Re: Policy Review

Hi all, I'm trying to (re)learn SELinux, and spent the last day or two writing a policy for the fwknopd service, starting with a skeleton generated by selinux-polgengui. I was hoping that someone here could take a look at it and suggest anywhere I can make improvements to the policy. This is a learning exercise for me, so any comments are welcome. Thanks. David ========== fwknopd.fc ========= etc/fwknop(/.*)? gen_context(system_u:object_r:fwknopd_etc_t,s0)

/usr/lib/systemd/system/fwknopd.service -- gen_context(system_u:object_r:fwknopd_unit_file_t,s0) /usr/sbin/fwknopd -- gen_context(system_u:object_r:fwknopd_exec_t,s0) /var/run/fwknop(/.*)? -- gen_context(system_u:object_r:fwknopd_var_run_t,s0) ========== fwknopd.te ========= policy_module(fwknopd, 1.0.0) ######################################## # # Declarations # type fwknopd_t; type fwknopd_exec_t; init_daemon_domain(fwknopd_t, fwknopd_exec_t) #permissive fwknopd_t; type fwknopd_etc_t; files_config_file(fwknopd_etc_t) type fwknopd_unit_file_t; systemd_unit_file(fwknopd_unit_file_t) type fwknopd_var_run_t; files_pid_file(fwknopd_var_run_t) type fwknopd_port_t; corenet_port(fwknopd_port_t) ######################################## # # fwknopd local policy # allow fwknopd_t self:capability { setuid }; allow fwknopd_t self:process { fork signal_perms }; allow fwknopd_t self:fifo_file rw_fifo_file_perms; allow fwknopd_t self:unix_stream_socket create_stream_socket_perms; # # Only need to read config files. # read_files_pattern(fwknopd_t, fwknopd_etc_t, fwknopd_etc_t) # # Create (/var)/run/fwknop directory, and manage files within that # directory. # files_create_var_run_dirs(fwknopd_t) files_pid_filetrans(fwknopd_t, fwknopd_var_run_t, dir) manage_files_pattern(fwknopd_t, fwknopd_var_run_t, fwknopd_var_run_t) # # All client messages are read via pcap. Server only needs enough # permission to create a TCP socket and bind to it, but not permission # to read or write. It doesn't need any UDP permissions at all. # kernel_read_network_state(fwknopd_t) allow fwknopd_t self:capability net_raw; allow fwknopd_t self:packet_socket create_socket_perms; allow fwknopd_t self:tcp_socket create_stream_socket_perms; allow fwknopd_t fwknopd_port_t:tcp_socket name_bind; # # Uses system() to exec other programs, mainly xiptables-multi and gpg # family. # corecmd_exec_shell(fwknopd_t) # read /proc/meminfo # provides access to generic files in /proc kernel_read_system_state(fwknopd_t) iptables_domtrans(fwknopd_t) # # GPG support # optional_policy(` gen_require(` type gpg_secret_t; ')

corecmd_exec_bin(fwknopd_t) gpg_domtrans(fwknopd_t) # App stats /root/.gnupg before running userdom_search_admin_dir(fwknopd_t) gpg_list_user_secrets(fwknopd_t) ') # # Provided by selinux-polgengui # domain_use_interactive_fds(fwknopd_t) auth_use_nsswitch(fwknopd_t) logging_send_syslog_msg(fwknopd_t) miscfiles_read_localization(fwknopd_t) ============== end ============ -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlLQHbEACgkQrlYvE4MpobO/HACgiLcioLZYgDatzJiF/L8ZDypr OCsAoNu8ZM12IaR9c8iYtAJNsf86dVZe =tJcM -----END PGP SIGNATURE-----