On 04/30/2015 01:35 PM, Miroslav Grepl wrote:
On 04/29/2015 06:28 PM, James Hogarth wrote:
Hi,
I'm the maintainer of sslh and looking to get some feedback on a
policy I'm writing for it.
It has recently been added to the fedora repositories running
unconfined and I'm looking to improve this with running it within its
own confined domain.
The 'default' state is to listen on tcp/443 and to be able to connect
to tcp/80, tcp/443, tcp/5222, tcp/1194 (on both localhost and
arbitrary systems); the default policy is configured for this, with
booleans to let it listen on or connect to any port.
I've tried to style this after the services in fedora-selinux on
github in an attempt to make it consistent with existing policies.
I'd be grateful for any feedback on these before requesting this to be
added to the fedora targeted policy.
Kind regards,
James
sslh te file:
policy_module(sslh,1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether sslh can connect
## to any tcp port or if it is restricted
## to the standard http, openvpn and jabber ports.
## </p>
## </desc>
gen_tunable(sslh_can_connect_any_port, false)
## <desc>
## <p>
## Determine whether sslh can listen
## on any tcp port or if it is restricted
## to the standard http port.
## </p>
## </desc>
gen_tunable(sslh_can_bind_any_port, false)
type sslh_t;
type sslh_exec_t;
init_daemon_domain(sslh_t, sslh_exec_t)
type sslh_config_t;
files_config_file(sslh_config_t)
type sslh_initrc_exec_t;
init_script_file(sslh_initrc_exec_t)
type sslh_var_run_t;
files_pid_file(sslh_var_run_t)
type sslh_unit_file_t;
systemd_unit_file(sslh_unit_file_t)
########################################
#
# sslh local policy
#
allow sslh_t sslh_config_t:file read_file_perms;
auth_read_passwd(sslh_t)
allow sslh_t self:capability { setuid setgid };
allow sslh_t self:process { setcap getcap };
allow sslh_t self:tcp_socket create_stream_socket_perms;
sysnet_dns_name_resolve(sslh_t)
corenet_all_recvfrom_unlabeled(sslh_t)
corenet_all_recvfrom_netlabel(sslh_t)
corenet_tcp_sendrecv_generic_if(sslh_t)
corenet_udp_sendrecv_generic_if(sslh_t)
corenet_tcp_sendrecv_generic_node(sslh_t)
corenet_udp_sendrecv_generic_node(sslh_t)
corenet_tcp_bind_generic_node(sslh_t)
corenet_udp_bind_generic_node(sslh_t)
corenet_tcp_bind_http_port(sslh_t)
corenet_tcp_sendrecv_http_port(sslh_t)
corenet_tcp_connect_http_port(sslh_t)
corenet_tcp_connect_ssh_port(sslh_t)
corenet_tcp_sendrecv_ssh_port(sslh_t)
corenet_tcp_connect_openvpn_port(sslh_t)
corenet_tcp_sendrecv_openvpn_port(sslh_t)
corenet_tcp_connect_jabber_client_port(sslh_t)
corenet_tcp_sendrecv_jabber_client_port(sslh_t)
tunable_policy(`sslh_can_connect_any_port',`
# allow sslh to connect to any port
corenet_tcp_sendrecv_all_ports(sslh_t)
corenet_tcp_connect_all_ports(sslh_t)
')
tunable_policy(`sslh_can_bind_any_port',`
# allow sslh to bind to any port
corenet_tcp_sendrecv_all_ports(sslh_t)
corenet_tcp_bind_all_ports(sslh_t)
')
sslh fc file:
/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
/usr/sbin/sslh-select -- gen_context(system_u:object_r:sslh_exec_t,s0)
/etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
/etc/sslh.cfg -- gen_context(system_u:object_r:sslh_config_t,s0)
/usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
/usr/lib/systemd/system/sslh@*.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
/var/run/sslh(/.*)? gen_context(system_u:object_r:sslh_var_run_t,s0)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
It looks good. I just see
/var/run/sslh(/.*)? gen_context(system_u:object_r:sslh_var_run_t,s0)
but I don't see rules for it. You should also provide an sslh.if
policy file.
I don't see a reason for
/usr/lib/systemd/system/sslh@*.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
which is covered by the previous decl.
If you also provide sslh.if we can review it all and send possible
patches.
Thank you.
Hi,
As Mirek said, check his notes and add the .if source file. You can find
some examples in our selinux-policy repo:
https://github.com/fedora-selinux/selinux-policy/tree/rawhide-contrib
Then you could create a pull request for this policy.
Thank you.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
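Added example, not part of James's patch or of the fedora-selinux tree: the pid-file rules Mirek notes are missing from sslh.te, followed by a minimal sslh.if of the kind both replies ask for. The interface names called inside follow refpolicy/fedora-selinux conventions; the exported `sslh_read_config` and `sslh_admin` interfaces and their bodies are my assumption of what the module would export, not anything the thread shows.

```m4
# Missing from sslh.te: let sslh_t manage its own pid dir/file under /var/run/sslh
manage_dirs_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
manage_files_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
files_pid_filetrans(sslh_t, sslh_var_run_t, { dir file })

# sslh.if (assumed interfaces): what other modules and the admin role can call
## <summary>sslh - SSL/SSH/OpenVPN multiplexer.</summary>

########################################
## <summary>
##	Read sslh configuration files.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`sslh_read_config',`
	gen_require(`
		type sslh_config_t;
	')
	files_search_etc($1)
	allow $1 sslh_config_t:file read_file_perms;
')

########################################
## <summary>
##	All of the rules required to administrate an sslh environment.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
## <rolecap/>
#
interface(`sslh_admin',`
	gen_require(`
		type sslh_t, sslh_config_t, sslh_var_run_t;
		type sslh_initrc_exec_t, sslh_unit_file_t;
	')
	# inspect and signal the daemon, but no domain transition into sslh_t
	allow $1 sslh_t:process { ptrace signal_perms };
	ps_process_pattern($1, sslh_t)
	# run the SysV script (and systemctl) as the admin role
	init_labeled_script_domtrans($1, sslh_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 sslh_initrc_exec_t system_r;
	allow $2 system_r;
	files_search_etc($1)
	admin_pattern($1, sslh_config_t)
	files_search_pids($1)
	admin_pattern($1, sslh_var_run_t)
	systemd_exec_systemctl($1)
	allow $1 sslh_unit_file_t:file read_file_perms;
	allow $1 sslh_unit_file_t:service all_service_perms;
')
```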