On 04/29/2015 06:28 PM, James Hogarth wrote:
> Hi,
>
> I'm the maintainer of sslh and looking to get some feedback on a
> policy I'm writing for it.
>
> It has recently been added to the fedora repositories running
> unconfined and I'm looking to improve this with running it within its
> own confined domain.
>
> The 'default' state is to listen on tcp/443 and to be able to connect
> to tcp/80, tcp/443, tcp/5222, tcp/1194 (on both localhost and
> arbitrary systems) which the default policy is configured for with the
> option via booleans to let it listen on or connect to any port.
>
> I've tried to style this after the services in fedora-selinux on
> github in an attempt to make it consistent with existing policies.
>
> I'd be grateful for any feedback on these before requesting this to be
> added to the fedora targeted policy.
>
> Kind regards,
>
> James
>
>
> sslh te file:
>
> policy_module(sslh,1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> ## <desc>
> ## <p>
> ## Determine whether sslh can connect
> ## to any tcp port or if it is restricted
> ## to the standard http, openvpn and jabber ports.
> ## </p>
> ## </desc>
> gen_tunable(sslh_can_connect_any_port, false)
>
> ## <desc>
> ## <p>
> ## Determine whether sslh can listen
> ## on any tcp port or if it is restricted
> ## to the standard http.
> ## </p>
> ## </desc>
> gen_tunable(sslh_can_bind_any_port, false)
>
>
> type sslh_t;
> type sslh_exec_t;
> init_daemon_domain(sslh_t, sslh_exec_t)
>
> type sslh_config_t;
> files_config_file(sslh_config_t)
>
> type sslh_initrc_exec_t;
> init_script_file(sslh_initrc_exec_t)
>
> type sslh_var_run_t;
> files_pid_file(sslh_var_run_t)
>
> type sslh_unit_file_t;
> systemd_unit_file(sslh_unit_file_t)
>
> ########################################
> #
> # sslh local policy
> #
>
> allow sslh_t sslh_config_t:file read_file_perms;
>
> auth_read_passwd(sslh_t)
>
> allow sslh_t self:capability { setuid setgid };
> allow sslh_t self:process { setcap getcap };
>
> allow sslh_t self:tcp_socket create_stream_socket_perms;
>
> sysnet_dns_name_resolve(sslh_t)
>
> corenet_all_recvfrom_unlabeled(sslh_t)
> corenet_all_recvfrom_netlabel(sslh_t)
> corenet_tcp_sendrecv_generic_if(sslh_t)
> corenet_udp_sendrecv_generic_if(sslh_t)
> corenet_tcp_sendrecv_generic_node(sslh_t)
> corenet_udp_sendrecv_generic_node(sslh_t)
> corenet_tcp_bind_generic_node(sslh_t)
> corenet_udp_bind_generic_node(sslh_t)
>
> corenet_tcp_bind_http_port(sslh_t)
>
> corenet_tcp_sendrecv_http_port(sslh_t)
> corenet_tcp_connect_http_port(sslh_t)
>
> corenet_tcp_connect_ssh_port(sslh_t)
> corenet_tcp_sendrecv_ssh_port(sslh_t)
>
> corenet_tcp_connect_openvpn_port(sslh_t)
> corenet_tcp_sendrecv_openvpn_port(sslh_t)
>
> corenet_tcp_connect_jabber_client_port(sslh_t)
> corenet_tcp_sendrecv_jabber_client_port(sslh_t)
>
>
> tunable_policy(`sslh_can_connect_any_port',`
>     # allow sslh to connect to any port
>     corenet_tcp_sendrecv_all_ports(sslh_t)
>     corenet_tcp_connect_all_ports(sslh_t)
> ')
>
> tunable_policy(`sslh_can_bind_any_port',`
>     # allow sslh to bind to any port
>     corenet_tcp_sendrecv_all_ports(sslh_t)
>     corenet_tcp_bind_all_ports(sslh_t)
> ')
>
> sslh fc file:
>
> /usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
> /usr/sbin/sslh-select -- gen_context(system_u:object_r:sslh_exec_t,s0)
> /etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
> /etc/sslh.cfg -- gen_context(system_u:object_r:sslh_config_t,s0)
> /usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
> /usr/lib/systemd/system/sslh@*.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
> /var/run/sslh(/.*)? gen_context(system_u:object_r:sslh_var_run_t,s0)
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

It looks good. Just I see

/var/run/sslh(/.*)? gen_context(system_u:object_r:sslh_var_run_t,s0)

but I don't see rules for it.

You should also provide an sslh.if policy file.

I don't see a reason for

/usr/lib/systemd/system/sslh@*.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)

which is covered by the previous decl.

If you also provide sslh.if we can review it as a whole and send possible patches.

Thank you.

--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.