From 4ef6da48fa18400736a92f5d5be221c8acfe6738 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Wed, 10 Jul 2019 11:05:57 +0300
Subject: [PATCH] Update selinux-knot policy

---
 sec-policy/selinux-knot/Manifest | 6 +-
 sec-policy/selinux-knot/files/knot.fc | 11 +-
 sec-policy/selinux-knot/files/knot.if | 260 +++++++++-----------------
 sec-policy/selinux-knot/files/knot.te | 116 ++++++++----
 4 files changed, 175 insertions(+), 218 deletions(-)

diff --git a/sec-policy/selinux-knot/Manifest b/sec-policy/selinux-knot/Manifest
index 072c8f1..da3c1ee 100644
--- a/sec-policy/selinux-knot/Manifest
+++ b/sec-policy/selinux-knot/Manifest
@@ -1,6 +1,6 @@
-AUX knot.fc 351 BLAKE2B c405546b5b619948a3dffccad17c4ae12dcbfbc9b538e4bb7325fc5d8560e3a1b87ab0ccac4fd3dcc14be02d9112f139fe71b9bcd40e06efd8893ddf88a5c0c8 SHA512 214002c8c118e2320c3839a7e9cfccd4bd71e6fa0140351ff2c398f27609ea8ea0c5988ee30072db2729469bfc56cbc4f16de6ddcba792e1baf428215a4661a6
-AUX knot.if 4627 BLAKE2B f383b3fc55dc7c99d583a0b5d61949e5b2d328586e02db7d2e8e6b3d88d3b4a1ed67c812db38d49f71efd8b89c92d37ac9722b0bfc8f11de952f1e02725d716a SHA512 a967b731a993ecec3a9ff7189bb5866049331209f643daadd951053d29e44d133140f3fecad756dc6a6e3f1b87f880c40cae81c5c685c834d7f268bf990fab2b
-AUX knot.te 2142 BLAKE2B 15de1876243e55ba3ed68ecd5bbbcb8f637e23431b5ac15958096be29dd14a248d029a27134b72d43f93bb3215b5b1f9fab7c6d9464fbdcd2ab21fb030104816 SHA512 41ad8d429d680351186b6b337fd8b122a61eea73b302bb893fe7243531ba375678239fade0496474e4ece45df667669854d3f5d3e858fe9f8b733e4b52070611
+AUX knot.fc 422 BLAKE2B 9d7602908e81ab7b72f44bd302dbd83197928a92f0eab99b7f3545bb0da1af954d02a79020e0c3a4e06867ff0d8639fbb69b8a1f1975a7fec95a59c66968db1b SHA512 dcc584755579878e700bdaec34f076626fa81e1c420d9e21bcc45daffad535c36f8d85eb746b092530e257be114111b585d8160016d22de888dd5732cac57d70
+AUX knot.if 2311 BLAKE2B be23e5e9854619d8f9df87afa3ee7906804f87680596458e123171ec0d5f37d421ced368103e65ee213a6e5b4c14c85c13566eff6ff855e5dcc7e62ff2d008d1 SHA512 fa76ae77f5874227ab0a3624ea3e8db0bfa0346d62cfeb5be58df2744daab2c97996bd724f1de38f7e29894c21ba52838d9d5a0e306ed16ef37925468047223c
+AUX knot.te 3548 BLAKE2B 6bc7aec7195bc3ca2f0b453cc853a09f2b64b6e4973c3191146178916889df0489e5567bec58dd3c87dbf9c303d7517dfe06a96b44efcaeddd82760057c5e425 SHA512 e112bf828b5fbfe9adc02d56660ffe94a6521c6c4f628202e9a17afc0014aa9b3e5da25d1284c6d36143281169d6a5437795781eb24987360c87e80013077883
 DIST patchbundle-selinux-base-policy-2.20180701-r1.tar.bz2 315378 BLAKE2B eeeb0b04c023c40289b6d964aefd1773d2b5d6912f1dffebf9509e6dcdbb39b17e722ee4483fb2b11193d4b987a85f90c7dc7e61cef3cf982fc2ba368d4900ef SHA512 a8b049120f1c420f9bfb55aba9ed0157ff7896ace402cd1b77b01d1ea52b67e49d915f1c00de83ff4d59b1cf8b8aa1f39b50ba312d842ed4850e75fcc7f5be42
 DIST refpolicy-2.20180701.tar.bz2 753050 BLAKE2B 7069a1b9b9bef25950e62bb50ac09f4a9d5ef6fd0acc667d321da396c3935939348534458df129f7bc81687dca240b4c4fc120d1f46d452665d335c9f023da8c SHA512 9dd5a1e10da5d25fea96cc25efb682f8ac866e835a1d940b161c1ce944cac9a90a5836b03c14311acad6bf9acd9a78003f36e050d35d8edb43606575523857b5
 EBUILD selinux-knot-2.20180701-r1.ebuild 377 BLAKE2B 3e0e81a404c1810ddeedad0ab2af2d6db2270f85492ea39d60992cf0b0015f500b8e70dda185af2341684115adcb580e79fba76665fbe80ba0d1db3305103082 SHA512 18f8f1a16161f4f648cbd346b467bc4bb3c810d156e6ffbdc34d12d7686f08c0911484e8c5304045ae2aef49c71d9586b574f041c1fe337fbacf1d405579c5f4
diff --git a/sec-policy/selinux-knot/files/knot.fc b/sec-policy/selinux-knot/files/knot.fc
index b441e43..bbf8a35 100644
--- a/sec-policy/selinux-knot/files/knot.fc
+++ b/sec-policy/selinux-knot/files/knot.fc
@@ -1,10 +1,11 @@ +/etc/rc\.d/init\.d/knot -- gen_context(system_u:object_r:knot_initrc_exec_t,s0) + +/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0) + /usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0) -/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0) - -/var/run/knot(/.*)? gen_context(system_u:object_r:knot_var_run_t,s0) +/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0) /var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0) -/etc/knot(/.*)? gen_context(system_u:object_r:knot_etc_t,s0) - +/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0)
diff --git a/sec-policy/selinux-knot/files/knot.if b/sec-policy/selinux-knot/files/knot.if
index 1ccc9f5..cde5b5e 100644
--- a/sec-policy/selinux-knot/files/knot.if
+++ b/sec-policy/selinux-knot/files/knot.if
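Review bot: The new `/etc/rc\.d/init\.d/knot` entry follows the refpolicy path convention, but on an OpenRC host the script is installed as `/etc/init.d/knot`, so the `knot_initrc_exec_t` label is only applied if the base policy's file-context substitution maps `/etc/init.d` onto `/etc/rc.d/init.d`; that mapping is outside this diff and should be confirmed before relying on `init_startstop_service`. The same applies to `/run/knot(/.*)?`, which replaces `/var/run/knot` and depends on the `/var/run` → `/run` substitution. A one-line comment such as `# OpenRC script is /etc/init.d/knot; labelled via the init.d path substitution` next to the entry would make that dependency visible to the next maintainer.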
@@ -1,157 +1,8 @@ - -## policy for knotc +## high-performance authoritative-only DNS server. ######################################## ## -## Execute knotd_exec_t in the knotd domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`knotd_domtrans',` - gen_require(` - type knotd_t, knotd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, knotd_exec_t, knotd_t) -') - -###################################### -## -## Execute knotd in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`knotd_exec',` - gen_require(` - type knotd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, knotd_exec_t) -') - -######################################## -## -## Knotd /run files transitions. -## -## -## -## Domain allowed access. -## -## -# -interface(`knot_var_run_trans',` - gen_require(` - type knot_var_run_t; - type var_run_t; - type tmpfiles_t; - ') - - manage_dirs_pattern($1, knot_var_run_t, knot_var_run_t) - manage_files_pattern($1, knot_var_run_t, knot_var_run_t) - manage_lnk_files_pattern($1, knot_var_run_t, knot_var_run_t) - manage_sock_files_pattern($1, knot_var_run_t, knot_var_run_t) - search_dirs_pattern($1, knot_var_run_t, knot_var_run_t) - files_pid_filetrans($1, knot_var_run_t, { file dir sock_file}) - filetrans_pattern(tmpfiles_t, var_run_t, knot_var_run_t, dir, "knot") -') - -######################################## -## -## Knot /var/lib files mamange. -## -## -## -## Domain allowed access. -## -## -# -interface(`knot_var_lib_manage',` - gen_require(` - type knot_var_lib_t; - ') - - manage_dirs_pattern($1, knot_var_lib_t, knot_var_lib_t) - manage_files_pattern($1, knot_var_lib_t, knot_var_lib_t) - manage_lnk_files_pattern($1, knot_var_lib_t, knot_var_lib_t) - allow $1 knot_var_lib_t:file map; - files_var_lib_filetrans($1, knot_var_lib_t, { file dir }) -') - -######################################## -## -## Knotd /var/lib files transitions. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`knot_var_lib_trans',` - gen_require(` - type knot_var_lib_t; - type var_lib_t; - type tmpfiles_t; - ') - - knot_var_lib_manage($1) - filetrans_pattern(tmpfiles_t, var_lib_t, knot_var_lib_t, dir, "knot") -') - -######################################## -## -## Knot /etc/knot files read. -## -## -## -## Domain allowed access. -## -## -# -interface(`knot_etc_t_read',` - gen_require(` - type knot_etc_t; - type initrc_t; - ') - - mmap_read_files_pattern($1, knot_etc_t, knot_etc_t) - read_files_pattern(initrc_t, knot_etc_t, knot_etc_t) -') - -######################################## -## -## Knot /tmp files transitions. -## -## -## -## Domain allowed access. -## -## -# -interface(`knot_tmp_trans',` - gen_require(` - type knot_tmp_t; - ') - - files_tmp_filetrans($1, knot_tmp_t, { file dir }) - allow $1 knot_tmp_t:file map; - allow $1 knot_tmp_t:file manage_file_perms; - allow $1 knot_tmp_t:dir manage_dir_perms; -') - -######################################## -## -## Execute knotc_exec_t in the knotc domain. +## Execute knotc in the knotc domain. ## ## ## 
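Review bot: Dropping `knot_var_run_trans` and `knot_var_lib_trans` also removes the `filetrans_pattern(tmpfiles_t, var_run_t, knot_var_run_t, dir, "knot")` and `var_lib_t` rules that labelled `/run/knot` and `/var/lib/knot` when systemd-tmpfiles created them, and nothing in this commit restores an equivalent, so on a tmpfiles-managed host those directories would presumably end up as `var_run_t`/`var_lib_t` unless knotd creates them itself. If the target is OpenRC-only that is acceptable, but the commit message should say so. The removed `knotd_domtrans` and `knotd_exec` interfaces were public; any out-of-tree module that called them will now fail to build, which is worth stating as well.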
@@ -159,40 +10,99 @@ interface(`knot_tmp_trans',` ## ## # -interface(`knotc_domtrans',` - gen_require(` - type knotc_t, knotc_exec_t; - ') +interface(`knot_domtrans_client',` + gen_require(` + type knotc_t, knotc_exec_t; + ') - corecmd_search_bin($1) - domtrans_pattern($1, knotc_exec_t, knotc_t) + corecmd_search_bin($1) + domtrans_pattern($1, knotc_exec_t, knotc_t) ') ######################################## ## -## Role access for knotc +## Execute knotc in the knotc domain, and +## allow the specified role the knotc domain. ## -## -## -## Role allowed access -## -## ## ## -## User domain for the role +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`knot_run_client',` + gen_require(` + attribute_role knot_roles; + ') + + knot_domtrans_client($1) + roleattribute $2 knot_roles; +') + +######################################## +## +## Read knot config files. +## +## +## +## Domain allowed access. ## ## # -interface(`knotc_role',` - gen_require(` - type knotc_t; - attribute_role knotc_roles; - ') +interface(`knot_read_config_file',` + gen_require(` + type knot_conf_t; + ') - roleattribute $1 knotc_roles; - - knotc_domtrans($2) - - ps_process_pattern($2, knotc_t) - allow $2 knotc_t:process { signull signal sigkill }; + read_files_pattern($1, knot_conf_t, knot_conf_t) + files_search_etc($1) +') + +######################################## +## +## All of the rules required to +## administrate an knot environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. 
+## +## +## +# +interface(`knot_admin',` + gen_require(` + type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t; + type knot_runtime_t, knot_tmp_t, knot_var_lib_t; + ') + + allow $2 knotc_t:process signal_perms; + allow $1 knotd_t:process { ptrace signal_perms }; + ps_process_pattern($2, knotc_t) + ps_process_pattern($1, knotd_t) + + init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t) + + files_search_etc($1) + admin_pattern($1, knot_conf_t) + + files_search_pids($1) + admin_pattern($1, knot_runtime_t) + + files_search_tmp($1) + admin_pattern($1, knot_tmp_t) + + files_search_var_lib($1) + admin_pattern($1, knot_var_lib_t) ') diff --git a/sec-policy/selinux-knot/files/knot.te b/sec-policy/selinux-knot/files/knot.te index 42fd868..e2c5514 100644 --- a/sec-policy/selinux-knot/files/knot.te +++ b/sec-policy/selinux-knot/files/knot.te @@ -5,6 +5,8 @@ policy_module(knot, 1.0.0) # Declarations # +attribute_role knot_roles; + type knotd_t; type knotd_exec_t; init_daemon_domain(knotd_t, knotd_exec_t) @@ -13,16 +15,16 @@ type knotc_t; type knotc_exec_t; application_domain(knotc_t, knotc_exec_t) init_daemon_domain(knotc_t, knotc_exec_t) -role knotc_roles types knotc_t; +role knot_roles types knotc_t; -attribute_role knotc_roles; -roleattribute system_r knotc_roles; +type knot_conf_t; +files_config_file(knot_conf_t) -type knot_etc_t; -files_type(knot_etc_t) +type knot_initrc_exec_t; +init_script_file(knot_initrc_exec_t) -type knot_var_run_t; -files_pid_file(knot_var_run_t) +type knot_runtime_t; +files_pid_file(knot_runtime_t) type knot_var_lib_t; files_type(knot_var_lib_t) 
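Review bot: `knot_admin` uses `$2` as both a role and a domain: the summary documents `$1` as the domain and `$2` as the role, and `init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t)` consumes them in that order, yet `allow $2 knotc_t:process signal_perms;` and `ps_process_pattern($2, knotc_t)` place the role in the source-type position, which checkpolicy should reject as an undeclared type. Both lines should use the domain: `allow $1 knotc_t:process signal_perms;` and `ps_process_pattern($1, knotc_t)`. The summary wording `administrate an knot environment` should read `administrate a knot environment`.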
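Review bot: `files_config_file(knot_conf_t)` replaces the previous plain `files_type(knot_etc_t)` and attaches the generic configuration-file attribute, so any domain granted attribute-wide read access to configuration files can now read `/etc/knot`, which typically carries TSIG secrets in the key section of knot.conf. Whether that widening is intended cannot be judged from this diff, since the attribute-wide callers live elsewhere in the policy tree; if it is not, `files_type(knot_conf_t)` keeps the config reachable only through `knot_read_config_file`. A comment such as `# knot.conf may hold TSIG secrets; keep readers explicit` above the declaration would record the decision either way.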
@@ -34,28 +36,50 @@ files_tmp_file(knot_tmp_t) # # knotd local policy # -allow knotd_t self:capability { setgid setuid dac_read_search }; -allow knotd_t self:process { fork signal_perms getcap getsched setsched }; +allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid }; +allow knotd_t self:process { signal_perms getcap getsched setsched }; allow knotd_t self:tcp_socket create_stream_socket_perms; -allow knotd_t self:udp_socket create_stream_socket_perms; -allow knotd_t self:unix_stream_socket { listen accept }; +allow knotd_t self:udp_socket create_socket_perms; +allow knotd_t self:unix_stream_socket create_stream_socket_perms; corenet_tcp_bind_generic_node(knotd_t) corenet_udp_bind_generic_node(knotd_t) + +corenet_sendrecv_dns_server_packets(knotd_t) corenet_tcp_bind_dns_port(knotd_t) corenet_udp_bind_dns_port(knotd_t) - -knot_etc_t_read(knotd_t) -knot_var_run_trans(knotd_t) -knot_var_lib_trans(knotd_t) -knot_tmp_trans(knotd_t) +# Slave replication +corenet_tcp_connect_dns_port(knotd_t) kernel_read_kernel_sysctls(knotd_t) -fs_getattr_xattr_fs(knotd_t) -fs_dontaudit_getattr_tmpfs(knotd_t) +allow knotd_t knot_conf_t:file map; +knot_read_config_file(knotd_t) -files_read_etc_files(knotd_t) +manage_dirs_pattern(knotd_t, knot_runtime_t, knot_runtime_t) +manage_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) +manage_lnk_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) +manage_sock_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t) +files_search_pids(knotd_t) ### Check it +files_pid_filetrans(knotd_t, knot_runtime_t, dir) + +allow knotd_t knot_tmp_t:file map; +allow knotd_t knot_tmp_t:file manage_file_perms; +allow knotd_t knot_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(knotd_t, knot_tmp_t, { file dir }) + +allow knotd_t knot_var_lib_t:file map; +manage_dirs_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) +manage_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t) +manage_lnk_files_pattern(knotd_t, knot_var_lib_t, 
knot_var_lib_t) +files_search_var_lib(knotd_t) +files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir) + +files_map_etc_files(knotd_t) + +fs_getattr_xattr_fs(knotd_t) + +fs_getattr_tmpfs(knotd_t) auth_use_nsswitch(knotd_t) @@ -67,29 +91,51 @@ miscfiles_read_localization(knotd_t) # # knotc local policy # - allow knotc_t self:capability { dac_override dac_read_search }; -allow knotc_t knotd_t:unix_stream_socket connectto; -allow knotc_t knot_var_run_t:dir search; -allow knotc_t knot_var_run_t:sock_file write_sock_file_perms; +allow knotc_t self:process signal; -knot_etc_t_read(knotc_t) -knot_tmp_trans(knotc_t) -knot_var_lib_manage(knotc_t) +stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t) -fs_dontaudit_getattr_tmpfs(knotc_t) -files_dontaudit_search_var_lib(knotc_t) +allow knotc_t knot_conf_t:file map; +knot_read_config_file(knotc_t) + +allow knotc_t knot_tmp_t:file map; +allow knotc_t knot_tmp_t:file manage_file_perms; +allow knotc_t knot_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(knotc_t, knot_tmp_t, { file dir }) + +allow knotc_t knot_var_lib_t:file map; +manage_dirs_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) +manage_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) +manage_lnk_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t) +files_search_var_lib(knotc_t) + +files_read_etc_files(knotc_t) + +fs_getattr_tmpfs(knotc_t) domain_use_interactive_fds(knotc_t) -userdom_use_user_ptys(knotc_t) miscfiles_read_localization(knotc_t) -optional_policy(` - gen_require(` - type sysadm_t; - role sysadm_r; - ') +userdom_use_user_ptys(knotc_t) - knotc_role(sysadm_r, sysadm_t) + + +optional_policy(` + gen_require(` + type initrc_t; + ') + + knot_read_config_file(initrc_t) +') + +optional_policy(` + gen_require(` + role sysadm_r + type sysadm_t; + ') + + knot_admin(sysadm_r, sysadm_t) + knot_run_client(sysadm_r, sysadm_t) ')
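Review bot: `files_search_pids(knotd_t) ### Check it` commits an unresolved reviewer marker into the policy; either confirm the rule and drop the tag or replace it with a statement of what is unverified, e.g. `files_search_pids(knotd_t) # needed for files_pid_filetrans below`. On the same topic, `files_pid_filetrans(knotd_t, knot_runtime_t, dir)` labels every directory knotd creates under /run as `knot_runtime_t`; if this refpolicy version accepts the optional name argument, `files_pid_filetrans(knotd_t, knot_runtime_t, dir, "knot")` narrows that to the intended directory. Adding `dac_override` alongside `dac_read_search` in the capability set is a broad grant; if knotd only needs to read root-owned files before dropping privileges, `dac_read_search` already covers it, so the denial that motivated `dac_override` should be cited in a comment. The knotd section of this hunk continues past the hunk boundary.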
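Review bot: The final `gen_require` block lacks the semicolon after `role sysadm_r`, so the module will not compile, and the two calls pass (role, domain) while `knot_admin` and `knot_run_client` are declared as (domain, role) in knot.if, where `init_startstop_service($1, $2, ...)` and `roleattribute $2 knot_roles` consume them in that order. With the current order `roleattribute sysadm_t knot_roles` would be applied to a type rather than a role. The lines should read `role sysadm_r;`, `knot_admin(sysadm_t, sysadm_r)` and `knot_run_client(sysadm_t, sysadm_r)`.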