-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/2011 09:22 AM, Tom wrote:
> I've just removed that. It was only there because I had things
> incorrectly labelled when I first started working on the module,
> and audit2allow told me I should use that rule accordingly. I've
> had no denials since removing it!
>
> Cheers. Tom.
>
> On 01/12/11 14:18, Daniel J Walsh wrote:
>> On 12/01/2011 06:51 AM, Tom wrote:
>>> Hi again,
>>>
>>> Thanks again for all your help. I'm enjoying refactoring this,
>>> making it better each time! I've learned a lot so far, and am
>>> starting to look ready for tackling my next module, which will
>>> be for an in-house application we use here at work.
>>>
>>> I'm hoping to test this on a production server very soon. I'm
>>> also chipping away at my colleagues whose only experience with
>>> selinux is to turn it off! Some of them aren't too keen on the
>>> idea of me introducing selinux on to our platform, but I'm just
>>> going to introduce it bit by bit and make sure it's all
>>> documented well, and that they understand what I'm up to.
>>>
>>>
>>> # PowerDNS targeted enforcement module
>>>
>>> policy_module(pdns,1.0.2)
>>>
>>> type pdns_t;
>>> type pdns_exec_t;
>>> can_exec(pdns_t, pdns_exec_t)
>>>
>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>
>>> # /etc/pdns/pdns.conf
>>> type pdns_conf_t;
>>> files_config_file(pdns_conf_t)
>>> read_files_pattern(pdns_t, pdns_conf_t, pdns_conf_t)
>>> files_etc_filetrans(pdns_t, pdns_conf_t, file)
>>>
>>> # /var/run/pdns.pid /var/run/pdns.controlsocket /var/run/subsys/pdns
>>> type pdns_var_run_t;
>>> files_pid_file(pdns_var_run_t)
>>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>>
>>> # General self privs
>>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>> allow pdns_t self:process signal_perms;
>>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>> allow pdns_t self:udp_socket create_socket_perms;
>>>
>>> # General files access Macros
>>> files_read_etc_files(pdns_t)
>>> files_read_usr_files(pdns_t)
>>> files_read_default_files(pdns_t)
>>> libs_use_lib_files(pdns_t)
>>> libs_use_ld_so(pdns_t)
>>> miscfiles_read_localization(pdns_t)
>>>
>>> # General Networky stuff
>>> corenet_udp_bind_all_nodes(pdns_t)
>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>
>>> # Syslog
>>> logging_send_syslog_msg(pdns_t)
>>>
>>> # Inbound DNS
>>> corenet_udp_bind_dns_port(pdns_t)
>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>> corenet_tcp_bind_dns_port(pdns_t)
>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>
>>> # Inbound TCP 8081 for PDNS Web Server
>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>
>>> # Outbound DB Connectivity
>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>
>>>
>>> On 30/11/11 16:36, Daniel J Walsh wrote:
>>>> On 11/30/2011 05:45 AM, Tom wrote:
>>>>> Hi Again,
>>>>>
>>>>> I've followed your advice, and I've removed all but one
>>>>> requirement for var_run_t:sock_file. I couldn't find any
>>>>> interfaces which would simply give me access to that, but it's
>>>>> certainly looking a lot better, and a lot more readable! It
>>>>> could probably do with some more re-factoring, but it's working
>>>>> well at the moment!
>>>>>
>>>>> I haven't really thought too much about the file labelling.
>>>>> I've only done the daemon binary, config file and
>>>>> /var/run/pdns.pid file. I'm not sure I've followed best
>>>>> practices there at all.
>>>>>
>>>>>
>>>> OK, the next rule you need to follow is: if you need to write to
>>>> a "Generic" type, then you need to create your own type and
>>>> potentially transition to it.
>>>>
>>>>> # PowerDNS targeted enforcement module
>>>>>
>>>>> policy_module(pdns,1.0.0)
>>>>>
>>>>> require { type var_run_t; }
>>>>>
>>>>> type pdns_t;
>>>>> type pdns_exec_t;
>>>>> allow pdns_t pdns_exec_t:file execute_no_trans;
>>>>>
>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>
>>>>> # /etc/pdns/pdns.conf
>>>>> type pdns_conf_t;
>>>>> files_config_file(pdns_conf_t)
>>>>>
>>>>> # /var/run/pdns.pid
>>>>> type pdns_var_run_t;
>>>>> files_pid_file(pdns_var_run_t)
>>>>>
>>>>> # General self privs
>>>>> allow pdns_t self:capability { setuid chown fsetid kill setgid };
>>>>> allow pdns_t self:fifo_file { read getattr ioctl };
>>>> allow pdns_t self:fifo_file rw_fifo_file_perms;
>>>>> allow pdns_t self:process sigkill;
>>>> Might want to just add signal_perms;
>>>>> allow pdns_t self:tcp_socket { setopt read bind create accept write ioctl connect getopt listen };
>>>> allow pdns_t self:tcp_socket create_stream_socket_perms;
>>>>
>>>>> allow pdns_t self:udp_socket { read bind create write getattr };
>>>> allow pdns_t self:udp_socket create_socket_perms;
>>>>> # Cannot figure out an interface to use with this one:
>>>>> allow pdns_t var_run_t:sock_file { create setattr };
>>>>>
>>>> See below
>>>>> # General files access Macros
>>>>> files_read_etc_files(pdns_t)
>>>>> files_manage_usr_files(pdns_t)
>>>> You should have your own type? What file in /usr are you
>>>> rewriting?
>>>>
>>>>> files_read_default_files(pdns_t)
>>>>> files_rw_generic_pids(pdns_t)
>>>>> files_delete_all_pids(pdns_t)
>>>> Are you actually deleting other people's content in /var/run?
>>>> Or do you have your own content in /var/run?
>>>>
>>>> For example something like
>>>>
>>>> manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>> manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>> manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
>>>> files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file })
>>>>
>>>> Then add a matching content in the fc file.
>>>>
>>>>> files_read_config_files(pdns_t)
>>>>> libs_use_lib_files(pdns_t)
>>>>> libs_use_ld_so(pdns_t)
>>>>> miscfiles_read_localization(pdns_t)
>>>>>
>>>>> # Core Network
>>>>> corenet_udp_bind_all_nodes(pdns_t)
>>>>> corenet_tcp_bind_all_nodes(pdns_t)
>>>>>
>>>>> # Syslog
>>>>> logging_send_syslog_msg(pdns_t)
>>>>>
>>>>> # Inbound DNS
>>>>> corenet_udp_bind_dns_port(pdns_t)
>>>>> corenet_udp_sendrecv_dns_port(pdns_t)
>>>>> corenet_tcp_bind_dns_port(pdns_t)
>>>>> corenet_tcp_sendrecv_dns_port(pdns_t)
>>>>>
>>>>> # Inbound TCP 8081 for PDNS Web Server
>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>>>> corenet_tcp_sendrecv_transproxy_port(pdns_t)
>>>>>
>>>>> # Outbound DB Connectivity
>>>>> corenet_tcp_connect_mysqld_port(pdns_t)
>>>>> corenet_tcp_connect_mssql_port(pdns_t)
>>>>>
>>>>>
>>>>> Thanks again for your advice.
>>>>>
>>>>> Tom.
>>>>>
>>>>>
>>>>> On 29/11/11 16:27, Tom wrote:
>>>>>> Hi Daniel,
>>>>>>
>>>>>> Thanks for this. I'm just about to leave work, but I'll be
>>>>>> looking again in the morning, and I'll get back to you and see
>>>>>> what you think of version 1.0.1! :)
>>>>>>
>>>>>> Thanks again. Tom.
>>>>>>
>>>>>>
>>>>>> On 29/11/11 16:14, Daniel J Walsh wrote:
>>>>>>> On 11/29/2011 10:56 AM, Tom wrote:
>>>>>>>> Greetings,
>>>>>>>>
>>>>>>>> This is my first attempt at writing an selinux module. I've
>>>>>>>> basically done it by trying to confine the powerdns service,
>>>>>>>> and then worked through all of the problems I've had in the
>>>>>>>> audit log. At this point, my powerdns service seems to work
>>>>>>>> well with full functionality, however, I'm sure there's about
>>>>>>>> a million things I could be doing to make it better. I'm
>>>>>>>> still a bit shaky on the way I've done the domain transition,
>>>>>>>> and also, I'm sure there are loads of macros which I could be
>>>>>>>> using, although I'm not sure whether those types of things
>>>>>>>> are distribution dependent. I'm using CentOS 5.7, and have
>>>>>>>> written this to fit in to the targeted policy.
>>>>>>>>
>>>>>>>> I'd be glad of any advice on how to do this type of thing in
>>>>>>>> a more efficient way.
>>>>>>>>
>>>>>>>> Many thanks. Tom.
>>>>>>>>
>>>>>>>> # cat pdns.te
>>>>>>>> # PowerDNS targeted enforcement module
>>>>>>>>
>>>>>>>> policy_module(pdns,1.0.0)
>>>>>>>>
>>>>>>>> require {
>>>>>>>>     type etc_t;
>>>>>>>>     type lib_t;
>>>>>>>>     type usr_t;
>>>>>>>>     type ld_so_cache_t;
>>>>>>>>     type ld_so_t;
>>>>>>>>     type lib_t;
>>>>>>>>     type locale_t;
>>>>>>>>     type var_run_t;
>>>>>>>>     type devlog_t;
>>>>>>>>     type syslogd_t;
>>>>>>>>     type initrc_var_run_t;
>>>>>>>>     type dns_port_t;
>>>>>>>>     type inaddr_any_node_t;
>>>>>>>>     type transproxy_port_t;
>>>>>>>>     type mysqld_port_t;
>>>>>>>>     type mssql_port_t;
>>>>>>>> }
>>>>>>>>
>>>>>>>> type pdns_t;
>>>>>>>> type pdns_exec_t;
>>>>>>>>
>>>>>>>> domain_type(pdns_t)
>>>>>>>> domain_entry_file(pdns_t, pdns_exec_t)
>>>>>>>> init_daemon_domain(pdns_t, pdns_exec_t)
>>>>>>>>
>>>>>>>> # /etc/pdns/pdns.conf
>>>>>>>> type pdns_conf_t;
>>>>>>>> files_config_file(pdns_conf_t)
>>>>>>>>
>>>>>>>> # /var/run/pdns.pid
>>>>>>>> type pdns_var_run_t;
>>>>>>>> files_pid_file(pdns_var_run_t)
>>>>>>>>
>>>>>>>> allow pdns_t etc_t:dir search;
>>>>>>>> allow pdns_t etc_t:file { getattr read };
>>>>>>>> allow pdns_t usr_t:dir search;
>>>>>>>> allow pdns_t usr_t:file { write create read getattr };
>>>>>>>> allow pdns_t lib_t:dir { search getattr };
>>>>>>>> allow pdns_t lib_t:lnk_file read;
>>>>>>>> allow pdns_t lib_t:file { read getattr execute };
>>>>>>>> allow pdns_t ld_so_cache_t:file read;
>>>>>>>> allow pdns_t ld_so_cache_t:file getattr;
>>>>>>>> allow pdns_t ld_so_t:file { read execute };
>>>>>>>> allow pdns_t locale_t:file { read getattr };
>>>>>>>> allow pdns_t pdns_conf_t:file read;
>>>>>>>> allow pdns_t var_run_t:dir { write remove_name add_name };
>>>>>>>> allow pdns_t var_run_t:sock_file { unlink create setattr };
>>>>>>>> allow pdns_t var_run_t:file { write create };
>>>>>>>> allow pdns_t devlog_t:sock_file write;
>>>>>>>> allow pdns_t syslogd_t:unix_dgram_socket sendto;
>>>>>>>> allow pdns_t initrc_var_run_t:file write;
>>>>>>>> allow pdns_t pdns_exec_t:file execute_no_trans;
>>>>>>>>
>>>>>>>> allow pdns_t self:process sigkill;
>>>>>>>> allow pdns_t self:fifo_file { getattr read ioctl write };
>>>>>>>> allow pdns_t self:capability { chown fsetid net_bind_service setuid setgid kill };
>>>>>>>> allow pdns_t self:unix_dgram_socket { create connect write };
>>>>>>>> allow pdns_t self:udp_socket { create bind read getattr write };
>>>>>>>> allow pdns_t self:tcp_socket { create bind read getattr write setopt listen connect shutdown accept getopt ioctl };
>>>>>>>>
>>>>>>>> allow pdns_t inaddr_any_node_t:udp_socket node_bind;
>>>>>>>> allow pdns_t inaddr_any_node_t:tcp_socket node_bind;
>>>>>>>>
>>>>>>>> # TCP + UDP Port 53
>>>>>>>> allow pdns_t dns_port_t:udp_socket name_bind;
>>>>>>>> allow pdns_t dns_port_t:tcp_socket name_bind;
>>>>>>>>
>>>>>>>> # TCP 8081 for PDNS Web Server
>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>>>>>>
>>>>>>>> # DB Connectivity
>>>>>>>> allow pdns_t mysqld_port_t:tcp_socket name_connect;
>>>>>>>> allow pdns_t mssql_port_t:tcp_socket name_connect;
>>>>>>>>
>>>>>>>>
>>>>>>>> # cat pdns.fc
>>>>>>>> /usr/sbin/pdns_server -- gen_context(system_u:object_r:pdns_exec_t,s0)
>>>>>>>> /var/run/pdns.pid -- gen_context(system_u:object_r:pdns_var_run_t,s0)
>>>>>>>> /etc/pdns/pdns.conf -- gen_context(system_u:object_r:pdns_conf_t,s0)
>>>>>>>>
>>>>>>>>
>>>>>>>> -- This message was distributed to subscribers of the selinux
>>>>>>>> mailing list. If you no longer wish to subscribe, send mail to
>>>>>>>> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux"
>>>>>>>> without quotes as the message.
>>>>>>> Tom try to remove the entire require block. You should be
>>>>>>> using interfaces and not using the types directly in your
>>>>>>> policy.
>>>>>>>
>>>>>>> All interfaces are available under
>>>>>>> /usr/share/selinux/devel/include/...
>>>>>>>
>>>>>>> For example.
>>>>>>>> allow pdns_t etc_t:dir search;
>>>>>>>> allow pdns_t etc_t:file { getattr read };
>>>>>>>> allow pdns_t usr_t:dir search;
>>>>>>>> allow pdns_t usr_t:file { write create read getattr };
>>>>>>> Should be
>>>>>>>
>>>>>>> files_read_etc_files(pdns_t)
>>>>>>> files_read_usr_files(pdns_t)
>>>>>>>
>>>>>>>
>>>>>>>> allow pdns_t transproxy_port_t:tcp_socket name_bind;
>>>>>>> Should be
>>>>>>>
>>>>>>> corenet_tcp_bind_transproxy_port(pdns_t)
>>
>> What default_t files do you have on your system? default_t means
>> these are files on the system that SELinux has no idea what the
>> content is. It usually means you added a new directory at /. If
>> you could classify this data with a label and label it correctly
>> you should be able to remove the files_read_default. Most confined
>> apps are not allowed to use content labeled default_t.
>

Excellent, then I think your policy looks good from a cursory review.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7Xjf8ACgkQrlYvE4MpobMcRACfTblmFXgiITDHEW6yZv5qAPwT
3uoAoKthjiYOAgExf8flV86AJWpdJ3iG
=Vbuz
-----END PGP SIGNATURE-----
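Added example, not code from the thread or from the refpolicy project: the Python script below mechanises the review rules Dan applies in the thread, run over an excerpt of Tom's first pdns.te embedded as constructed sample input. It reports a leftover require block (Dan's "remove the entire require block, use interfaces"), raw allow rules against types the module does not declare (candidates for interface calls), write permissions against generic types such as var_run_t or usr_t (Dan's "create your own type and potentially transition to it" rule), and use of files_read_default_files. The Finding kinds, regexes and messages are my own; the parser assumes refpolicy-style .te syntax (statements ending in ";", no nested braces) and is not the checkmodule/semodule toolchain.

```python
"""Lint a refpolicy-style .te module for the review points raised in the thread."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "kind subject detail")

# Permissions that create, modify or remove an object. Any of these against
# a generic type (var_run_t, usr_t, etc_t, ...) is the case Dan describes:
# declare a private type, use manage_*_pattern plus a files_*_filetrans
# rule, and label the path in the .fc file.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "link", "add_name", "remove_name", "rmdir"}

RE_REQUIRE = re.compile(r"\brequire\s*\{(.*?)\}", re.S)
RE_TYPE = re.compile(r"\btype\s+(\w+)\s*;")
RE_ALLOW = re.compile(
    r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")
RE_CALL = re.compile(r"\b([a-z_]\w*)\s*\(\s*([^)]*)\)")


def strip_comments(source):
    """Remove '#' comments so commented-out rules are not linted."""
    return "\n".join(line.split("#", 1)[0] for line in source.splitlines())


def lint_te(source):
    """Return a list of Finding for the policy text in `source`."""
    text = strip_comments(source)
    findings = []

    # 1. A require block means the module is naming types it does not own.
    for m in RE_REQUIRE.finditer(text):
        names = RE_TYPE.findall(m.group(1))
        findings.append(Finding("require", ", ".join(names),
                                "drop the require block; call interfaces from "
                                "/usr/share/selinux/devel/include instead"))
    text = RE_REQUIRE.sub(" ", text)

    # Types declared by the module itself; rules against these are fine.
    local_types = set(RE_TYPE.findall(text))

    # 2. Raw allow rules against foreign types: read-only ones want an
    #    interface call, writing ones want a private type and transition.
    for src, tgt, cls, perms in RE_ALLOW.findall(text):
        if tgt == "self" or tgt in local_types:
            continue
        permset = set(perms.strip("{} ").split())
        writes = sorted(permset & WRITE_PERMS)
        if writes:
            findings.append(Finding(
                "write-generic", f"{tgt}:{cls}",
                f"{src} writes to generic type {tgt} ({' '.join(writes)}); "
                "declare a private type, use manage_*_pattern and "
                "files_*_filetrans, and label the path in the .fc file"))
        else:
            findings.append(Finding(
                "raw-type", f"{tgt}:{cls}",
                f"replace the raw allow rule with the interface that "
                f"grants {src} this access"))

    # 3. default_t is content SELinux could not classify; confined domains
    #    normally do not get it, so label the files instead.
    for name, args in RE_CALL.findall(text):
        if name == "files_read_default_files":
            findings.append(Finding(
                "default_t", args.strip(),
                "label the default_t content correctly and drop "
                "files_read_default_files"))
    return findings


def count_by_kind(findings):
    """Summary: {kind: number of findings}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample input: an excerpt of the first pdns.te in the thread.
SAMPLE_TE = """\
policy_module(pdns,1.0.0)

require {
    type etc_t;
    type usr_t;
    type var_run_t;
}

type pdns_t;
type pdns_exec_t;
type pdns_var_run_t;
files_pid_file(pdns_var_run_t)

allow pdns_t etc_t:dir search;
allow pdns_t etc_t:file { getattr read };
allow pdns_t usr_t:file { write create read getattr };
allow pdns_t var_run_t:sock_file { unlink create setattr };
allow pdns_t self:tcp_socket { create bind listen };
allow pdns_t pdns_var_run_t:file { create write };
files_read_default_files(pdns_t)
"""

if __name__ == "__main__":
    for f in lint_te(SAMPLE_TE):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

On the sample the checker reports one require block, two read-only raw rules against etc_t, two write rules against generic types (usr_t:file and var_run_t:sock_file) and one files_read_default_files call; the rule against the module's own pdns_var_run_t and the self: rules pass. Running it over the 1.0.2 module quoted above yields nothing, which is the state Dan's review converges on.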