Requesting feedback on providing containment of sslh

James Hogarth james.hogarth at gmail.com
Wed Apr 29 16:28:43 UTC 2015


Hi,

I'm the maintainer of sslh and looking to get some feedback on a
policy I'm writing for it.

It has recently been added to the fedora repositories running
unconfined and I'm looking to improve this with running it within its
own confined domain.

The 'default' state is to listen on tcp/443 and to be able to connect
to tcp/80, tcp/443, tcp/22, tcp/5222 and tcp/1194 (on both localhost and
arbitrary systems). The default policy is written for exactly that set;
two booleans optionally widen it so sslh may listen on, or connect to,
any tcp port.

I've tried to style this after the services in fedora-selinux on
github in an attempt to make it consistent with existing policies.

I'd be grateful for any feedback on these before requesting this to be
added to the fedora targeted policy.

Kind regards,

James


sslh te file:

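policy_module(sslh,1.0.0)

########################################
#
# Declarations
#

## <desc>
##    <p>
##    Determine whether sslh can connect
##    to any tcp port or if it is restricted
##    to the standard http, ssh, openvpn and jabber ports.
##    </p>
## </desc>
gen_tunable(sslh_can_connect_any_port, false)

## <desc>
##    <p>
##    Determine whether sslh can listen
##    on any tcp port or if it is restricted
##    to the http ports (http_port_t).
##    </p>
## </desc>
gen_tunable(sslh_can_bind_any_port, false)


type sslh_t;
type sslh_exec_t;
init_daemon_domain(sslh_t, sslh_exec_t)

type sslh_config_t;
files_config_file(sslh_config_t)

type sslh_initrc_exec_t;
init_script_file(sslh_initrc_exec_t)

type sslh_var_run_t;
files_pid_file(sslh_var_run_t)

type sslh_unit_file_t;
systemd_unit_file(sslh_unit_file_t)

########################################
#
# sslh local policy
#

# Configuration file (/etc/sslh.cfg, labelled sslh_config_t in the fc file).
# It sits directly under /etc, so the domain also needs search on that
# directory to reach it.
allow sslh_t sslh_config_t:file read_file_perms;
files_search_etc(sslh_t)

# PID file/directory under /var/run/sslh (sslh_var_run_t in the fc file).
# The type was declared but no rules let the daemon use it; without these
# pid-file creation is denied.
manage_dirs_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
manage_files_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
files_pid_filetrans(sslh_t, sslh_var_run_t, { dir file })

# User lookup for the unprivileged account sslh switches to after binding.
auth_read_passwd(sslh_t)

# Drop root after the listening socket has been bound.
allow sslh_t self:capability { setuid setgid };
allow sslh_t self:process { setcap getcap };

# Only TCP stream sockets are permitted. The original draft also carried
# corenet_udp_* rules, but with no udp_socket permission here they could
# never be exercised, so they are dropped to keep the domain minimal.
allow sslh_t self:tcp_socket create_stream_socket_perms;

sysnet_dns_name_resolve(sslh_t)

corenet_all_recvfrom_unlabeled(sslh_t)
corenet_all_recvfrom_netlabel(sslh_t)
corenet_tcp_sendrecv_generic_if(sslh_t)
corenet_tcp_sendrecv_generic_node(sslh_t)
corenet_tcp_bind_generic_node(sslh_t)

# Listening side. NOTE: http_port_t is wider than tcp/443 alone -- it
# covers every port in the corenetwork http_port_t definition (tcp/80 and
# several 8xxx ports among them), so any of those can be bound by default.
corenet_tcp_bind_http_port(sslh_t)
corenet_tcp_sendrecv_http_port(sslh_t)

# Forwarding targets in the default configuration (localhost or remote):
# http/https, ssh, openvpn and jabber/xmpp client ports.
corenet_tcp_connect_http_port(sslh_t)

corenet_tcp_connect_ssh_port(sslh_t)
corenet_tcp_sendrecv_ssh_port(sslh_t)

corenet_tcp_connect_openvpn_port(sslh_t)
corenet_tcp_sendrecv_openvpn_port(sslh_t)

corenet_tcp_connect_jabber_client_port(sslh_t)
corenet_tcp_sendrecv_jabber_client_port(sslh_t)

# NOTE(review): if sslh reports through syslog (check the daemon's logging
# setup), logging_send_syslog_msg(sslh_t) is also required -- confirm
# before submitting.


# Opt-in: forward to any TCP port. This widens what a compromised sslh can
# reach, so it stays off by default.
tunable_policy(`sslh_can_connect_any_port',`
    corenet_tcp_sendrecv_all_ports(sslh_t)
    corenet_tcp_connect_all_ports(sslh_t)
')

# Opt-in: listen on any TCP port, including ports labelled for other
# services. Off by default; prefer the http ports granted above.
tunable_policy(`sslh_can_bind_any_port',`
    corenet_tcp_sendrecv_all_ports(sslh_t)
    corenet_tcp_bind_all_ports(sslh_t)
')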

sslh fc file:

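# Executables: both the fork-based and the select-based variant run in sslh_t.
/usr/sbin/sslh                       --  gen_context(system_u:object_r:sslh_exec_t,s0)
/usr/sbin/sslh-select                --  gen_context(system_u:object_r:sslh_exec_t,s0)

# SysV init script and systemd unit(s). Each entry must stay on ONE line;
# the mailing-list wrapping in the original draft put gen_context() on a
# line of its own, which is not valid fc syntax.
/etc/rc\.d/init\.d/sslh              --  gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
/usr/lib/systemd/system/sslh.*       --  gen_context(system_u:object_r:sslh_unit_file_t,s0)
# Template units (sslh@<instance>.service). '@*' would mean "zero or more
# '@'"; '@.*' is the intended pattern.
/usr/lib/systemd/system/sslh@.*      --  gen_context(system_u:object_r:sslh_unit_file_t,s0)

# Configuration: dot escaped so the pattern does not also match e.g.
# /etc/sslhXcfg.
/etc/sslh\.cfg                       --  gen_context(system_u:object_r:sslh_config_t,s0)

# PID file directory and its contents.
/var/run/sslh(/.*)?                      gen_context(system_u:object_r:sslh_var_run_t,s0)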

