To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
References: <1730727.gRP4Mpsj7r@liv>
From: Dominick Grift
Subject: Re: [PATCH] misc services patches
Message-ID: <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
Date: Thu, 21 Jan 2021 14:35:42 +0100
In-Reply-To: <1730727.gRP4Mpsj7r@liv>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/21/21 2:25 PM, Russell Coker wrote:
> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>> /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>>> /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
>>> +/usr/sbin/php7..-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
>>
>> That seems fragile. I would probably have used "/usr/sbin/php.*-fpm"
>
> OK, I'll change that.
>
>>> +interface(`apache_delete_squirrelmail_spool',`
>>> +	gen_require(`
>>> +		type squirrelmail_spool_t;
>>> +	')
>>> +
>>> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>> +	allow $1 squirrelmail_spool_t:file delete_file_perms;
>>
>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
>
> OK.
>
>>> tunable_policy(`httpd_enable_homedirs',`
>>>
>>> -	userdom_search_user_home_dirs(httpd_t)
>>> +	userdom_list_user_home_content(httpd_t)
>>
>> This is not how it was designed. If you want that functionality then set
>> the httpd_read_user_content boolean to true instead.
>
> OK, I'll delete that patch and do it a better way next time I see a case for
> it.
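Review bot: the file context `/usr/sbin/php7..-fpm` in the first hunk is a regular expression, so each `.` matches any single character: it matches `/usr/sbin/php7.4-fpm` but just as readily `/usr/sbin/php7ab-fpm`, and it does not match `/usr/sbin/php8.0-fpm` or `/usr/sbin/php-fpm`, so the entry silently stops labelling the binary on the next major PHP version. The `/usr/sbin/php.*-fpm` form suggested in the reply covers the whole series.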
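Review bot: the `apache_delete_squirrelmail_spool` hunk shows no `## <summary>` / `## <param name="domain">` doc comment block above `interface(`; refpolicy's interface documentation tooling expects one on every interface, so add it if the full patch lacks it. The two raw `allow` rules should also become `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)` as the reply suggests: the pattern gives the directory side only the permissions unlinking needs, whereas `rw_dir_perms` also hands out `add_name` and `read`, which a delete-only interface has no reason to grant.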
>
>>> allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>> allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>> allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>> allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>
>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
>>
>> create_socket_perms; use the permission sets and patterns where appropriate.
>
> ok
>
>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>
>>> allow l2tpd_t self:tcp_socket { accept listen };
>>> allow l2tpd_t self:unix_dgram_socket sendto;
>>> allow l2tpd_t self:unix_stream_socket { accept listen };
>>>
>>> +allow l2tpd_t self:pppox_socket create;
>>
>> create_socket_perms probably, eventually.
>
> Maybe, but for the moment I think it's best to leave them like that. I had it
> working fully only needing those accesses.
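Review bot: in the cupsd hunk, `{ bind create getattr read setopt }` on `netlink_kobject_uevent_socket` is a hand-picked subset of `create_socket_perms`. Either use the set, as the reply asks and as the `netlink_selinux_socket` line just above already does, or, if the intent is to hold cupsd to binding and reading uevents, say so in a comment next to the rule so that the narrower grant is not "fixed" to the full set by the next person who touches it.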
>
>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>>
>>> 		type mysqld_t;
>>>
>>> 	')
>>>
>>> -	allow $1 mysqld_t:process signal;
>>> +	allow $1 mysqld_t:process { signull signal };
>>
>> Create a new mysql_signull().
>>
>> By generalizing interfaces and putting them out of context you're
>> shutting doors for fine-grained access control.
>
> OK, I'll drop that patch and add a mysql_signull() next time I see the need
> for it (probably a week or two).
>
>>> optional_policy(`
>>>
>>> +	dbus_send_system_bus(smbd_t)
>>> +	dbus_system_bus_client(smbd_t)
>>
>> dbus_send_system_bus(smbd_t) is redundant (already implied by
>> dbus_system_bus_client(smbd_t)).
>
> ok
>
>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>>
>>> allow squid_t self:unix_dgram_socket sendto;
>>> allow squid_t self:unix_stream_socket { accept connectto listen };
>>> allow squid_t self:tcp_socket { accept listen };
>>>
>>> +allow squid_t self:netlink_netfilter_socket all_netlink_netfilter_socket_perms;
>>
>> Probably just create_socket_perms?
>
> OK.
>
>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
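Review bot: in the `mysql_signal` hunk, widening the existing interface from `signal` to `{ signull signal }` changes the contract for every caller that already uses `mysql_signal()`, including policy shipped outside this tree, which would gain `signull` without anyone reviewing that grant. A separate `mysql_signull()` interface, as the reply asks, lets each caller request exactly the signal permission it needs.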
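Review bot: `all_netlink_netfilter_socket_perms` in the squid hunk grants every permission defined for the class, and the `all_*_perms` sets grow whenever permissions are added to a class, so the rule widens over time without the module changing. Prefer `create_socket_perms`, as the reply suggests, and reserve the `all_*` sets for domains that genuinely need the whole class.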
>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>
>>> 	init_dbus_chat(sshd_t)
>>> 	systemd_dbus_chat_logind(sshd_t)
>>> 	init_rw_stream_sockets(sshd_t)
>>>
>>> +	systemd_read_logind_sessions_files(sshd_t)
>>
>> This should probably be addressed on the lower authlogin level instead.
>
> auth_login_pgm_domain()?

I would consider adding it to auth_use_pam(), but it's a good question.

> In another patch I have systemd_connect_machined(sshd_t) which I guess should
> go in the same one too.

Which patch was that? That does not look right, if only because the name of the interface isn't very descriptive (there is no way to unix stream connect or unix dgram sendto machined). So this is either about systemd's nss mymachines (in which case it belongs in auth_use_nsswitch()) or about reading systemd /var/run/machines, in which case the interface name is wrong.

> Thanks for all the suggestions. I'll send an updated version shortly.
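Review bot: `systemd_read_logind_sessions_files(sshd_t)` is added inside the `ifdef(`init_systemd',` block, which is the right guard for a systemd-only access; if it moves into `auth_use_pam()` as the follow-up suggests, it needs the same `ifdef(`init_systemd',` (or an `optional_policy`) wrapper there, so that non-systemd builds and builds without the systemd module still compile. Moving it to the PAM interface is the right placement only if the read is performed by the PAM stack in every login program rather than by sshd itself; the hunk does not show which, so state it in the commit message.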