Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, man/man8/
From: Sven Vermeulen @ 2014-12-15 19:41 UTC
To: gentoo-commits

commit:     384a7ab97439bd150d51c938062a2b90c5441a66
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Dec 15 18:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=384a7ab9

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 man/man8/sysnetwork_selinux.8         | 110 ++++++++++++++++++++++++++++++++++
 policy/modules/kernel/corecommands.fc |   2 +-
 policy/modules/system/sysnetwork.fc   |   1 +
 policy/modules/system/sysnetwork.if   |  29 +++++++++
 policy/modules/system/sysnetwork.rst  |  91 ++++++++++++++++++++++++++++
 policy/modules/system/sysnetwork.te   |  58 ++++++++++++++++++
 6 files changed, 290 insertions(+), 1 deletion(-)

diff --git a/man/man8/sysnetwork_selinux.8 b/man/man8/sysnetwork_selinux.8
new file mode 100644
index 0000000..217c020
--- /dev/null
+++ b/man/man8/sysnetwork_selinux.8
@@ -0,0 +1,110 @@
+.\" Man page generated from reStructuredText.
+.
+.TH SYSNETWORK_SELINUX 8 "2014-11-28" "" "SELinux"
+.SH NAME
+sysnetwork_selinux \- SELinux policy module for system networking
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fBsysnetwork\fP SELinux module supports the following core networking
+domains: DHCP client and ifconfig.
+.SS DHCP Client
+.sp
+The DHCP client policy works around the \fIdhcpc_t\fP domain. It is usually
+executed from within an init script, and interacts with the network subsystems
+in the Linux kernel in order to obtain an IP address and manage the network
+configuration of the system.
+.sp
+Some DHCP clients also have the ability to call additional scripts when an IP
+address is obtained (or released), allowing administrators to automate certain
+tasks on the system further. Within the SELinux policy, we (Gentoo) try to
+handle the hooks through the \fIdhcp_script_t\fP domain.
+.SS Ifconfig
+.sp
+The \fIifconfig\fP command (and associated \fIifconfig_t\fP domain) is used to manually
+set the IP address and other network configurations of the system.
+.SH BOOLEANS
+.sp
+No booleans are managed through this module.
+.SH DOMAINS
+.INDENT 0.0
+.TP
+.B dhcpc_t
+The main domain for the DHCP client
+.TP
+.B dhcpc_script_t
+The domain in which the hooks (pre\- and post processing of DHCP operations)
+run
+.TP
+.B ifconfig_t
+The domain for manual IP address handling (for instance through the
+\fIifconfig\fP or \fIip\fP commands)
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+sysnetwork\-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+.SS Domain interaction
+.sp
+The most interesting definition in the policy is the \fBsysnet_dhcpc_script_entry\fP
+interface. It allows for the DHCP script domain (\fIdhcpc_script_t\fP) to
+execute a particular type (second argument) and transition to a given domain
+(first argument).
+.sp
+For instance, to allow a DHCP hook to execute any portage commands:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+sysnet_dhcpc_script_entry(portage_t, portage_exec_t)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+It is generally preferred to transition a DHCP hook script as fast as possible
+to a specific domain rather than enhancing the \fIdhcpc_script_t\fP domain with
+additional privileges.
+.SH BUGS
+.sp
+No specific bugs known.
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux Project at
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
+.UNINDENT
+.SH AUTHOR
+Sven Vermeulen <swift@gentoo.org>
+.\" Generated by docutils manpage writer.
+.
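Review bot: the DESCRIPTION section names the hook domain dhcp_script_t (`handle the hooks through the \fIdhcp_script_t\fP domain`) while the DOMAINS section and sysnetwork.te declare dhcpc_script_t; since this roff is generated from sysnetwork.rst, correct the name (and the `provileges` typo under POLICY) in the .rst and regenerate rather than patching the generated file. While regenerating, `The DHCP client policy works around the \fIdhcpc_t\fP domain` reads as if dhcpc_t were an obstacle; `revolves around` is what is meant, and the comma splice `interface HTML documentation, we will not list all available interfaces here` should be two sentences.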

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index fdf1915..e38e238 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
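Review bot: the old dhcpcd-run-hooks spec is commented out rather than deleted; a commented-out file context line only preserves a stale hint that the label is bin_t, which this commit makes wrong. Delete the line outright (the spec now lives in sysnetwork.fc, and a `see sysnetwork.fc` remark is better placed in the commit message). Note that leaving both lines active would have produced two specs for the same path with different types, which conflicts when file_contexts is built, so full removal is the safer end state.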

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')
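Review bot: relabelling /lib/dhcpcd/dhcpcd-run-hooks from bin_t to dhcpc_script_exec_t is what makes the new domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t) in sysnetwork.te take effect, so on an existing system nothing changes until the file is relabelled (for example with restorecon); until then the hooks keep running in dhcpc_t with the client's own privileges. That deserves a line in the commit message or the policy package's post-install notes. The spec is placed under ifdef(`distro_gentoo'), matching where the type is declared in the .te, so the type exists wherever the spec is compiled in.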

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692..86313b6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',`
 
 	sysnet_read_config($1)
 ')
+
+# This should be after an ifdef distro_gentoo but that is not allowed in an if file
+
+########################################
+## <summary>
+##	Make the specified program domain
+##	accessable from the DHCP hooks/scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to transition to.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	The type of the file used as an entrypoint to this domain.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dhcpc_script_entry',`
+	gen_require(`
+		type dhcpc_script_t;
+		attribute_role dhcpc_roles;
+	')
+
+	role dhcpc_roles types $1;
+
+	domtrans_pattern(dhcpc_script_t, $2, $1)
+')
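Review bot: dhcpc_script_t is declared only inside ifdef(`distro_gentoo') in sysnetwork.te, but this interface is unconditional, so a caller on a non-Gentoo build fails at the gen_require; the comment `# This should be after an ifdef distro_gentoo but that is not allowed in an if file` acknowledges this, but the XML summary should state that the interface is Gentoo-only and that callers must wrap it in optional_policy(`...') so the failure is contained rather than a build error. Two documentation points in the same block: `accessable` should be `accessible`, and the summary omits that the interface also does `role dhcpc_roles types $1;`, which widens the set of roles allowed to run $1; say so, since a caller may not expect a role change from an entry interface.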

diff --git a/policy/modules/system/sysnetwork.rst b/policy/modules/system/sysnetwork.rst
new file mode 100644
index 0000000..13e0c34
--- /dev/null
+++ b/policy/modules/system/sysnetwork.rst
@@ -0,0 +1,91 @@
+==================
+sysnetwork_selinux
+==================
+
+-------------------------------------------
+SELinux policy module for system networking
+-------------------------------------------
+
+:Author:        Sven Vermeulen <swift@gentoo.org>
+:Date:          2014-11-28
+:Manual section:        8
+:Manual group:          SELinux
+
+DESCRIPTION
+===========
+
+The **sysnetwork** SELinux module supports the following core networking
+domains: DHCP client and ifconfig.
+
+DHCP Client
+-----------
+
+The DHCP client policy works around the *dhcpc_t* domain. It is usually
+executed from within an init script, and interacts with the network subsystems
+in the Linux kernel in order to obtain an IP address and manage the network
+configuration of the system.
+
+Some DHCP clients also have the ability to call additional scripts when an IP
+address is obtained (or released), allowing administrators to automate certain
+tasks on the system further. Within the SELinux policy, we (Gentoo) try to
+handle the hooks through the *dhcp_script_t* domain.
+
+Ifconfig
+--------
+
+The *ifconfig* command (and associated *ifconfig_t* domain) is used to manually
+set the IP address and other network configurations of the system.
+
+BOOLEANS
+========
+
+No booleans are managed through this module.
+
+DOMAINS
+=======
+
+dhcpc_t
+  The main domain for the DHCP client
+
+dhcpc_script_t
+  The domain in which the hooks (pre- and post processing of DHCP operations)
+  run
+
+ifconfig_t
+  The domain for manual IP address handling (for instance through the
+  *ifconfig* or *ip* commands)
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+sysnetwork-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Domain interaction
+------------------
+
+The most interesting definition in the policy is the ``sysnet_dhcpc_script_entry``
+interface. It allows for the DHCP script domain (*dhcpc_script_t*) to
+execute a particular type (second argument) and transition to a given domain
+(first argument).
+
+For instance, to allow a DHCP hook to execute any portage commands::
+
+  sysnet_dhcpc_script_entry(portage_t, portage_exec_t)
+
+It is generally preferred to transition a DHCP hook script as fast as possible
+to a specific domain rather than enhancing the *dhcpc_script_t* domain with
+additional privileges.
+
+BUGS
+====
+
+No specific bugs known.
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+  https://wiki.gentoo.org/wiki/Project:Hardened
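Review bot: `handle the hooks through the *dhcp_script_t* domain` under DHCP Client names a type that does not exist; the domain declared in sysnetwork.te and listed under DOMAINS is dhcpc_script_t. In the same pass, fix `provileges` to `privileges` under POLICY, split `interface HTML documentation, we will not list all available interfaces here` into two sentences, and replace `works around` with `revolves around` (the current wording reads as a workaround). Since sysnetwork_selinux.8 is generated from this file, regenerating the man page after these fixes keeps the two in sync.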

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 9f6affc..b65117e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		resolvconf_client_domain(dhcpc_t)
 	')
+
+	#########################################
+	#
+	# dhcpc_script_t
+	#
+
+	# The purpose of the dhcpc_script_t domain is to handle the post-processing of 
+	# the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+	# assume others do as well. With the dhcpc_script_t domain we can isolate the
+	# privileges of the DHCP client itself from the hooks / flexibility that the developers
+	# introduced.
+
+	type dhcpc_script_t;
+	domain_type(dhcpc_script_t)
+	role dhcpc_roles types dhcpc_script_t;
+
+	type dhcpc_script_exec_t;
+	domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+	type dhcpc_script_tmp_t;
+	files_tmp_file(dhcpc_script_tmp_t)
+
+	########################################
+	#
+	# dhcpc script policy
+	#
+
+	allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+	files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+	kernel_read_network_state(dhcpc_script_t)
+	kernel_read_system_state(dhcpc_script_t)
+
+	corecmd_exec_bin(dhcpc_script_t)
+	corecmd_exec_shell(dhcpc_script_t)
+
+	files_read_etc_files(dhcpc_script_t)
+
+	init_use_script_fds(dhcpc_script_t)
+	init_use_script_ptys(dhcpc_script_t)
+
+	# Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+	domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+	sysnet_manage_config(dhcpc_script_t)
+
+	optional_policy(`
+		hostname_run(dhcpc_script_t, dhcpc_roles)
+	')
+
+	optional_policy(`
+		ntp_manage_config(dhcpc_script_t)
+	')
 ')
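Review bot: files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir }) and files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir }) list dir as a transition class, but the only access granted on those types is manage_files_pattern, which gives rw_dir_perms plus manage_file_perms and does not include dir create; either add manage_dirs_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t) (and the same for dhcpc_var_run_t) or drop dir from both filetrans lists, otherwise the dir half of each transition can never be exercised and a hook that creates a directory under /tmp or /run gets a denial on the dir class. Two smaller points: the comment line `# The purpose of the dhcpc_script_t domain is to handle the post-processing of ` carries trailing whitespace, and the open question in `# Perhaps sysnet_domtrans_dhcpc_script could be used instead` could be settled now by adding that interface to sysnetwork.if and calling it from the dhcpc_t section, so the transition is declared once and is reusable by other clients.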

