Re: small net patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2/11/20 10:11 PM, Russell Coker wrote:
This patch against git refpolicy adds a few small network related policy
changes.  I think it's ready to be included.

Please inline patch and add signed-off-by.

--- refpolicy-2.20200209.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20200209/policy/modules/admin/netutils.te
@@ -110,6 +110,7 @@ allow ping_t self:tcp_socket create_sock
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;
corenet_all_recvfrom_unlabeled(ping_t)
 corenet_all_recvfrom_netlabel(ping_t)
Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20200209/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
 /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
Index: refpolicy-2.20200209/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20200209/policy/modules/system/sysnetwork.te
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.24.2)
 # Declarations
 #
+## <desc>
+##      <p>
+##      Determine whether DHCP client
+##      can manage samba
+##      </p>
+## </desc>
+gen_tunable(dhcpc_manage_samba, false)
+
 attribute_role dhcpc_roles;
 roleattribute system_r dhcpc_roles;
@@ -171,6 +179,15 @@ ifdef(`init_systemd',`
 ')
optional_policy(`
+	tunable_policy(`dhcpc_manage_samba',`
+        	samba_manage_var_files(dhcpc_t)
+		init_exec_script_files(dhcpc_t)
+		init_get_system_status(dhcpc_t)
+		samba_restart(dhcpc_t)

Please elaborate here. Is this to set WINS servers?

+	')
+')
+
+optional_policy(`
 	avahi_domtrans(dhcpc_t)
 ')
Index: refpolicy-2.20200209/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20200209/policy/modules/roles/staff.te
@@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
 #
 corenet_ib_access_unlabeled_pkeys(staff_t)
+corenet_tcp_bind_all_unreserved_ports(staff_t)
+corenet_udp_bind_all_unreserved_ports(staff_t)
+corenet_tcp_bind_generic_node(staff_t)

No, this may be staff, but still unprivileged.

 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
@@ -36,6 +40,10 @@ optional_policy(`
 ')
optional_policy(`
+	netutils_domtrans_ping(staff_t)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
@@ -65,6 +73,11 @@ optional_policy(`
 ')
optional_policy(`
+	# for torbrowser-launcher
+	xdg_exec_data(staff_t)
+')
+
+optional_policy(`
 	xscreensaver_role(staff_r, staff_t)
 ')
Index: refpolicy-2.20200209/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20200209/policy/modules/roles/unprivuser.te
@@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
 #
 # Declarations
 #
+## <desc>
+## <p>
+## Allow user to bind all unreserved ports
+## </p>
+## </desc>
+gen_tunable(user_bind_unreserved, false)
#role user_r; userdom_unpriv_user_template(user) +tunable_policy(`user_bind_unreserved', `
+	corenet_tcp_bind_all_unreserved_ports(user_t)
+	corenet_udp_bind_all_unreserved_ports(user_t)
+	corenet_tcp_bind_generic_node(user_t)
+')

There's already a user_tcp_server tunable in userdom_unpriv_user_template() that should be used instead.

 optional_policy(`
 	apache_role(user_r, user_t)
 ')
@@ -25,6 +37,10 @@ optional_policy(`
 ')
optional_policy(`
+	netutils_domtrans_ping(user_t)
+')

This is already maanged in userdom_unpriv_user_template().

+optional_policy(`
 	screen_role_template(user, user_r, user_t)
 ')
@@ -33,6 +49,11 @@ optional_policy(`
 ')
optional_policy(`
+	# for torbrowser-launcher
+	xdg_exec_data(user_t)
+')

How about adding this to userdom_unpriv_user_template() or userdom_common_user_template() instead?

+optional_policy(`
 	xscreensaver_role(user_r, user_t)
 ')
Index: refpolicy-2.20200209/policy/modules/services/samba.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/samba.if
+++ refpolicy-2.20200209/policy/modules/services/samba.if
@@ -714,3 +714,22 @@ interface(`samba_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
 ')
+
+########################################
+## <summary>
+##	Restart and get status of samba daemon
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_restart',`
+	gen_require(`
+		type samba_unit_t;
+	')
+
+	allow $1 samba_unit_t:file getattr;
+	allow $1 samba_unit_t:service { start stop status reload };
+')

Break this up into at least 3 interfaces, samba_startstop, samba_status, samba_reload.


Index: refpolicy-2.20200209/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20200209/policy/modules/system/xdg.if
@@ -795,6 +795,24 @@ interface(`xdg_relabel_all_data',`
########################################
 ## <summary>
+##	Allow executing the xdg data home files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	can_exec($1, xdg_data_t)
+')
+
+########################################
+## <summary>
 ##	Create objects in the user home dir with an automatic type transition to
 ##	the xdg_documents_t type.
 ## </summary>

--
Chris PeBenito



[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux