Hi,
I'm the maintainer of sslh and looking to get some feedback on a policy I'm writing for it.
It has recently been added to the fedora repositories running unconfined and I'm looking to improve this with running it within its own confined domain.
The 'default' state is to listen on tcp/443 and to be able to connect to tcp/80, tcp/443, tcp/5222 and tcp/1194 (on both localhost and arbitrary systems), which is what the default policy is configured for, with the option via booleans to let it listen on or connect to any port.
I've tried to style this after the services in fedora-selinux on github in an attempt to make it consistent with existing policies.
I'd be grateful for any feedback on these before requesting this to be added to the fedora targeted policy.
Kind regards,
James
sslh te file:
policy_module(sslh, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Determine whether sslh can connect
## to any tcp port or if it is restricted
## to the standard http, ssh, openvpn and jabber ports.
## </p>
## </desc>
gen_tunable(sslh_can_connect_any_port, false)

## <desc>
## <p>
## Determine whether sslh can listen
## on any tcp port or if it is restricted
## to the standard http ports.
## </p>
## </desc>
gen_tunable(sslh_can_bind_any_port, false)

type sslh_t;
type sslh_exec_t;
init_daemon_domain(sslh_t, sslh_exec_t)

type sslh_config_t;
files_config_file(sslh_config_t)

type sslh_initrc_exec_t;
init_script_file(sslh_initrc_exec_t)

type sslh_var_run_t;
files_pid_file(sslh_var_run_t)

type sslh_unit_file_t;
systemd_unit_file(sslh_unit_file_t)

########################################
#
# sslh local policy
#

# read /etc/sslh.cfg
allow sslh_t sslh_config_t:file read_file_perms;

# look up the user/group it drops privileges to
auth_read_passwd(sslh_t)

allow sslh_t self:capability { setuid setgid };
allow sslh_t self:process { setcap getcap };

allow sslh_t self:tcp_socket create_stream_socket_perms;

sysnet_dns_name_resolve(sslh_t)

corenet_all_recvfrom_unlabeled(sslh_t)
corenet_all_recvfrom_netlabel(sslh_t)
corenet_tcp_sendrecv_generic_if(sslh_t)
corenet_udp_sendrecv_generic_if(sslh_t)
corenet_tcp_sendrecv_generic_node(sslh_t)
corenet_udp_sendrecv_generic_node(sslh_t)
corenet_tcp_bind_generic_node(sslh_t)
corenet_udp_bind_generic_node(sslh_t)

# default listener: tcp/443 (http_port_t)
corenet_tcp_bind_http_port(sslh_t)
corenet_tcp_sendrecv_http_port(sslh_t)
corenet_tcp_connect_http_port(sslh_t)

# default backends it demultiplexes to
corenet_tcp_connect_ssh_port(sslh_t)
corenet_tcp_sendrecv_ssh_port(sslh_t)

corenet_tcp_connect_openvpn_port(sslh_t)
corenet_tcp_sendrecv_openvpn_port(sslh_t)

corenet_tcp_connect_jabber_client_port(sslh_t)
corenet_tcp_sendrecv_jabber_client_port(sslh_t)

tunable_policy(`sslh_can_connect_any_port',`
	# allow sslh to connect to any port
	corenet_tcp_sendrecv_all_ports(sslh_t)
	corenet_tcp_connect_all_ports(sslh_t)
')

tunable_policy(`sslh_can_bind_any_port',`
	# allow sslh to bind to any port
	corenet_tcp_sendrecv_all_ports(sslh_t)
	corenet_tcp_bind_all_ports(sslh_t)
')
sslh fc file:
/usr/sbin/sslh				--	gen_context(system_u:object_r:sslh_exec_t,s0)
/usr/sbin/sslh-select			--	gen_context(system_u:object_r:sslh_exec_t,s0)
/etc/rc.d/init.d/sslh			--	gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
/etc/sslh.cfg				--	gen_context(system_u:object_r:sslh_config_t,s0)
/usr/lib/systemd/system/sslh.*		--	gen_context(system_u:object_r:sslh_unit_file_t,s0)
/usr/lib/systemd/system/sslh@*.*	--	gen_context(system_u:object_r:sslh_unit_file_t,s0)
/var/run/sslh(/.*)?				gen_context(system_u:object_r:sslh_var_run_t,s0)
On 04/29/2015 06:28 PM, James Hogarth wrote:
It looks good. I just see
/var/run/sslh(/.*)? gen_context(system_u:object_r:sslh_var_run_t,s0)
but I don't see rules for it. Also you should provide the sslh.if policy file.
I don't see a reason for
/usr/lib/systemd/system/sslh@*.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
which is covered by the previous decl.
If you also provide sslh.if, we can review it all and send possible patches.
Thank you.
On 04/30/2015 01:35 PM, Miroslav Grepl wrote:
Hi,
As Mirek said, check his notes and add the .if source file. You can find some examples in our selinux-policy repo: https://github.com/fedora-selinux/selinux-policy/tree/rawhide-contrib. Then you could create a pull request for this policy.
Thank you.
On 30 April 2015 at 12:35, Miroslav Grepl mgrepl@redhat.com wrote:
It looks good. I just see
/var/run/sslh(/.*)? gen_context(system_u:object_r:sslh_var_run_t,s0)
but I don't see rules for it. Also you should provide the sslh.if policy file.
Ah, I based this on the tor service for certain syntax... I've not done any selinux policy writing with the new macros, only on EL5 during ex429.
Since the tor te didn't have rules for this I assumed a macro picked it up to allow sysvinit-based systems to write the pid...
I'll amend and include appropriate rules there as well.
On the EPEL side, does policy get backported, or should I update my EPEL package with the compiling of the pp in %build and include installing it in %install/%post?
I don't see a reason for
/usr/lib/systemd/system/sslh@*.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
which is covered by the previous decl.
That was my eyes glossing over the regex (I plan to include systemd templated versions in a future release).
If you also provide sslh.if, we can review it all and send possible patches.
I'll put together an appropriate .if to go along with these - the fc/te initial feedback request was just to make sure the main policy looked good and was consistent with current practices.
Thank you.
Thanks for your time and feedback
selinux@lists.fedoraproject.org