From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc network patches
Date: Wed, 20 Jan 2021 14:23:29 +0100
In-Reply-To: (Russell Coker's message of "Wed, 20 Jan 2021 20:42:21 +1100")

Russell Coker writes:

> Collection of net related patches, ready for inclusion.
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20210120/policy/modules/admin/netutils.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20210120/policy/modules/admin/netutils.te
> @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
> allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
> allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
> allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>
> corenet_all_recvfrom_netlabel(ping_t)
> corenet_sendrecv_icmp_packets(ping_t)
> @@ -164,13 +165,14 @@ allow traceroute_t self:capability { net
> allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
> allow traceroute_t self:process signal;
> allow traceroute_t self:rawip_socket create_socket_perms;
> -allow traceroute_t self:packet_socket create_socket_perms;
> +allow traceroute_t self:packet_socket { map create_socket_perms };
> allow traceroute_t self:udp_socket create_socket_perms;
>
> can_exec(traceroute_t, traceroute_exec_t)
>
> kernel_read_system_state(traceroute_t)
> kernel_read_network_state(traceroute_t)
> +kernel_search_fs_sysctls(traceroute_t)
>
> corecmd_search_bin(traceroute_t)
>
> @@ -205,6 +207,7 @@ auth_use_nsswitch(traceroute_t)
>
> logging_send_syslog_msg(traceroute_t)
>
> +miscfiles_read_generic_certs(traceroute_t)
> miscfiles_read_localization(traceroute_t)
>
> userdom_use_inherited_user_terminals(traceroute_t)
> Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
> /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
>
> /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
>
> ifdef(`distro_redhat',`
> /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20210120/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.3)
> # Declarations
> #
>
> +##
> +##
> +## Determine whether DHCP client
> +## can manage samba
> +##
> +##
> +gen_tunable(dhcpc_manage_samba, false)
> +
> attribute_role dhcpc_roles;
> roleattribute system_r dhcpc_roles;
>
> @@ -175,6 +183,15 @@ ifdef(`init_systemd',`
> ')
>
> optional_policy(`
> + tunable_policy(`dhcpc_manage_samba',`
> + samba_manage_var_files(dhcpc_t)
> + init_exec_script_files(dhcpc_t)
> + init_get_system_status(dhcpc_t)
> + samba_restart(dhcpc_t)
> + ')
> +')
> +
> +optional_policy(`
> avahi_domtrans(dhcpc_t)
> ')
>
> Index: refpolicy-2.20210120/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20210120/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
> #
> corenet_ib_access_unlabeled_pkeys(staff_t)
>
> +corenet_tcp_bind_all_unreserved_ports(staff_t)
> +corenet_udp_bind_all_unreserved_ports(staff_t)
> +corenet_tcp_bind_generic_node(staff_t)

staff_t is an "unpriv user" and so "userdom_unpriv_user_template()" applies to staff_t. This template has two booleans: user_tcp_server and user_udp_server. These booleans currently allow unpriv users to bind tcp and udp sockets to generic ports respectively. This is old, inaccurate and outdated.

Instead those booleans should probably be modernized:

tunable_policy(`user_tcp_server',`
	corenet_tcp_bind_generic_node($1_t)
	corenet_tcp_bind_all_unreserved_ports($1_t)
')

tunable_policy(`user_udp_server',`
	corenet_udp_bind_generic_node($1_t)
	corenet_udp_bind_all_unreserved_ports($1_t)
')

> +
> optional_policy(`
> apache_role(staff_r, staff_t)
> ')
> @@ -36,6 +40,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + netutils_domtrans_ping(staff_t)
> +')
> +

This is already (conditionally) allowed in the userdom_unpriv_user_template(). To make it work requires a boolean to be set to true (I believe).

> +optional_policy(`
> postgresql_role(staff_r, staff_t)
> ')
>
> @@ -65,6 +73,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for torbrowser-launcher
> + xdg_exec_data(staff_t)

What location is this exactly? ~/.local/bin? I would associate a "bin_home_t" with ~/.local/bin and only allow that to be executed, rather than all of ~/.local. But regardless, this or a similar rule should apply to userdom_unpriv_user_template() instead. Use the templates.

> +')
> +
> +optional_policy(`
> xscreensaver_role(staff_r, staff_t)
> ')
>
> Index: refpolicy-2.20210120/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20210120/policy/modules/roles/unprivuser.te
> @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
> #
> # Declarations
> #
> +##
> +##
> +## Allow user to bind all unreserved ports
> +##
> +##
> +gen_tunable(user_bind_unreserved, false)

Modernize and use the existing user_tcp_server and user_udp_server booleans in userdom_unpriv_user_template() instead? See above comment.

>
> #role user_r;
>
> userdom_unpriv_user_template(user)
>
> +tunable_policy(`user_bind_unreserved', `
> + corenet_tcp_bind_all_unreserved_ports(user_t)
> + corenet_udp_bind_all_unreserved_ports(user_t)
> + corenet_tcp_bind_generic_node(user_t)
> ')

See above comment about user_tcp_server and user_udp_server booleans in userdom_unpriv_user_template().

> +
> optional_policy(`
> apache_role(user_r, user_t)
> ')
> @@ -25,6 +37,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + netutils_domtrans_ping(user_t)
> +')
> +

This is already allowed conditionally in userdom_unpriv_user_template(); it requires a boolean to be set to true to work. Adding this rule would break that existing model.

> +optional_policy(`
> screen_role_template(user, user_r, user_t)
> ')
>
> @@ -33,6 +49,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for torbrowser-launcher
> + xdg_exec_data(user_t)
> +')
> +

What location is this exactly? ~/.local/bin? I would associate a "bin_home_t" with ~/.local/bin and only allow that to be executed, rather than all of ~/.local. But regardless, this or a similar rule should apply to userdom_unpriv_user_template() instead. Use the templates.

> +optional_policy(`
> xscreensaver_role(user_r, user_t)
> ')
>
> Index: refpolicy-2.20210120/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20210120/policy/modules/services/samba.if
> @@ -729,3 +729,22 @@ interface(`samba_admin',`
> files_list_tmp($1)
> admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
> ')
> +
> +########################################
> +##
> +## Restart and get status of samba daemon
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`samba_restart',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service { start stop status reload };

This interface seems a bit broad.

> +')
> Index: refpolicy-2.20210120/policy/modules/system/xdg.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/xdg.if
> +++ refpolicy-2.20210120/policy/modules/system/xdg.if
> @@ -921,6 +921,24 @@ interface(`xdg_watch_documents_dirs',`
>
> ########################################
> ##
> +## Allow executing the xdg data home files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xdg_exec_data',`
> + gen_require(`
> + type xdg_data_t;
> + ')
> +
> + can_exec($1, xdg_data_t)
> +')

It's not very common. Did you add this for ~/.local/bin? I would probably associate a private "bin_home_t" type with ~/.local/bin.

> +
> +########################################
> +##
> ## Create objects in the user home dir with an automatic type transition to
> ## the xdg_documents_t type.
> ##
> Index: refpolicy-2.20210120/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210120/policy/modules/services/mon.te
> @@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
> manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
> files_runtime_filetrans(mon_t, mon_runtime_t, file)
>
> +# to read fips_enabled
> +kernel_read_crypto_sysctls(mon_t)
> +
> kernel_read_kernel_sysctls(mon_t)
> kernel_read_network_state(mon_t)
> kernel_read_system_state(mon_t)
> Index: refpolicy-2.20210120/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20210120/policy/modules/services/mailman.te
> @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
> dev_read_urand(mailman_cgi_t)
>
> files_search_locks(mailman_cgi_t)
> +files_read_usr_files(mailman_cgi_t)
>
> term_use_controlling_term(mailman_cgi_t)
>
> Index: refpolicy-2.20210120/policy/modules/services/dkim.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/dkim.te
> +++ refpolicy-2.20210120/policy/modules/services/dkim.te
> @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi
>
> corenet_udp_bind_generic_node(dkim_milter_t)
> corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
> +corenet_udp_bind_generic_port(dkim_milter_t)
>
> dev_read_urand(dkim_milter_t)
> # for cpu/online

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
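Review bot: in the first netutils.te hunk, `+allow ping_t self:icmp_socket create;` grants only `create`, and a socket that can be created but not used normally produces follow-on denials (read, write, setopt, bind); it is not clear from the hunk whether ping is meant to actually send over a datagram ICMP socket (then the rest of the socket permissions are needed alongside the existing `corenet_sendrecv_icmp_packets(ping_t)`) or whether only the creation attempt needs to succeed, so please add the missing permissions or a comment stating that the bare `create` is intentional.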
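Review bot: in the second netutils.te hunk, `map` on `self:packet_socket` and `+kernel_search_fs_sysctls(traceroute_t)` arrive without a comment saying which traceroute operation triggered them; `map` on a socket is uncommon enough that a one-line rationale (as the mon.te hunk does with `# to read fips_enabled`) should accompany it so a later reader can tell a real requirement from a denial that was merely silenced.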
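Review bot: in the third netutils.te hunk, `+miscfiles_read_generic_certs(traceroute_t)` opens the whole certificate store to traceroute with no comment on what reads it; if this is a linked library probing the store at startup rather than something traceroute needs to function, a dontaudit with a comment is the narrower choice, and either way the rationale should be recorded next to the rule.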
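Review bot: in the second sysnetwork.te hunk, the `dhcpc_manage_samba` block grants `init_exec_script_files(dhcpc_t)` and `init_get_system_status(dhcpc_t)`, neither of which is scoped to samba, so a DHCP client that processes data from the network can execute any init script once the boolean is on; consider keeping only `samba_manage_var_files(dhcpc_t)` and `samba_restart(dhcpc_t)` here and letting the samba interface carry whatever init-side access a restart needs, plus a comment naming the dhclient hook that performs the restart.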
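Review bot: in the first staff.te hunk, `corenet_tcp_bind_all_unreserved_ports`, `corenet_udp_bind_all_unreserved_ports` and `corenet_tcp_bind_generic_node` are granted to staff_t unconditionally, whereas the identical three calls for user_t in unprivuser.te sit behind the new `user_bind_unreserved` boolean (default false); the two roles should agree, and the set is also lopsided, since UDP port binds are allowed but only the tcp variant of `bind_generic_node` is given, so a UDP bind would still be denied at the node check. The `user_tcp_server`/`user_udp_server` suggestion earlier in this reply resolves both.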
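Review bot: in the samba.if hunk, `samba_restart` is documented as "Restart and get status of samba daemon" but grants `{ start stop status reload }` on `samba_unit_t:service`, so the name and the summary undersell what the caller receives; either trim the permission set to what a restart actually needs or rename and re-document the interface so that a caller such as dhcpc_t can be reviewed against what it really gets, and consider whether the hand-written `samba_unit_t:file getattr` plus service rules should go through the init module's service interfaces like other modules do.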
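Review bot: in the xdg.if hunk, `can_exec($1, xdg_data_t)` makes every file under the XDG data home executable for the caller, and since that tree is written by the same user domain, the caller gains an execute path over user-written content that the existing policy deliberately withholds; the summary "Allow executing the xdg data home files" should at least say which directory motivates it (the commit comment says torbrowser-launcher), and a dedicated type for that single directory, as suggested above, keeps the grant narrow.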
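Review bot: in the dkim.te hunk, `+corenet_udp_bind_generic_port(dkim_milter_t)` is added next to the existing `corenet_udp_bind_all_unreserved_ports`, which means the milter is binding a UDP port that carries no specific port type; the hunk should say which port this is, and if it is a fixed port it deserves its own port declaration rather than a generic-port grant that would also cover any other unlabeled port.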