From: p.chifflier@inl.fr (Pierre Chifflier) Date: Tue, 21 Oct 2008 17:22:55 +0200 Subject: [refpolicy] request for comments: policy for nufw and nuauth In-Reply-To: <48FDEF0F.3080105@redhat.com> References: <20081020162358.GB30642@piche.inl.fr> <48FCD4AD.2090606@redhat.com> <20081021085558.GD30642@piche.inl.fr> <48FDEF0F.3080105@redhat.com> Message-ID: <20081021152255.GE30642@piche.inl.fr> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, Oct 21, 2008 at 11:02:39AM -0400, Daniel J Walsh wrote: > Pierre Chifflier wrote: > > On Mon, Oct 20, 2008 at 02:57:49PM -0400, Daniel J Walsh wrote: > >> You should never (almost never) have a gen_requires interface in a te file. > >> > >> You should use interfaces. > > > > Hi, > > > > Thanks for the review. I've re-written the policies from scratch, and > > trying to use interfaces and macros when available (files attached, this > > time not gzipped, to ease review). > > > > Nothing attached. Arg, sorry - I should remember to attach files _before_ writing the contents of the mail This time, attached. Thanks, Pierre > > >> files_pid_file(nuauth_var_run_t) > >> allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name }; > >> allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink }; > >> allow nuauth_t nuauth_var_run_t:sock_file { unlink create write }; > >> > >> > >> Should probably be something like > >> > >> manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t) > >> manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t) > > > > Fixed > > > >>> allow nuauth_t etc_t:file { getattr read }; > >> Should be > >> files_read_etc(nuauth_t) > > > > This one does not seems to work. I had to add: > > > > allow $1 nufw_etc_t:dir list_dir_perms; > > read_files_pattern($1,nufw_etc_t,nufw_etc_t) > > read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t) > > > >> > >> # allow clients to connect > >> allow unconfined_t nuauth_port_t:tcp_socket recv_msg; > >> allow unconfined_t nuauth_port_t:tcp_socket name_connect; > >> > >> Not necessary. unconfined_t already can > corenet_port(nuauth_port_t) if ports will be >= 1024 > corenet_reserved_port(nuauth_port_t) if ports will can be < 1024 > corenet_rpc_port(nuauth_port_t) if ports will can be bewtween 600 and 1024. > > > > Not here. Maybe it's related to the way I add the port ? > > I'm using: > > semanage port -a -t nuauth_port_t -p tcp 4129 > > > > Maybe there is a boolean to allow connections ? > > > >>> allow nuauth_t bin_t:dir search; > >> corecmd_search_bin(nuauth_t) > >> > >>> allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg > >> recv_msg }; > >> > >> Look for corenetwork calls. > >> > > > > Fixed > > > > Thanks for your help ! > > > > Pierre > > -------------- next part -------------- # nuauth executable will have: # label: system_u:object_r:nuauth_exec_t # MLS sensitivity: s0 # MCS categories: /usr/sbin/nuauth -- gen_context(system_u:object_r:nuauth_exec_t,s0) /var/run/nuauth/nuauth.pid gen_context(system_u:object_r:nuauth_var_run_t,s0) -------------- next part -------------- ## policy for nuauth ######################################## ## ## Execute a domain transition to run nuauth. ## ## ## ## Domain allowed to transition. ## ## # interface(`nuauth_domtrans',` gen_require(` type nuauth_t, nuauth_exec_t; ') domain_auto_trans($1,nuauth_exec_t,nuauth_t) allow $1 nuauth_t:fd use; allow nuauth_t $1:fd use; allow nuauth_t $1:fifo_file rw_file_perms; allow nuauth_t $1:process sigchld; ') ######################################## ## ## Allow nuauth to access nufw configuration files ## ## ## ## Domain allowed to access files. ## ## ## # interface(`nuauth_access_nufw_etc_t',` gen_require(` type nufw_etc_t; ') allow $1 nufw_etc_t:dir list_dir_perms; read_files_pattern($1,nufw_etc_t,nufw_etc_t) read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t) ') ######################################## ## ## Bind TCP sockets to the nufw port. ## ## ## ## Domain allowed access. ## ## ## # interface(`corenet_tcp_bind_nufw_port',` gen_require(` type nufw_port_t; ') allow $1 nufw_port_t:tcp_socket name_bind; ') ######################################## ## ## Bind TCP sockets to the nuauth port. ## ## ## ## Domain allowed access. ## ## ## # interface(`corenet_tcp_bind_nuauth_port',` gen_require(` type nuauth_port_t; ') allow $1 nuauth_port_t:tcp_socket name_bind; ') ######################################## ## ## Send and receive TCP traffic on the nufw port. ## ## ## ## Domain allowed access. ## ## ## # interface(`corenet_tcp_sendrecv_nufw_port',` gen_require(` type nufw_port_t; ') allow $1 nufw_port_t:tcp_socket { send_msg recv_msg }; ') ######################################## ## ## Send and receive TCP traffic on the nuauth port. ## ## ## ## Domain allowed access. ## ## ## # interface(`corenet_tcp_sendrecv_nuauth_port',` gen_require(` type nuauth_port_t; ') allow $1 nuauth_port_t:tcp_socket { send_msg recv_msg }; ') -------------- next part -------------- policy_module(nuauth,1.0.0) # add nuauth_port_t using: # semanage port -a -t nuauth_port_t -p tcp 4129 ######################################## # # Declarations # type nuauth_t; type nuauth_exec_t; domain_type(nuauth_t) init_daemon_domain(nuauth_t, nuauth_exec_t) # pid files type nuauth_var_run_t; files_pid_file(nuauth_var_run_t) # configuration files nuauth_access_nufw_etc_t(nuauth_t) ######################################## # # nuauth local policy # # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules. # Some common macros (you might be able to remove some) files_read_etc_files(nuauth_t) libs_use_ld_so(nuauth_t) libs_use_shared_libs(nuauth_t) miscfiles_read_localization(nuauth_t) logging_send_syslog_msg(nuauth_t) ## internal communication is often done using fifo and unix sockets. #allow nuauth_t self:fifo_file { read write }; allow nuauth_t self:unix_stream_socket create_stream_socket_perms; # pid file #allow nuauth_t nuauth_var_run_t:file manage_file_perms; #allow nuauth_t nuauth_var_run_t:sock_file { unlink create write }; #allow nuauth_t nuauth_var_run_t:dir rw_dir_perms; manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t) manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t) delete_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t) files_pid_filetrans(nuauth_t,nuauth_var_run_t, { file sock_file }) ## Networking basics (adjust to your needs!) sysnet_dns_name_resolve(nuauth_t) corenet_tcp_sendrecv_all_if(nuauth_t) corenet_tcp_sendrecv_all_nodes(nuauth_t) corenet_tcp_sendrecv_all_ports(nuauth_t) corenet_non_ipsec_sendrecv(nuauth_t) #corenet_tcp_connect_http_port(nuauth_t) #corenet_tcp_connect_all_ports(nuauth_t) ## if it is a network daemon, consider these: #corenet_tcp_bind_all_ports(nuauth_t) corenet_tcp_bind_all_nodes(nuauth_t) allow nuauth_t self:tcp_socket { listen accept }; allow nuauth_t self:unix_dgram_socket create_socket_perms; allow nuauth_t self:netlink_route_socket rw_netlink_socket_perms; type nuauth_port_t; corenet_tcp_bind_nufw_port(nuauth_t); corenet_tcp_bind_nuauth_port(nuauth_t); corenet_port(nuauth_port_t) gen_require(` type nufw_port_t; ') corenet_port(nufw_port_t) corenet_tcp_sendrecv_nufw_port(nuauth_t); corenet_tcp_sendrecv_nuauth_port(nuauth_t); # Init script handling init_use_fds(nuauth_t) init_use_script_ptys(nuauth_t) domain_use_interactive_fds(nuauth_t) # for crypto dev_read_rand(nuauth_t) dev_read_urand(nuauth_t) allow nuauth_t self:process { signal getsched }; allow nuauth_t self:capability { dac_read_search dac_override setuid }; # for the "system" module allow nuauth_t bin_t:dir search; allow nuauth_t self:fifo_file write; auth_use_nsswitch(nuauth_t) auth_domtrans_chk_passwd(nuauth_t) # postgresql logging corenet_tcp_connect_postgresql_port(nuauth_t) corenet_tcp_sendrecv_postgresql_port(nuauth_t) # postgresql searches for file ~/.pgpass files_dontaudit_search_home(nuauth_t) # mysql logging corenet_tcp_connect_mysqld_port(nuauth_t) corenet_tcp_sendrecv_mysqld_port(nuauth_t) -------------- next part -------------- # nufw executable will have: # label: system_u:object_r:nufw_exec_t # MLS sensitivity: s0 # MCS categories: /etc/nufw(/.*)? gen_context(system_u:object_r:nufw_etc_t,s0) /usr/sbin/nufw -- gen_context(system_u:object_r:nufw_exec_t,s0) /var/run/nufw.pid gen_context(system_u:object_r:nufw_var_run_t,s0) -------------- next part -------------- ## policy for nufw ######################################## ## ## Execute a domain transition to run nufw. ## ## ## ## Domain allowed to transition. ## ## # interface(`nufw_domtrans',` gen_require(` type nufw_t, nufw_exec_t; ') domain_auto_trans($1,nufw_exec_t,nufw_t) allow $1 nufw_t:fd use; allow nufw_t $1:fd use; allow nufw_t $1:fifo_file rw_file_perms; allow nufw_t $1:process sigchld; ') ######################################## ## ## Make a TCP connection to the nufw port. ## ## ## ## Domain allowed access. ## ## # interface(`corenet_tcp_connect_nufw_port',` gen_require(` type nufw_port_t; ') allow $1 nufw_port_t:tcp_socket name_connect; ') ######################################## ## ## Send and receive TCP traffic on the nufw port. ## ## ## ## Domain allowed access. ## ## ## # interface(`corenet_tcp_sendrecv_nufw_port',` gen_require(` type nufw_port_t; ') allow $1 nufw_port_t:tcp_socket { send_msg recv_msg }; ') -------------- next part -------------- policy_module(nufw,1.0.0) # add nufw_port_t using: # semanage port -a -t nufw_port_t -p tcp 4128 ######################################## # # Declarations # type nufw_t; type nufw_exec_t; domain_type(nufw_t) init_daemon_domain(nufw_t, nufw_exec_t) # etc files type nufw_etc_t; files_type(nufw_etc_t) # log files type nufw_var_log_t; logging_log_file(nufw_var_log_t) # pid files type nufw_var_run_t; files_pid_file(nufw_var_run_t) ######################################## # # nufw local policy # # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules. # Some common macros (you might be able to remove some) files_read_etc_files(nufw_t) # configuration files allow nufw_t nufw_etc_t:dir list_dir_perms; read_files_pattern(nufw_t,nufw_etc_t,nufw_etc_t) read_lnk_files_pattern(nufw_t,nufw_etc_t,nufw_etc_t) libs_use_ld_so(nufw_t) libs_use_shared_libs(nufw_t) miscfiles_read_localization(nufw_t) logging_send_syslog_msg(nufw_t) ## internal communication is often done using fifo and unix sockets. #allow nufw_t self:fifo_file { read write }; allow nufw_t self:unix_stream_socket create_stream_socket_perms; # pid file allow nufw_t nufw_var_run_t:file manage_file_perms; #allow nufw_t nufw_var_run_t:sock_file manage_file_perms; allow nufw_t nufw_var_run_t:dir rw_dir_perms; files_pid_filetrans(nufw_t,nufw_var_run_t, { file sock_file }) ## Networking basics (adjust to your needs!) sysnet_dns_name_resolve(nufw_t) corenet_tcp_sendrecv_all_if(nufw_t) corenet_tcp_sendrecv_all_nodes(nufw_t) #corenet_tcp_sendrecv_all_ports(nufw_t) #corenet_non_ipsec_sendrecv(nufw_t) type nufw_port_t; corenet_tcp_connect_nufw_port(nufw_t) corenet_tcp_sendrecv_nufw_port(nufw_t) #corenet_tcp_connect_all_ports(nufw_t) ## if it is a network daemon, consider these: #corenet_tcp_bind_all_ports(nufw_t) #corenet_tcp_bind_all_nodes(nufw_t) allow nufw_t self:tcp_socket { listen accept }; allow nufw_t self:rawip_socket create_socket_perms; allow nufw_t self:netlink_socket create_socket_perms; allow nufw_t self:netlink_route_socket rw_netlink_socket_perms; # Init script handling init_use_fds(nufw_t) init_use_script_ptys(nufw_t) domain_use_interactive_fds(nufw_t) # for crypto dev_read_rand(nufw_t) dev_read_urand(nufw_t) # nufw wants sys_nice allow nufw_t self:capability { sys_nice net_admin net_raw }; allow nufw_t self:process { setsched };