Subject: Re: [PATCH] misc services patches
From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
References: <1730727.gRP4Mpsj7r@liv> <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
In-Reply-To: <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
Date: Thu, 21 Jan 2021 14:40:01 +0100
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/21/21 2:35 PM, Dominick Grift wrote:
> 
> 
> On 1/21/21 2:25 PM, Russell Coker wrote:
>> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>>>  /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>>>>  /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
>>>> +/usr/sbin/php7..-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
>>>
>>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"
>>
>> OK, I'll change that.
>>
>>>> +interface(`apache_delete_squirrelmail_spool',`
>>>> +	gen_require(`
>>>> +		type squirrelmail_spool_t;
>>>> +	')
>>>> +
>>>> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>>> +	allow $1 squirrelmail_spool_t:file delete_file_perms;
>>>
>>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
>>
>> OK.
>>
>>>>  tunable_policy(`httpd_enable_homedirs',`
>>>> 
>>>> -	userdom_search_user_home_dirs(httpd_t)
>>>> +	userdom_list_user_home_content(httpd_t)
>>>
>>> this is not how it was designed. If you want that functionality then set
>>> httpd_read_user_content boolean to true instead
>>
>> OK, I'll delete that patch and do it a better way next time I see a case for
>> it.
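Review bot: in the apache file-context hunk, `/usr/sbin/php7..-fpm` uses two unescaped dots, and in a file-context regex each `.` matches any single character, so the entry only matches names with exactly two characters between `php7` and `-fpm` (a hypothetical `php7.4-fpm` would match, `php7.10-fpm` or `php8-fpm` would not), which is why it reads as fragile. If the intent was a literal dot, it would need escaping as `\.`; the suggested `/usr/sbin/php.*-fpm` sidesteps both problems by matching any php-fpm version in that directory.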
>>
>>>>  allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>>>  allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>>>  allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>>>  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>> 
>>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
>>>
>>> create_socket_perms, use the permission sets and patterns where appropriate
>>
>> ok
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>> 
>>>>  allow l2tpd_t self:tcp_socket { accept listen };
>>>>  allow l2tpd_t self:unix_dgram_socket sendto;
>>>>  allow l2tpd_t self:unix_stream_socket { accept listen };
>>>> 
>>>> +allow l2tpd_t self:pppox_socket create;
>>>
>>> create_socket_perms probably eventually
>>
>> Maybe, but for the moment I think it's best to leave them like that. I had it
>> working fully only needing those accesses.
>>
>>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>>> 
>>>>  		type mysqld_t;
>>>> 
>>>>  	')
>>>> 
>>>> -	allow $1 mysqld_t:process signal;
>>>> +	allow $1 mysqld_t:process { signull signal };
>>>
>>> create a new mysql_signull()
>>>
>>> by generalizing interfaces and putting them out of context you're
>>> shutting down doors for fine grained access control.
>>
>> OK, I'll drop that patch and add a mysql_signull() next time I see the need
>> for it (probably a week or two).
>>
>>>>  optional_policy(`
>>>> 
>>>> +	dbus_send_system_bus(smbd_t)
>>>> +	dbus_system_bus_client(smbd_t)
>>>
>>> dbus_send_system_bus(smbd_t) is redundant (already implied with
>>> dbus_system_bus_client(smbd_t))
>>
>> ok
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>>> 
>>>>  allow squid_t self:unix_dgram_socket sendto;
>>>>  allow squid_t self:unix_stream_socket { accept connectto listen };
>>>>  allow squid_t self:tcp_socket { accept listen };
>>>> 
>>>> +allow squid_t self:netlink_netfilter_socket all_netlink_netfilter_socket_perms;
>>>
>>> probably just create_socket_perms?
>>
>> OK.
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>> 
>>>>  	init_dbus_chat(sshd_t)
>>>>  	systemd_dbus_chat_logind(sshd_t)
>>>>  	init_rw_stream_sockets(sshd_t)
>>>> 
>>>> +	systemd_read_logind_sessions_files(sshd_t)
>>>
>>> This should probably be addressed on the lower authlogin level instead
>>
>> auth_login_pgm_domain()?
> 
> I would consider adding it to auth_use_pam(). but it's a good question.
> 
>>
>> In another patch I have systemd_connect_machined(sshd_t) which I guess should
>> go in the same one too.
> 
> Which patch was that? That does not look right if only that the name of
> the interface isn't very descriptive (there is no way unix stream connect
> or unix dgram sendto machined).
> 
> So this is either about systemd's nss mymachines (in which case it
> belongs in auth_use_nsswitch() or about reading systemd
> /var/run/machines in which case the interface name is wrong.

I meant /var/run/systemd/machines

> 
>>
>>
>> Thanks for all the suggestions. I'll send an updated version shortly.
>>
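As an added illustration of the two review points above (a dedicated `mysql_signull()` rather than widening `mysql_signal()`, and `delete_files_pattern()` rather than hand-listed permissions), here is how those interfaces could be written. This is example code, not from the thread or from refpolicy itself; it follows the shape of the `mysql_signal()` and `apache_delete_squirrelmail_spool()` interfaces quoted in the hunks, the doc-comment layout is assumed to follow refpolicy's usual `.if` conventions, and the caller domain `example_t` is hypothetical.

```m4
########################################
## <summary>
##	Send a null signal to mysqld (liveness probe only).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mysql_signull',`
	gen_require(`
		type mysqld_t;
	')

	# Only signull: the caller can check whether mysqld is running,
	# but gains no ability to terminate or otherwise signal it.
	allow $1 mysqld_t:process signull;
')

########################################
## <summary>
##	Delete files in the squirrelmail spool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_delete_squirrelmail_spool',`
	gen_require(`
		type squirrelmail_spool_t;
	')

	# The pattern macro grants the directory and file permissions needed
	# to unlink files, instead of a broader hand-written rw_dir_perms.
	delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
')

# Caller side, in a hypothetical example_t domain's .te file: a domain that
# only needs to probe mysqld gets signull alone, and keeps mysql_signal()
# for the domains that genuinely need to send a terminating signal.
optional_policy(`
	mysql_signull(example_t)
')
```

Keeping `signull` and `signal` in separate interfaces means a policy author can grant the probe without the kill, which is exactly the fine-grained control the thread says a merged `{ signull signal }` interface would give up.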