Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp223493pxb;
        Thu, 21 Jan 2021 05:46:23 -0800 (PST)
X-Google-Smtp-Source: ABdhPJy5diqhi89nwovw1aIm8C8Dqp5qlPqXkmncFRwUm34U3SkRpGxKImhH/ycTlOB7GPqjh1aH
X-Received: by 2002:aa7:ca55:: with SMTP id j21mr11003834edt.172.1611236782915;
        Thu, 21 Jan 2021 05:46:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611236782; cv=none;
        d=google.com; s=arc-20160816;
        b=gvwAZpULUO3eqw7tvxAjUZ0axyjcMGg7qTR+wNefuPVPGq66P3ohrSlpGC7TauUah2
         Mw3Fq+00G8fiFfk7U59stPcO3cN9qnOC1HCTlIK0/T/EBy/euRYx1Ef2viwgU3LrBwjO
         uxMFnUYjxYN98p9vBJrTov51fdUMcrAnlDYNHAXo/Rmu3+oeBlzFYTU7W0p3WsgfjThN
         UCQrSiUygXcu5Jj5Wa1HMZw2nhZXf09I+rfvcwwsZRFMckizkQhmEaALlGlEnOVLNoOD
         U1fauQnya/wU5324UA62Ux1t4greENMJVBY8I4Oe/rEagw+LoW2dibryiI+tLhUUDiSc
         ZVTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:references:cc
         :to:from:subject:dkim-signature:dkim-filter;
        bh=1S5j67y7szJeeqQ9cEEdvTM5Sx0T7j51f7mdoDBMVCM=;
        b=ggjKQJwioXGtx1aHs3ZtKQPQv6TPhPIrN0BLEOo4X9Cr4luJN5Midxlf0JP0Zfqk/t
         epkIoqmsvfwujhTJSKKRU5wHFIHIcf+PcqQtkm3rS9plPPni1M4mkJybIfF1auH/Yhdq
         mM472HY1hUTPuoOOMnsn9+CwBXSU2WNydaSz4DqLdIzvF6xeYqXi1/QL2kpwuMTZYdnU
         ciAAGJkyckGcPeU2w5P/MTXVvT0AKS4Ggxhbr7DE7JcSQcoeX6+YKZdGue7khsr+RyzQ
         rzM3rbkiX0vEdQGCgjYmvtfSQmW78VPDN5FkJNJeW6y0u2OdGwBIolYIzHcp1Iwhrx9Y
         eq3g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=EdV5ADwf;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id d2si2089421edd.145.2021.01.21.05.46.18;
        Thu, 21 Jan 2021 05:46:22 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=EdV5ADwf;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729084AbhAUNpS (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 16 others); Thu, 21 Jan 2021 08:45:18 -0500
Received: from agnus.defensec.nl ([80.100.19.56]:35394 "EHLO agnus.defensec.nl"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726793AbhAUNkw (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 21 Jan 2021 08:40:52 -0500
Received: from [IPv6:2001:985:d55d::438] (brutus.lan [IPv6:2001:985:d55d::438])
        by agnus.defensec.nl (Postfix) with ESMTPSA id 9CFC42A0D7E;
        Thu, 21 Jan 2021 14:40:04 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 9CFC42A0D7E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl;
        s=default; t=1611236404;
        bh=1S5j67y7szJeeqQ9cEEdvTM5Sx0T7j51f7mdoDBMVCM=;
        h=Subject:From:To:Cc:References:Date:In-Reply-To:From;
        b=EdV5ADwfiPdH5F6LuqI7xnxdOrOWj65gN/NUA2LwGpTRBiircYPgmfMG+CZ3C8jVf
         l73dniNxgN3RIpHfjV1TRDFEPr9nuNhoRv2rzOjjtlyAnTZRKoAsM2VtoaYQzE4NVv
         7Ap+gpGkunMsVrdIa1elETVmMohPzh+PzNiph0ls=
Subject: Re: [PATCH] misc services patches
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
References: <YAgBKwxkaxUV4H99@xev> <ypjlpn1zlkw7.fsf@defensec.nl>
 <1730727.gRP4Mpsj7r@liv> <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
Message-ID: <de99aa23-42d3-b45a-ccf3-3640f6e13e01@defensec.nl>
Date:   Thu, 21 Jan 2021 14:40:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org



On 1/21/21 2:35 PM, Dominick Grift wrote:
> 
> 
> On 1/21/21 2:25 PM, Russell Coker wrote:
>> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>>>  /usr/sbin/suexec					--	
>> gen_context(system_u:object_r:httpd_suexec_exec_
>>>>  t,s0)
>>>>  /usr/sbin/wigwam					--	
>> gen_context(system_u:object_r:httpd_exec_t,s0)> 
>>>> +/usr/sbin/php7..-fpm					--	
>> gen_context(system_u:object_r:httpd_exec_t,s0
>>>> )
>>>
>>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"
>>
>> OK, I'll change that.
>>
>>>> +interface(`apache_delete_squirrelmail_spool',`
>>>> +	gen_require(`
>>>> +		type squirrelmail_spool_t;
>>>> +	')
>>>> +
>>>> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>>> +	allow $1 squirrelmail_spool_t:file delete_file_perms;
>>>
>>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
>>
>> OK.
>>  
>>>>  tunable_policy(`httpd_enable_homedirs',`
>>>>
>>>> -	userdom_search_user_home_dirs(httpd_t)
>>>> +	userdom_list_user_home_content(httpd_t)
>>>
>>> this is not how it was designed. If you want that functionality then set
>>> httpd_read_user_content boolean to true instead
>>
>> OK, I'll delete that patch and do it a better way next time I see a case for 
>> it.
>>
>>>>  allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>>>  allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>>>  allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>>>  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>>
>>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
>>>>
>>>>  getattr read setopt };
>>>
>>> create_socket_perms, use the permission sets and patterns where appropriate
>>
>> ok
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>>
>>>>  allow l2tpd_t self:tcp_socket { accept listen };
>>>>  allow l2tpd_t self:unix_dgram_socket sendto;
>>>>  allow l2tpd_t self:unix_stream_socket { accept listen };
>>>>
>>>> +allow l2tpd_t self:pppox_socket create;
>>>
>>> create_socket_perms probably eventually
>>
>> Maybe, but for the moment I think it's best to leave them like that.  I had it 
>> working fully only needing those accesses.
>>
>>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>>>
>>>>  		type mysqld_t;
>>>>  	
>>>>  	')
>>>>
>>>> -	allow $1 mysqld_t:process signal;
>>>> +	allow $1 mysqld_t:process { signull signal };
>>>
>>> create a new mysql_signull()
>>>
>>> by generalizing interfaces and putting them out of context youre
>>> shutting down doors for fine grained access control.
>>
>> OK, I'll drop that patch and add a mysql_signull() next time I see the need 
>> for it (probably a week or two).
>>
>>>>  optional_policy(`
>>>>
>>>> +	dbus_send_system_bus(smbd_t)
>>>> +	dbus_system_bus_client(smbd_t)
>>>
>>> dbus_send_system_bus(smbd_t) is redundant (already implied with
>>> dbus_system_bus_client(smbd_t)
>>
>> ok
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>>>
>>>>  allow squid_t self:unix_dgram_socket sendto;
>>>>  allow squid_t self:unix_stream_socket { accept connectto listen };
>>>>  allow squid_t self:tcp_socket { accept listen };
>>>>
>>>> +allow squid_t self:netlink_netfilter_socket
>>>> all_netlink_netfilter_socket_perms;
>>>
>>> probably just create_socket_perms?
>>
>> OK.
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>>
>>>>  	init_dbus_chat(sshd_t)
>>>>  	systemd_dbus_chat_logind(sshd_t)
>>>>  	init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
>>>>
>>>> +	systemd_read_logind_sessions_files(sshd_t)
>>>
>>> This should probably be addressed on the lower authlogin level instead
>>
>> auth_login_pgm_domain()?
> 
> I would consider adding it to auth_use_pam(). but its a good question.
> 
>>
>> In another patch I have systemd_connect_machined(sshd_t) which I guess should 
>> go in the same one too.
> 
> Which patch was that? That does not look right if only that the name of
> the interface isnt very descriptive (there is no way unix stream connect
> or unix dgram sendto machined.
> 
> So this is either about systemd's nss mymachines (in which case it
> belongs in auth_use_nsswitch() or about reading systemd
> /var/run/machines in which case the interface name is wrong.

I meant /var/run/systemd/machines


> 
>>
>>
>> Thanks for all the suggestions.  I'll send an updated version shortly.
>>