Requesting feedback on providing containment of sslh
Miroslav Grepl
mgrepl at redhat.com
Thu Apr 30 11:35:14 UTC 2015
On 04/29/2015 06:28 PM, James Hogarth wrote:
> Hi,
>
> I'm the maintainer of sslh and looking to get some feedback on a
> policy I'm writing for it.
>
> It has recently been added to the fedora repositories running
> unconfined and I'm looking to improve this with running it within its
> own confined domain.
>
> The 'default' state is to listen on tcp/443 and to be able to connect
> to tcp/80, tcp/443, tcp/5222, tcp/1194 (on both localhost and
> arbitrary systems) which the default policy is configured for with the
> option via booleans to let it listen on or connect to any port.
>
> I've tried to style this after the services in fedora-selinux on
> github in an attempt to make it consistent with existing policies.
>
> I'd be grateful for any feedback on these before requesting this to be
> added to the fedora targeted policy.
>
> Kind regards,
>
> James
>
>
> sslh te file:
>
> policy_module(sslh,1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> ## <desc>
> ## <p>
> ## Determine whether sslh can connect
> ## to any tcp port or if it is restricted
> ## to the standard http, openvpn and jabber ports.
> ## </p>
> ## </desc>
> gen_tunable(sslh_can_connect_any_port, false)
>
> ## <desc>
> ## <p>
> ## Determine whether sslh can listen
> ## on any tcp port or if it is restricted
> ## to the standard http.
> ## </p>
> ## </desc>
> gen_tunable(sslh_can_bind_any_port, false)
>
>
> type sslh_t;
> type sslh_exec_t;
> init_daemon_domain(sslh_t, sslh_exec_t)
>
> type sslh_config_t;
> files_config_file(sslh_config_t)
>
> type sslh_initrc_exec_t;
> init_script_file(sslh_initrc_exec_t)
>
> type sslh_var_run_t;
> files_pid_file(sslh_var_run_t)
>
> type sslh_unit_file_t;
> systemd_unit_file(sslh_unit_file_t)
>
> ########################################
> #
> # sslh local policy
> #
>
> allow sslh_t sslh_config_t:file read_file_perms;
>
> auth_read_passwd(sslh_t)
>
> allow sslh_t self:capability { setuid setgid };
> allow sslh_t self:process { setcap getcap };
>
> allow sslh_t self:tcp_socket create_stream_socket_perms;
>
> sysnet_dns_name_resolve(sslh_t)
>
> corenet_all_recvfrom_unlabeled(sslh_t)
> corenet_all_recvfrom_netlabel(sslh_t)
> corenet_tcp_sendrecv_generic_if(sslh_t)
> corenet_udp_sendrecv_generic_if(sslh_t)
> corenet_tcp_sendrecv_generic_node(sslh_t)
> corenet_udp_sendrecv_generic_node(sslh_t)
> corenet_tcp_bind_generic_node(sslh_t)
> corenet_udp_bind_generic_node(sslh_t)
>
> corenet_tcp_bind_http_port(sslh_t)
>
> corenet_tcp_sendrecv_http_port(sslh_t)
> corenet_tcp_connect_http_port(sslh_t)
>
> corenet_tcp_connect_ssh_port(sslh_t)
> corenet_tcp_sendrecv_ssh_port(sslh_t)
>
> corenet_tcp_connect_openvpn_port(sslh_t)
> corenet_tcp_sendrecv_openvpn_port(sslh_t)
>
> corenet_tcp_connect_jabber_client_port(sslh_t)
> corenet_tcp_sendrecv_jabber_client_port(sslh_t)
>
>
> tunable_policy(`sslh_can_connect_any_port',`
>         # allow sslh to connect to any port
>         corenet_tcp_sendrecv_all_ports(sslh_t)
>         corenet_tcp_connect_all_ports(sslh_t)
> ')
>
> tunable_policy(`sslh_can_bind_any_port',`
>         # allow sslh to bind to any port
>         corenet_tcp_sendrecv_all_ports(sslh_t)
>         corenet_tcp_bind_all_ports(sslh_t)
> ')
>
> sslh fc file:
>
> /usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
> /usr/sbin/sslh-select -- gen_context(system_u:object_r:sslh_exec_t,s0)
> /etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
> /etc/sslh.cfg -- gen_context(system_u:object_r:sslh_config_t,s0)
> /usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
> /usr/lib/systemd/system/sslh@*.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
> /var/run/sslh(/.*)? gen_context(system_u:object_r:sslh_var_run_t,s0)
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
It looks good. I just see

/var/run/sslh(/.*)? gen_context(system_u:object_r:sslh_var_run_t,s0)

but I don't see rules for it. You should also provide an sslh.if
policy file.

I don't see a reason for

/usr/lib/systemd/system/sslh@*.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)

which is covered by the previous declaration.

If you also provide sslh.if we can review it all and send possible
patches.

Thank you.
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.