Requesting feedback on providing containment of sslh

Lukas Vrabec lvrabec at redhat.com
Thu Apr 30 14:11:50 UTC 2015


On 04/30/2015 01:35 PM, Miroslav Grepl wrote:
> On 04/29/2015 06:28 PM, James Hogarth wrote:
>> Hi,
>>
>> I'm the maintainer of sslh and looking to get some feedback on a
>> policy I'm writing for it.
>>
>> It has recently been added to the fedora repositories running
>> unconfined and I'm looking to improve this with running it within its
>> own confined domain.
>>
>> The 'default' state is to listen on tcp/443 and to be able to connect
>> to tcp/80, tcp/443, tcp/5222, tcp/1194 (on both localhost and
>> arbitrary systems), which is what the default policy is configured for,
>> with booleans providing the option to let it listen on or connect to any port.
>>
>> I've tried to style this after the services in fedora-selinux on
>> github in an attempt to make it consistent with existing policies.
>>
>> I'd be grateful for any feedback on these before requesting this to be
>> added to the fedora targeted policy.
>>
>> Kind regards,
>>
>> James
>>
>>
>> sslh te file:
>>
>> policy_module(sslh,1.0.0)
>>
>> ########################################
>> #
>> # Declarations
>> #
>>
>> ## <desc>
>> ##    <p>
>> ##    Determine whether sslh can connect
>> ##    to any tcp port or if it is restricted
>> ##      to the standard http, openvpn and jabber ports.
>> ##    </p>
>> ## </desc>
>> gen_tunable(sslh_can_connect_any_port, false)
>>
>> ## <desc>
>> ##      <p>
>> ##      Determine whether sslh can listen
>> ##      on any tcp port or if it is restricted
>> ##      to the standard http.
>> ##      </p>
>> ## </desc>
>> gen_tunable(sslh_can_bind_any_port, false)
>>
>>
>> type sslh_t;
>> type sslh_exec_t;
>> init_daemon_domain(sslh_t, sslh_exec_t)
>>
>> type sslh_config_t;
>> files_config_file(sslh_config_t)
>>
>> type sslh_initrc_exec_t;
>> init_script_file(sslh_initrc_exec_t)
>>
>> type sslh_var_run_t;
>> files_pid_file(sslh_var_run_t)
>>
>> type sslh_unit_file_t;
>> systemd_unit_file(sslh_unit_file_t)
>>
>> ########################################
>> #
>> # sslh local policy
>> #
>>
>> allow sslh_t sslh_config_t:file read_file_perms;
>>
>> auth_read_passwd(sslh_t)
>>
>> allow sslh_t self:capability { setuid setgid };
>> allow sslh_t self:process { setcap getcap };
>>
>> allow sslh_t self:tcp_socket create_stream_socket_perms;
>>
>> sysnet_dns_name_resolve(sslh_t)
>>
>> corenet_all_recvfrom_unlabeled(sslh_t)
>> corenet_all_recvfrom_netlabel(sslh_t)
>> corenet_tcp_sendrecv_generic_if(sslh_t)
>> corenet_udp_sendrecv_generic_if(sslh_t)
>> corenet_tcp_sendrecv_generic_node(sslh_t)
>> corenet_udp_sendrecv_generic_node(sslh_t)
>> corenet_tcp_bind_generic_node(sslh_t)
>> corenet_udp_bind_generic_node(sslh_t)
>>
>> corenet_tcp_bind_http_port(sslh_t)
>>
>> corenet_tcp_sendrecv_http_port(sslh_t)
>> corenet_tcp_connect_http_port(sslh_t)
>>
>> corenet_tcp_connect_ssh_port(sslh_t)
>> corenet_tcp_sendrecv_ssh_port(sslh_t)
>>
>> corenet_tcp_connect_openvpn_port(sslh_t)
>> corenet_tcp_sendrecv_openvpn_port(sslh_t)
>>
>> corenet_tcp_connect_jabber_client_port(sslh_t)
>> corenet_tcp_sendrecv_jabber_client_port(sslh_t)
>>
>>
>> tunable_policy(`sslh_can_connect_any_port',`
>>      # allow sslh to connect to any port
>>      corenet_tcp_sendrecv_all_ports(sslh_t)
>>      corenet_tcp_connect_all_ports(sslh_t)
>> ')
>>
>> tunable_policy(`sslh_can_bind_any_port',`
>>      # allow sslh to bind to any port
>>      corenet_tcp_sendrecv_all_ports(sslh_t)
>>      corenet_tcp_bind_all_ports(sslh_t)
>> ')
>>
>> sslh fc file:
>>
>> /usr/sbin/sslh                    --    gen_context(system_u:object_r:sslh_exec_t,s0)
>> /usr/sbin/sslh-select             --    gen_context(system_u:object_r:sslh_exec_t,s0)
>> /etc/rc\.d/init\.d/sslh           --    gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
>> /etc/sslh.cfg                     --    gen_context(system_u:object_r:sslh_config_t,s0)
>> /usr/lib/systemd/system/sslh.*    --    gen_context(system_u:object_r:sslh_unit_file_t,s0)
>> /usr/lib/systemd/system/sslh@*.*  --    gen_context(system_u:object_r:sslh_unit_file_t,s0)
>> /var/run/sslh(/.*)?                     gen_context(system_u:object_r:sslh_var_run_t,s0)
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
> It looks good. I just see
>
> /var/run/sslh(/.*)?                     gen_context(system_u:object_r:sslh_var_run_t,s0)
>
> but I don't see rules for it. You should also provide the sslh.if
> policy file.
>
> I don't see a reason for
>
> /usr/lib/systemd/system/sslh@*.*  --    gen_context(system_u:object_r:sslh_unit_file_t,s0)
>
> which is covered by the previous declaration.
>
> If you also provide sslh.if we can review it in full and send possible
> patches.
>
> Thank you.
>

Hi,
As Mirek said, check his notes and add the .if source file. You can find
some examples in our selinux-policy repo:
https://github.com/fedora-selinux/selinux-policy/tree/rawhide-contrib.
Then you could create a pull request for this policy.

Thank you.

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
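As an added example, not part of this thread and not James's posted policy or the Fedora selinux-policy source, here is what the two review points above would look like in code: the rules for sslh_var_run_t that the posted sslh.te lacks, and a minimal sslh.if written in the refpolicy/Fedora contrib style. The types are the ones declared in the posted sslh.te; the interface names (sslh_domtrans, sslh_initrc_domtrans, sslh_systemctl, sslh_admin) are my assumptions, chosen to match how other contrib modules name theirs.

```selinux
# Added example, not from the posted policy or the Fedora tree; types are the
# ones declared in the posted sslh.te, interface names are assumed.
# --- sslh.te: rules the posted policy lacks for the /var/run/sslh label ---
# Let the daemon create its run directory and PID file, and have new entries
# it creates under /var/run labelled sslh_var_run_t rather than generic var_run_t.
manage_dirs_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
manage_files_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)
files_pid_filetrans(sslh_t, sslh_var_run_t, { dir file })

# --- sslh.if ---
## <summary>sslh - SSL/SSH multiplexer.</summary>
########################################
## <summary>
##	Execute sslh in the sslh domain.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
#
interface(`sslh_domtrans',`
	gen_require(`
		type sslh_t, sslh_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, sslh_exec_t, sslh_t)
')

########################################
## <summary>
##	Execute the sslh init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`sslh_initrc_domtrans',`
	gen_require(`
		type sslh_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, sslh_initrc_exec_t)
')

########################################
## <summary>
##	Execute systemctl on the sslh unit files.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`sslh_systemctl',`
	gen_require(`
		type sslh_t, sslh_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 sslh_unit_file_t:file read_file_perms;
	allow $1 sslh_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, sslh_t)
')

########################################
## <summary>
##	All of the rules required to administrate an sslh environment.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
## <param name="role">
##	<summary>Role allowed access.</summary>
## </param>
## <rolecap/>
#
interface(`sslh_admin',`
	gen_require(`
		type sslh_t, sslh_config_t, sslh_var_run_t;
		type sslh_initrc_exec_t, sslh_unit_file_t;
	')

	allow $1 sslh_t:process { ptrace signal_perms };
	ps_process_pattern($1, sslh_t)

	sslh_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 sslh_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, sslh_config_t)
	files_search_pids($1)
	admin_pattern($1, sslh_var_run_t)

	sslh_systemctl($1)
	admin_pattern($1, sslh_unit_file_t)
	allow $1 sslh_unit_file_t:service all_service_perms;
')
```

Two caveats a reviewer would want noted. The files_pid_filetrans rule only matters if sslh itself creates /var/run/sslh; if the unit file creates it (for example via RuntimeDirectory=) or tmpfiles does, the fc entry plus restorecon gives it the right label and only the manage_*_pattern lines are needed for the daemon to write its PID file. And, as Mirek points out, in an fc file `*` is a regex quantifier, so `/usr/lib/systemd/system/sslh.*` already matches `sslh@.service`; the second unit-file line adds nothing.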


