Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2184820pxb;
        Mon, 18 Jan 2021 10:23:24 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxZL4GeNK78huLf234k73sxz7StNYGaRAU17dA41MBsP5ovClDxRd9vHkLwbftcvmZIIYoK
X-Received: by 2002:a17:906:3b16:: with SMTP id g22mr602994ejf.504.1610994204002;
        Mon, 18 Jan 2021 10:23:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610994203; cv=none;
        d=google.com; s=arc-20160816;
        b=ABJjaILLDzC1Ruxlvcals4YC5PyjQ+lRGA8WzujVxs8XxdHf0dy9zrdOQQSBia6Ibx
         7E9bZwSRGfi5hamS/c5P4tCxpWW1WmLk2BnnSydmIKHhsgg1Z8x6w7CXmLoIuHR56B3I
         bsK3K6S5qVvW9Bth0v7ebKWDRX8AUHPS7nWxQclUQjImaLVwVX3yBcnm0pm1uDeausfA
         Li3vaszWlM1qSXWvN+RvW19hDrdyORde4JXNovRmqvA4TeFJFrBQByjmtucu4uXGM7gt
         Je9NPZTWx0IhfCeqPkCt1khZKKdbvqomKftbEdTxoif2BV6E8k3X8ZXVSdN90kB0Ylq4
         nPfw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to
         :date:references:subject:cc:to:from:dkim-signature:dkim-filter;
        bh=bUpAwKpG3B9q8O0nXN9kv/6bEZlyY4B6yDnga58eV10=;
        b=ETr5b6F5roQu3ZWOj20U+44CcuCT+Mf2ATqTbBlMiwT9ZzJAT11u3XS32asbj42YDu
         w+3dP7swwxmGI8fd2tcMtiyJTgh4b5xq4oL0DTb1pUL+0WutdBI+ihJ/n2tZ1IjKj3QB
         BpGlvjFTEUv2koCjNwJ7ipMwrWA36kIfjN6mmZZd3u9C7YI1hNmkLVKRDkDoq11ZdlmE
         /zdKoJ7eLWVZHO9Vw4mb86Pq1WMrBf+HNG719OP9qY7J6Ngx7BJIQEMavm73Jt0Z+pgI
         p2K8VGwp+PY1aFLGqSVgW3YwD8/googSFx4RibAitCzPz9kD/JATWLNm1kzxIf67SAnG
         ePSQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=GhmvuhSK;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id r7si6499224edv.345.2021.01.18.10.23.17;
        Mon, 18 Jan 2021 10:23:23 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=GhmvuhSK;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2407251AbhARSUk (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 18 others); Mon, 18 Jan 2021 13:20:40 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34098 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2393200AbhARPIm (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 18 Jan 2021 10:08:42 -0500
Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id A5970C061786
        for <selinux-refpolicy@vger.kernel.org>; Mon, 18 Jan 2021 07:07:12 -0800 (PST)
Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438])
        by agnus.defensec.nl (Postfix) with ESMTPSA id 9E8E92A12B5;
        Mon, 18 Jan 2021 16:07:09 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 9E8E92A12B5
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl;
        s=default; t=1610982430;
        bh=bUpAwKpG3B9q8O0nXN9kv/6bEZlyY4B6yDnga58eV10=;
        h=From:To:Cc:Subject:References:Date:In-Reply-To:From;
        b=GhmvuhSKDE42kUavPlCHo0GHm+szVt4q8bbnRQaSxnKzcAJNTC6gxRV6HCKya2KUq
         6QyTwcr8DH2RMsDU7zpd4tefMP1JWQZsDXeYDxRxYBI94TkST2kwYlLVXN1/ab1yEF
         F/CKmv27IK0zK+wQgIc4fwATyUMxtz70QHupIBdo=
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] matrixd (synapse) policy
References: <YAWfkswaGfWW5lWe@xev>
Date:   Mon, 18 Jan 2021 16:07:06 +0100
In-Reply-To: <YAWfkswaGfWW5lWe@xev> (Russell Coker's message of "Tue, 19 Jan
        2021 01:47:46 +1100")
Message-ID: <ypjlim7umgh1.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker <russell@coker.com.au> writes:

> This is the policy for a Matrix daemon, it was written for Synapse but should
> be OK with minimal modifications for other Matrix daemons.  Thanks to
> 0xC0ncord for writing a policy which gave me the idea for a tunable for
> federation.
>
> I am happy for this to be included in git now, but no doubt Chris will
> suggest some changes.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>

Added some inline comments for what i think are the most interesting
aspects.

Aside there is more room for improvement

>
> Index: refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/kernel/corenetwork.te.in
> +++ refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
> @@ -149,7 +149,7 @@ network_port(hadoop_namenode, tcp,8020,s
>  network_port(hddtemp, tcp,7634,s0)
>  network_port(howl, tcp,5335,s0, udp,5353,s0)
>  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
> -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
> +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
>  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
>  network_port(i18n_input, tcp,9010,s0)
>  network_port(imaze, tcp,5323,s0, udp,5323,s0)
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.fc
> @@ -0,0 +1,4 @@
> +/var/lib/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_var_t,s0)
> +/var/log/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_log_t,s0)
> +/etc/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_conf_t,s0)
> +/usr/bin/synctl			--	gen_context(system_u:object_r:matrixd_exec_t,s0)
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.if
> @@ -0,0 +1 @@
> +## <summary>Matrixd</summary>
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.te
> @@ -0,0 +1,124 @@
> +policy_module(matrixd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +##  <p>
> +##  Determine whether Matrixd is allowed to federate
> +##  (bind all UDP ports and connect to all TCP ports).
> +##  </p>
> +## </desc>
> +gen_tunable(matrix_allow_federation, true)
> +
> +## <desc>
> +##  <p>
> +##  Determine whether Matrixd can connect to the Postgres database.
> +##  </p>
> +## </desc>
> +gen_tunable(matrix_postgresql_connect, false)
> +
> +
> +type matrixd_t;
> +type matrixd_exec_t;
> +init_daemon_domain(matrixd_t, matrixd_exec_t)
> +
> +type matrixd_var_t;
> +files_type(matrixd_var_t)
> +manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
> +files_search_var_lib(matrixd_t)
> +allow matrixd_t matrixd_var_t:file map;
> +allow matrixd_t matrixd_var_t:dir manage_dir_perms;
> +
> +type matrixd_log_t;
> +logging_log_file(matrixd_log_t)
> +logging_search_logs(matrixd_t)
> +manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
> +
> +type matrixd_conf_t;
> +files_config_file(matrixd_conf_t)
> +read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
> +allow matrixd_t matrixd_conf_t:dir list_dir_perms;
> +
> +type matrixd_tmp_t;
> +files_tmp_file(matrixd_tmp_t)
> +allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
> +files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
> +fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow matrixd_t self:fifo_file rw_file_perms;
> +allow matrixd_t self:tcp_socket create_stream_socket_perms;
> +allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms;

r_netlink_route_socket_perms probably

> +
> +corenet_tcp_connect_http_port(matrixd_t)
> +corenet_tcp_connect_http_cache_port(matrixd_t)
> +corenet_udp_bind_generic_port(matrixd_t)
> +corenet_tcp_bind_http_port(matrixd_t)
> +corenet_udp_bind_reserved_port(matrixd_t)
> +
> +allow matrixd_t self:udp_socket create_socket_perms;
> +allow matrixd_t self:unix_dgram_socket { create getopt setopt write };

create_socket_perms

> +# https://cffi.readthedocs.io/en/latest/using.html#callbacks
> +allow matrixd_t self:process execmem;
> +
> +can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t })

Are you sure that it requires "execute_no_trans" here and not just "map
execute"? Can you show the avc denials that prompted this rule to be added?

> +
> +kernel_read_system_state(matrixd_t)
> +kernel_search_fs_sysctls(matrixd_t)
> +kernel_read_vm_overcommit_sysctl(matrixd_t)
> +kernel_search_vm_sysctl(matrixd_t)
> +
> +corecmd_exec_bin(matrixd_t)
> +corecmd_shell_entry_type(matrixd_t)

Why would the matrixd_t domain be entered via shell_exec_t? Can you show
the avc denials that prompted this rule to be added?

> +corecmd_exec_shell(matrixd_t)
> +
> +corenet_tcp_bind_generic_node(matrixd_t)
> +corenet_udp_bind_generic_node(matrixd_t)
> +
> +dev_read_urand(matrixd_t)
> +
> +files_read_etc_files(matrixd_t)
> +files_read_etc_runtime_files(matrixd_t)
> +files_read_etc_symlinks(matrixd_t)
> +
> +# for /usr/share/ca-certificates
> +files_read_usr_files(matrixd_t)
> +
> +init_search_runtime(matrixd_t)
> +libs_exec_ldconfig(matrixd_t)
> +libs_exec_lib_files(matrixd_t)
> +logging_send_syslog_msg(matrixd_t)
> +
> +miscfiles_read_generic_tls_privkey(matrixd_t)
> +miscfiles_read_generic_certs(matrixd_t)
> +miscfiles_read_localization(matrixd_t)
> +
> +sysnet_read_config(matrixd_t)
> +
> +userdom_search_user_runtime_root(matrixd_t)
> +
> +optional_policy(`
> +	apache_search_config(matrixd_t)
> +')
> +
> +tunable_policy(`matrix_allow_federation',`
> +	corenet_tcp_connect_all_unreserved_ports(matrixd_t)
> +	corenet_tcp_connect_generic_port(matrixd_t)
> +	corenet_udp_bind_all_ports(matrixd_t)
> +', `
> +	corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
> +	corenet_dontaudit_udp_bind_all_ports(matrixd_t)
> +')
> +
> +tunable_policy(`matrix_postgresql_connect',`
> +	postgresql_stream_connect(matrixd_t)
> +	postgresql_tcp_connect(matrixd_t)
> +')
> +
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift