Re: [PATCH] misc network patches

On Thursday, 21 January 2021 12:23:29 AM AEDT Dominick Grift wrote:
> > Index: refpolicy-2.20210120/policy/modules/roles/staff.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/roles/staff.te
> > +++ refpolicy-2.20210120/policy/modules/roles/staff.te
> > @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
> > 
> >  #
> >  corenet_ib_access_unlabeled_pkeys(staff_t)
> > 
> > +corenet_tcp_bind_all_unreserved_ports(staff_t)
> > +corenet_udp_bind_all_unreserved_ports(staff_t)
> > +corenet_tcp_bind_generic_node(staff_t)
> 
> staff_t is an "unpriv user" and so "userdom_unpriv_user_template()"
> applies to staff_t.

OK, I'll remove that.

> this template has two booleans: user_tcp_server and user_udp_server
> these booleans currently allow unpriv users to bind tcp and udp sockets
> to generic ports respectively.
> 
> This is old, inaccurate and outdated. Instead those booleans should
> probably be modernized:
> 
> 	tunable_policy(`user_tcp_server',`
> 		corenet_tcp_bind_generic_node($1_t)
> 		corenet_tcp_bind_all_unreserved_ports($1_t)
> 	')
> 
> 	tunable_policy(`user_udp_server',`
> 		corenet_udp_bind_generic_node($1_t)
> 		corenet_udp_bind_all_unreserved_ports($1_t)
> 	')

Unreserved ports means all ports >1023.  I don't think that's what we want.  
There are lots of daemons using ports >1023, many of which are IANA assigned.

> >  optional_policy(`
> >  
> >  	apache_role(staff_r, staff_t)
> >  
> >  ')
> > 
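
Review bot: the three corenet_* lines added after corenet_ib_access_unlabeled_pkeys(staff_t) are unconditional and asymmetric: TCP gets corenet_tcp_bind_generic_node(staff_t), but the UDP port bind has no matching corenet_udp_bind_generic_node(staff_t). Suggest putting them behind a tunable_policy block, as the unprivuser.te part of this patch does for user_t, and either adding the UDP node bind or dropping the UDP port line.
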
> > @@ -36,6 +40,10 @@ optional_policy(`
> > 
> >  ')
> >  
> >  optional_policy(`
> > 
> > +	netutils_domtrans_ping(staff_t)
> > +')
> > +
> 
> This is already (conditionally) allowed in the userdom_unpriv_user_template()
> To make it work requires a boolean to be set to true (I believe)

OK, I'll remove that.

> > +optional_policy(`
> > 
> >  	postgresql_role(staff_r, staff_t)
> >  
> >  ')
> > 
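
Review bot: netutils_domtrans_ping(staff_t) sits in its own optional_policy block with no tunable and no comment saying why staff_t needs it, unlike the "# for torbrowser-launcher" comment added later in this file. Suggest a one-line comment giving the use case, and a tunable_policy guard inside the block if the transition is meant to be switchable.
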
> > @@ -65,6 +73,11 @@ optional_policy(`
> > 
> >  ')
> >  
> >  optional_policy(`
> > 
> > +	# for torbrowser-launcher
> > +	xdg_exec_data(staff_t)
> 
> What location is this exactly? ~/.local/bin?

~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/
 
> I would associate a "bin_home_t" with ~/.local/bin and only allow that
> to be executed, rather than all of ~/.local
> 
> But regardless, this or a similar rule should apply to
> userdom_unpriv_user_template() instead. Use the templates.

OK, I'll remove it for now.

> > +')
> > +
> > +optional_policy(`
> > 
> >  	xscreensaver_role(staff_r, staff_t)
> >  
> >  ')
> > 
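
Review bot: xdg_exec_data(staff_t) is justified only by the comment "# for torbrowser-launcher", yet going by its name the call covers execution of XDG data files in general, not one application's directory. Suggest extending the comment to name the path that needs exec, and scoping the rule to a dedicated type for the launcher's files if one can be defined.
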
> > Index: refpolicy-2.20210120/policy/modules/roles/unprivuser.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/roles/unprivuser.te
> > +++ refpolicy-2.20210120/policy/modules/roles/unprivuser.te
> > @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
> > 
> >  #
> >  # Declarations
> >  #
> > 
> > +## <desc>
> > +## <p>
> > +## Allow user to bind all unreserved ports
> > +## </p>
> > +## </desc>
> > +gen_tunable(user_bind_unreserved, false)
> 
> Modernize and use the existing user_tcp_server and user_udp_server
> booleans in userdom_unpriv_user_template() instead? See above comment.

OK.

> >  #role user_r;
> >  
> >  userdom_unpriv_user_template(user)
> > 
> > +tunable_policy(`user_bind_unreserved', `
> > +	corenet_tcp_bind_all_unreserved_ports(user_t)
> > +	corenet_udp_bind_all_unreserved_ports(user_t)
> > +	corenet_tcp_bind_generic_node(user_t)
> > +')
> 
> See above comment about user_tcp_server and user_udp_server booleans in
> userdom_unpriv_user_template()

OK.

> >  ')
> > 
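
Review bot: the <desc> text for user_bind_unreserved says only "bind all unreserved ports", but the tunable_policy block also grants corenet_tcp_bind_generic_node(user_t), and corenet_udp_bind_all_unreserved_ports(user_t) has no UDP node bind beside it. Suggest stating in the description that both TCP and UDP are covered and making the node rules symmetric, so the boolean does what its documentation says.
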
> > @@ -25,6 +37,10 @@ optional_policy(`
> > 
> >  ')
> >  
> >  optional_policy(`
> > 
> > +	netutils_domtrans_ping(user_t)
> > +')
> > +
> 
> This is already allowed conditionally in userdom_unpriv_user_template()
> requires a boolean to be set to true to work. Adding this rule would
> break that existing model.

OK.

> > +########################################
> > +## <summary>
> > +##	Restart and get status of samba daemon
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`samba_restart',`
> > +	gen_require(`
> > +		type samba_unit_t;
> > +	')
> > +
> > +	allow $1 samba_unit_t:file getattr;
> > +	allow $1 samba_unit_t:service { start stop status reload };
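
Review bot: the interface is named samba_restart and its summary says "Restart and get status", but the permission set on samba_unit_t:service is { start stop status reload }, so callers also get standalone start, stop and reload. Suggest updating the summary to list what is actually granted, or splitting status from the state-changing permissions so a caller can take only what it needs.
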
> 
> This interface seems a bit broad

OK.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/





