Hi,
attached are some diffs to the NSA CVS policy (I'm not using refpolicy, and
if you really want to win me over for a new policy, make one without M4...)
Reasons / Changes:
- Debian slapd actually is in /usr/lib, not /usr/sbin
(there is a symlink in /usr/sbin only)
- I don't use NetworkManager, so I'd like it to be ifdef'd
- Some updates to the asterisk policy I was possibly the only user of
(e.g. to add external audio sources and timer support)
- removal of that really weird "dhcpc_t locale_t:file write"
- debian dpkg needs get_security
- debian ntp has a cronjob to rotate its logs
I also attached some new policy files:
- tor: The onion router (tor.eff.org)
- heartbeat (Version 1, can enable arp_proxy and add/remove IPs)
- nsupdate (from bind, dynamic dns updates via dns protocol)
- munin (successor of LRRD, load graphing)
Btw, I think the tor policy is rather simple, so people might want to
look at it as an example for policy writing.
I still have some changes in my policy not included here, for example I
was lacking this to login as "root" on the console:
allow sysadm_t getty_t:fd use;
my "strict" dir is a symlink:
allow checkpolicy_t selinux_config_t:lnk_file read;
and I use iptables-save/iptables-restore, they try to access /etc/mtab
allow iptables_t etc_runtime_t:file { getattr read };
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
You know we all became mathematicians for the same reason: //\
we were lazy. --- Max Rosenlicht V_/_
Whoever no longer spends time with real friends will soon
lose his balance. --- Michael Levine

#DESC HEARTBEAT - high availability failover
#
# Author: Erich Schubert <erich@debian.org>
# X-Debian-Packages: heartbeat
#
#################################
#
# Rules for the heartbeat_t domain.
#
# heartbeat_exec_t is the type of the heartbeat executable.
#
daemon_domain(heartbeat, `, privlog, sysctl_net_writer')
etcdir_domain(heartbeat)
var_lib_domain(heartbeat)
uses_shlib(heartbeat_t)
# Heartbeat uses Shared Memory
allow heartbeat_t self:shm create_shm_perms;
tmp_domain(heartbeat)
# can execute all kind of stuff...
allow heartbeat_t { bin_t sbin_t }:dir r_dir_perms;
allow heartbeat_t { bin_t sbin_t }:lnk_file r_file_perms;
can_exec(heartbeat_t, { bin_t sbin_t heartbeat_exec_t shell_exec_t })
can_network(heartbeat_t)
# heartbeat needs some information
allow heartbeat_t { etc_t etc_runtime_t }:file r_file_perms;
allow heartbeat_t self:fifo_file rw_file_perms;
allow heartbeat_t heartbeat_var_lib_t:fifo_file create_file_perms;
allow heartbeat_t heartbeat_var_lib_t:sock_file create_file_perms;
allow heartbeat_t heartbeat_var_lib_t:dir { create_file_perms rmdir };
# heartbeat needs to run ifconfig
domain_auto_trans(heartbeat_t, ifconfig_exec_t, ifconfig_t)
# heartbeat can run ndc
ifdef(`named.te',`
domain_auto_trans(heartbeat_t, ndc_exec_t, ndc_t)
can_exec(heartbeat_t, initrc_exec_t)
')
# to switch proxy_arp on/off
rw_dir_file(heartbeat_t, sysctl_net_t)
# initrc needs to read config
r_dir_file(initrc_t, heartbeat_etc_t)
# packet socket and unix (dgram/stream) sockets for its IPC
allow heartbeat_t self:packet_socket { create_socket_perms };
allow heartbeat_t self:unix_dgram_socket { create_socket_perms listen };
allow heartbeat_t self:unix_stream_socket { create_socket_perms listen connectto accept };
# Heartbeat binds to currently unnamed "reserved" (< 1024) udp ports.
# Only name_bind is checked against the port type; the socket itself is
# created on self, which can_network above already allows.
allow heartbeat_t reserved_port_t:udp_socket name_bind;
# to ping
allow heartbeat_t self:rawip_socket { bind create_socket_perms };
allow heartbeat_t netif_type:netif { rawip_send rawip_recv };
allow heartbeat_t node_type:node { rawip_send rawip_recv };
allow heartbeat_t self:capability { net_raw net_bind_service setgid setuid sys_nice ipc_lock dac_override };
allow heartbeat_t proc_t:file { read getattr };
allow heartbeat_t self:process { getsched setsched setpgid sigchld };

#DESC MUNIN - network-wide load graphing
#
# Author: Erich Schubert <erich@debian.org>
# X-Debian-Packages: munin, munin-node
#
#################################
#
# Rules for the munin_t domain.
#
# munin_exec_t is the type of the munin executable.
#
daemon_domain(munin, `, privmail')
allow munin_t munin_var_run_t:sock_file create_file_perms;
etcdir_domain(munin)
type munin_port_t, port_type;
log_domain(munin)
tmp_domain(munin)
var_lib_domain(munin)
# perl
allow munin_t { sbin_t bin_t }:dir { search getattr };
allow munin_t { bin_t }:lnk_file read;
# for helper apps
can_exec_any(munin_t)
read_locale(munin_t)
# has cron jobs
system_crond_entry(munin_exec_t, munin_t)
allow crond_t munin_var_lib_t:dir search;
# init script
allow initrc_t munin_log_t:file { write append setattr ioctl };
# allow to drop privileges and renice
allow munin_t self:capability { setgid setuid dac_override dac_read_search };
allow munin_t self:process { getsched setsched sigchld };
allow munin_t urandom_device_t:chr_file { getattr read };
allow munin_t usr_t:file { read ioctl };
can_exec(munin_t, munin_exec_t)
can_exec(munin_t, bin_t)
allow munin_t bin_t:dir { search };
allow munin_t usr_t:lnk_file { read };
allow munin_t self:fifo_file rw_file_perms;
# Allow access to the munin databases
create_dir_file(munin_t, munin_var_lib_t)
allow munin_t var_lib_t:dir search;
# write log files
allow munin_t munin_log_t:dir rw_dir_perms;
allow munin_t munin_log_t:file create_file_perms;
# read config files
r_dir_file(initrc_t, munin_etc_t)
allow munin_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
# for accessing the output directory
#ifdef(`apache.te', `
allow munin_t httpd_sys_content_t:dir { search };
#')
allow munin_t etc_t:dir search;
can_unix_connect(sysadm_t, munin_t)
can_unix_connect(munin_t, munin_t)
can_unix_send(munin_t, munin_t)
can_network_server(munin_t)
allow munin_t self:tcp_socket connect;
allow munin_t munin_port_t:tcp_socket { name_connect name_bind };
allow munin_t self:unix_stream_socket { create_socket_perms listen accept ioctl };
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, munin_etc_t)
allow logrotate_t munin_var_lib_t:dir search;
allow logrotate_t munin_var_run_t:dir search;
allow logrotate_t munin_var_run_t:sock_file write;
can_unix_connect(logrotate_t, munin_t)
')
ifdef(`fnord-tcpsvd.te',`
# web server may read output files
allow http_request_t munin_var_lib_t:dir r_dir_perms;
allow http_request_t { munin_var_lib_t munin_etc_t }:file r_file_perms;
')
# get info from /proc
allow munin_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
allow munin_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };
allow munin_t { proc_t proc_net_t sysctl_t }:file ioctl;
allow munin_t { var_spool_t postfix_spool_t postfix_spool_maildrop_t }:dir r_dir_perms;
allow munin_t { var_spool_t postfix_spool_t postfix_spool_maildrop_t }:file { getattr };
# read /proc/self/* (the /proc entries of a process carry its own domain type)
allow munin_t self:file { read ioctl };
# let it check the mail logs
r_dir_file(munin_t, var_log_t)

#DESC NSUPDATE - dynamic zone updates for bind
#
# Authors: Erich Schubert
# X-Debian-Packages: bind bind9
#
application_domain(nsupdate)
# to access keys stored there
allow nsupdate_t named_zone_t:dir { search };
allow nsupdate_t named_zone_t:file r_file_perms;
can_network(nsupdate_t)
allow nsupdate_t self:netlink_route_socket { create_socket_perms nlmsg_read write };
# talk to a local named over UDP and TCP (nsupdate sends the update, named answers)
can_udp_send(named_t, nsupdate_t)
can_udp_send(nsupdate_t, named_t)
can_tcp_connect(nsupdate_t, named_t)
read_locale(nsupdate_t)
# read basic config files
allow nsupdate_t etc_t:file { getattr read };
allow nsupdate_t self:process { fork signal };
allow nsupdate_t self:capability { net_admin };
allow nsupdate_t self:fifo_file rw_file_perms;
# allow a _local_ named to write its zone files
ifdef(`named.te',`
rw_dir_create_file(named_t, named_zone_t)
')

# heartbeat
/usr/lib/heartbeat/.* -- system_u:object_r:heartbeat_exec_t
/usr/bin/cl_status -- system_u:object_r:heartbeat_exec_t
/var/lib/heartbeat(/.*)? system_u:object_r:heartbeat_var_lib_t
/var/run/heartbeat.* -- system_u:object_r:heartbeat_var_run_t
/etc/ha.d(/.*)? system_u:object_r:heartbeat_etc_t
/etc/ha.d/resource.d/.* -- system_u:object_r:heartbeat_exec_t
/etc/ha.d/rc.d/.* -- system_u:object_r:heartbeat_exec_t
/etc/ha.d/harc -- system_u:object_r:heartbeat_exec_t
# munin
/usr/bin/munin-.* -- system_u:object_r:munin_exec_t
/usr/sbin/munin-.* -- system_u:object_r:munin_exec_t
/usr/share/munin/munin-.* -- system_u:object_r:munin_exec_t
/usr/share/munin/plugins/.* -- system_u:object_r:munin_exec_t
/var/run/munin(/.*)? system_u:object_r:munin_var_run_t
/var/log/munin(/.*)? system_u:object_r:munin_log_t
/var/lib/munin(/.*)? system_u:object_r:munin_var_lib_t
/var/www/munin(/.*)? system_u:object_r:munin_var_lib_t
/etc/munin(/.*)? system_u:object_r:munin_etc_t
/usr/bin/nsupdate -- system_u:object_r:nsupdate_exec_t
/var/lib/tor(/.*)? system_u:object_r:tor_var_lib_t
/var/log/tor(/.*)? system_u:object_r:tor_log_t
/etc/tor(/.*)? system_u:object_r:tor_etc_t
/var/run/tor(/.*)? system_u:object_r:tor_var_run_t
/usr/sbin/tor -- system_u:object_r:tor_exec_t

#DESC tor - the onion router
#
# Authors: Erich Schubert <erich@debian.org>
#
# X-Debian-Packages: tor
#
# The onion router
daemon_domain(tor)
var_lib_domain(tor)
log_domain(tor)
etc_domain(tor)
can_network(tor_t)
# read config
r_dir_file(tor_t, tor_etc_t)
# write logs
create_dir_file(tor_t, tor_log_t)
# internal communication
allow tor_t self:fifo_file { read write };
# can get random numbers for crypto
allow tor_t urandom_device_t:chr_file { getattr read };
# can bind to regular ports
allow tor_t port_t:tcp_socket name_bind;
# connect to just about any, because some people run tor on 443 etc.
allow tor_t port_type:tcp_socket name_connect;
# network communication
allow tor_t self:unix_stream_socket create_stream_socket_perms;
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
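Added example, not part of Erich's posting and not code from setfiles or libselinux: a small Python model of how the setfiles of that era matched a path against file_contexts entries like the ones attached above. It shows the two things that matter when writing such entries: a spec with a file-type field such as `--` only ever labels that object class (so a symlink in /usr/sbin, the Debian slapd case from the first mail, is never matched by a `-- slapd_exec_t` line and the real binary in /usr/lib needs its own entry), and when several specs match the same path the last one in the file wins (which is why `/etc/ha.d/harc --` has to come after `/etc/ha.d(/.*)?`). The heartbeat and tor lines are copied from the attachment; the two slapd lines are assumed for the illustration. Every regex is anchored at both ends the way setfiles did it.

```python
import re

# File-context specs constructed for this example: the heartbeat and tor
# lines are from the attachment above; the two slapd lines are assumed
# (a /usr/sbin entry as in the NSA policy, plus the /usr/lib entry the
# Debian fix needs), so the symlink case from the mail can be shown.
FILE_CONTEXTS = """
/usr/sbin/slapd              --  system_u:object_r:slapd_exec_t
/usr/lib/slapd               --  system_u:object_r:slapd_exec_t
/usr/lib/heartbeat/.*        --  system_u:object_r:heartbeat_exec_t
/var/lib/heartbeat(/.*)?         system_u:object_r:heartbeat_var_lib_t
/etc/ha.d(/.*)?                  system_u:object_r:heartbeat_etc_t
/etc/ha.d/resource.d/.*      --  system_u:object_r:heartbeat_exec_t
/etc/ha.d/harc               --  system_u:object_r:heartbeat_exec_t
/usr/sbin/tor                --  system_u:object_r:tor_exec_t
"""

# Optional second field of a spec: which object class it applies to.
FILE_TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file",
                   "-c": "chr_file", "-b": "blk_file", "-s": "sock_file",
                   "-p": "fifo_file"}


def parse_file_contexts(text):
    """Return [(compiled_regex, object_class_or_None, context)] in file order.

    setfiles anchors every regex at both ends, so "/etc/ha.d(/.*)?" matches
    /etc/ha.d and anything below it but not /etc/ha.d.bak.
    """
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            object_class = FILE_TYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, context = fields
            object_class = None          # applies to every object class
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((re.compile("^(?:%s)$" % regex), object_class, context))
    return specs


def match_context(specs, path, object_class="file"):
    """Context setfiles would assign, or None if no spec matches (file left alone).

    When several specs match, the last one in the file wins, which is why
    the "/etc/ha.d/harc --" line must come after the "/etc/ha.d(/.*)?" line.
    """
    chosen = None
    for regex, wanted_class, context in specs:
        if wanted_class is not None and wanted_class != object_class:
            continue                      # e.g. a "--" spec never labels a symlink
        if regex.match(path):
            chosen = context
    return chosen


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for path, cls in [("/usr/sbin/slapd", "lnk_file"), ("/usr/lib/slapd", "file"),
                      ("/etc/ha.d/harc", "file"), ("/etc/ha.d/harc", "lnk_file"),
                      ("/usr/lib/heartbeat/plugins/x.so", "file")]:
        print("%-35s %-9s -> %s" % (path, cls, match_context(specs, path, cls)))
```

Running it also makes one caveat about the attached heartbeat.fc visible: `/usr/lib/heartbeat/.* --` gives every regular file under that directory, shared objects included, the heartbeat_exec_t type, so anything that can execute heartbeat_exec_t can also execute whatever else lands there.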
Hi,
> - munin (successor of LRRD, load graphing)
This also needs
---
# Munin
portcon tcp 4949 system_u:object_r:munin_port_t
---
at least if you do remote statistics.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
This one's tricky. You have to use imaginary numbers, like //\
eleventeen... --- Hobbes V_/_
Really good friends only make themselves scarce once you
need them. --- Charles Maurice de Tayllerand
On Wed, 2005-12-21 at 03:36 +0100, Erich Schubert wrote:
> Hi,
> attached are some diffs to NSA cvs policy (I'm not using refpolicy, and
> if you really want to win my for a new policy, make one without M4...)
Hmm...well, as noted previously, further work on the NSA example policy
has been superseded by the reference policy project,
http://serefpolicy.sf.net. And m4 is very useful, despite its
shortcomings. But there is ongoing work on higher level policy
languages and frameworks.
--
Stephen Smalley
National Security Agency
Hi,
one more thing missing in the SELinux policy:
portcon udp 1194 system_u:object_r:openvpn_port_t
1194 is the current default port for openvpn (official IANA assignment)
port 5000 is an old value, when it didn't have an IANA port yet.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
Friends are those who reach out for //\
your hand but touch your heart. V_/_
Whoever no longer spends time with real friends will soon
lose his balance. --- Michael Levine
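Added example, not from any of the mails above and not code from checkpolicy or the kernel: a Python model of what the two portcon lines requested in this thread, `portcon tcp 4949 munin_port_t` for munin-node and `portcon udp 1194 openvpn_port_t` for openvpn, actually change. A bind() is checked as `name_bind` against the type of the port, and a port no portcon covers gets the type of the `port` initial SID, port_t; a domain whose rules only mention its own port type therefore cannot bind until the portcon exists, and the old openvpn default of udp 5000 stays unlabelled. Assumptions: the first matching portcon in policy order wins (the kernel walks the port ocontext list in that order); the reserved-range portcon lines for 1-1023 are assumed to be present as in the NSA net_contexts; the munin allow rule is the one from munin.te above, the openvpn and heartbeat rules are assumed for the illustration.

```python
import re

# Constructed net_contexts fragment: the two portcon lines asked for in this
# thread, followed by the reserved-range lines the NSA example policy carried
# (assumed here). Specific ports must precede the range lines, since the first
# matching entry wins.
NET_CONTEXTS = """
portcon tcp 4949 system_u:object_r:munin_port_t
portcon udp 1194 system_u:object_r:openvpn_port_t
portcon tcp 1-1023 system_u:object_r:reserved_port_t
portcon udp 1-1023 system_u:object_r:reserved_port_t
"""

# Ports no portcon covers get the type of the "port" initial SID.
DEFAULT_PORT_TYPE = "port_t"

# name_bind rules: the munin one is from the posted munin.te; the openvpn and
# heartbeat ones are assumed (the mails only add the portcon, not domain rules).
ALLOW_RULES = """
allow munin_t munin_port_t:tcp_socket { name_connect name_bind };
allow openvpn_t openvpn_port_t:udp_socket name_bind;
allow heartbeat_t reserved_port_t:udp_socket name_bind;
"""

PORTCON_RE = re.compile(
    r"^portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+[^:\s]+:[^:\s]+:(\S+)$")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;$")


def parse_portcon(text):
    """Return [(proto, low, high, port_type)] in policy order."""
    table = []
    for line in text.splitlines():
        m = PORTCON_RE.match(line.strip())
        if m:
            proto, low, high, ptype = m.groups()
            low = int(low)
            table.append((proto, low, int(high) if high else low, ptype))
    return table


def port_type(table, proto, port):
    """Type of (proto, port): first covering portcon wins, else port_t."""
    for p, low, high, ptype in table:
        if p == proto and low <= port <= high:
            return ptype
    return DEFAULT_PORT_TYPE


def parse_allow(text):
    """Return {(source, target, class): set(perms)} from simple allow rules."""
    rules = {}
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        rules.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
    return rules


def can_name_bind(rules, table, domain, proto, port):
    """(allowed, port type) for `domain` binding a proto socket to `port`."""
    ptype = port_type(table, proto, port)
    perms = rules.get((domain, ptype, proto + "_socket"), set())
    return "name_bind" in perms, ptype


if __name__ == "__main__":
    table = parse_portcon(NET_CONTEXTS)
    rules = parse_allow(ALLOW_RULES)
    without_munin = [e for e in table if e[3] != "munin_port_t"]
    for label, tbl, dom, proto, port in [
            ("with portcon   ", table, "munin_t", "tcp", 4949),
            ("without portcon", without_munin, "munin_t", "tcp", 4949),
            ("IANA port      ", table, "openvpn_t", "udp", 1194),
            ("old default    ", table, "openvpn_t", "udp", 5000)]:
        print(label, dom, proto, port, "->", can_name_bind(rules, tbl, dom, proto, port))
```

The same resolution explains why heartbeat's rule above is written against reserved_port_t: its ports sit below 1024 and have no name of their own, so they fall into the range entry rather than a dedicated type.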