2008-10-20 16:23:58

by Pierre Chifflier

Subject: [refpolicy] request for comments: policy for nufw and nuauth

Hi,

I have tried to write policy modules for 2 applications I'm maintaining
(and contributing): nufw and nuauth.

Since these are my first policies, it would be great to have some feedback
on the contents. I would like to propose these modules for integration
in the standard policy, if possible.


If you don't know nufw or nuauth, a few words of description:

- nufw uses the NFQUEUE target of iptables (and so, an nfnetlink socket)
to receive packets in userspace. It will send the packets using a TLS
connection to nuauth, the user authenticating daemon, wait for a
decision, and apply it.
This is the simplest of the 2 daemons.

- nuauth is the authentication daemon. It has several roles:
  - wait for connections from nufw daemons, receive packets, apply ACL
    (see later), and return verdict
  - wait for connections from nutcpc (clients), validate login/pass
    using PAM, and communicate with them
  - check ACL in a plain text file, or an LDAP server
  - log messages to syslog, MySQL, or PostgreSQL (depending on the
    loaded modules, and the configuration).
  - nuauth and the clients use SASL for authentication, and TLS for all
    communications
The policy module for nuauth is not complete; I'm still working on it.

Any help/comment would be appreciated!

Thanks,
Pierre
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nufw-selinux.tgz
Type: application/x-gtar
Size: 1914 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081020/b76fa12e/attachment.gtar


2008-10-20 18:57:49

by Daniel Walsh

Subject: [refpolicy] request for comments: policy for nufw and nuauth

Pierre Chifflier wrote:
> Hi,
>
> I have tried to write policy modules for 2 applications I'm maintaining
> (and contributing): nufw and nuauth.
>
> Since these are my first policies, it would be great to have some feedback
> on the contents. I would like to propose these modules for integration
> in the standard policy, if possible.
>
>
> If you don't know nufw or nuauth, a few words of description:
>
> - nufw uses the NFQUEUE target of iptables (and so, an nfnetlink socket)
> to receive packets in userspace. It will send the packets using a TLS
> connection to nuauth, the user authenticating daemon, wait for a
> decision, and apply it.
> This is the simplest of the 2 daemons.
>
> - nuauth is the authentication daemon. It has several roles:
>   - wait for connections from nufw daemons, receive packets, apply ACL
>     (see later), and return verdict
>   - wait for connections from nutcpc (clients), validate login/pass
>     using PAM, and communicate with them
>   - check ACL in a plain text file, or an LDAP server
>   - log messages to syslog, MySQL, or PostgreSQL (depending on the
>     loaded modules, and the configuration).
>   - nuauth and the clients use SASL for authentication, and TLS for all
>     communications
> The policy module for nuauth is not complete; I'm still working on it.
>
> Any help/comment would be appreciated!
>
> Thanks,
> Pierre
You should never (almost never) have a gen_requires interface in a te file.

You should use interfaces.

audit2allow -R

will attempt to find the correct interface for the AVC that was generated.

type nufw_etc_t;
type nufw_port_t;

Should have interfaces defined for them to be used by other domains.

files_pid_file(nuauth_var_run_t)
allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };


Should probably be something like

manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)

> allow nuauth_t etc_t:file { getattr read };
Should be
files_read_etc(nuauth_t)


# allow clients to connect
allow unconfined_t nuauth_port_t:tcp_socket recv_msg;
allow unconfined_t nuauth_port_t:tcp_socket name_connect;

Not necessary. unconfined_t already can

>allow nuauth_t bin_t:dir search;
corecmd_search_bin(nuauth_t)

> allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg
recv_msg };

Look for corenetwork calls.
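
The three points of this review (no gen_require in a .te file, an interface instead of a raw allow rule on another module's type, and manage_*_pattern for a domain's own files) can be checked mechanically before posting a module. The following is an added example, not code from the thread or from the nufw project: a small linter over the text of a .te module. Its sample input is constructed from the rules quoted above, and the advice strings use the refpolicy pattern macro names mentioned in this message.

```python
import re

# Constructed sample input: the raw rules quoted from the first nuauth.te,
# plus a gen_require() block of the kind the review objects to in a .te file.
SAMPLE_TE = """\
policy_module(nuauth,1.0.0)

type nuauth_t;
type nuauth_exec_t;
type nuauth_var_run_t;
type nuauth_port_t;
files_pid_file(nuauth_var_run_t)

gen_require(`
\ttype etc_t, bin_t, postgresql_port_t;
')

allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
allow nuauth_t etc_t:file { getattr read };
allow unconfined_t nuauth_port_t:tcp_socket name_connect;
allow nuauth_t bin_t:dir search;
allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg recv_msg };
"""

ALLOW_RE = re.compile(r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
                      r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;", re.M)
TYPE_RE = re.compile(r"^\s*type\s+(\w+)", re.M)
GEN_REQUIRE_RE = re.compile(r"gen_require\(`.*?'\)", re.S)
# Permissions that mean the domain creates or modifies the object; refpolicy
# expresses these with manage_<class>s_pattern() rather than raw allow rules.
WRITE_PERMS = {"create", "write", "append", "unlink", "rename", "setattr",
               "link", "add_name", "remove_name"}
FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file"}


def owned_types(te_text):
    """Types this module declares itself. Types pulled in via gen_require()
    belong to another module, so those blocks are dropped before scanning."""
    return set(TYPE_RE.findall(GEN_REQUIRE_RE.sub("", te_text)))


def lint(te_text):
    """Return (kind, rule, advice) tuples, one per rule that should be an
    interface call or a pattern macro instead of a raw allow rule."""
    findings = []
    if GEN_REQUIRE_RE.search(te_text):
        findings.append(("gen_require", "gen_require(...)",
                         "do not require foreign types in a .te file; call an "
                         "interface of the module that declares them"))
    owned = owned_types(te_text)
    for m in ALLOW_RE.finditer(te_text):
        src, tgt, cls = m.group("src", "tgt", "cls")
        perms = set(m.group("perms").strip("{} ").split())
        rule = m.group(0).strip()
        if src not in owned:
            findings.append(("foreign_source", rule,
                             f"{src} is not this module's domain; leave its "
                             "rules to the module that owns it"))
        elif tgt != "self" and tgt not in owned:
            findings.append(("foreign_target", rule,
                             f"use an interface for {tgt} (audit2allow -R "
                             "suggests one)"))
        elif tgt != "self" and cls in FILE_CLASSES and perms & WRITE_PERMS:
            findings.append(("use_pattern", rule,
                             f"manage_{cls}s_pattern({src}, {tgt}, {tgt})"))
    return findings


if __name__ == "__main__":
    for kind, rule, advice in lint(SAMPLE_TE):
        print(f"[{kind}] {rule}\n    -> {advice}")
```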

2008-10-21 08:55:58

by Pierre Chifflier

Subject: [refpolicy] request for comments: policy for nufw and nuauth

On Mon, Oct 20, 2008 at 02:57:49PM -0400, Daniel J Walsh wrote:
> You should never (almost never) have a gen_requires interface in a te file.
>
> You should use interfaces.

Hi,

Thanks for the review. I've rewritten the policies from scratch, and
tried to use interfaces and macros when available (files attached, this
time not gzipped, to ease review).

> files_pid_file(nuauth_var_run_t)
> allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
> allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
> allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
>
>
> Should probably be something like
>
> manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
> manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)

Fixed

>
> > allow nuauth_t etc_t:file { getattr read };
> Should be
> files_read_etc(nuauth_t)

This one does not seem to work. I had to add:

allow $1 nufw_etc_t:dir list_dir_perms;
read_files_pattern($1,nufw_etc_t,nufw_etc_t)
read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t)

>
>
> # allow clients to connect
> allow unconfined_t nuauth_port_t:tcp_socket recv_msg;
> allow unconfined_t nuauth_port_t:tcp_socket name_connect;
>
> Not necessary. unconfined_t already can

Not here. Maybe it's related to the way I add the port?
I'm using:
semanage port -a -t nuauth_port_t -p tcp 4129

Maybe there is a boolean to allow connections?

>
> >allow nuauth_t bin_t:dir search;
> corecmd_search_bin(nuauth_t)
>
> > allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg
> recv_msg };
>
> Look for corenetwork calls.
>

Fixed

Thanks for your help!

Pierre

2008-10-21 15:02:39

by Daniel Walsh

Subject: [refpolicy] request for comments: policy for nufw and nuauth

Pierre Chifflier wrote:
> On Mon, Oct 20, 2008 at 02:57:49PM -0400, Daniel J Walsh wrote:
>> You should never (almost never) have a gen_requires interface in a te file.
>>
>> You should use interfaces.
>
> Hi,
>
> Thanks for the review. I've rewritten the policies from scratch, and
> tried to use interfaces and macros when available (files attached, this
> time not gzipped, to ease review).
>

Nothing attached.

>> files_pid_file(nuauth_var_run_t)
>> allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
>> allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
>> allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
>>
>>
>> Should probably be something like
>>
>> manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
>> manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
>
> Fixed
>
>>> allow nuauth_t etc_t:file { getattr read };
>> Should be
>> files_read_etc(nuauth_t)
>
> This one does not seem to work. I had to add:
>
> allow $1 nufw_etc_t:dir list_dir_perms;
> read_files_pattern($1,nufw_etc_t,nufw_etc_t)
> read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t)
>
>>
>> # allow clients to connect
>> allow unconfined_t nuauth_port_t:tcp_socket recv_msg;
>> allow unconfined_t nuauth_port_t:tcp_socket name_connect;
>>
>> Not necessary. unconfined_t already can
corenet_port(nuauth_port_t) if ports will be >= 1024
corenet_reserved_port(nuauth_port_t) if ports can be < 1024
corenet_rpc_port(nuauth_port_t) if ports can be between 600 and 1024.


> Not here. Maybe it's related to the way I add the port?
> I'm using:
> semanage port -a -t nuauth_port_t -p tcp 4129
>
> Maybe there is a boolean to allow connections?
>
>>> allow nuauth_t bin_t:dir search;
>> corecmd_search_bin(nuauth_t)
>>
>>> allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg
>> recv_msg };
>>
>> Look for corenetwork calls.
>>
>
> Fixed
>
> Thanks for your help!
>
> Pierre
>

2008-10-21 15:22:55

by Pierre Chifflier

Subject: [refpolicy] request for comments: policy for nufw and nuauth

On Tue, Oct 21, 2008 at 11:02:39AM -0400, Daniel J Walsh wrote:
> Pierre Chifflier wrote:
> > On Mon, Oct 20, 2008 at 02:57:49PM -0400, Daniel J Walsh wrote:
> >> You should never (almost never) have a gen_requires interface in a te file.
> >>
> >> You should use interfaces.
> >
> > Hi,
> >
> > Thanks for the review. I've rewritten the policies from scratch, and
> > tried to use interfaces and macros when available (files attached, this
> > time not gzipped, to ease review).
> >
>
> Nothing attached.

Arg, sorry - I should remember to attach files _before_ writing the
contents of the mail.

This time, attached.

Thanks,
Pierre

>
> >> files_pid_file(nuauth_var_run_t)
> >> allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
> >> allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
> >> allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
> >>
> >>
> >> Should probably be something like
> >>
> >> manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
> >> manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
> >
> > Fixed
> >
> >>> allow nuauth_t etc_t:file { getattr read };
> >> Should be
> >> files_read_etc(nuauth_t)
> >
> > This one does not seem to work. I had to add:
> >
> > allow $1 nufw_etc_t:dir list_dir_perms;
> > read_files_pattern($1,nufw_etc_t,nufw_etc_t)
> > read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t)
> >
> >>
> >> # allow clients to connect
> >> allow unconfined_t nuauth_port_t:tcp_socket recv_msg;
> >> allow unconfined_t nuauth_port_t:tcp_socket name_connect;
> >>
> >> Not necessary. unconfined_t already can
> corenet_port(nuauth_port_t) if ports will be >= 1024
> corenet_reserved_port(nuauth_port_t) if ports can be < 1024
> corenet_rpc_port(nuauth_port_t) if ports can be between 600 and 1024.
>
>
> > Not here. Maybe it's related to the way I add the port?
> > I'm using:
> > semanage port -a -t nuauth_port_t -p tcp 4129
> >
> > Maybe there is a boolean to allow connections?
> >
> >>> allow nuauth_t bin_t:dir search;
> >> corecmd_search_bin(nuauth_t)
> >>
> >>> allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg
> >> recv_msg };
> >>
> >> Look for corenetwork calls.
> >>
> >
> > Fixed
> >
> > Thanks for your help!
> >
> > Pierre
> >
-------------- next part --------------
# nuauth executable will have:
# label: system_u:object_r:nuauth_exec_t
# MLS sensitivity: s0
# MCS categories: <none>

/usr/sbin/nuauth -- gen_context(system_u:object_r:nuauth_exec_t,s0)
/var/run/nuauth/nuauth.pid gen_context(system_u:object_r:nuauth_var_run_t,s0)
-------------- next part --------------
## <summary>policy for nuauth</summary>

########################################
## <summary>
##	Execute a domain transition to run nuauth.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nuauth_domtrans',`
	gen_require(`
		type nuauth_t, nuauth_exec_t;
	')

	domain_auto_trans($1, nuauth_exec_t, nuauth_t)

	allow $1 nuauth_t:fd use;
	allow nuauth_t $1:fd use;
	allow nuauth_t $1:fifo_file rw_file_perms;
	allow nuauth_t $1:process sigchld;
')

########################################
## <summary>
##	Allow the specified domain to read the nufw configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to access files.
##	</summary>
## </param>
#
interface(`nuauth_access_nufw_etc_t',`
	gen_require(`
		type nufw_etc_t;
	')

	allow $1 nufw_etc_t:dir list_dir_perms;
	read_files_pattern($1, nufw_etc_t, nufw_etc_t)
	read_lnk_files_pattern($1, nufw_etc_t, nufw_etc_t)
')

########################################
## <summary>
##	Bind TCP sockets to the nufw port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_nufw_port',`
	gen_require(`
		type nufw_port_t;
	')

	allow $1 nufw_port_t:tcp_socket name_bind;
')

########################################
## <summary>
##	Bind TCP sockets to the nuauth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_nuauth_port',`
	gen_require(`
		type nuauth_port_t;
	')

	allow $1 nuauth_port_t:tcp_socket name_bind;
')

########################################
## <summary>
##	Send and receive TCP traffic on the nufw port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_nufw_port',`
	gen_require(`
		type nufw_port_t;
	')

	allow $1 nufw_port_t:tcp_socket { send_msg recv_msg };
')

########################################
## <summary>
##	Send and receive TCP traffic on the nuauth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_nuauth_port',`
	gen_require(`
		type nuauth_port_t;
	')

	allow $1 nuauth_port_t:tcp_socket { send_msg recv_msg };
')

-------------- next part --------------
policy_module(nuauth,1.0.0)

# add nuauth_port_t using:
# semanage port -a -t nuauth_port_t -p tcp 4129

########################################
#
# Declarations
#

type nuauth_t;
type nuauth_exec_t;
domain_type(nuauth_t)
init_daemon_domain(nuauth_t, nuauth_exec_t)

# pid files
type nuauth_var_run_t;
files_pid_file(nuauth_var_run_t)

# configuration files
nuauth_access_nufw_etc_t(nuauth_t)

########################################
#
# nuauth local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.

# Some common macros (you might be able to remove some)
files_read_etc_files(nuauth_t)
libs_use_ld_so(nuauth_t)
libs_use_shared_libs(nuauth_t)
miscfiles_read_localization(nuauth_t)

logging_send_syslog_msg(nuauth_t)

## internal communication is often done using fifo and unix sockets.
#allow nuauth_t self:fifo_file { read write };
allow nuauth_t self:unix_stream_socket create_stream_socket_perms;

# pid file
#allow nuauth_t nuauth_var_run_t:file manage_file_perms;
#allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
#allow nuauth_t nuauth_var_run_t:dir rw_dir_perms;

manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
delete_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)

files_pid_filetrans(nuauth_t,nuauth_var_run_t, { file sock_file })

## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(nuauth_t)
corenet_tcp_sendrecv_all_if(nuauth_t)
corenet_tcp_sendrecv_all_nodes(nuauth_t)
corenet_tcp_sendrecv_all_ports(nuauth_t)
corenet_non_ipsec_sendrecv(nuauth_t)
#corenet_tcp_connect_http_port(nuauth_t)
#corenet_tcp_connect_all_ports(nuauth_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(nuauth_t)
corenet_tcp_bind_all_nodes(nuauth_t)
allow nuauth_t self:tcp_socket { listen accept };

allow nuauth_t self:unix_dgram_socket create_socket_perms;
allow nuauth_t self:netlink_route_socket rw_netlink_socket_perms;

type nuauth_port_t;
corenet_tcp_bind_nufw_port(nuauth_t)
corenet_tcp_bind_nuauth_port(nuauth_t)

corenet_port(nuauth_port_t)
gen_require(` type nufw_port_t; ')
corenet_port(nufw_port_t)

corenet_tcp_sendrecv_nufw_port(nuauth_t)
corenet_tcp_sendrecv_nuauth_port(nuauth_t)

# Init script handling
init_use_fds(nuauth_t)
init_use_script_ptys(nuauth_t)
domain_use_interactive_fds(nuauth_t)

# for crypto
dev_read_rand(nuauth_t)
dev_read_urand(nuauth_t)

allow nuauth_t self:process { signal getsched };
allow nuauth_t self:capability { dac_read_search dac_override setuid };

# for the "system" module
allow nuauth_t bin_t:dir search;
allow nuauth_t self:fifo_file write;
auth_use_nsswitch(nuauth_t)
auth_domtrans_chk_passwd(nuauth_t)

# postgresql logging
corenet_tcp_connect_postgresql_port(nuauth_t)
corenet_tcp_sendrecv_postgresql_port(nuauth_t)

# postgresql searches for file ~/.pgpass
files_dontaudit_search_home(nuauth_t)

# mysql logging
corenet_tcp_connect_mysqld_port(nuauth_t)
corenet_tcp_sendrecv_mysqld_port(nuauth_t)

-------------- next part --------------
# nufw executable will have:
# label: system_u:object_r:nufw_exec_t
# MLS sensitivity: s0
# MCS categories: <none>

/etc/nufw(/.*)? gen_context(system_u:object_r:nufw_etc_t,s0)
/usr/sbin/nufw -- gen_context(system_u:object_r:nufw_exec_t,s0)
/var/run/nufw.pid gen_context(system_u:object_r:nufw_var_run_t,s0)

-------------- next part --------------
## <summary>policy for nufw</summary>

########################################
## <summary>
##	Execute a domain transition to run nufw.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nufw_domtrans',`
	gen_require(`
		type nufw_t, nufw_exec_t;
	')

	domain_auto_trans($1, nufw_exec_t, nufw_t)

	allow $1 nufw_t:fd use;
	allow nufw_t $1:fd use;
	allow nufw_t $1:fifo_file rw_file_perms;
	allow nufw_t $1:process sigchld;
')

########################################
## <summary>
##	Make a TCP connection to the nufw port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_nufw_port',`
	gen_require(`
		type nufw_port_t;
	')

	allow $1 nufw_port_t:tcp_socket name_connect;
')

########################################
## <summary>
##	Send and receive TCP traffic on the nufw port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_nufw_port',`
	gen_require(`
		type nufw_port_t;
	')

	allow $1 nufw_port_t:tcp_socket { send_msg recv_msg };
')
-------------- next part --------------
policy_module(nufw,1.0.0)

# add nufw_port_t using:
# semanage port -a -t nufw_port_t -p tcp 4128

########################################
#
# Declarations
#

type nufw_t;
type nufw_exec_t;
domain_type(nufw_t)
init_daemon_domain(nufw_t, nufw_exec_t)

# etc files
type nufw_etc_t;
files_type(nufw_etc_t)

# log files
type nufw_var_log_t;
logging_log_file(nufw_var_log_t)

# pid files
type nufw_var_run_t;
files_pid_file(nufw_var_run_t)

########################################
#
# nufw local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.

# Some common macros (you might be able to remove some)
files_read_etc_files(nufw_t)
# configuration files
allow nufw_t nufw_etc_t:dir list_dir_perms;
read_files_pattern(nufw_t,nufw_etc_t,nufw_etc_t)
read_lnk_files_pattern(nufw_t,nufw_etc_t,nufw_etc_t)

libs_use_ld_so(nufw_t)
libs_use_shared_libs(nufw_t)
miscfiles_read_localization(nufw_t)

logging_send_syslog_msg(nufw_t)

## internal communication is often done using fifo and unix sockets.
#allow nufw_t self:fifo_file { read write };
allow nufw_t self:unix_stream_socket create_stream_socket_perms;

# pid file
allow nufw_t nufw_var_run_t:file manage_file_perms;
#allow nufw_t nufw_var_run_t:sock_file manage_file_perms;
allow nufw_t nufw_var_run_t:dir rw_dir_perms;
files_pid_filetrans(nufw_t,nufw_var_run_t, { file sock_file })

## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(nufw_t)
corenet_tcp_sendrecv_all_if(nufw_t)
corenet_tcp_sendrecv_all_nodes(nufw_t)
#corenet_tcp_sendrecv_all_ports(nufw_t)
#corenet_non_ipsec_sendrecv(nufw_t)

type nufw_port_t;
corenet_tcp_connect_nufw_port(nufw_t)
corenet_tcp_sendrecv_nufw_port(nufw_t)

#corenet_tcp_connect_all_ports(nufw_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(nufw_t)
#corenet_tcp_bind_all_nodes(nufw_t)
allow nufw_t self:tcp_socket { listen accept };

allow nufw_t self:rawip_socket create_socket_perms;

allow nufw_t self:netlink_socket create_socket_perms;
allow nufw_t self:netlink_route_socket rw_netlink_socket_perms;

# Init script handling
init_use_fds(nufw_t)
init_use_script_ptys(nufw_t)
domain_use_interactive_fds(nufw_t)

# for crypto
dev_read_rand(nufw_t)
dev_read_urand(nufw_t)

# nufw wants sys_nice
allow nufw_t self:capability { sys_nice net_admin net_raw };
allow nufw_t self:process { setsched };