Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp185737pxb; Wed, 27 Jan 2021 05:33:36 -0800 (PST) X-Google-Smtp-Source: ABdhPJyYyM7qyzTZ4iVuuQLAAaRUco/mqy5r8g1khEL1SMsDvP400bE4o+lST53TRtjZMcO8PP49 X-Received: by 2002:aa7:dd49:: with SMTP id o9mr8938158edw.14.1611754416315; Wed, 27 Jan 2021 05:33:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611754416; cv=none; d=google.com; s=arc-20160816; b=lDm7HEEeg142Xu0v1YAfRdot9712L+HhHq7MmQ1RX4MBgnUUT5Q3PPoypIWWPDZBh/ oiGsBH7xsnpi5UaUEser8/rmIHJSuATt9vW19MMJKN3Oui8iMkA8Wkt3zeul8hGlO0h3 vfHJKJetZpEu+h8zBrdDHhS8ptVaHn/cBn7algBdDNkrWLKXvpDD9lga4LJ+RiRq6ohV TbF54aXvuzZEgWBi4G/P2QIEyaEikDlfea+3ebSWVjdg/CqxqsJCM2O38P51zTjsaVxi z1LFntRgrP2KRm/QEzh+qs/yd16x3shm+zWDiwNsUXVYH1BlpJf8MohrxiP/WusJc30I ZDxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dkim-signature:dkim-filter; bh=MuZhw1GiIi3gvA1A4CuEPvVTGCMaeGHpoxQAbYzULmQ=; b=OUMk5OjF8135TUg6//5/kJ6CMoEere6rJtLEbTFzhLzllEGvGzpIZkavl/PfiOhi5H VpY1TOXzERRx6t/F8MPfL5+dgdrKoNA64CA9tMqcd44E/LEmtlrDMpHCryQEq+o3i1YS BZsPnjoGU6iwqBCvN5Oqzfmr6DMLfoqIk37RPEJqP41S3lwKIO4iu2wVrp0EC3jsuhj5 bJscg7hi2WR6VYygW6Z7ssjYDsmQWbSZXlMzx8vhXaGEfNaC4Dnl+r654s9f1TQjacyV JByic8RfVGSUy0x7x8oVFtZZzkHMLlixEY1EWxgIVFIc/39ybGVGCIWRxm2R02X2pGlu 0sdg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=LYg75uPq; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w18si949926edc.255.2021.01.27.05.33.29; Wed, 27 Jan 2021 05:33:36 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=LYg75uPq; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233159AbhA0NcD (ORCPT + 16 others); Wed, 27 Jan 2021 08:32:03 -0500 Received: from agnus.defensec.nl ([80.100.19.56]:43452 "EHLO agnus.defensec.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238468AbhA0NaE (ORCPT ); Wed, 27 Jan 2021 08:30:04 -0500 Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id 93CE72A12B1; Wed, 27 Jan 2021 14:29:19 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 93CE72A12B1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1611754159; bh=MuZhw1GiIi3gvA1A4CuEPvVTGCMaeGHpoxQAbYzULmQ=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=LYg75uPqwbKc8Pmcje1zALKLSCKjxSBPFwNvU44TqHBgQp8X1tie4zAckExfQDMPc X1cZxPCJ8GJYytYQ4sWo+YBYfRkAVjGtht7eqf7K6onklcB7yMVukHUeYAlxSaftJn PKMlfHQ3AfYs0t1MEbFk47oh2DitTyd5j1esv1n0= From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] misc network patches with Dominick's changes References: Date: Wed, 27 Jan 2021 14:29:16 +0100 In-Reply-To: (Russell Coker's message of "Wed, 27 Jan 2021 18:12:41 +1100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Russell Coker writes: > Here's the latest version of my misc network patch with some changes > Dominick suggested and with the controversial things from my previous > patch removed. > > Signed-off-by: Russell Coker > > Index: refpolicy-2.20210126/policy/modules/admin/netutils.te > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/admin/netutils.te > +++ refpolicy-2.20210126/policy/modules/admin/netutils.te > @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock > allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; > allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; > allow ping_t self:netlink_route_socket create_netlink_socket_perms; > +allow ping_t self:icmp_socket create; > > corenet_all_recvfrom_netlabel(ping_t) > corenet_sendrecv_icmp_packets(ping_t) > @@ -156,13 +157,14 @@ allow traceroute_t self:capability { net > allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms; > allow traceroute_t self:process signal; > allow traceroute_t self:rawip_socket create_socket_perms; > -allow traceroute_t self:packet_socket create_socket_perms; > +allow traceroute_t self:packet_socket { map create_socket_perms }; > allow traceroute_t self:udp_socket create_socket_perms; > > can_exec(traceroute_t, traceroute_exec_t) > > kernel_read_system_state(traceroute_t) > kernel_read_network_state(traceroute_t) > +kernel_search_fs_sysctls(traceroute_t) > > corecmd_search_bin(traceroute_t) > > @@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t) > > logging_send_syslog_msg(traceroute_t) > > +miscfiles_read_generic_certs(traceroute_t) > miscfiles_read_localization(traceroute_t) > > userdom_use_inherited_user_terminals(traceroute_t) > Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc > +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc > @@ -27,6 +27,7 @@ ifdef(`distro_debian',` > /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) > > /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) > +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0) minor but bet to escape the period: /etc/tor/torsocks\.conf not sure why you associate this with net_conf_t. I probably would have labeled all of /etc/tor tor_conf_t (for confined tor administration etc) > > ifdef(`distro_redhat',` > /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) > Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.te > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.te > +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.te > @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5) > # Declarations > # > > +## > +##

> +## Determine whether DHCP client > +## can manage samba > +##

> +## > +gen_tunable(dhcpc_manage_samba, false) > + > attribute_role dhcpc_roles; > roleattribute system_r dhcpc_roles; > > @@ -175,6 +183,18 @@ ifdef(`init_systemd',` > ') > > optional_policy(` > + tunable_policy(`dhcpc_manage_samba',` > + samba_manage_var_files(dhcpc_t) > + init_exec_script_files(dhcpc_t) > + init_get_system_status(dhcpc_t) > + samba_stop(dhcpc_t) > + samba_start(dhcpc_t) > + samba_reload(dhcpc_t) > + samba_status(dhcpc_t) > + ') > +') > + > +optional_policy(` > avahi_domtrans(dhcpc_t) > ') > > Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te > +++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te > @@ -25,6 +25,10 @@ optional_policy(` > ') > > optional_policy(` > + netutils_domtrans_ping(user_t) > +') this is already allowed conditionally as said before. you should be able to remove this. > + > +optional_policy(` > screen_role_template(user, user_r, user_t) > ') > > Index: refpolicy-2.20210126/policy/modules/services/samba.if > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/services/samba.if > +++ refpolicy-2.20210126/policy/modules/services/samba.if > @@ -729,3 +729,79 @@ interface(`samba_admin',` > files_list_tmp($1) > admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) > ') > + > +######################################## > +## > +## start samba daemon > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samba_start',` > + gen_require(` > + type samba_unit_t; > + ') > + > + allow $1 samba_unit_t:file getattr; > + allow $1 samba_unit_t:service start; > +') > + > +######################################## > +## > +## stop samba daemon > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samba_stop',` > + gen_require(` > + type samba_unit_t; > + ') > + > + allow $1 samba_unit_t:file getattr; > + allow $1 samba_unit_t:service stop; > +') > + > +######################################## > +## > +## get status of samba daemon > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samba_status',` > + gen_require(` > + type samba_unit_t; > + ') > + > + allow $1 samba_unit_t:file getattr; > + allow $1 samba_unit_t:service status; > +') > + > +######################################## > +## > +## reload samba daemon > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samba_reload',` > + gen_require(` > + type samba_unit_t; > + ') > + > + allow $1 samba_unit_t:file getattr; > + allow $1 samba_unit_t:service reload; > +') > Index: refpolicy-2.20210126/policy/modules/services/mon.te > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/services/mon.te > +++ refpolicy-2.20210126/policy/modules/services/mon.te > @@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_ > manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t) > files_runtime_filetrans(mon_t, mon_runtime_t, file) > > +# to read fips_enabled > +kernel_read_crypto_sysctls(mon_t) > + > kernel_read_kernel_sysctls(mon_t) > kernel_read_network_state(mon_t) > kernel_read_system_state(mon_t) > Index: refpolicy-2.20210126/policy/modules/services/mailman.te > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/services/mailman.te > +++ refpolicy-2.20210126/policy/modules/services/mailman.te > @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t) > dev_read_urand(mailman_cgi_t) > > files_search_locks(mailman_cgi_t) > +files_read_usr_files(mailman_cgi_t) > > term_use_controlling_term(mailman_cgi_t) > > Index: refpolicy-2.20210126/policy/modules/services/dkim.te > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/services/dkim.te > +++ refpolicy-2.20210126/policy/modules/services/dkim.te > @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi > > corenet_udp_bind_generic_node(dkim_milter_t) > corenet_udp_bind_all_unreserved_ports(dkim_milter_t) > +corenet_udp_bind_generic_port(dkim_milter_t) > > dev_read_urand(dkim_milter_t) > # for cpu/online > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift