From: Russell Coker
To: Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc network patches
Date: Wed, 27 Jan 2021 18:00:20 +1100
Message-ID: <1818414.Kogm6ZmNZq@liv>
In-Reply-To:
References:
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk
List-ID:
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thursday, 21 January 2021 12:23:29 AM AEDT Dominick Grift wrote:
> > Index: refpolicy-2.20210120/policy/modules/roles/staff.te > > =================================================================== > > --- refpolicy-2.20210120.orig/policy/modules/roles/staff.te > > +++ refpolicy-2.20210120/policy/modules/roles/staff.te > > @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff) > > > > # > > corenet_ib_access_unlabeled_pkeys(staff_t) > > > > +corenet_tcp_bind_all_unreserved_ports(staff_t) > > +corenet_udp_bind_all_unreserved_ports(staff_t) > > +corenet_tcp_bind_generic_node(staff_t)
>
> staff_t is a "unpriv user" and so "userdom_unpriv_user_template()"
> applies to staff_t.
OK, I'll remove that.
> this template has two booleans: user_tcp_server and user_udp_server
> these booleans currently allow unpriv users to bind tcp and udp sockets
> to generic ports respectively.
>
> This is old, inaccurate and outdated. Instead those booleans should
> probably be modernized:
>
> tunable_policy(`user_tcp_server',`
> corenet_tcp_bind_generic_node($1_t)
> corenet_tcp_bind_all_unreserved_ports($1_t)
> ')
>
> tunable_policy(`user_udp_server',`
> corenet_udp_bind_generic_node($1_t)
> corenet_udp_bind_all_unreserved_ports($1_t)
> ')
Unreserved ports means all ports >1023. I don't think that's what we want. There are lots of daemons using ports >1023, many of which are IANA assigned.
> > optional_policy(` > > > > apache_role(staff_r, staff_t) > > > > ')
> > > > @@ -36,6 +40,10 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + netutils_domtrans_ping(staff_t) > > +') > > +
>
> This is already (conditionally) allowed in the userdom_unpriv_user_template()
> To make it work requires a boolean to be set to true (I believe)
OK, I'll remove that.
> > +optional_policy(` > > > > postgresql_role(staff_r, staff_t) > > > > ') > > > > @@ -65,6 +73,11 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + # for torbrowser-launcher > > + xdg_exec_data(staff_t)
>
> What location is this exactly? ~/.local/bin?
~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/
> I would associate a "bin_home_t" with ~/.local/bin and only allow that
> to be executed, rather than all of ~/.local
>
> But regardless this, or similar rule should apply to
> userdom_unpriv_user_template() instead. Use the templates.
OK, I'll remove it for now.
> > +') > > + > > +optional_policy(` > > > > xscreensaver_role(staff_r, staff_t) > > > > ') > > > > Index: refpolicy-2.20210120/policy/modules/roles/unprivuser.te > > =================================================================== > > --- refpolicy-2.20210120.orig/policy/modules/roles/unprivuser.te > > +++ refpolicy-2.20210120/policy/modules/roles/unprivuser.te > > @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0) > > > > # > > # Declarations > > # > > > > +## > > +##

> > +## Allow user to bind all unreserved ports > > +##

> > +##
> > +gen_tunable(user_bind_unreserved, false)
>
> Modernize and use the existing user_tcp_server and user_udp_server
> booleans in userdom_unpriv_user_template() instead? See above comment.
OK.
> > #role user_r; > > > > userdom_unpriv_user_template(user) > > > > +tunable_policy(`user_bind_unreserved', ` > > + corenet_tcp_bind_all_unreserved_ports(user_t) > > + corenet_udp_bind_all_unreserved_ports(user_t) > > + corenet_tcp_bind_generic_node(user_t) > > +')
>
> See above comment about user_tcp_server and user_udp_server booleans in
> userdom_unpriv_user_template()
OK.
> > ') > > > > @@ -25,6 +37,10 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + netutils_domtrans_ping(user_t) > > +') > > +
>
> This is already allowed conditionally in userdom_unpriv_user_template()
> requires a boolean to be set to true to work. Adding this rule would
> break that existing model.
OK.
> > +######################################## > > +## > > +## Restart and get status of samba daemon > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`samba_restart',` > > + gen_require(` > > + type samba_unit_t; > > + ') > > + > > + allow $1 samba_unit_t:file getattr; > > + allow $1 samba_unit_t:service { start stop status reload };
>
> This interface seems a bit broad
OK.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
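Review bot: in the staff.te hunk at @@ -15,6 +15,10 @@ the three added corenet_* calls are unconditional, so staff_t can bind any unreserved TCP or UDP port regardless of the user_tcp_server and user_udp_server booleans that userdom_unpriv_user_template() already provides for exactly this, which silently bypasses the template's boolean-gated design. The additions are also asymmetric: `+corenet_udp_bind_all_unreserved_ports(staff_t)` is paired with `+corenet_tcp_bind_generic_node(staff_t)` but there is no corenet_udp_bind_generic_node(staff_t), so a UDP bind would still be denied on node_bind even though the port name_bind is allowed. Either drop these three lines and put the bind rules under the template's existing tunables, or at minimum add the matching UDP node bind so the TCP and UDP halves are consistent.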
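Review bot: in the staff.te hunk at @@ -36,6 +40,10 @@ the new block `+ netutils_domtrans_ping(staff_t)` sits only inside optional_policy(), with no tunable_policy() around it, so the domain transition to the ping domain becomes unconditional for staff_t while userdom_unpriv_user_template() already grants the same transition behind a boolean; an administrator who turns that boolean off would no longer get the restriction they expect. The unprivuser.te hunk at @@ -25,6 +37,10 @@ adds the identical unconditional rule for user_t and has the same problem. Drop both additions; if the default value of the existing boolean is what is actually inconvenient, change the default in the template rather than duplicating the rule without the guard.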
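Review bot: in the staff.te hunk at @@ -65,6 +73,11 @@, `+ xdg_exec_data(staff_t)` grants execute on the whole XDG data location, far more than the single Tor Browser install the `+ # for torbrowser-launcher` comment justifies, and it is placed in one role's .te file rather than in the shared user template, so staff_t and user_t would diverge on something that is really a general "user-installed software" question. Keep the comment (the justification is useful), but scope the permission to a dedicated type for user-installed executables and put the rule where every unprivileged user domain picks it up consistently.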
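Review bot: in the unprivuser.te hunk at @@ -7,11 +7,23 @@ the new boolean's documentation says "Allow user to bind all unreserved ports" but the tunable_policy(`user_bind_unreserved', ...) block also grants corenet_tcp_bind_generic_node(user_t), and it covers TCP and UDP under one switch while the template's existing booleans are split per protocol (user_tcp_server, user_udp_server); a third boolean whose name and summary do not match what it enables will mislead whoever toggles it. As in the staff.te hunk, corenet_udp_bind_generic_node(user_t) is missing, so the UDP half of the tunable does not work on its own. Reuse the two existing booleans instead of adding user_bind_unreserved, and if a new tunable is kept, make its summary list every permission it turns on.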
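Review bot: the samba_restart interface's summary reads "Restart and get status of samba daemon", but `+ allow $1 samba_unit_t:service { start stop status reload };` also hands out start, stop and reload, so the documentation understates what a caller receives; either trim the permission set to what the summary promises or rename and document the interface to match the full set. The quoted text also lacks the Index:/--- /+++ header for this interface, so it is not visible which .if file it is being added to; include that context in the next revision, and consider expressing the unit-file getattr plus service permissions through refpolicy's existing init_startstop_service() helper rather than hand-written allow rules, so the pattern stays uniform across modules.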