From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 2 Nov 2017 12:26:40 +0100
Subject: [refpolicy] [PATCH 2/3] gssproxy: add policy
In-Reply-To: <20171102112303.GA2846@meriadoc.perfinion.com>
References: <20171031053758.7816-1-jason@perfinion.com>
<20171031053758.7816-2-jason@perfinion.com>
<9dad30d3-4c62-8598-97fb-ee5438c04fa7@ieee.org>
<20171102112303.GA2846@meriadoc.perfinion.com>
Message-ID: <20171102112640.GA27871@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Thu, Nov 02, 2017 at 07:23:03PM +0800, Jason Zaman via refpolicy wrote:
> On Wed, Nov 01, 2017 at 06:58:33PM -0400, Chris PeBenito wrote:
> > On 10/31/2017 01:37 AM, Jason Zaman wrote:
> > > borrowed and modified from Fedora
> > > ---
> > > gssproxy.fc | 8 +++
> > > gssproxy.if | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > gssproxy.te | 67 ++++++++++++++++++++
> > > 3 files changed, 274 insertions(+)
> > > create mode 100644 gssproxy.fc
> > > create mode 100644 gssproxy.if
> > > create mode 100644 gssproxy.te
> > >
> > > diff --git a/gssproxy.fc b/gssproxy.fc
> > > new file mode 100644
> > > index 0000000..a997015
> > > --- /dev/null
> > > +++ b/gssproxy.fc
> > > @@ -0,0 +1,8 @@
> > > +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
> > > +
> > > +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
> > > +
> > > +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
> > > +
> > > +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
> > > +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
> > > diff --git a/gssproxy.if b/gssproxy.if
> > > new file mode 100644
> > > index 0000000..cebdb20
> > > --- /dev/null
> > > +++ b/gssproxy.if
> > > @@ -0,0 +1,199 @@
> > > +
> > > +## policy for gssproxy
> >
> > Need something more descriptive.
> >
> >
> > > +########################################
> > > +##
> > > +## Execute gssproxy in the gssproxy domin.
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed to transition.
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_domtrans',`
> > > + gen_require(`
> > > + type gssproxy_t, gssproxy_exec_t;
> > > + ')
> > > +
> > > + corecmd_search_bin($1)
> > > + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
> > > +')
> > > +
> > > +########################################
> > > +##
> > > +## Search gssproxy lib directories.
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed access.
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_search_lib',`
> > > + gen_require(`
> > > + type gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + allow $1 gssproxy_var_lib_t:dir search_dir_perms;
> > > + files_search_var_lib($1)
> > > +')
> > > +
> > > +########################################
> > > +##
> > > +## Read gssproxy lib files.
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed access.
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_read_lib_files',`
> > > + gen_require(`
> > > + type gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + files_search_var_lib($1)
> > > + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +')
> > > +
> > > +########################################
> > > +##
> > > +## Manage gssproxy lib files.
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed access.
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_manage_lib_files',`
> > > + gen_require(`
> > > + type gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + files_search_var_lib($1)
> > > + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +')
> > > +
> > > +########################################
> > > +##
> > > +## Manage gssproxy lib directories.
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed access.
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_manage_lib_dirs',`
> > > + gen_require(`
> > > + type gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + files_search_var_lib($1)
> > > + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +')
> > > +
> > > +########################################
> > > +##
> > > +## Read gssproxy PID files.
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed access.
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_read_pid_files',`
> > > + gen_require(`
> > > + type gssproxy_run_t;
> > > + ')
> > > +
> > > + files_search_pids($1)
> > > + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
> > > +')
> > > +
> > > +########################################
> > > +##
> > > +## Execute gssproxy server in the gssproxy domain.
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed to transition.
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_systemctl',`
> > > + gen_require(`
> > > + type gssproxy_t;
> > > + type gssproxy_unit_t;
> > > + ')
> > > +
> > > + systemd_exec_systemctl($1)
> >
> > This doesn't exist.
> >
> > > + init_reload_services($1)
> > > + allow $1 gssproxy_unit_t:file read_file_perms;
> > > + allow $1 gssproxy_unit_t:service manage_service_perms;
> > > +
> > > + ps_process_pattern($1, gssproxy_t)
> > > +')
> >
> > This interface needs to be broken up into 3 or 4.
>
> Hmm. I dont actually use systemd so i'll just drop these completely for
> now i guess since im not really sure what they should be and these were
> from fedora.
>
> Its weird that travis-ci didnt catch these unknown interfaces with
> WERROR set. I'll double check them all again then.
It would have caught it if you called for example: gssproxy_admin(sysadm_t)
Point is that if the interfaces arent called, then they arent checked either.
> >
> > > +########################################
> > > +##
> > > +## Connect to gssproxy over an unix
> > > +## domain stream socket.
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed access.
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_stream_connect',`
> > > + gen_require(`
> > > + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + files_search_pids($1)
> > > + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
> > > + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
> > > +')
> > > +
> > > +########################################
> > > +##
> > > +## All of the rules required to administrate
> > > +## an gssproxy environment
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed access.
> > > +##
> > > +##
> > > +##
> > > +#
> > > +interface(`gssproxy_admin',`
> > > + gen_require(`
> > > + type gssproxy_t;
> > > + type gssproxy_var_lib_t;
> > > + type gssproxy_run_t;
> > > + type gssproxy_unit_t;
> > > + ')
> > > +
> > > + allow $1 gssproxy_t:process { ptrace signal_perms };
> > > + ps_process_pattern($1, gssproxy_t)
> > > +
> > > + files_search_var_lib($1)
> > > + admin_pattern($1, gssproxy_var_lib_t)
> > > +
> > > + files_search_pids($1)
> > > + admin_pattern($1, gssproxy_run_t)
> > > +
> > > + gssproxy_systemctl($1)
> > > + admin_pattern($1, gssproxy_unit_t)
> > > + allow $1 gssproxy_unit_t:service all_service_perms;
> > > + optional_policy(`
> > > + systemd_passwd_agent_exec($1)
> > > + systemd_read_fifo_file_passwd_run($1)
> >
> > More invalid interface usage.
> >
> > > + ')
> > > +')
> > > diff --git a/gssproxy.te b/gssproxy.te
> > > new file mode 100644
> > > index 0000000..466c700
> > > --- /dev/null
> > > +++ b/gssproxy.te
> > > @@ -0,0 +1,67 @@
> > > +policy_module(gssproxy, 1.0.0)
> > > +
> > > +########################################
> > > +#
> > > +# Declarations
> > > +#
> > > +
> > > +type gssproxy_t;
> > > +type gssproxy_exec_t;
> > > +init_daemon_domain(gssproxy_t, gssproxy_exec_t)
> > > +
> > > +type gssproxy_var_lib_t;
> > > +files_type(gssproxy_var_lib_t)
> > > +
> > > +type gssproxy_run_t;
> > > +files_pid_file(gssproxy_run_t)
> > > +
> > > +type gssproxy_unit_t;
> > > +init_unit_file(gssproxy_unit_t)
> > > +
> > > +########################################
> > > +#
> > > +# gssproxy local policy
> > > +#
> > > +allow gssproxy_t self:capability { setuid setgid };
> > > +allow gssproxy_t self:capability2 block_suspend;
> > > +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
> > > +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
> > > +
> > > +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
> > > +
> > > +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > > +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > > +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > > +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > > +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
> > > +
> > > +kernel_rw_rpc_sysctls(gssproxy_t)
> > > +
> > > +domain_use_interactive_fds(gssproxy_t)
> > > +
> > > +files_read_etc_files(gssproxy_t)
> > > +
> > > +fs_getattr_all_fs(gssproxy_t)
> > > +
> > > +auth_use_nsswitch(gssproxy_t)
> > > +
> > > +dev_read_urand(gssproxy_t)
> > > +
> > > +logging_send_syslog_msg(gssproxy_t)
> > > +
> > > +miscfiles_read_localization(gssproxy_t)
> > > +
> > > +userdom_read_all_users_keys(gssproxy_t)
> > > +userdom_manage_user_tmp_dirs(gssproxy_t)
> > > +userdom_manage_user_tmp_files(gssproxy_t)
> > > +
> > > +optional_policy(`
> > > + kerberos_filetrans_named_content(gssproxy_t)
> > > + kerberos_manage_host_rcache(gssproxy_t)
> > > + kerberos_read_keytab(gssproxy_t)
> > > + kerberos_use(gssproxy_t)
> > > +')
> > >
> >
> >
> > --
> > Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171102/e4ea947e/attachment.bin