From: Russell Coker
To: "selinux-refpolicy@vger.kernel.org"
Reply-To: russell@coker.com.au
Subject: small net patch
Date: Wed, 12 Feb 2020 14:11:01 +1100
Message-ID: <10271002.VOa6tZZ1Ku@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This patch against git refpolicy adds a few small network related policy changes. I think it's ready to be included.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Attachment: net.diff (text/x-patch)

Index: refpolicy-2.20200209/policy/modules/admin/netutils.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te +++ refpolicy-2.20200209/policy/modules/admin/netutils.te @@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; allow ping_t self:netlink_route_socket create_netlink_socket_perms; +allow ping_t self:icmp_socket create; corenet_all_recvfrom_unlabeled(ping_t) corenet_all_recvfrom_netlabel(ping_t) Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc 
@@ -27,6 +27,7 @@ ifdef(`distro_debian',` /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0) ifdef(`distro_redhat',` /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2) # Declarations # +## +##

+## Determine whether DHCP client +## can manage samba +##

+##
+gen_tunable(dhcpc_manage_samba, false) + attribute_role dhcpc_roles; roleattribute system_r dhcpc_roles; @@ -171,6 +179,15 @@ ifdef(`init_systemd',` ') optional_policy(` + tunable_policy(`dhcpc_manage_samba',` + samba_manage_var_files(dhcpc_t) + init_exec_script_files(dhcpc_t) + init_get_system_status(dhcpc_t) + samba_restart(dhcpc_t) + ') +') + +optional_policy(` avahi_domtrans(dhcpc_t) ') Index: refpolicy-2.20200209/policy/modules/roles/staff.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/roles/staff.te +++ refpolicy-2.20200209/policy/modules/roles/staff.te @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff) # corenet_ib_access_unlabeled_pkeys(staff_t) +corenet_tcp_bind_all_unreserved_ports(staff_t) +corenet_udp_bind_all_unreserved_ports(staff_t) +corenet_tcp_bind_generic_node(staff_t) + optional_policy(` apache_role(staff_r, staff_t) ') @@ -36,6 +40,10 @@ optional_policy(` ') optional_policy(` + netutils_domtrans_ping(staff_t) +') + +optional_policy(` postgresql_role(staff_r, staff_t) ') @@ -65,6 +73,11 @@ optional_policy(` ') optional_policy(` + # for torbrowser-launcher + xdg_exec_data(staff_t) +') + +optional_policy(` xscreensaver_role(staff_r, staff_t) ') Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te +++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0) # # Declarations # +## +##

+## Allow user to bind all unreserved ports +##

+##
+gen_tunable(user_bind_unreserved, false) #role user_r; userdom_unpriv_user_template(user) +tunable_policy(`user_bind_unreserved', ` + corenet_tcp_bind_all_unreserved_ports(user_t) + corenet_udp_bind_all_unreserved_ports(user_t) + corenet_tcp_bind_generic_node(user_t) +') + optional_policy(` apache_role(user_r, user_t) ') @@ -25,6 +37,10 @@ optional_policy(` ') optional_policy(` + netutils_domtrans_ping(user_t) +') + +optional_policy(` screen_role_template(user, user_r, user_t) ') @@ -33,6 +49,11 @@ optional_policy(` ') optional_policy(` + # for torbrowser-launcher + xdg_exec_data(user_t) +') + +optional_policy(` xscreensaver_role(user_r, user_t) ') Index: refpolicy-2.20200209/policy/modules/services/samba.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/samba.if +++ refpolicy-2.20200209/policy/modules/services/samba.if @@ -714,3 +714,22 @@ interface(`samba_admin',` files_list_tmp($1) admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) ') + +######################################## +## +## Restart and get status of samba daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_restart',` + gen_require(` + type samba_unit_t; + ') + + allow $1 samba_unit_t:file getattr; + allow $1 samba_unit_t:service { start stop status reload }; +') Index: refpolicy-2.20200209/policy/modules/system/xdg.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/xdg.if +++ refpolicy-2.20200209/policy/modules/system/xdg.if 
@@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',` ######################################## ## +## Allow executing the xdg data home files +## +## +## +## Domain allowed access. +## +## +# +interface(`xdg_exec_data',` + gen_require(` + type xdg_data_t; + ') + + can_exec($1, xdg_data_t) +') + +######################################## +## ## Create objects in the user home dir with an automatic type transition to ## the xdg_documents_t type. ## --nextPart1643910.SjqnUqvdB2--
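Review bot: the netutils.te hunk's new line `+allow ping_t self:icmp_socket create;` grants only `create`, while the rawip_socket and packet_socket rules directly above it carry the full `{ create ioctl read write bind getopt setopt ... }` set. If ping is meant to actually use the ICMP datagram socket, a successful create will be followed by bind/setopt/read/write on it, which this rule still denies, so the socket becomes unusable after creation; either mirror the rawip_socket permission set, or, if the create is only expected to be attempted and then abandoned, use dontaudit rather than allow.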
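Review bot: in the sysnetwork.fc hunk, `+/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)` leaves the `.` in the filename unescaped, whereas the neighbouring `.*resolv\.conf` entry escapes it; file context paths are regular expressions, so write `/etc/tor/torsocks\.conf`. The hunk header also names `ifdef(`distro_debian',` as the enclosing block: confirm the new entry lands outside it, since the torsocks config path is not Debian-specific.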
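Review bot: the dhcpc_manage_samba block in the sysnetwork.te hunk grants more than its summary ("can manage samba") says: `init_exec_script_files(dhcpc_t)` lets the DHCP client execute every init script, not only samba's. If restarting samba is the goal, `samba_restart(dhcpc_t)` plus `init_get_system_status(dhcpc_t)` should cover it and the init script exec can be dropped; the tunable description should then state concretely that the client may write samba's /var/lib files and restart the service. The new optional_policy block is also inserted ahead of the existing avahi one; refpolicy orders optional_policy blocks alphabetically by the module they reference, so move it to its sorted position.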
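Review bot: the first staff.te hunk adds `corenet_tcp_bind_all_unreserved_ports(staff_t)`, `corenet_udp_bind_all_unreserved_ports(staff_t)` and `corenet_tcp_bind_generic_node(staff_t)` unconditionally, while the unprivuser.te part of the same patch gates the identical three calls behind the new user_bind_unreserved tunable. Letting every staff process listen on any unreserved port changes the default policy; either gate the staff_t calls behind a tunable in the same way, or say in the commit message why staff_t should have this by default.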
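Review bot: in the first unprivuser.te hunk, `tunable_policy(`user_bind_unreserved', `` has a space before the second backtick, unlike `tunable_policy(`dhcpc_manage_samba',`` in the sysnetwork.te hunk; keep the refpolicy style without the space. The tunable summary "Allow user to bind all unreserved ports" should also mention the generic node bind the block grants. The hunk context shows `policy_module(unprivuser, 2.10.0)` untouched, as does `policy_module(sysnetwork, 1.24.2)` in the sysnetwork.te hunk; refpolicy patches normally bump the module version alongside policy changes.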
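Review bot: the samba.if hunk's summary for samba_restart says "Restart and get status of samba daemon", but the rule `allow $1 samba_unit_t:service { start stop status reload };` also permits stopping the daemon outright and reloading it. Either document and name the interface for what it grants (a start/stop/status/reload interface) or narrow the permission set to what the dhcpc_t caller actually needs. Note too that `service` permissions on the unit file only take effect under systemd, which is worth stating in the interface description.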
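Review bot: xdg_exec_data in the xdg.if hunk grants `can_exec($1, xdg_data_t)`, i.e. execution of every file under the user's XDG data home, and the staff.te and unprivuser.te hunks call it unconditionally with only a `# for torbrowser-launcher` comment. That makes the whole data directory an executable location for those domains, which weakens what the xdg_data_t label separates. Consider gating the role-module calls behind a tunable, or giving torbrowser-launcher's files their own type so exec does not cover all of xdg_data_t; the summary "Allow executing the xdg data home files" should at least say it applies to all xdg_data_t files.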