Russell Coker <russell@xxxxxxxxxxxx> writes:
> This is the policy for a Matrix daemon, it was written for Synapse but should
> be OK with minimal modifications for other Matrix daemons. Thanks to
> 0xC0ncord for writing a policy which gave me the idea for a tunable for
> federation.
>
> I am happy for this to be included in git now, but no doubt Chris will
> suggest some changes.
>
> Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Added some inline comments for what i think are the most interesting
aspects.
Aside there is more room for improvement
>
> Index: refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- refpolicy-2.20210115.orig/policy/modules/kernel/corenetwork.te.in
> +++ refpolicy-2.20210115/policy/modules/kernel/corenetwork.te.in
> @@ -149,7 +149,7 @@ network_port(hadoop_namenode, tcp,8020,s
> network_port(hddtemp, tcp,7634,s0)
> network_port(howl, tcp,5335,s0, udp,5353,s0)
> network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
> -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
> +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
> network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
> network_port(i18n_input, tcp,9010,s0)
> network_port(imaze, tcp,5323,s0, udp,5323,s0)
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.fc
> @@ -0,0 +1,4 @@
> +/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0)
> +/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0)
> +/etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0)
> +/usr/bin/synctl -- gen_context(system_u:object_r:matrixd_exec_t,s0)
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.if
> @@ -0,0 +1 @@
> +## <summary>Matrixd</summary>
> Index: refpolicy-2.20210115/policy/modules/services/matrixd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210115/policy/modules/services/matrixd.te
> @@ -0,0 +1,124 @@
> +policy_module(matrixd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Determine whether Matrixd is allowed to federate
> +## (bind all UDP ports and connect to all TCP ports).
> +## </p>
> +## </desc>
> +gen_tunable(matrix_allow_federation, true)
> +
> +## <desc>
> +## <p>
> +## Determine whether Matrixd can connect to the Postgres database.
> +## </p>
> +## </desc>
> +gen_tunable(matrix_postgresql_connect, false)
> +
> +
> +type matrixd_t;
> +type matrixd_exec_t;
> +init_daemon_domain(matrixd_t, matrixd_exec_t)
> +
> +type matrixd_var_t;
> +files_type(matrixd_var_t)
> +manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
> +files_search_var_lib(matrixd_t)
> +allow matrixd_t matrixd_var_t:file map;
> +allow matrixd_t matrixd_var_t:dir manage_dir_perms;
> +
> +type matrixd_log_t;
> +logging_log_file(matrixd_log_t)
> +logging_search_logs(matrixd_t)
> +manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
> +
> +type matrixd_conf_t;
> +files_config_file(matrixd_conf_t)
> +read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
> +allow matrixd_t matrixd_conf_t:dir list_dir_perms;
> +
> +type matrixd_tmp_t;
> +files_tmp_file(matrixd_tmp_t)
> +allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
> +files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
> +fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow matrixd_t self:fifo_file rw_file_perms;
> +allow matrixd_t self:tcp_socket create_stream_socket_perms;
> +allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms;
r_netlink_route_socket_perms probably
> +
> +corenet_tcp_connect_http_port(matrixd_t)
> +corenet_tcp_connect_http_cache_port(matrixd_t)
> +corenet_udp_bind_generic_port(matrixd_t)
> +corenet_tcp_bind_http_port(matrixd_t)
> +corenet_udp_bind_reserved_port(matrixd_t)
> +
> +allow matrixd_t self:udp_socket create_socket_perms;
> +allow matrixd_t self:unix_dgram_socket { create getopt setopt write };
create_socket_perms
> +# https://cffi.readthedocs.io/en/latest/using.html#callbacks
> +allow matrixd_t self:process execmem;
> +
> +can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t })
Are you sure that it requires "execute_no_trans" here and not just "map
execute"? Can you show the avc denials that prompted this rule to be added?
> +
> +kernel_read_system_state(matrixd_t)
> +kernel_search_fs_sysctls(matrixd_t)
> +kernel_read_vm_overcommit_sysctl(matrixd_t)
> +kernel_search_vm_sysctl(matrixd_t)
> +
> +corecmd_exec_bin(matrixd_t)
> +corecmd_shell_entry_type(matrixd_t)
Why would the matrixd_t domain be entered via shell_exec_t? Can you show
the avc denials that prompted this rule to be added?
> +corecmd_exec_shell(matrixd_t)
> +
> +corenet_tcp_bind_generic_node(matrixd_t)
> +corenet_udp_bind_generic_node(matrixd_t)
> +
> +dev_read_urand(matrixd_t)
> +
> +files_read_etc_files(matrixd_t)
> +files_read_etc_runtime_files(matrixd_t)
> +files_read_etc_symlinks(matrixd_t)
> +
> +# for /usr/share/ca-certificates
> +files_read_usr_files(matrixd_t)
> +
> +init_search_runtime(matrixd_t)
> +libs_exec_ldconfig(matrixd_t)
> +libs_exec_lib_files(matrixd_t)
> +logging_send_syslog_msg(matrixd_t)
> +
> +miscfiles_read_generic_tls_privkey(matrixd_t)
> +miscfiles_read_generic_certs(matrixd_t)
> +miscfiles_read_localization(matrixd_t)
> +
> +sysnet_read_config(matrixd_t)
> +
> +userdom_search_user_runtime_root(matrixd_t)
> +
> +optional_policy(`
> + apache_search_config(matrixd_t)
> +')
> +
> +tunable_policy(`matrix_allow_federation',`
> + corenet_tcp_connect_all_unreserved_ports(matrixd_t)
> + corenet_tcp_connect_generic_port(matrixd_t)
> + corenet_udp_bind_all_ports(matrixd_t)
> +', `
> + corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
> + corenet_dontaudit_udp_bind_all_ports(matrixd_t)
> +')
> +
> +tunable_policy(`matrix_postgresql_connect',`
> + postgresql_stream_connect(matrixd_t)
> + postgresql_tcp_connect(matrixd_t)
> +')
> +
>
--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
