Russell Coker <russell@xxxxxxxxxxxx> writes: > This is the policy for a Matrix daemon, it was written for Synapse but should > be OK with minimal modifications for other Matrix daemons. Thanks to > 0xC0ncord for writing a policy which gave me the idea for a tunable for > federation. > > I am happy for this to be included in git now, but no doubt Chris will > suggest some changes. > > Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx> Added some inline comments for what i think are the most interesting aspects. Aside there is more room for improvement > > Index: refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in > =================================================================== > --- refpolicy-2.20210115.orig/policy/modules/kernel/corenetwork.te.in > +++ refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in > @@ -149,7 +149,7 @@ network_port(hadoop_namenode, tcp,8020,s > network_port(hddtemp, tcp,7634,s0) > network_port(howl, tcp,5335,s0, udp,5353,s0) > network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) > -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port > +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port > network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy > network_port(i18n_input, tcp,9010,s0) > network_port(imaze, tcp,5323,s0, udp,5323,s0) > Index: refpolicy-2.20210115/policy/modules/services/matrixd.fc > =================================================================== > --- /dev/null > +++ refpolicy-2.20210115/policy/modules/services/matrixd.fc > @@ -0,0 +1,4 @@ > +/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0) > +/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0) > +/etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0) > +/usr/bin/synctl -- gen_context(system_u:object_r:matrixd_exec_t,s0) > Index: refpolicy-2.20210115/policy/modules/services/matrixd.if > =================================================================== > --- /dev/null > +++ refpolicy-2.20210115/policy/modules/services/matrixd.if > @@ -0,0 +1 @@ > +## <summary>Matrixd</summary> > Index: refpolicy-2.20210115/policy/modules/services/matrixd.te > =================================================================== > --- /dev/null > +++ refpolicy-2.20210115/policy/modules/services/matrixd.te > @@ -0,0 +1,124 @@ > +policy_module(matrixd, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +## <desc> > +## <p> > +## Determine whether Matrixd is allowed to federate > +## (bind all UDP ports and connect to all TCP ports). > +## </p> > +## </desc> > +gen_tunable(matrix_allow_federation, true) > + > +## <desc> > +## <p> > +## Determine whether Matrixd can connect to the Postgres database. > +## </p> > +## </desc> > +gen_tunable(matrix_postgresql_connect, false) > + > + > +type matrixd_t; > +type matrixd_exec_t; > +init_daemon_domain(matrixd_t, matrixd_exec_t) > + > +type matrixd_var_t; > +files_type(matrixd_var_t) > +manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) > +files_search_var_lib(matrixd_t) > +allow matrixd_t matrixd_var_t:file map; > +allow matrixd_t matrixd_var_t:dir manage_dir_perms; > + > +type matrixd_log_t; > +logging_log_file(matrixd_log_t) > +logging_search_logs(matrixd_t) > +manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t) > + > +type matrixd_conf_t; > +files_config_file(matrixd_conf_t) > +read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t) > +allow matrixd_t matrixd_conf_t:dir list_dir_perms; > + > +type matrixd_tmp_t; > +files_tmp_file(matrixd_tmp_t) > +allow matrixd_t matrixd_tmp_t:file { manage_file_perms map }; > +files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file) > +fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file) > + > +######################################## > +# > +# Local policy > +# > + > +allow matrixd_t self:fifo_file rw_file_perms; > +allow matrixd_t self:tcp_socket create_stream_socket_perms; > +allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms; r_netlink_route_socket_perms probably > + > +corenet_tcp_connect_http_port(matrixd_t) > +corenet_tcp_connect_http_cache_port(matrixd_t) > +corenet_udp_bind_generic_port(matrixd_t) > +corenet_tcp_bind_http_port(matrixd_t) > +corenet_udp_bind_reserved_port(matrixd_t) > + > +allow matrixd_t self:udp_socket create_socket_perms; > +allow matrixd_t self:unix_dgram_socket { create getopt setopt write }; create_socket_perms > +# https://cffi.readthedocs.io/en/latest/using.html#callbacks > +allow matrixd_t self:process execmem; > + > +can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t }) Are you sure that it requires "execute_no_trans" here and not just "map execute"? Can you show the avc denials that prompted this rule to be added? > + > +kernel_read_system_state(matrixd_t) > +kernel_search_fs_sysctls(matrixd_t) > +kernel_read_vm_overcommit_sysctl(matrixd_t) > +kernel_search_vm_sysctl(matrixd_t) > + > +corecmd_exec_bin(matrixd_t) > +corecmd_shell_entry_type(matrixd_t) Why would the matrixd_t domain be entered via shell_exec_t? Can you show the avc denials that prompted this rule to be added? > +corecmd_exec_shell(matrixd_t) > + > +corenet_tcp_bind_generic_node(matrixd_t) > +corenet_udp_bind_generic_node(matrixd_t) > + > +dev_read_urand(matrixd_t) > + > +files_read_etc_files(matrixd_t) > +files_read_etc_runtime_files(matrixd_t) > +files_read_etc_symlinks(matrixd_t) > + > +# for /usr/share/ca-certificates > +files_read_usr_files(matrixd_t) > + > +init_search_runtime(matrixd_t) > +libs_exec_ldconfig(matrixd_t) > +libs_exec_lib_files(matrixd_t) > +logging_send_syslog_msg(matrixd_t) > + > +miscfiles_read_generic_tls_privkey(matrixd_t) > +miscfiles_read_generic_certs(matrixd_t) > +miscfiles_read_localization(matrixd_t) > + > +sysnet_read_config(matrixd_t) > + > +userdom_search_user_runtime_root(matrixd_t) > + > +optional_policy(` > + apache_search_config(matrixd_t) > +') > + > +tunable_policy(`matrix_allow_federation',` > + corenet_tcp_connect_all_unreserved_ports(matrixd_t) > + corenet_tcp_connect_generic_port(matrixd_t) > + corenet_udp_bind_all_ports(matrixd_t) > +', ` > + corenet_dontaudit_tcp_connect_all_ports(matrixd_t) > + corenet_dontaudit_udp_bind_all_ports(matrixd_t) > +') > + > +tunable_policy(`matrix_postgresql_connect',` > + postgresql_stream_connect(matrixd_t) > + postgresql_tcp_connect(matrixd_t) > +') > + > -- gpg --locate-keys dominick.grift@xxxxxxxxxxx Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift