commit: 6f0f885d309f3bc6165bb7d230206ea6a6572c4e |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Fri Nov 28 10:13:54 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Fri Nov 28 11:38:11 2014 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f0f885d |
|
Fix bug 529204 - Support a dhcpc_script_t domain |
|
We introduce an executable domain (dhcpc_script_t) through which the |
hooks can be executed for the DHCP clients. This domain is separate in |
order to keep the privileges of the application small, but also because |
this domain will execute commands that are not in the responsibility of |
the DHCP client code itself (code-wise) but are provided by |
administrators. |
|
Security-wise, as these are scripts, it is more difficult to guarantee |
correctness. As such, we want to isolate these privileges into its own |
domain. |
|
The domain will have basic privileges to support the majority of |
installations, but we also include a sysnet_dhcpc_script_entry() |
interface so that domain transitions can be easily added without the |
need for augmenting the privileges of the dhcpc_script_t domain. |
|
--- |
man/man8/sysnetwork_selinux.8 | 110 ++++++++++++++++++++++++++++++++++ |
policy/modules/kernel/corecommands.fc | 2 +- |
policy/modules/system/sysnetwork.fc | 1 + |
policy/modules/system/sysnetwork.if | 29 +++++++++ |
policy/modules/system/sysnetwork.rst | 91 ++++++++++++++++++++++++++++ |
policy/modules/system/sysnetwork.te | 58 ++++++++++++++++++ |
6 files changed, 290 insertions(+), 1 deletion(-) |
|
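--- /dev/null
+++ b/man/man8/sysnetwork_selinux.8
@@ -0,0 +1,110 @@
+.\" Man page generated from reStructuredText.
+.
+.TH SYSNETWORK_SELINUX 8 "2014-11-28" "" "SELinux"
+.SH NAME
+sysnetwork_selinux \- SELinux policy module for system networking
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fBsysnetwork\fP SELinux module supports the following core networking
+domains: DHCP client and ifconfig.
+.SS DHCP Client
+.sp
+The DHCP client policy works around the \fIdhcpc_t\fP domain. It is usually
+executed from within an init script, and interacts with the network subsystems
+in the Linux kernel in order to obtain an IP address and manage the network
+configuration of the system.
+.sp
+Some DHCP clients also have the ability to call additional scripts when an IP
+address is obtained (or released), allowing administrators to automate certain
+tasks on the system further. Within the SELinux policy, we (Gentoo) try to
+handle the hooks through the \fIdhcp_script_t\fP domain.
+.SS Ifconfig
+.sp
+The \fIifconfig\fP command (and associated \fIifconfig_t\fP domain) is used to manually
+set the IP address and other network configurations of the system.
+.SH BOOLEANS
+.sp
+No booleans are managed through this module.
+.SH DOMAINS
+.INDENT 0.0
+.TP
+.B dhcpc_t
+The main domain for the DHCP client
+.TP
+.B dhcpc_script_t
+The domain in which the hooks (pre\- and post processing of DHCP operations)
+run
+.TP
+.B ifconfig_t
+The domain for manual IP address handling (for instance through the
+\fIifconfig\fP or \fIip\fP commands)
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+sysnetwork\-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+.SS Domain interaction
+.sp
+The most interesting definition in the policy is the \fBsysnet_dhcpc_script_entry\fP
+interface. It allows for the DHCP script domain (\fIdhcpc_script_t\fP) to
+execute a particular type (second argument) and transition to a given domain
+(first argument).
+.sp
+For instance, to allow a DHCP hook to execute any portage commands:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+sysnet_dhcpc_script_entry(portage_t, portage_exec_t)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+It is generally preferred to transition a DHCP hook script as fast as possible
+to a specific domain rather than enhancing the \fIdhcpc_script_t\fP domain with
+additional privileges.
+.SH BUGS
+.sp
+No specific bugs known.
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux Project at
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
+.UNINDENT
+.SH AUTHOR
+Sven Vermeulen <swift@g.o>
+.\" Generated by docutils manpage writer.
+.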
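--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)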
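Review bot: The old bin_t entry for `/lib/dhcpcd/dhcpcd-run-hooks` is kept as a commented-out line instead of being deleted, which leaves dead policy in corecommands.fc. The same path is now labelled dhcpc_script_exec_t in sysnetwork.fc, so a maintainer who later uncomments this line would introduce a second specification for the same path with a different type, which the file-context build would most likely report as conflicting. Deleting the line is preferable; if a pointer is wanted, a comment such as `# /lib/dhcpcd/dhcpcd-run-hooks is labelled dhcpc_script_exec_t in sysnetwork.fc` records where the entry went without carrying a re-enableable rule.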
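--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')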
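--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',`
 
 sysnet_read_config($1)
 ')
+
+# This should be after an ifdef distro_gentoo but that is not allowed in an if file
+
+########################################
+## <summary>
+## Make the specified program domain
+## accessable from the DHCP hooks/scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to transition to.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type of the file used as an entrypoint to this domain.
+## </summary>
+## </param>
+#
+interface(`sysnet_dhcpc_script_entry',`
+ gen_require(`
+ type dhcpc_script_t;
+ attribute_role dhcpc_roles;
+ ')
+
+ role dhcpc_roles types $1;
+
+ domtrans_pattern(dhcpc_script_t, $2, $1)
+')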
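Review bot: The interface documentation for `sysnet_dhcpc_script_entry` does not tell callers that it only resolves on Gentoo builds, and its summary misspells `accessable` (should read `accessible`). The `gen_require` pulls in dhcpc_script_t and dhcpc_roles, which sysnetwork.te declares only inside its distro_gentoo block, so — as the free-floating comment above the interface header already concedes — a call from a build without distro_gentoo fails at policy compile time on the missing type. I would move that information into the interface summary, e.g. `## Only usable on distro_gentoo builds, where the dhcpc_script_t domain and the dhcpc_roles attribute are declared; wrap calls in the matching ifdef.`, and drop the stray comment once the summary carries it. It would also help to state in the summary that the domain passed as the first argument is added to `dhcpc_roles`, since that is a side effect beyond the transition itself.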
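--- /dev/null
+++ b/policy/modules/system/sysnetwork.rst
@@ -0,0 +1,91 @@
+==================
+sysnetwork_selinux
+==================
+
+-------------------------------------------
+SELinux policy module for system networking
+-------------------------------------------
+
+:Author: Sven Vermeulen <swift@g.o>
+:Date: 2014-11-28
+:Manual section: 8
+:Manual group: SELinux
+
+DESCRIPTION
+===========
+
+The **sysnetwork** SELinux module supports the following core networking
+domains: DHCP client and ifconfig.
+
+DHCP Client
+-----------
+
+The DHCP client policy works around the *dhcpc_t* domain. It is usually
+executed from within an init script, and interacts with the network subsystems
+in the Linux kernel in order to obtain an IP address and manage the network
+configuration of the system.
+
+Some DHCP clients also have the ability to call additional scripts when an IP
+address is obtained (or released), allowing administrators to automate certain
+tasks on the system further. Within the SELinux policy, we (Gentoo) try to
+handle the hooks through the *dhcp_script_t* domain.
+
+Ifconfig
+--------
+
+The *ifconfig* command (and associated *ifconfig_t* domain) is used to manually
+set the IP address and other network configurations of the system.
+
+BOOLEANS
+========
+
+No booleans are managed through this module.
+
+DOMAINS
+=======
+
+dhcpc_t
+ The main domain for the DHCP client
+
+dhcpc_script_t
+ The domain in which the hooks (pre- and post processing of DHCP operations)
+ run
+
+ifconfig_t
+ The domain for manual IP address handling (for instance through the
+ *ifconfig* or *ip* commands)
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+sysnetwork-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Domain interaction
+------------------
+
+The most interesting definition in the policy is the ``sysnet_dhcpc_script_entry``
+interface. It allows for the DHCP script domain (*dhcpc_script_t*) to
+execute a particular type (second argument) and transition to a given domain
+(first argument).
+
+For instance, to allow a DHCP hook to execute any portage commands::
+
+ sysnet_dhcpc_script_entry(portage_t, portage_exec_t)
+
+It is generally preferred to transition a DHCP hook script as fast as possible
+to a specific domain rather than enhancing the *dhcpc_script_t* domain with
+additional privileges.
+
+BUGS
+====
+
+No specific bugs known.
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+ https://wiki.gentoo.org/wiki/Project:Hardened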
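--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 resolvconf_client_domain(dhcpc_t)
 ')
+
+ #########################################
+ #
+ # dhcpc_script_t
+ #
+
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers
+ # introduced.
+
+ type dhcpc_script_t;
+ domain_type(dhcpc_script_t)
+ role dhcpc_roles types dhcpc_script_t;
+
+ type dhcpc_script_exec_t;
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+ type dhcpc_script_tmp_t;
+ files_tmp_file(dhcpc_script_tmp_t)
+
+ ########################################
+ #
+ # dhcpc script policy
+ #
+
+ allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+ files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+ files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+ kernel_read_network_state(dhcpc_script_t)
+ kernel_read_system_state(dhcpc_script_t)
+
+ corecmd_exec_bin(dhcpc_script_t)
+ corecmd_exec_shell(dhcpc_script_t)
+
+ files_read_etc_files(dhcpc_script_t)
+
+ init_use_script_fds(dhcpc_script_t)
+ init_use_script_ptys(dhcpc_script_t)
+
+ # Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+ domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+ sysnet_manage_config(dhcpc_script_t)
+
+ optional_policy(`
+ hostname_run(dhcpc_script_t, dhcpc_roles)
+ ')
+
+ optional_policy(`
+ ntp_manage_config(dhcpc_script_t)
+ ')
 ')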
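Review bot: Both new filetrans rules name a `dir` class while the accompanying patterns only cover files: `files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })` and `files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })` each sit next to a lone `manage_files_pattern`, which grants rw_dir_perms on the directory but no `dir create`, so a hook that makes a directory in /tmp or /run would get the type transition yet be denied the creation itself. Either drop `dir` from the two filetrans calls or add `manage_dirs_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)` and `manage_dirs_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)` beside the file patterns; the former keeps the hook domain's footprint smaller, in line with the commit's stated goal of a minimal script domain. The comment `# Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section` is an open design question left in the policy; either introduce that interface now or remove the note so the rule does not read as provisional. Separately, the new man page and rst describe this domain as *dhcp_script_t* in the DHCP Client paragraph, whereas the type declared here is dhcpc_script_t; the documentation should use the declared name.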