initrc_exe= c_t,s0) > + > +/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0) > + > +/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0) > + > +/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0) > + > +/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0) > + > +/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0) > diff --git a/policy/modules/services/knot.if b/policy/modules/services/kn= ot.if > new file mode 100644 > index 000000000000..93285a91a5da > --- /dev/null > +++ b/policy/modules/services/knot.if 
> @@ -0,0 +1,108 @@ > +## high-performance authoritative-only DNS server. > + > +######################################## > +## > +## Execute knotc in the knotc domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`knot_domtrans_client',` > + gen_require(` > + type knotc_t, knotc_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, knotc_exec_t, knotc_t) > +') > + > +######################################## > +## > +## Execute knotc in the knotc domain, and > +## allow the specified role the knotc domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`knot_run_client',` > + gen_require(` > + attribute_role knot_roles; > + ') > + > + knot_domtrans_client($1) > + roleattribute $2 knot_roles; > +') > + > +######################################## > +## > +## Read knot config files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`knot_read_config_file',` > + gen_require(` > + type knot_conf_t; > + ') > + > + read_files_pattern($1, knot_conf_t, knot_conf_t) > + files_search_etc($1) > +') > + > +######################################## > +## > +## All of the rules required to > +## administrate an knot environment. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Role allowed access. 
> +## > +## > +## > +# > +interface(`knot_admin',` > + gen_require(` > + type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t; > + type knot_runtime_t, knot_tmp_t, knot_var_lib_t; > + ') > + > + allow $1 knotc_t:process signal_perms; > + allow $1 knotd_t:process { ptrace signal_perms }; > + ps_process_pattern($1, knotc_t) > + ps_process_pattern($1, knotd_t) > + > + init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t) > + > + files_search_etc($1) > + admin_pattern($1, knot_conf_t) > + > + files_search_pids($1) > + admin_pattern($1, knot_runtime_t) > + > + files_search_tmp($1) > + admin_pattern($1, knot_tmp_t) > + > + files_search_var_lib($1) > + admin_pattern($1, knot_var_lib_t) > +') > diff --git a/policy/modules/services/knot.te b/policy/modules/services/kn= ot.te > new file mode 100644 > index 000000000000..8749bed5c53d > --- /dev/null > +++ b/policy/modules/services/knot.te 
> @@ -0,0 +1,121 @@ > +policy_module(knot, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +attribute_role knot_roles; > + > +type knotd_t; > +type knotd_exec_t; > +init_daemon_domain(knotd_t, knotd_exec_t) > + > +type knotc_t; > +type knotc_exec_t; > +application_domain(knotc_t, knotc_exec_t) > +init_daemon_domain(knotc_t, knotc_exec_t) > +role knot_roles types knotc_t; > + > +type knot_conf_t; > +files_config_file(knot_conf_t) > + > +type knot_initrc_exec_t; > +init_script_file(knot_initrc_exec_t) > + > +type knot_runtime_t; > +files_pid_file(knot_runtime_t) > + > +type knot_var_lib_t; > +files_type(knot_var_lib_t) > + > +type knot_tmp_t; > +files_tmp_file(knot_tmp_t) > + > +######################################## > +# > +# knotd local policy > +# > +allow knotd_t self:capability { dac_override dac_read_search setgid setp= cap setuid }; > +allow knotd_t self:process { signal_perms getcap getsched setsched }; > +allow knotd_t self:tcp_socket create_stream_socket_perms; > +allow knotd_t self:udp_socket create_socket_perms; > +allow knotd_t self:unix_stream_socket create_stream_socket_perms; > + > +corenet_tcp_bind_generic_node(knotd_t) > +corenet_udp_bind_generic_node(knotd_t) > + > +corenet_sendrecv_dns_server_packets(knotd_t) > +corenet_tcp_bind_dns_port(knotd_t) > +corenet_udp_bind_dns_port(knotd_t) > +# Slave replication > +corenet_tcp_connect_dns_port(knotd_t) > + > +kernel_read_kernel_sysctls(knotd_t) > + > +allow knotd_t knot_conf_t:file map; > +knot_read_config_file(knotd_t) > + > +manage_dirs_pattern(knotd_t, knot_runtime_t, knot_runtime_t) > +manage_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) > +manage_lnk_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) > +manage_sock_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) > +files_pid_filetrans(knotd_t, knot_runtime_t, dir) > + > +allow knotd_t knot_tmp_t:file map; > +allow knotd_t knot_tmp_t:file manage_file_perms; > +allow knotd_t 
knot_tmp_t:dir manage_dir_perms; > +files_tmp_filetrans(knotd_t, knot_tmp_t, { file dir }) > + > +allow knotd_t knot_var_lib_t:file map; > +manage_dirs_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) > +manage_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) > +manage_lnk_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) > +files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir) > + > +files_map_etc_files(knotd_t) > +files_search_var_lib(knotd_t) > + > +fs_getattr_xattr_fs(knotd_t) > + > +fs_getattr_tmpfs(knotd_t) > + > +auth_use_nsswitch(knotd_t) > + > +logging_send_syslog_msg(knotd_t) > + > +miscfiles_read_localization(knotd_t) > + > +######################################## > +# > +# knotc local policy > +# > +allow knotc_t self:capability { dac_override dac_read_search }; > +allow knotc_t self:process signal; > + > +stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t) > + > +allow knotc_t knot_conf_t:file map; > +knot_read_config_file(knotc_t) > + > +allow knotc_t knot_tmp_t:file map; > +allow knotc_t knot_tmp_t:file manage_file_perms; > +allow knotc_t knot_tmp_t:dir manage_dir_perms; > +files_tmp_filetrans(knotc_t, knot_tmp_t, { file dir }) > + > +allow knotc_t knot_var_lib_t:file map; > +manage_dirs_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) > +manage_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) > +manage_lnk_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) > + > +files_read_etc_files(knotc_t) > +files_search_pids(knotc_t) > +files_search_var_lib(knotc_t) > + > +fs_getattr_tmpfs(knotc_t) > + > +domain_use_interactive_fds(knotc_t) > + > +miscfiles_read_localization(knotc_t) > + > +userdom_use_user_ptys(knotc_t) > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index f4d27bff3ea2..5824281090ee 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te 
> @@ -1158,6 +1158,10 @@ optional_policy(` > kerberos_use(initrc_t) > ') > =20 > +optional_policy(` > + knot_read_config_file(initrc_t) > +') > + > optional_policy(` > ldap_read_config(initrc_t) > ldap_list_db(initrc_t) > --=20 > 2.21.0 >=20

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
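Review bot: the new optional_policy block in the sysadm.te hunk is inserted between the keystone_admin and kismet_admin blocks, which breaks the alphabetical order that file keeps; "knot" sorts after "kismet", so the `knot_admin(sysadm_t, sysadm_r)` / `knot_run_client(sysadm_t, sysadm_r)` block belongs below the `kismet_admin(sysadm_t, sysadm_r)` block.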
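Review bot: the knot.fc entries are not in the sorted-by-path order refpolicy uses for file contexts: `/etc/knot(/.*)?` should come before `/etc/rc\.d/init\.d/knot`, and `/usr/sbin/knotc` before `/usr/sbin/knotd`. Reorder the entries so each path group stays alphabetical.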
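Review bot: in knot.if the knot_admin summary reads "administrate an knot environment"; it should be "a knot environment". The knot_read_config_file interface is named in the singular while its own summary says "Read knot config files"; refpolicy names these interfaces `*_read_config_files`, and both callers in this series (knot.te and init.te) need to follow the rename.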
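Review bot: knot.te calls the module's own interface, `knot_read_config_file(knotd_t)` and `knot_read_config_file(knotc_t)`, which refpolicy does not do from a module's .te; write the rules directly, e.g. `read_files_pattern(knotd_t, knot_conf_t, knot_conf_t)` plus `files_search_etc(knotd_t)`, and since both domains also get `knot_conf_t:file map` right next to the call, the direct rule can carry the map permission as well. Further points in the same hunk: knotc_t is given both `application_domain(knotc_t, knotc_exec_t)` and `init_daemon_domain(knotc_t, knotc_exec_t)`, whereas a control utility that init scripts run should use `init_system_domain()`, which already applies application_domain(), so the explicit application_domain line can go with that switch; `corenet_tcp_connect_dns_port(knotd_t)` under the "Slave replication" comment should be paired with `corenet_sendrecv_dns_client_packets(knotd_t)`, as the server side is paired with `corenet_sendrecv_dns_server_packets`; the knot_tmp_t rules for both domains are written as raw `allow ... manage_file_perms` / `manage_dir_perms` while the rest of the module uses `manage_files_pattern` / `manage_dirs_pattern`, so use the patterns for consistency; and `files_map_etc_files(knotd_t)` and the `dac_override dac_read_search` capabilities on both domains deserve a comment saying which access needs them, since correctly owned knot_conf_t / knot_var_lib_t files normally make dac_override unnecessary.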
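Review bot: the init.te hunk grants `knot_read_config_file(initrc_t)` without saying why: neither the commit message nor a comment identifies which init script reads /etc/knot, and the sysvinit script labeled knot_initrc_exec_t only needs `files_search_etc` if it merely checks that the config exists. Add a comment with the reason, or drop the call if it is not needed; it also has to be renamed together with the interface when it becomes knot_read_config_files.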