From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 2 Nov 2017 12:26:40 +0100
Subject: [refpolicy] [PATCH 2/3] gssproxy: add policy
In-Reply-To: <20171102112303.GA2846@meriadoc.perfinion.com>
References: <20171031053758.7816-1-jason@perfinion.com> <20171031053758.7816-2-jason@perfinion.com> <9dad30d3-4c62-8598-97fb-ee5438c04fa7@ieee.org> <20171102112303.GA2846@meriadoc.perfinion.com>
Message-ID: <20171102112640.GA27871@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Nov 02, 2017 at 07:23:03PM +0800, Jason Zaman via refpolicy wrote:
> On Wed, Nov 01, 2017 at 06:58:33PM -0400, Chris PeBenito wrote: > > On 10/31/2017 01:37 AM, Jason Zaman wrote: > > > borrowed and modified from Fedora > > > --- > > > gssproxy.fc | 8 +++ > > > gssproxy.if | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > > gssproxy.te | 67 ++++++++++++++++++++ > > > 3 files changed, 274 insertions(+) > > > create mode 100644 gssproxy.fc > > > create mode 100644 gssproxy.if > > > create mode 100644 gssproxy.te > > > > > > diff --git a/gssproxy.fc b/gssproxy.fc > > > new file mode 100644 > > > index 0000000..a997015 > > > --- /dev/null > > > +++ b/gssproxy.fc > > > @@ -0,0 +1,8 @@ > > > +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0) > > > + > > > +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) > > > + > > > +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) > > > + > > > +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0) > > > +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0) > > > diff --git a/gssproxy.if b/gssproxy.if > > > new file mode 100644 > > > index 0000000..cebdb20 > > > --- /dev/null > > > +++ b/gssproxy.if 
> > > @@ -0,0 +1,199 @@ > > > + > > > +## policy for gssproxy > > > > Need something more descriptive. > > > > > > > +######################################## > > > +## > > > +## Execute gssproxy in the gssproxy domin. > > > +## > > > +## > > > +## > > > +## Domain allowed to transition. > > > +## > > > +## > > > +# > > > +interface(`gssproxy_domtrans',` > > > + gen_require(` > > > + type gssproxy_t, gssproxy_exec_t; > > > + ') > > > + > > > + corecmd_search_bin($1) > > > + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) > > > +') > > > + > > > +######################################## > > > +## > > > +## Search gssproxy lib directories. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +# > > > +interface(`gssproxy_search_lib',` > > > + gen_require(` > > > + type gssproxy_var_lib_t; > > > + ') > > > + > > > + allow $1 gssproxy_var_lib_t:dir search_dir_perms; > > > + files_search_var_lib($1) > > > +') > > > + > > > +######################################## > > > +## > > > +## Read gssproxy lib files. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +# > > > +interface(`gssproxy_read_lib_files',` > > > + gen_require(` > > > + type gssproxy_var_lib_t; > > > + ') > > > + > > > + files_search_var_lib($1) > > > + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) > > > +') > > > + > > > +######################################## > > > +## > > > +## Manage gssproxy lib files. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +# > > > +interface(`gssproxy_manage_lib_files',` > > > + gen_require(` > > > + type gssproxy_var_lib_t; > > > + ') > > > + > > > + files_search_var_lib($1) > > > + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) > > > +') > > > + > > > +######################################## > > > +## > > > +## Manage gssproxy lib directories. > > > +## > > > +## > > > +## > > > +## Domain allowed access. 
> > > +## > > > +## > > > +# > > > +interface(`gssproxy_manage_lib_dirs',` > > > + gen_require(` > > > + type gssproxy_var_lib_t; > > > + ') > > > + > > > + files_search_var_lib($1) > > > + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) > > > +') > > > + > > > +######################################## > > > +## > > > +## Read gssproxy PID files. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +# > > > +interface(`gssproxy_read_pid_files',` > > > + gen_require(` > > > + type gssproxy_run_t; > > > + ') > > > + > > > + files_search_pids($1) > > > + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t) > > > +') > > > + > > > +######################################## > > > +## > > > +## Execute gssproxy server in the gssproxy domain. > > > +## > > > +## > > > +## > > > +## Domain allowed to transition. > > > +## > > > +## > > > +# > > > +interface(`gssproxy_systemctl',` > > > + gen_require(` > > > + type gssproxy_t; > > > + type gssproxy_unit_t; > > > + ') > > > + > > > + systemd_exec_systemctl($1) > > > > This doesn't exist. > > > > > + init_reload_services($1) > > > + allow $1 gssproxy_unit_t:file read_file_perms; > > > + allow $1 gssproxy_unit_t:service manage_service_perms; > > > + > > > + ps_process_pattern($1, gssproxy_t) > > > +') > > > > This interface needs to be broken up into 3 or 4. > > Hmm. I don't actually use systemd so I'll just drop these completely for > now I guess since I'm not really sure what they should be and these were > from Fedora. > > It's weird that travis-ci didn't catch these unknown interfaces with > WERROR set. I'll double check them all again then.

It would have caught it if you called, for example:

gssproxy_admin(sysadm_t)

Point is that if the interfaces aren't called, then they aren't checked either.

> > > > > +######################################## > > > +## > > > +## Connect to gssproxy over an unix > > > +## domain stream socket. 
> > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +# > > > +interface(`gssproxy_stream_connect',` > > > + gen_require(` > > > + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t; > > > + ') > > > + > > > + files_search_pids($1) > > > + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t) > > > + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) > > > +') > > > + > > > +######################################## > > > +## > > > +## All of the rules required to administrate > > > +## an gssproxy environment > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +## > > > +# > > > +interface(`gssproxy_admin',` > > > + gen_require(` > > > + type gssproxy_t; > > > + type gssproxy_var_lib_t; > > > + type gssproxy_run_t; > > > + type gssproxy_unit_t; > > > + ') > > > + > > > + allow $1 gssproxy_t:process { ptrace signal_perms }; > > > + ps_process_pattern($1, gssproxy_t) > > > + > > > + files_search_var_lib($1) > > > + admin_pattern($1, gssproxy_var_lib_t) > > > + > > > + files_search_pids($1) > > > + admin_pattern($1, gssproxy_run_t) > > > + > > > + gssproxy_systemctl($1) > > > + admin_pattern($1, gssproxy_unit_t) > > > + allow $1 gssproxy_unit_t:service all_service_perms; > > > + optional_policy(` > > > + systemd_passwd_agent_exec($1) > > > + systemd_read_fifo_file_passwd_run($1) > > > > More invalid interface usage. > > > > > + ') > > > +') > > > diff --git a/gssproxy.te b/gssproxy.te > > > new file mode 100644 > > > index 0000000..466c700 > > > --- /dev/null > > > +++ b/gssproxy.te 
> > > @@ -0,0 +1,67 @@ > > > +policy_module(gssproxy, 1.0.0) > > > + > > > +######################################## > > > +# > > > +# Declarations > > > +# > > > + > > > +type gssproxy_t; > > > +type gssproxy_exec_t; > > > +init_daemon_domain(gssproxy_t, gssproxy_exec_t) > > > + > > > +type gssproxy_var_lib_t; > > > +files_type(gssproxy_var_lib_t) > > > + > > > +type gssproxy_run_t; > > > +files_pid_file(gssproxy_run_t) > > > + > > > +type gssproxy_unit_t; > > > +init_unit_file(gssproxy_unit_t) > > > + > > > +######################################## > > > +# > > > +# gssproxy local policy > > > +# > > > +allow gssproxy_t self:capability { setuid setgid }; > > > +allow gssproxy_t self:capability2 block_suspend; > > > +allow gssproxy_t self:fifo_file rw_fifo_file_perms; > > > +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; > > > + > > > +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) > > > +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) > > > +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) > > > +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) > > > +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file }) > > > + > > > +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t) > > > +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t) > > > +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t) > > > +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t) > > > +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file }) > > > + > > > +kernel_rw_rpc_sysctls(gssproxy_t) > > > + > > > +domain_use_interactive_fds(gssproxy_t) > > > + > > > +files_read_etc_files(gssproxy_t) > > > + > > > +fs_getattr_all_fs(gssproxy_t) > > > + > > > +auth_use_nsswitch(gssproxy_t) > > > + > > > +dev_read_urand(gssproxy_t) > > > + > > > 
+logging_send_syslog_msg(gssproxy_t) > > > + > > > +miscfiles_read_localization(gssproxy_t) > > > + > > > +userdom_read_all_users_keys(gssproxy_t) > > > +userdom_manage_user_tmp_dirs(gssproxy_t) > > > +userdom_manage_user_tmp_files(gssproxy_t) > > > + > > > +optional_policy(` > > > + kerberos_filetrans_named_content(gssproxy_t) > > > + kerberos_manage_host_rcache(gssproxy_t) > > > + kerberos_read_keytab(gssproxy_t) > > > + kerberos_use(gssproxy_t) > > > +') > > > > > > > > > -- > > Chris PeBenito -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
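
Review bot: in the gssproxy.fc hunk the dot in `/usr/lib/systemd/system/gssproxy.service` is left unescaped, while the `/run/gssproxy\.pid` and `/run/gssproxy\.sock` entries in the same file escape it. File-context path specifications are regular expressions, so write `gssproxy\.service` to match only the literal unit file name and to keep the file consistent.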
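
Review bot: in the gssproxy.if hunk, gssproxy_admin grants the calling domain `ptrace` on the daemon through `allow $1 gssproxy_t:process { ptrace signal_perms };`, and gssproxy.te lets that same daemon read keytabs (`kerberos_read_keytab(gssproxy_t)`). Unless there is a stated need for tracing, drop `ptrace` and keep `signal_perms`, or put it behind a tunable, so that administering the service does not imply access to the process's memory. The summary on gssproxy_systemctl ("Execute gssproxy server in the gssproxy domain", "Domain allowed to transition") also does not describe its body, which reloads services and grants unit file and service permissions; it should be reworded when the interface is split up or dropped.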
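
Review bot: in the gssproxy.te hunk the three userdom calls (`userdom_read_all_users_keys`, `userdom_manage_user_tmp_dirs`, `userdom_manage_user_tmp_files`) are broad grants over user keys and user temporary content, and nothing in the file says what the daemon needs there. Add a comment above them naming the files or keys involved, and narrow the manage access to read or to a dedicated type if that is all the daemon requires. As a style point, the "gssproxy local policy" header runs straight into the first `allow` rule, without the blank line that follows the "Declarations" header.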