Re: First forays in to writing a module to lock down PowerDNS.

Tom <tom@xxxxxxxx> · Thu, 01 Dec 2011 14:29:16 +0000

Again, thanks for the help, it's very much appreciated!

Tom.

On 01/12/11 14:23, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/2011 09:22 AM, Tom wrote:
I've just removed that.  It was only there because I had things
incorrectly labelled when I first started working on the module,
and audit2allow told me i should use that rule accordingly.  I've
had no denials since removing it!

Cheers.  Tom.

On 01/12/11 14:18, Daniel J Walsh wrote: On 12/01/2011 06:51 AM,
Tom wrote:
Hi again,

Thanks again for all your help.  I'm enjoying refactoring
this, making it better each time!  I've learned a lot so far,
and am starting to look ready for tackling my next module,
which will be for an in-house application we use here at
work.

I'm hoping to test this on a production server very soon.
I'm also chipping away at my colleagues whose only experience
with selinux is to turn it off!  Some of them aren't too keen
on the idea of me introducing selinux on to our platform, but
I'm just going to introduce it bit by bit and make sure it's
all documented well, and that they understand what I'm up
to.

# PowerDNS targeted enforcement module

policy_module(pdns,1.0.2)

type pdns_t; type pdns_exec_t; can_exec(pdns_t, pdns_exec_t)

init_daemon_domain(pdns_t, pdns_exec_t)

# /etc/pdns/pdns.conf type pdns_conf_t;
files_config_file(pdns_conf_t) read_files_pattern(pdns_t,
pdns_conf_t, pdns_conf_t) files_etc_filetrans(pdns_t,
pdns_conf_t, file)

# /var/run/pdns.pid /var/run/pdns.controlsocket
/var/run/subsys/pdns type pdns_var_run_t;
files_pid_file(pdns_var_run_t) manage_files_pattern(pdns_t,
pdns_var_run_t, pdns_var_run_t) manage_dirs_pattern(pdns_t,
pdns_var_run_t, pdns_var_run_t)
manage_sock_files_pattern(pdns_t, pdns_var_run_t,
pdns_var_run_t) files_pid_filetrans(pdns_t, pdns_var_run_t, {
dir file sock_file })

# General self privs allow pdns_t self:capability { setuid
chown fsetid kill setgid }; allow pdns_t self:fifo_file
rw_fifo_file_perms; allow pdns_t self:process signal_perms;
allow pdns_t self:tcp_socket create_stream_socket_perms;
allow pdns_t self:udp_socket create_socket_perms;

# General files access Macros files_read_etc_files(pdns_t)
files_read_usr_files(pdns_t)
files_read_default_files(pdns_t) libs_use_lib_files(pdns_t)
libs_use_ld_so(pdns_t) miscfiles_read_localization(pdns_t)

# General Networky stuff corenet_udp_bind_all_nodes(pdns_t)
corenet_tcp_bind_all_nodes(pdns_t)

# Syslog logging_send_syslog_msg(pdns_t)

# Inbound DNS corenet_udp_bind_dns_port(pdns_t)
corenet_udp_sendrecv_dns_port(pdns_t)
corenet_tcp_bind_dns_port(pdns_t)
corenet_tcp_sendrecv_dns_port(pdns_t)

# Inbound TCP 8081 for PDNS Web Server
corenet_tcp_bind_transproxy_port(pdns_t)
corenet_tcp_sendrecv_transproxy_port(pdns_t)

# Outbound DB Connectivity
corenet_tcp_connect_mysqld_port(pdns_t)
corenet_tcp_connect_mssql_port(pdns_t)

On 30/11/11 16:36, Daniel J Walsh wrote: On 11/30/2011 05:45
AM, Tom wrote:
Hi Again,

I've followed your advice, and I've removed all but
one requirement for var_run_t:sock_file.  I couldn't
find any interfaces which would simply give me access
to that, but it's certainly looking a lot better, and a
lot more readable! It could probably do with some more
re-factoring, but it's working well at the moment!

I haven't really thought too much about the file
labelling. I've only done the daemon binary, config
file and /var/run/pdns.pid file.  I'm not sure I've
followed best practices there at all.

Ok the next rule you need to follow, is if you need to write
to a "Generic" type, then you need to create your own type
and potentially transition to it.

# PowerDNS targeted enforcement module

policy_module(pdns,1.0.0)

require { type var_run_t; }

type pdns_t; type pdns_exec_t; allow pdns_t
pdns_exec_t:file execute_no_trans;

init_daemon_domain(pdns_t, pdns_exec_t)

# /etc/pdns/pdns.conf type pdns_conf_t;
files_config_file(pdns_conf_t)

# /var/run/pdns.pid type pdns_var_run_t;
files_pid_file(pdns_var_run_t)

# General self privs allow pdns_t self:capability {
setuid chown fsetid kill setgid }; allow pdns_t
self:fifo_file { read getattr ioctl };
allow pdns_t self:fifo_file rw_fifo_file_perms;
allow pdns_t self:process sigkill;
Might want to just add signal_perms;
allow pdns_t self:tcp_socket { setopt read bind create
accept write ioctl connect getopt listen };
allow pdns_t self:tcp_socket create_stream_socket_perms;

allow pdns_t self:udp_socket { read bind create write
getattr };
allow pdns_t self:udp_socket create_socket_perms;
# Cannot figure out an interface to use with this one:
allow pdns_t var_run_t:sock_file { create setattr };

See below
# General files access Macros
files_read_etc_files(pdns_t)
files_manage_usr_files(pdns_t)
You should have you own type?  Whar file in /usr are you
rewriting?

files_read_default_files(pdns_t)
files_rw_generic_pids(pdns_t)
files_delete_all_pids(pdns_t)
Are you actually deleting other peoples content in /var/run?
Or do you have your own content in /var/run?

For example something like

manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
manage_sock_files_pattern(pdns_t, pdns_var_run_t,
pdns_var_run_t) files_pid_filetrans(pdns_t, pdns_var_run_t, {
dir file sock_file })

Then add a matching content in the fc file.

files_read_config_files(pdns_t)
libs_use_lib_files(pdns_t) libs_use_ld_so(pdns_t)
miscfiles_read_localization(pdns_t)

# Core Network corenet_udp_bind_all_nodes(pdns_t)
corenet_tcp_bind_all_nodes(pdns_t)

# Syslog logging_send_syslog_msg(pdns_t)

# Inbound DNS corenet_udp_bind_dns_port(pdns_t)
corenet_udp_sendrecv_dns_port(pdns_t)
corenet_tcp_bind_dns_port(pdns_t)
corenet_tcp_sendrecv_dns_port(pdns_t)

# Inbound TCP 8081 for PDNS Web Server
corenet_tcp_bind_transproxy_port(pdns_t)
corenet_tcp_sendrecv_transproxy_port(pdns_t)

# Outbound DB Connectivity
corenet_tcp_connect_mysqld_port(pdns_t)
corenet_tcp_connect_mssql_port(pdns_t)

Thanks again for your advice.

Tom.

On 29/11/11 16:27, Tom wrote:
Hi Daniel,

Thanks for this.  I'm just about to leave work, but
I'll be looking again in the morning, and I'll get
back to you and see what you think of version 1.0.1!
:)

Thanks again.  Tom.

On 29/11/11 16:14, Daniel J Walsh wrote:
On 11/29/2011 10:56 AM, Tom wrote:
Greetings,

This is my first attempt at writing an selinux
module. I've basically done it by trying to
confine the powerdns service, and then worked
through all of the problems I've had in the
audit log. At this point, my powerdns service
seems to work well with full functionality,
however, I'm sure there's about a million
things I could be doing to make it better. I'm
still a bit shaky on the way I've done the
domain transition, and also, I'm sure there are
a loads of macros which I could be using,
although I'm not sure whether those types of
things are distribution dependent. I'm using
CentOS 5.7, and have written this to fit in to
the targeted polifcy.

I'd be glad of any advice on how to do this
type of thing in a more efficient way.

Many thanks.  Tom.

# cat pdns.te # PowerDNS targeted enforcement
module

policy_module(pdns,1.0.0)

require { type etc_t; type lib_t; type usr_t;
type ld_so_cache_t; type ld_so_t; type lib_t;
type locale_t; type var_run_t; type devlog_t;
type syslogd_t; type initrc_var_run_t; type
dns_port_t; type inaddr_any_node_t; type
transproxy_port_t; type mysqld_port_t; type
mssql_port_t; }

type pdns_t; type pdns_exec_t;

domain_type(pdns_t) domain_entry_file(pdns_t,
pdns_exec_t) init_daemon_domain(pdns_t,
pdns_exec_t)

# /etc/pdns/pdns.conf type pdns_conf_t;
files_config_file(pdns_conf_t)

# /var/run/pdns.pid type pdns_var_run_t;
files_pid_file(pdns_var_run_t)

allow pdns_t etc_t:dir search; allow pdns_t
etc_t:file { getattr read }; allow pdns_t
usr_t:dir search; allow pdns_t usr_t:file {
write create read getattr }; allow pdns_t
lib_t:dir { search getattr }; allow pdns_t
lib_t:lnk_file read; allow pdns_t lib_t:file {
read getattr execute }; allow pdns_t
ld_so_cache_t:file read; allow pdns_t
ld_so_cache_t:file getattr; allow pdns_t
ld_so_t:file { read execute }; allow pdns_t
locale_t:file { read getattr }; allow pdns_t
pdns_conf_t:file read; allow pdns_t
var_run_t:dir { write remove_name add_name };
allow pdns_t var_run_t:sock_file { unlink
create setattr }; allow pdns_t var_run_t:file {
write create }; allow pdns_t devlog_t:sock_file
write; allow pdns_t syslogd_t:unix_dgram_socket
sendto; allow pdns_t initrc_var_run_t:file
write; allow pdns_t pdns_exec_t:file
execute_no_trans;

allow pdns_t self:process sigkill; allow
pdns_t self:fifo_file { getattr read ioctl
write }; allow pdns_t self:capability { chown
fsetid net_bind_service setuid setgid kill };
allow pdns_t self:unix_dgram_socket { create
connect write }; allow pdns_t self:udp_socket {
create bind read getattr write }; allow pdns_t
self:tcp_socket { create bind read getattr
write setopt listen connect shutdown accept
getopt ioctl };

allow pdns_t inaddr_any_node_t:udp_socket
node_bind; allow pdns_t
inaddr_any_node_t:tcp_socket node_bind;

# TCP + UDP Port 53 allow pdns_t
dns_port_t:udp_socket name_bind; allow pdns_t
dns_port_t:tcp_socket name_bind;

# TCP 8081 for PDNS Web Server allow pdns_t
transproxy_port_t:tcp_socket name_bind;

# DB Connectivity allow pdns_t
mysqld_port_t:tcp_socket name_connect; allow
pdns_t mssql_port_t:tcp_socket name_connect;

# cat pdns.fc /usr/sbin/pdns_server    --
gen_context(system_u:object_r:pdns_exec_t,s0)
/var/run/pdns.pid --
gen_context(system_u:object_r:pdns_var_run_t,s0)

/etc/pdns/pdns.conf    --
gen_context(system_u:object_r:pdns_conf_t,s0)

-- This message was distributed to subscribers
of the selinux mailing list. If you no longer
wish to subscribe, send mail to
majordomo@xxxxxxxxxxxxx with the words
"unsubscribe selinux" without quotes as the
message.
Tom try to remove the entire require block.  You should
be using interfaces and not using the types directly in
your policy.

All interfaces are available under
/usr/share/selinux/devel/include/...

For example.
allow pdns_t etc_t:dir search; allow pdns_t
etc_t:file { getattr read }; allow pdns_t
usr_t:dir search; allow pdns_t usr_t:file {
write create read getattr };
Should be

files_read_etc_files(pdns_t)
files_read_usr_files(pdns_t)

allow pdns_t transproxy_port_t:tcp_socket
name_bind;
Should be

corenet_tcp_bind_transproxy_port(pdns_t)
-- This message was distributed to subscribers of
the selinux mailing list. If you no longer wish to
subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the
message.
-- This message was distributed to subscribers of the
selinux mailing list. If you no longer wish to
subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the
message.

-- This message was distributed to subscribers of the
selinux mailing list. If you no longer wish to subscribe,
send mail to majordomo@xxxxxxxxxxxxx with the words
"unsubscribe selinux" without quotes as the message.

What default_t files do you have on your system?  default_t means
these are files on the system that SELinux has no idea what the
content is.  It usually means you added a new directory at /.  If
you could classify this data as label and label it correctly you
should be able to remove the files_read_default.   Most confined
apps are not allowed to use content labeled default_t.

Excellent, then I think your policy looks good from a cursory review.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7Xjf8ACgkQrlYvE4MpobMcRACfTblmFXgiITDHEW6yZv5qAPwT
3uoAoKthjiYOAgExf8flV86AJWpdJ3iG
=Vbuz
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.