Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, man/man8/, policy/modules/system/
Date: Fri, 28 Nov 2014 11:39:28
Message-Id: 1417174691.6f0f885d309f3bc6165bb7d230206ea6a6572c4e.swift@gentoo
1 commit: 6f0f885d309f3bc6165bb7d230206ea6a6572c4e
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Fri Nov 28 10:13:54 2014 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Fri Nov 28 11:38:11 2014 +0000
6 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f0f885d
7
8 Fix bug 529204 - Support a dhcpc_script_t domain
9
10 We introduce an executable domain (dhcpc_script_t) through which the
11 hooks can be executed for the DHCP clients. This domain is separate in
12 order to keep the privileges of the application small, but also because
13 this domain will execute commands that are not in the responsibility of
14 the DHCP client code itself (code-wise) but are provided by
15 administrators.
16
17 Security-wise, as these are scripts, it is more difficult to guarantee
18 correctness. As such, we want to isolate these privileges into their own
19 domain.
20
21 The domain will have basic privileges to support the majority of
22 installations, but we also include a sysnet_dhcpc_script_entry()
23 interface so that domain transitions can be easily added without the
24 need for augmenting the privileges of the dhcpc_script_t domain.
25
26 ---
27 man/man8/sysnetwork_selinux.8 | 110 ++++++++++++++++++++++++++++++++++
28 policy/modules/kernel/corecommands.fc | 2 +-
29 policy/modules/system/sysnetwork.fc | 1 +
30 policy/modules/system/sysnetwork.if | 29 +++++++++
31 policy/modules/system/sysnetwork.rst | 91 ++++++++++++++++++++++++++++
32 policy/modules/system/sysnetwork.te | 58 ++++++++++++++++++
33 6 files changed, 290 insertions(+), 1 deletion(-)
34
35 diff --git a/man/man8/sysnetwork_selinux.8 b/man/man8/sysnetwork_selinux.8
36 new file mode 100644
37 index 0000000..217c020
38 --- /dev/null
39 +++ b/man/man8/sysnetwork_selinux.8
40 @@ -0,0 +1,110 @@
41 +.\" Man page generated from reStructuredText.
42 +.
43 +.TH SYSNETWORK_SELINUX 8 "2014-11-28" "" "SELinux"
44 +.SH NAME
45 +sysnetwork_selinux \- SELinux policy module for system networking
46 +.
47 +.nr rst2man-indent-level 0
48 +.
49 +.de1 rstReportMargin
50 +\\$1 \\n[an-margin]
51 +level \\n[rst2man-indent-level]
52 +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
53 +-
54 +\\n[rst2man-indent0]
55 +\\n[rst2man-indent1]
56 +\\n[rst2man-indent2]
57 +..
58 +.de1 INDENT
59 +.\" .rstReportMargin pre:
60 +. RS \\$1
61 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
62 +. nr rst2man-indent-level +1
63 +.\" .rstReportMargin post:
64 +..
65 +.de UNINDENT
66 +. RE
67 +.\" indent \\n[an-margin]
68 +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
69 +.nr rst2man-indent-level -1
70 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
71 +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
72 +..
73 +.SH DESCRIPTION
74 +.sp
75 +The \fBsysnetwork\fP SELinux module supports the following core networking
76 +domains: DHCP client and ifconfig.
77 +.SS DHCP Client
78 +.sp
79 +The DHCP client policy works around the \fIdhcpc_t\fP domain. It is usually
80 +executed from within an init script, and interacts with the network subsystems
81 +in the Linux kernel in order to obtain an IP address and manage the network
82 +configuration of the system.
83 +.sp
84 +Some DHCP clients also have the ability to call additional scripts when an IP
85 +address is obtained (or released), allowing administrators to automate certain
86 +tasks on the system further. Within the SELinux policy, we (Gentoo) try to
87 +handle the hooks through the \fIdhcp_script_t\fP domain.
88 +.SS Ifconfig
89 +.sp
90 +The \fIifconfig\fP command (and associated \fIifconfig_t\fP domain) is used to manually
91 +set the IP address and other network configurations of the system.
92 +.SH BOOLEANS
93 +.sp
94 +No booleans are managed through this module.
95 +.SH DOMAINS
96 +.INDENT 0.0
97 +.TP
98 +.B dhcpc_t
99 +The main domain for the DHCP client
100 +.TP
101 +.B dhcpc_script_t
102 +The domain in which the hooks (pre\- and post processing of DHCP operations)
103 +run
104 +.TP
105 +.B ifconfig_t
106 +The domain for manual IP address handling (for instance through the
107 +\fIifconfig\fP or \fIip\fP commands)
108 +.UNINDENT
109 +.SH POLICY
110 +.sp
111 +The following interfaces can be used to enhance the default policy with
112 +sysnetwork\-related provileges. More details on these interfaces can be found in the
113 +interface HTML documentation, we will not list all available interfaces here.
114 +.SS Domain interaction
115 +.sp
116 +The most interesting definition in the policy is the \fBsysnet_dhcpc_script_entry\fP
117 +interface. It allows for the DHCP script domain (\fIdhcpc_script_t\fP) to
118 +execute a particular type (second argument) and transition to a given domain
119 +(first argument).
120 +.sp
121 +For instance, to allow a DHCP hook to execute any portage commands:
122 +.INDENT 0.0
123 +.INDENT 3.5
124 +.sp
125 +.nf
126 +.ft C
127 +sysnet_dhcpc_script_entry(portage_t, portage_exec_t)
128 +.ft P
129 +.fi
130 +.UNINDENT
131 +.UNINDENT
132 +.sp
133 +It is generally preferred to transition a DHCP hook script as fast as possible
134 +to a specific domain rather than enhancing the \fIdhcpc_script_t\fP domain with
135 +additional privileges.
136 +.SH BUGS
137 +.sp
138 +No specific bugs known.
139 +.SH SEE ALSO
140 +.INDENT 0.0
141 +.IP \(bu 2
142 +Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
143 +.IP \(bu 2
144 +Gentoo Hardened SELinux Project at
145 +\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
146 +.UNINDENT
147 +.SH AUTHOR
148 +Sven Vermeulen <swift@g.o>
149 +.\" Generated by docutils manpage writer.
150 +.
151
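Review bot: the DESCRIPTION section names the hook domain dhcp_script_t ("handle the hooks through the \fIdhcp_script_t\fP domain") while the DOMAINS section and sysnetwork.te use dhcpc_script_t, and the POLICY section has "provileges" for "privileges". The first line says this file is generated from reStructuredText, so make both fixes in policy/modules/system/sysnetwork.rst and regenerate the .8 rather than editing it by hand.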
152 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
153 index 406a11e..40fd54b 100644
154 --- a/policy/modules/kernel/corecommands.fc
155 +++ b/policy/modules/kernel/corecommands.fc
156 @@ -143,7 +143,7 @@ ifdef(`distro_debian',`
157 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
158
159 ifdef(`distro_gentoo',`
160 -/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
161 +#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
162
163 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
164 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
165
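Review bot: the old bin_t entry for /lib/dhcpcd/dhcpcd-run-hooks is commented out rather than removed. Since the label now lives in sysnetwork.fc under the same distro_gentoo guard, delete the line instead of leaving a dead "#/lib/dhcpcd/dhcpcd-run-hooks" entry in corecommands.fc; a commented-out file context only misleads whoever greps for that path later.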
166 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
167 index a809d61..d9b674e 100644
168 --- a/policy/modules/system/sysnetwork.fc
169 +++ b/policy/modules/system/sysnetwork.fc
170 @@ -81,6 +81,7 @@ ifdef(`distro_debian',`
171 ')
172
173 ifdef(`distro_gentoo',`
174 +/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
175 /var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
176 /var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
177 ')
178
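Review bot: only dhcpcd's hook runner receives dhcpc_script_exec_t, and only under distro_gentoo, while the commit message describes the domain as serving "the DHCP clients" in general. Say explicitly (in the commit message or the .rst) that hook scripts of other DHCP clients are not labelled by this change and therefore keep running in dhcpc_t, so readers do not assume the separation already covers every client.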
179 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
180 index 2cea692..86313b6 100644
181 --- a/policy/modules/system/sysnetwork.if
182 +++ b/policy/modules/system/sysnetwork.if
183 @@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',`
184
185 sysnet_read_config($1)
186 ')
187 +
188 +# This should be after an ifdef distro_gentoo but that is not allowed in an if file
189 +
190 +########################################
191 +## <summary>
192 +## Make the specified program domain
193 +## accessable from the DHCP hooks/scripts.
194 +## </summary>
195 +## <param name="domain">
196 +## <summary>
197 +## The type of the process to transition to.
198 +## </summary>
199 +## </param>
200 +## <param name="entrypoint">
201 +## <summary>
202 +## The type of the file used as an entrypoint to this domain.
203 +## </summary>
204 +## </param>
205 +#
206 +interface(`sysnet_dhcpc_script_entry',`
207 + gen_require(`
208 + type dhcpc_script_t;
209 + attribute_role dhcpc_roles;
210 + ')
211 +
212 + role dhcpc_roles types $1;
213 +
214 + domtrans_pattern(dhcpc_script_t, $2, $1)
215 +')
216
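Review bot: the interface is defined unconditionally, but its gen_require names dhcpc_script_t and dhcpc_roles, and dhcpc_script_t is declared inside ifdef(`distro_gentoo') in sysnetwork.te, so a caller on a non-Gentoo build fails at policy compile time with an undeclared type. The comment "This should be after an ifdef distro_gentoo but that is not allowed in an if file" acknowledges the problem; either state the Gentoo-only restriction in the <summary> or move the type declaration out of the ifdef. Also "accessable" in the summary should read "accessible".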
217 diff --git a/policy/modules/system/sysnetwork.rst b/policy/modules/system/sysnetwork.rst
218 new file mode 100644
219 index 0000000..13e0c34
220 --- /dev/null
221 +++ b/policy/modules/system/sysnetwork.rst
222 @@ -0,0 +1,91 @@
223 +==================
224 +sysnetwork_selinux
225 +==================
226 +
227 +-------------------------------------------
228 +SELinux policy module for system networking
229 +-------------------------------------------
230 +
231 +:Author: Sven Vermeulen <swift@g.o>
232 +:Date: 2014-11-28
233 +:Manual section: 8
234 +:Manual group: SELinux
235 +
236 +DESCRIPTION
237 +===========
238 +
239 +The **sysnetwork** SELinux module supports the following core networking
240 +domains: DHCP client and ifconfig.
241 +
242 +DHCP Client
243 +-----------
244 +
245 +The DHCP client policy works around the *dhcpc_t* domain. It is usually
246 +executed from within an init script, and interacts with the network subsystems
247 +in the Linux kernel in order to obtain an IP address and manage the network
248 +configuration of the system.
249 +
250 +Some DHCP clients also have the ability to call additional scripts when an IP
251 +address is obtained (or released), allowing administrators to automate certain
252 +tasks on the system further. Within the SELinux policy, we (Gentoo) try to
253 +handle the hooks through the *dhcp_script_t* domain.
254 +
255 +Ifconfig
256 +--------
257 +
258 +The *ifconfig* command (and associated *ifconfig_t* domain) is used to manually
259 +set the IP address and other network configurations of the system.
260 +
261 +BOOLEANS
262 +========
263 +
264 +No booleans are managed through this module.
265 +
266 +DOMAINS
267 +=======
268 +
269 +dhcpc_t
270 + The main domain for the DHCP client
271 +
272 +dhcpc_script_t
273 + The domain in which the hooks (pre- and post processing of DHCP operations)
274 + run
275 +
276 +ifconfig_t
277 + The domain for manual IP address handling (for instance through the
278 + *ifconfig* or *ip* commands)
279 +
280 +POLICY
281 +======
282 +
283 +The following interfaces can be used to enhance the default policy with
284 +sysnetwork-related provileges. More details on these interfaces can be found in the
285 +interface HTML documentation, we will not list all available interfaces here.
286 +
287 +Domain interaction
288 +------------------
289 +
290 +The most interesting definition in the policy is the ``sysnet_dhcpc_script_entry``
291 +interface. It allows for the DHCP script domain (*dhcpc_script_t*) to
292 +execute a particular type (second argument) and transition to a given domain
293 +(first argument).
294 +
295 +For instance, to allow a DHCP hook to execute any portage commands::
296 +
297 + sysnet_dhcpc_script_entry(portage_t, portage_exec_t)
298 +
299 +It is generally preferred to transition a DHCP hook script as fast as possible
300 +to a specific domain rather than enhancing the *dhcpc_script_t* domain with
301 +additional privileges.
302 +
303 +BUGS
304 +====
305 +
306 +No specific bugs known.
307 +
308 +SEE ALSO
309 +========
310 +
311 +* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
312 +* Gentoo Hardened SELinux Project at
313 + https://wiki.gentoo.org/wiki/Project:Hardened
314
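Review bot: "*dhcp_script_t*" in the DHCP Client section should be "*dhcpc_script_t*", the name used in the DOMAINS section and in sysnetwork.te, and "provileges" in POLICY should be "privileges". Because man/man8/sysnetwork_selinux.8 is generated from this file, fix it here and regenerate the man page in the same commit so the two stay in sync.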
315 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
316 index 3576536..1dd0817 100644
317 --- a/policy/modules/system/sysnetwork.te
318 +++ b/policy/modules/system/sysnetwork.te
319 @@ -422,4 +422,62 @@ ifdef(`distro_gentoo',`
320 optional_policy(`
321 resolvconf_client_domain(dhcpc_t)
322 ')
323 +
324 + #########################################
325 + #
326 + # dhcpc_script_t
327 + #
328 +
329 + # The purpose of the dhcpc_script_t domain is to handle the post-processing of
330 + # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
331 + # assume others do as well. With the dhcpc_script_t domain we can isolate the
332 + # privileges of the DHCP client itself from the hooks / flexibility that the developers
333 + # introduced.
334 +
335 + type dhcpc_script_t;
336 + domain_type(dhcpc_script_t)
337 + role dhcpc_roles types dhcpc_script_t;
338 +
339 + type dhcpc_script_exec_t;
340 + domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
341 +
342 + type dhcpc_script_tmp_t;
343 + files_tmp_file(dhcpc_script_tmp_t)
344 +
345 + ########################################
346 + #
347 + # dhcpc script policy
348 + #
349 +
350 + allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
351 +
352 + manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
353 + files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
354 +
355 + manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
356 + files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
357 +
358 + kernel_read_network_state(dhcpc_script_t)
359 + kernel_read_system_state(dhcpc_script_t)
360 +
361 + corecmd_exec_bin(dhcpc_script_t)
362 + corecmd_exec_shell(dhcpc_script_t)
363 +
364 + files_read_etc_files(dhcpc_script_t)
365 +
366 + init_use_script_fds(dhcpc_script_t)
367 + init_use_script_ptys(dhcpc_script_t)
368 +
369 + # Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
370 + domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
371 +
372 + sysnet_manage_config(dhcpc_script_t)
373 +
374 + optional_policy(`
375 + hostname_run(dhcpc_script_t, dhcpc_roles)
376 + ')
377 +
378 + optional_policy(`
379 + ntp_manage_config(dhcpc_script_t)
380 + ')
381 ')
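Review bot: domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t) is hardcoded for dhcpc_t, so no other DHCP client domain can reach the script domain; as the comment above it already suggests, wrap it in a sysnet_domtrans_dhcpc_script() interface and call that from the dhcpc_t section, which keeps the rule reusable and next to the caller's policy. A second point: corecmd_exec_bin, corecmd_exec_shell and sysnet_manage_config together give the hook domain fairly wide rights for a domain whose stated purpose is keeping privileges small; since the .rst recommends transitioning hooks quickly via sysnet_dhcpc_script_entry, a short comment on which hook actions each of these grants is needed for would help the next reviewer judge whether they can be narrowed.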