Subject: Re: small net patch
To: russell@coker.com.au, "selinux-refpolicy@vger.kernel.org"
From: Chris PeBenito
Date: Sun, 16 Feb 2020 10:16:22 -0500
In-Reply-To: <10271002.VOa6tZZ1Ku@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/11/20 10:11 PM, Russell Coker wrote:
> This patch against git refpolicy adds a few small network related policy > changes. I think it's ready to be included.

Please inline patch and add signed-off-by.

> --- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te > +++ refpolicy-2.20200209/policy/modules/admin/netutils.te
> @@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock > allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; > allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; > allow ping_t self:netlink_route_socket create_netlink_socket_perms; > +allow ping_t self:icmp_socket create; > > corenet_all_recvfrom_unlabeled(ping_t) > corenet_all_recvfrom_netlabel(ping_t) > Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc > +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc > @@ -27,6 +27,7 @@ ifdef(`distro_debian',` > /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) > > /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) > +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0) > > ifdef(`distro_redhat',` > /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) > Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te > +++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te > @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2) > # Declarations > # > > +## > +##

> +## Determine whether DHCP client > +## can manage samba > +##

> +##
> +gen_tunable(dhcpc_manage_samba, false) > + > attribute_role dhcpc_roles; > roleattribute system_r dhcpc_roles; > > @@ -171,6 +179,15 @@ ifdef(`init_systemd',` > ') > > optional_policy(` > + tunable_policy(`dhcpc_manage_samba',` > + samba_manage_var_files(dhcpc_t) > + init_exec_script_files(dhcpc_t) > + init_get_system_status(dhcpc_t) > + samba_restart(dhcpc_t) Please elaborate here. Is this to set WINS servers? > + ') > +') > + > +optional_policy(` > avahi_domtrans(dhcpc_t) > ') > > Index: refpolicy-2.20200209/policy/modules/roles/staff.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/roles/staff.te > +++ refpolicy-2.20200209/policy/modules/roles/staff.te > @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff) > # > corenet_ib_access_unlabeled_pkeys(staff_t) > > +corenet_tcp_bind_all_unreserved_ports(staff_t) > +corenet_udp_bind_all_unreserved_ports(staff_t) > +corenet_tcp_bind_generic_node(staff_t) No, this may be staff, but still unprivileged. > optional_policy(` > apache_role(staff_r, staff_t) > ') > @@ -36,6 +40,10 @@ optional_policy(` > ') > > optional_policy(` > + netutils_domtrans_ping(staff_t) > +') > + > +optional_policy(` > postgresql_role(staff_r, staff_t) > ') > > @@ -65,6 +73,11 @@ optional_policy(` > ') > > optional_policy(` > + # for torbrowser-launcher > + xdg_exec_data(staff_t) > +') > + > +optional_policy(` > xscreensaver_role(staff_r, staff_t) > ') > > Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te > +++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te > @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0) > # > # Declarations > # > +## > +##

> +## Allow user to bind all unreserved ports > +##

> +##
> +gen_tunable(user_bind_unreserved, false) > > #role user_r; > > userdom_unpriv_user_template(user) > > +tunable_policy(`user_bind_unreserved', ` > + corenet_tcp_bind_all_unreserved_ports(user_t) > + corenet_udp_bind_all_unreserved_ports(user_t) > + corenet_tcp_bind_generic_node(user_t) > +') There's already a user_tcp_server tunable in userdom_unpriv_user_template() that should be used instead. > optional_policy(` > apache_role(user_r, user_t) > ') > @@ -25,6 +37,10 @@ optional_policy(` > ') > > optional_policy(` > + netutils_domtrans_ping(user_t) > +') This is already managed in userdom_unpriv_user_template(). > +optional_policy(` > screen_role_template(user, user_r, user_t) > ') > > @@ -33,6 +49,11 @@ optional_policy(` > ') > > optional_policy(` > + # for torbrowser-launcher > + xdg_exec_data(user_t) > +') How about adding this to userdom_unpriv_user_template() or userdom_common_user_template() instead? > +optional_policy(` > xscreensaver_role(user_r, user_t) > ') > > Index: refpolicy-2.20200209/policy/modules/services/samba.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/services/samba.if > +++ refpolicy-2.20200209/policy/modules/services/samba.if
> @@ -714,3 +714,22 @@ interface(`samba_admin',` > files_list_tmp($1) > admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) > ') > + > +######################################## > +## > +## Restart and get status of samba daemon > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samba_restart',` > + gen_require(` > + type samba_unit_t; > + ') > + > + allow $1 samba_unit_t:file getattr; > + allow $1 samba_unit_t:service { start stop status reload }; > +') Break this up into at least 3 interfaces, samba_startstop, samba_status, samba_reload. > Index: refpolicy-2.20200209/policy/modules/system/xdg.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/system/xdg.if > +++ refpolicy-2.20200209/policy/modules/system/xdg.if > @@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',` > > ######################################## > ## > +## Allow executing the xdg data home files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdg_exec_data',` > + gen_require(` > + type xdg_data_t; > + ') > + > + can_exec($1, xdg_data_t) > +') > + > +######################################## > +## > ## Create objects in the user home dir with an automatic type transition to > ## the xdg_documents_t type. > ## -- Chris PeBenito
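Review bot: in the netutils.te hunk, `allow ping_t self:icmp_socket create;` grants only `create` on the new socket class, so ping could open an ICMP datagram socket but not bind, read, write or set options on it; the first use of the socket will produce further denials. The rawip_socket rule two lines above shows the shape the set should take (`{ create ioctl read write bind getopt setopt getattr }`), so either grant the permissions ping actually uses on icmp_socket or explain in the commit message why `create` alone is intended. Also check that the build enables the extended_socket_class policy capability; without it the kernel checks ICMP sockets against rawip_socket and this rule is never reached.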
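Review bot: in the sysnetwork.fc hunk, `/etc/tor/torsocks.conf` is given `net_conf_t`, the type this module uses for system network configuration such as `/etc/systemd/network(/.*)?` in the context line; that makes a Tor client configuration readable by every domain that reads network config and writable by the domains that manage it. The commit message should say which domain needs to read it and why it belongs in sysnetwork rather than with the rest of /etc/tor in the tor module; if only torsocks-wrapped clients read it, a tor-specific type is the narrower fit.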
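Review bot: in the first sysnetwork.te hunk, the tunable description "Determine whether DHCP client can manage samba" does not say what access is switched on. This text is all an administrator sees in the generated documentation and boolean listing, so state the concrete grant (writing samba's var files and starting, stopping and reloading the samba service, per the second hunk) and the use case that needs it.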
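Review bot: in the second sysnetwork.te hunk, `init_exec_script_files(dhcpc_t)` and `init_get_system_status(dhcpc_t)` are init-module interfaces sitting inside an `optional_policy` block whose other calls are samba interfaces, and `init_exec_script_files` lets dhcpc_t execute every init script on the system, not only samba's. If the goal is restarting samba after a lease change, restrict it to samba's own script or unit (samba_admin in samba.if shows the per-service pattern) and keep generic init access out of the samba block; a long-running, network-facing client like dhcpc_t should hold the minimum needed to restart one service.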
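Review bot: in the first staff.te hunk, the three corenet_*_bind_* calls are unconditional, unlike the equivalent block in unprivuser.te which is at least behind a tunable, so every staff_t process could bind listening TCP and UDP sockets on all unreserved ports and on any local address with no way to turn that off at runtime. Drop the block, or if a staff use case exists, gate it on the existing user_tcp_server tunable rather than adding unconditional bind rights to an unprivileged role.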
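Review bot: in the second staff.te hunk, `netutils_domtrans_ping(staff_t)` duplicates what `userdom_unpriv_user_template(staff)` (the context line in the first staff.te hunk header) already provides, the same duplication noted for user_t; remove it.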
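Review bot: in the first unprivuser.te hunk, the description "Allow user to bind all unreserved ports" understates the grant: the tunable_policy block also allows UDP binding and `corenet_tcp_bind_generic_node(user_t)`, i.e. listening on any local address. If this tunable is kept at all rather than reusing user_tcp_server, its description must name both protocols and the node bind, since that text is what an administrator reads before enabling it.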
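Review bot: in the samba.if hunk, the summary "Restart and get status of samba daemon" does not match the rule, which also grants `reload` and separate `start` and `stop`; whichever split is chosen, each interface's summary should name exactly the service permissions it grants. The bare `allow $1 samba_unit_t:file getattr;` is also hand-rolled unit-file access; check whether the init module's service interfaces already express this so unit permissions are not duplicated per module.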
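Review bot: in the xdg.if hunk, `can_exec($1, xdg_data_t)` makes every file under the XDG data home executable for the caller, and the callers added in staff.te and unprivuser.te are the full staff_t and user_t domains. The data home is user-writable, so this removes the write-versus-execute separation for that directory: anything a browser, mail client or downloader drops under ~/.local/share can then be executed in the user's own domain. If torbrowser-launcher is the only consumer, a narrower fix is a dedicated type for its extracted browser tree or a boolean defaulting to off, and the interface summary should spell out that it grants execute on all of xdg_data_t.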