To: Chris PeBenito, Russell Coker
Cc: selinux-refpolicy@vger.kernel.org, Matej Marusak
References: <574c5faf-0c19-8b9a-3bfe-a71d82a1f2e6@ieee.org>
From: Dominick Grift
Subject: Re: [PATCH] cockpit web admin system
Message-ID: <3f123c6d-d01a-a032-956e-c88dbde91468@defensec.nl>
Date: Mon, 26 Apr 2021 15:22:14 +0200

On 4/26/21 2:47 PM, Chris PeBenito wrote:
> On 4/20/21 9:49 AM, Dominick Grift wrote:
>> Russell Coker writes:
>>
>>> I took this from the rawhide policy and adapted it to work with
>>> refpolicy.
>>>
>>> Probably not ready for merging yet, let me know what should be changed.
>>
>> It's been a while since I played with cockpit.
>>
>> There's one thing that I want to mention though: instead of logging the
>> confined users in with their login shell domain, consider confining the
>> cockpit-bridge instead and make it log users in with bridge context
>> instead of the login shell context.
>
> Do you have an example of permissions that would be concerning?

The wide direct dbus access might be concerning. cockpit-bridge (at least
when I used it) seems to chat directly with various system services like
firewalld, tuned, udisks but also various systemd components including
pid1 (although not sure if the latter are direct or via systemctl).

There's a bunch of other access that I can't explain anymore and some of
it does not make sense. There's network access (connects to vnc and binds
tcp sockets to ephemeral ports). I also allowed it to mapread shadow
unconditionally but that does not make sense as shadow is mode 000 and
even if the bridge would be run by a root login it still seems to not
have cap_dac_read_search access ...

https://git.defensec.nl/?p=dssp2.git;a=blob;f=policy/services/c/cockpit.cil;h=f09d5084ba0c9f1b671b26772b29eb383c40e60a;hb=HEAD#l95

Things may have changed since then as well. I just wanted to give a
heads-up, it may be nothing to worry about.

>
>
>> Because otherwise you'll end up extending the login shell domain with
>> permissions needed by the bridge. You can still allow the bridge to open
>> up a shell with a transition back to the login shell domain (but then
>> you will get into domain prefixes
>>
>> i.e.: staff_bridge_t -> shell_exec_t -> staff_t vs. user_bridge_t ->
>> shell_exec_t -> user_t etc.
>
>
> Otherwise I only see some style cleanup needed.  Also there is an
> optional block in the admin interface for systemd calls.  Systemd is
> required for cockpit, so it shouldn't be optional, right?
>
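As an added refpolicy-style illustration of the per-prefix bridge domain discussed in the thread (example code, not Russell's patch and not the dssp2 CIL policy linked above): the template name, the cockpit_bridge_domain attribute and cockpit_bridge_exec_t are assumed names; the template follows the shape of refpolicy's existing sudo_role_template(prefix, role, domain).

```m4
## <summary>Confined per-prefix cockpit-bridge domain (illustrative).</summary>
template(`cockpit_bridge_role_template',`
	gen_require(`
		attribute cockpit_bridge_domain;
		type cockpit_bridge_exec_t;
	')

	########################################
	#
	# Declarations
	#

	# e.g. staff_bridge_t for prefix "staff" (assumed naming)
	type $1_bridge_t, cockpit_bridge_domain;
	application_domain($1_bridge_t, cockpit_bridge_exec_t)
	role $2 types $1_bridge_t;

	########################################
	#
	# Policy
	#

	# The bridge itself talks to the system bus and to pid1, so these
	# grants live on the bridge domain rather than on the login shell
	# domain ($3), which is the point of confining the bridge separately.
	dbus_system_bus_client($1_bridge_t)
	init_dbus_chat($1_bridge_t)

	# A terminal session started by the bridge transitions back into the
	# user's login shell domain: $1_bridge_t -> shell_exec_t -> $3
	corecmd_shell_domtrans($1_bridge_t, $3)
	allow $3 $1_bridge_t:fd use;
	allow $3 $1_bridge_t:process sigchld;
')

# One bridge domain per login domain prefix, mirroring the
# staff_bridge_t / user_bridge_t naming from the thread.
cockpit_bridge_role_template(staff, staff_r, staff_t)
cockpit_bridge_role_template(user, user_r, user_t)
```

With this layout, any dbus or network access the bridge turns out to need is added to cockpit_bridge_domain and never widens staff_t or user_t.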