Hi again,
Thanks again for all your help. I'm enjoying refactoring this,
making it better each time! I've learned a lot so far, and am
starting to look ready for tackling my next module, which will be
for an in-house application we use here at work.
I'm hoping to test this on a production server very soon. I'm
also chipping away at my colleagues whose only experience with
selinux is to turn it off! Some of them aren't too keen on the
idea of me introducing selinux on to our platform, but I'm just
going to introduce it bit by bit and make sure it's all documented
well, and that they understand what I'm up to.
# PowerDNS targeted enforcement module
policy_module(pdns,1.0.2)
type pdns_t; type pdns_exec_t; can_exec(pdns_t, pdns_exec_t)
init_daemon_domain(pdns_t, pdns_exec_t)
# /etc/pdns/pdns.conf type pdns_conf_t;
files_config_file(pdns_conf_t) read_files_pattern(pdns_t,
pdns_conf_t, pdns_conf_t) files_etc_filetrans(pdns_t, pdns_conf_t,
file)
# /var/run/pdns.pid /var/run/pdns.controlsocket
/var/run/subsys/pdns type pdns_var_run_t;
files_pid_file(pdns_var_run_t) manage_files_pattern(pdns_t,
pdns_var_run_t, pdns_var_run_t) manage_dirs_pattern(pdns_t,
pdns_var_run_t, pdns_var_run_t) manage_sock_files_pattern(pdns_t,
pdns_var_run_t, pdns_var_run_t) files_pid_filetrans(pdns_t,
pdns_var_run_t, { dir file sock_file })
# General self privs allow pdns_t self:capability { setuid chown
fsetid kill setgid }; allow pdns_t self:fifo_file
rw_fifo_file_perms; allow pdns_t self:process signal_perms; allow
pdns_t self:tcp_socket create_stream_socket_perms; allow pdns_t
self:udp_socket create_socket_perms;
# General files access Macros files_read_etc_files(pdns_t)
files_read_usr_files(pdns_t) files_read_default_files(pdns_t)
libs_use_lib_files(pdns_t) libs_use_ld_so(pdns_t)
miscfiles_read_localization(pdns_t)
# General Networky stuff corenet_udp_bind_all_nodes(pdns_t)
corenet_tcp_bind_all_nodes(pdns_t)
# Syslog logging_send_syslog_msg(pdns_t)
# Inbound DNS corenet_udp_bind_dns_port(pdns_t)
corenet_udp_sendrecv_dns_port(pdns_t)
corenet_tcp_bind_dns_port(pdns_t)
corenet_tcp_sendrecv_dns_port(pdns_t)
# Inbound TCP 8081 for PDNS Web Server
corenet_tcp_bind_transproxy_port(pdns_t)
corenet_tcp_sendrecv_transproxy_port(pdns_t)
# Outbound DB Connectivity corenet_tcp_connect_mysqld_port(pdns_t)
corenet_tcp_connect_mssql_port(pdns_t)
On 30/11/11 16:36, Daniel J Walsh wrote: On 11/30/2011 05:45 AM,
Tom wrote:
Hi Again,
I've followed your advice, and I've removed all but one
requirement for var_run_t:sock_file. I couldn't find any
interfaces which would simply give me access to that, but
it's certainly looking a lot better, and a lot more readable!
It could probably do with some more re-factoring, but it's
working well at the moment!
I haven't really thought too much about the file labelling.
I've only done the daemon binary, config file and
/var/run/pdns.pid file. I'm not sure I've followed best
practices there at all.
Ok the next rule you need to follow, is if you need to write to a
"Generic" type, then you need to create your own type and
potentially transition to it.
# PowerDNS targeted enforcement module
policy_module(pdns,1.0.0)
require { type var_run_t; }
type pdns_t; type pdns_exec_t; allow pdns_t pdns_exec_t:file
execute_no_trans;
init_daemon_domain(pdns_t, pdns_exec_t)
# /etc/pdns/pdns.conf type pdns_conf_t;
files_config_file(pdns_conf_t)
# /var/run/pdns.pid type pdns_var_run_t;
files_pid_file(pdns_var_run_t)
# General self privs allow pdns_t self:capability { setuid
chown fsetid kill setgid }; allow pdns_t self:fifo_file {
read getattr ioctl };
allow pdns_t self:fifo_file rw_fifo_file_perms;
allow pdns_t self:process sigkill;
Might want to just add signal_perms;
allow pdns_t self:tcp_socket { setopt read bind create
accept write ioctl connect getopt listen };
allow pdns_t self:tcp_socket create_stream_socket_perms;
allow pdns_t self:udp_socket { read bind create write getattr
};
allow pdns_t self:udp_socket create_socket_perms;
# Cannot figure out an interface to use with this one: allow
pdns_t var_run_t:sock_file { create setattr };
See below
# General files access Macros files_read_etc_files(pdns_t)
files_manage_usr_files(pdns_t)
You should have you own type? Whar file in /usr are you
rewriting?
files_read_default_files(pdns_t)
files_rw_generic_pids(pdns_t) files_delete_all_pids(pdns_t)
Are you actually deleting other peoples content in /var/run? Or
do you have your own content in /var/run?
For example something like
manage_dirs_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
files_pid_filetrans(pdns_t, pdns_var_run_t, { dir file sock_file
})
Then add a matching content in the fc file.
files_read_config_files(pdns_t) libs_use_lib_files(pdns_t)
libs_use_ld_so(pdns_t) miscfiles_read_localization(pdns_t)
# Core Network corenet_udp_bind_all_nodes(pdns_t)
corenet_tcp_bind_all_nodes(pdns_t)
# Syslog logging_send_syslog_msg(pdns_t)
# Inbound DNS corenet_udp_bind_dns_port(pdns_t)
corenet_udp_sendrecv_dns_port(pdns_t)
corenet_tcp_bind_dns_port(pdns_t)
corenet_tcp_sendrecv_dns_port(pdns_t)
# Inbound TCP 8081 for PDNS Web Server
corenet_tcp_bind_transproxy_port(pdns_t)
corenet_tcp_sendrecv_transproxy_port(pdns_t)
# Outbound DB Connectivity
corenet_tcp_connect_mysqld_port(pdns_t)
corenet_tcp_connect_mssql_port(pdns_t)
Thanks again for your advice.
Tom.
On 29/11/11 16:27, Tom wrote:
Hi Daniel,
Thanks for this. I'm just about to leave work, but I'll
be looking again in the morning, and I'll get back to you
and see what you think of version 1.0.1! :)
Thanks again. Tom.
On 29/11/11 16:14, Daniel J Walsh wrote:
On 11/29/2011 10:56 AM, Tom wrote:
Greetings,
This is my first attempt at writing an selinux
module. I've basically done it by trying to confine
the powerdns service, and then worked through all of
the problems I've had in the audit log. At this
point, my powerdns service seems to work well with
full functionality, however, I'm sure there's about a
million things I could be doing to make it better.
I'm still a bit shaky on the way I've done the domain
transition, and also, I'm sure there are a loads of
macros which I could be using, although I'm not sure
whether those types of things are distribution
dependent. I'm using CentOS 5.7, and have written
this to fit in to the targeted polifcy.
I'd be glad of any advice on how to do this type of
thing in a more efficient way.
Many thanks. Tom.
# cat pdns.te # PowerDNS targeted enforcement module
policy_module(pdns,1.0.0)
require { type etc_t; type lib_t; type usr_t; type
ld_so_cache_t; type ld_so_t; type lib_t; type
locale_t; type var_run_t; type devlog_t; type
syslogd_t; type initrc_var_run_t; type dns_port_t;
type inaddr_any_node_t; type transproxy_port_t; type
mysqld_port_t; type mssql_port_t; }
type pdns_t; type pdns_exec_t;
domain_type(pdns_t) domain_entry_file(pdns_t,
pdns_exec_t) init_daemon_domain(pdns_t, pdns_exec_t)
# /etc/pdns/pdns.conf type pdns_conf_t;
files_config_file(pdns_conf_t)
# /var/run/pdns.pid type pdns_var_run_t;
files_pid_file(pdns_var_run_t)
allow pdns_t etc_t:dir search; allow pdns_t
etc_t:file { getattr read }; allow pdns_t usr_t:dir
search; allow pdns_t usr_t:file { write create read
getattr }; allow pdns_t lib_t:dir { search getattr };
allow pdns_t lib_t:lnk_file read; allow pdns_t
lib_t:file { read getattr execute }; allow pdns_t
ld_so_cache_t:file read; allow pdns_t
ld_so_cache_t:file getattr; allow pdns_t ld_so_t:file
{ read execute }; allow pdns_t locale_t:file { read
getattr }; allow pdns_t pdns_conf_t:file read; allow
pdns_t var_run_t:dir { write remove_name add_name };
allow pdns_t var_run_t:sock_file { unlink create
setattr }; allow pdns_t var_run_t:file { write create
}; allow pdns_t devlog_t:sock_file write; allow
pdns_t syslogd_t:unix_dgram_socket sendto; allow
pdns_t initrc_var_run_t:file write; allow pdns_t
pdns_exec_t:file execute_no_trans;
allow pdns_t self:process sigkill; allow pdns_t
self:fifo_file { getattr read ioctl write }; allow
pdns_t self:capability { chown fsetid
net_bind_service setuid setgid kill }; allow pdns_t
self:unix_dgram_socket { create connect write };
allow pdns_t self:udp_socket { create bind read
getattr write }; allow pdns_t self:tcp_socket {
create bind read getattr write setopt listen connect
shutdown accept getopt ioctl };
allow pdns_t inaddr_any_node_t:udp_socket node_bind;
allow pdns_t inaddr_any_node_t:tcp_socket node_bind;
# TCP + UDP Port 53 allow pdns_t
dns_port_t:udp_socket name_bind; allow pdns_t
dns_port_t:tcp_socket name_bind;
# TCP 8081 for PDNS Web Server allow pdns_t
transproxy_port_t:tcp_socket name_bind;
# DB Connectivity allow pdns_t
mysqld_port_t:tcp_socket name_connect; allow pdns_t
mssql_port_t:tcp_socket name_connect;
# cat pdns.fc /usr/sbin/pdns_server --
gen_context(system_u:object_r:pdns_exec_t,s0)
/var/run/pdns.pid --
gen_context(system_u:object_r:pdns_var_run_t,s0)
/etc/pdns/pdns.conf --
gen_context(system_u:object_r:pdns_conf_t,s0)
-- This message was distributed to subscribers of
the selinux mailing list. If you no longer wish to
subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the
message.
Tom try to remove the entire require block. You should be
using interfaces and not using the types directly in your
policy.
All interfaces are available under
/usr/share/selinux/devel/include/...
For example.
allow pdns_t etc_t:dir search; allow pdns_t
etc_t:file { getattr read }; allow pdns_t usr_t:dir
search; allow pdns_t usr_t:file { write create read
getattr };
Should be
files_read_etc_files(pdns_t) files_read_usr_files(pdns_t)
allow pdns_t transproxy_port_t:tcp_socket name_bind;
Should be
corenet_tcp_bind_transproxy_port(pdns_t)
-- This message was distributed to subscribers of the
selinux mailing list. If you no longer wish to subscribe,
send mail to majordomo@xxxxxxxxxxxxx with the words
"unsubscribe selinux" without quotes as the message.
-- This message was distributed to subscribers of the
selinux mailing list. If you no longer wish to subscribe,
send mail to majordomo@xxxxxxxxxxxxx with the words
"unsubscribe selinux" without quotes as the message.
-- This message was distributed to subscribers of the selinux
mailing list. If you no longer wish to subscribe, send mail to
majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux"
without quotes as the message.
