From: Alexander Miroshnichenko
To: selinux-refpolicy@vger.kernel.org
Cc: pebenito@ieee.org, dac.override@gmail.com, Alexander Miroshnichenko
Subject: [PATCH v4] Add knot module
Date: Wed, 10 Jul 2019 15:54:01 +0300
Message-Id: <20190710125401.17541-1-alex@millerson.name>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190710105254.GA5889@brutus.lan>
References: <20190710105254.GA5889@brutus.lan>

Add a SELinux Reference Policy module for the Knot authoritative-only DNS server.

Signed-off-by: Alexander Miroshnichenko
---
 policy/modules/roles/sysadm.te  |   5 ++
 policy/modules/services/knot.fc |  11 +++
 policy/modules/services/knot.if | 108 ++++++++++++++++++++++++++++
 policy/modules/services/knot.te | 121 ++++++++++++++++++++++++++++++++
 policy/modules/system/init.te   |   4 ++
 5 files changed, 249 insertions(+)
 create mode 100644 policy/modules/services/knot.fc
 create mode 100644 policy/modules/services/knot.if
 create mode 100644 policy/modules/services/knot.te

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 8f891c83865f..1f986432e2af 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -550,6 +550,11 @@ optional_policy(` keystone_admin(sysadm_t, sysadm_r) ') +optional_policy(` + knot_admin(sysadm_t, sysadm_r) + knot_run_client(sysadm_t, sysadm_r) +') + optional_policy(` kismet_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/services/knot.fc b/policy/modules/services/knot.fc new file mode 100644 index 000000000000..bbf8a3526aeb --- /dev/null +++ b/policy/modules/services/knot.fc 
@@ -0,0 +1,11 @@ +/etc/rc\.d/init\.d/knot -- gen_context(system_u:object_r:knot_initrc_exec_t,s0) + +/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0) + +/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0) + +/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0) + +/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0) + +/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0) diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if new file mode 100644 index 000000000000..a3792c3d15d0 --- /dev/null +++ b/policy/modules/services/knot.if 
@@ -0,0 +1,108 @@ +## high-performance authoritative-only DNS server. + +######################################## +## +## Execute knotc in the knotc domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`knot_domtrans_client',` + gen_require(` + type knotc_t, knotc_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, knotc_exec_t, knotc_t) +') + +######################################## +## +## Execute knotc in the knotc domain, and +## allow the specified role the knotc domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`knot_run_client',` + gen_require(` + attribute_role knot_roles; + ') + + knot_domtrans_client($1) + roleattribute $2 knot_roles; +') + +######################################## +## +## Read knot config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`knot_read_config_files',` + gen_require(` + type knot_conf_t; + ') + + read_files_pattern($1, knot_conf_t, knot_conf_t) + files_search_etc($1) +') + +######################################## +## +## All of the rules required to +## administrate an knot environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`knot_admin',` + gen_require(` + type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t; + type knot_runtime_t, knot_tmp_t, knot_var_lib_t; + ') + + allow $1 knotc_t:process signal_perms; + allow $1 knotd_t:process { ptrace signal_perms }; + ps_process_pattern($1, knotc_t) + ps_process_pattern($1, knotd_t) + + init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t) + + files_search_etc($1) + admin_pattern($1, knot_conf_t) + + files_search_pids($1) + admin_pattern($1, knot_runtime_t) + + files_search_tmp($1) + admin_pattern($1, knot_tmp_t) + + files_search_var_lib($1) + admin_pattern($1, knot_var_lib_t) +') 
diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te new file mode 100644 index 000000000000..04a9aff00be6 --- /dev/null +++ b/policy/modules/services/knot.te 
@@ -0,0 +1,121 @@ +policy_module(knot, 1.0.0) + +######################################## +# +# Declarations +# + +attribute_role knot_roles; + +type knotd_t; +type knotd_exec_t; +init_daemon_domain(knotd_t, knotd_exec_t) + +type knotc_t; +type knotc_exec_t; +application_domain(knotc_t, knotc_exec_t) +init_system_domain(knotc_t, knotc_exec_t) +role knot_roles types knotc_t; + +type knot_conf_t; +files_config_file(knot_conf_t) + +type knot_initrc_exec_t; +init_script_file(knot_initrc_exec_t) + +type knot_runtime_t; +files_pid_file(knot_runtime_t) + +type knot_var_lib_t; +files_type(knot_var_lib_t) + +type knot_tmp_t; +files_tmp_file(knot_tmp_t) + +######################################## +# +# knotd local policy +# +allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid }; +allow knotd_t self:process { signal_perms getcap getsched setsched }; +allow knotd_t self:tcp_socket create_stream_socket_perms; +allow knotd_t self:udp_socket create_socket_perms; +allow knotd_t self:unix_stream_socket create_stream_socket_perms; + +corenet_tcp_bind_generic_node(knotd_t) +corenet_udp_bind_generic_node(knotd_t) + +corenet_sendrecv_dns_server_packets(knotd_t) +corenet_tcp_bind_dns_port(knotd_t) +corenet_udp_bind_dns_port(knotd_t) +# Slave replication +corenet_tcp_connect_dns_port(knotd_t) + +kernel_read_kernel_sysctls(knotd_t) + +allow knotd_t knot_conf_t:file map; +knot_read_config_files(knotd_t) + +manage_dirs_pattern(knotd_t, knot_runtime_t, knot_runtime_t) +manage_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) +manage_lnk_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) +manage_sock_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) +files_pid_filetrans(knotd_t, knot_runtime_t, dir) + +allow knotd_t knot_tmp_t:file map; +allow knotd_t knot_tmp_t:file manage_file_perms; +allow knotd_t knot_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(knotd_t, knot_tmp_t, { file dir }) + +allow knotd_t knot_var_lib_t:file map; 
+manage_dirs_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) +manage_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) +manage_lnk_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) +files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir) + +files_map_etc_files(knotd_t) +files_search_var_lib(knotd_t) + +fs_getattr_xattr_fs(knotd_t) + +fs_getattr_tmpfs(knotd_t) + +auth_use_nsswitch(knotd_t) + +logging_send_syslog_msg(knotd_t) + +miscfiles_read_localization(knotd_t) + +######################################## +# +# knotc local policy +# +allow knotc_t self:capability { dac_override dac_read_search }; +allow knotc_t self:process signal; + +stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t) + +allow knotc_t knot_conf_t:file map; +knot_read_config_files(knotc_t) + +allow knotc_t knot_tmp_t:file map; +allow knotc_t knot_tmp_t:file manage_file_perms; +allow knotc_t knot_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(knotc_t, knot_tmp_t, { file dir }) + +allow knotc_t knot_var_lib_t:file map; +manage_dirs_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) +manage_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) +manage_lnk_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) + +files_read_etc_files(knotc_t) +files_search_pids(knotc_t) +files_search_var_lib(knotc_t) + +fs_getattr_tmpfs(knotc_t) + +domain_use_interactive_fds(knotc_t) + +miscfiles_read_localization(knotc_t) + +userdom_use_user_ptys(knotc_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f4d27bff3ea2..d118290e6c19 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1158,6 +1158,10 @@ optional_policy(` kerberos_use(initrc_t) ') +optional_policy(` + knot_read_config_files(initrc_t) +') + optional_policy(` ldap_read_config(initrc_t) ldap_list_db(initrc_t) -- 2.21.0
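Review bot: the sysadm.te hunk breaks the alphabetical ordering of the optional_policy blocks: the new block is inserted between `keystone_admin(sysadm_t, sysadm_r)` and `kismet_admin(sysadm_t, sysadm_r)`, but "kismet" sorts before "knot", so the `knot_admin(sysadm_t, sysadm_r)` / `knot_run_client(sysadm_t, sysadm_r)` block belongs after the kismet block.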
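Review bot: the knot_admin summary in the knot.if hunk reads "All of the rules required to administrate an knot environment."; the article is wrong, so change it to "administrate a knot environment." to match the wording of the other admin interfaces.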
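Review bot: knot.te calls the module's own interface from its .te file, `knot_read_config_files(knotd_t)` and `knot_read_config_files(knotc_t)`; refpolicy modules should not use their own interfaces internally, so write the rules directly, e.g. `read_files_pattern(knotd_t, knot_conf_t, knot_conf_t)` with `files_search_etc(knotd_t)`, and likewise for knotc_t. Separately, `allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };` and `allow knotc_t self:capability { dac_override dac_read_search };` give both domains a DAC bypass even though every file they touch in this policy carries a knot_*_t label; please note in the commit message which access produced the denial that needs these, and drop dac_override where dac_read_search (or correct file ownership) is sufficient.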
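Review bot: the init.te hunk gives initrc_t read access to the Knot configuration via `knot_read_config_files(initrc_t)`, but neither the commit message nor a comment in the hunk says why an init script needs to read /etc/knot; add a one-line comment above the optional_policy block, or a sentence in the commit message, naming the init-script step that reads the config so the rule can be judged against that need.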