# SPDX-License-Identifier: GPL-2.0-or-later
#
# PASTA - Pack A Subtle Tap Abstraction
#  for network namespace/tap device mode
#
# contrib/selinux/pasta.te - SELinux profile: Type Enforcement for pasta
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
#
# Structure of this file:
#   1. require block: types, roles, attributes and classes defined in the
#      base/reference policy that the rules below refer to
#   2. declarations of the pasta-specific types (domain, executable, log,
#      pid file, port)
#   3. entry/transition rules into the pasta_t domain
#   4. allow rules, grouped by what they touch (capabilities, exec
#      transitions, filesystem, terminals/logging, networking, init/dbus,
#      tun/tap and sysctl, process attributes)
#
# Reviewer's note: a few rules below are broader than the typical daemon
# policy (mount/mounton on root_t and tmp_t, cap_userns sys_admin/sys_ptrace,
# exec transitions into unconfined_t). They are presumably required by the
# namespace/tap setup pasta performs, but each is worth confirming against the
# code path that needs it before relaxing or tightening this module.

# Declare the module name and version.
policy_module(pasta, 0.1)

# Everything in this block is defined elsewhere (base policy / refpolicy
# modules); it must be listed here so the rules below can reference it.
require {
	# Caller domain/role we transition from (see type_transition below).
	type unconfined_t;
	role unconfined_r;
	class process transition;

	# Filesystem object types pasta touches.
	type bin_t;
	type user_home_t;
	type user_home_dir_t;
	type fs_t;
	type tmp_t;
	type tmpfs_t;
	type root_t;
	type nsfs_t;

	class file { ioctl getattr setattr create read write unlink open relabelto execute_no_trans map execute };
	class dir { getattr search read write add_name remove_name mounton watch };
	class chr_file { append read write open getattr ioctl };
	class filesystem { getattr mount unmount };
	class lnk_file read;

	# Terminals and logging.
	type console_device_t;
	type user_devpts_t;
	type devlog_t;
	type syslogd_t;
	type var_run_t;
	class unix_dgram_socket { create connect sendto };

	# Networking: /etc network config, /proc/net, generic node, sockets.
	type net_conf_t;
	type proc_net_t;
	type node_t;
	class tcp_socket { create accept listen name_bind name_connect };
	class udp_socket { create accept listen name_bind };
	class icmp_socket { bind create name_bind node_bind setopt read write };
	class sock_file { create unlink write };
	class unix_stream_socket connectto;

	# Interface configuration, netlink, tun/tap, network sysctls.
	type ifconfig_var_run_t;
	class netlink_route_socket { bind create nlmsg_read nlmsg_write setopt };
	type tun_tap_device_t;
	type sysctl_net_t;
	class tun_socket create;
	type user_tty_device_t;

	# Port types pasta binds to or connects to (see the networking rules).
	attribute port_type;
	type port_t;
	type http_port_t;
	type ssh_port_t;
	type reserved_port_t;
	type dns_port_t;
	type dhcpc_port_t;
	type chronyd_port_t;
	type llmnr_port_t;

	# Hostname lookup, D-Bus, systemd, user/sssd databases.
	type hostname_exec_t;
	type system_dbusd_var_run_t;
	type system_dbusd_t;
	type systemd_hostnamed_t;
	type systemd_systemctl_exec_t;
	type passwd_file_t;
	type sssd_public_t;
	type sssd_var_lib_t;
	class dbus send_msg;
	class system module_request;
	class system status;

	# Domains pasta transitions into when executing helper binaries.
	type kernel_t;
	class process setpgid;
	type shell_exec_t;
	type ifconfig_exec_t;
	type netutils_exec_t;
	type ping_exec_t;
	type ifconfig_t;
	type netutils_t;
	type ping_t;
	type init_t;

	# Capabilities in the initial user namespace (capability), in
	# non-initial user namespaces (cap_userns), and user namespace creation.
	class capability { sys_tty_config setuid setgid };
	class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
	class user_namespace create;
}

# Types owned by this module.
# pasta_t: the domain the pasta process runs in.
type pasta_t;
domain_type(pasta_t);
# pasta_exec_t: label of the pasta executable (entrypoint into pasta_t).
type pasta_exec_t;
files_type(pasta_exec_t);
# pasta_log_t: label for pasta's log files.
type pasta_log_t;
logging_log_file(pasta_log_t);
# pasta_pid_t: label for pasta's pid file under the pid directory.
type pasta_pid_t;
files_pid_file(pasta_pid_t);

# Port type pasta may bind/connect to; given the port_type attribute so it
# behaves like the other port types referenced in the require block.
type pasta_port_t;
typeattribute pasta_port_t port_type;

# The unconfined role is allowed to run processes in pasta_t.
role unconfined_r types pasta_t;

# Entry into the domain: pasta_t may execute pasta_exec_t (entrypoint), and
# an unconfined_t process executing pasta_exec_t transitions to pasta_t.
allow pasta_t pasta_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
type_transition unconfined_t pasta_exec_t : process pasta_t;
allow unconfined_t pasta_t : process transition ;

# Also allow pasta to be started as a daemon by init (refpolicy interface).
init_daemon_domain(pasta_t, pasta_exec_t)

# Capabilities in the initial user namespace.
allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
# Capabilities exercised inside a non-initial user namespace. sys_admin and
# sys_ptrace are broad; they apply to namespaces pasta itself creates (next
# rule), presumably for the netns/tap setup -- confirm against the code.
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
allow pasta_t self:user_namespace create;

# User database lookups (passwd and sssd library directories).
allow pasta_t passwd_file_t:file read_file_perms;
sssd_search_lib(pasta_t)

# Domain transitions when pasta executes other programs. Note that running a
# generic binary (bin_t) or a shell (shell_exec_t) lands the child in
# unconfined_t, i.e. pasta's confinement does not carry over to the command
# it spawns. Network helpers get their own refpolicy domains.
domain_auto_trans(pasta_t, bin_t, unconfined_t);
domain_auto_trans(pasta_t, shell_exec_t, unconfined_t);
domain_auto_trans(pasta_t, ifconfig_exec_t, ifconfig_t);
domain_auto_trans(pasta_t, netutils_exec_t, netutils_t);
domain_auto_trans(pasta_t, ping_exec_t, ping_t);

# Namespace pseudo-filesystem entries (nsfs_t); a second `read`-only rule for
# nsfs_t appears further below and is redundant with this one.
allow pasta_t nsfs_t:file { open read };

# Home directory and temporary files: read files in the user's home, create
# files directly in the home directory, and manipulate /tmp entries.
allow pasta_t user_home_t:dir getattr;
allow pasta_t user_home_t:file { open read getattr setattr };
allow pasta_t user_home_dir_t:dir { search getattr open add_name read write };
allow pasta_t user_home_dir_t:file { create open read write };
allow pasta_t tmp_t:dir { add_name mounton remove_name write };
# Mount operations: mounting a tmpfs, unmounting fs_t filesystems, and using
# the root directory as a mount point. Broad for a daemon; presumably only
# meaningful inside the mount namespace pasta sets up -- confirm.
allow pasta_t tmpfs_t:filesystem mount;
allow pasta_t fs_t:filesystem unmount;
allow pasta_t root_t:dir mounton;
# Pid file management under the pid directory, labelled pasta_pid_t.
manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
files_pid_filetrans(pasta_t, pasta_pid_t, file)

# Console, pseudo-terminals and syslog.
allow pasta_t console_device_t:chr_file { open write getattr ioctl };
allow pasta_t user_devpts_t:chr_file { getattr read write ioctl };
logging_send_syslog_msg(pasta_t)
# NOTE(review): this rule targets syslogd_t, not pasta_t -- it widens the
# syslog daemon's own policy from within this module. Presumably needed for
# syslogd to handle messages from pasta's user namespace; worth confirming.
allow syslogd_t self:cap_userns sys_ptrace;

# Network configuration discovery: /proc/net, network config files (net_conf_t),
# a netlink route socket, and the network sysctl tree.
allow pasta_t proc_net_t:file { open read };
allow pasta_t net_conf_t:file { open read };
allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write };
kernel_search_network_sysctl(pasta_t)

# UNIX socket files in /tmp.
allow pasta_t tmp_t:sock_file { create unlink write };

# TCP: create sockets, send/receive and bind on the generic node, and bind or
# connect to the listed port types.
allow pasta_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_node(pasta_t)
corenet_tcp_bind_generic_node(pasta_t)
allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect };
allow pasta_t pasta_port_t:udp_socket { name_bind };
allow pasta_t http_port_t:tcp_socket { name_bind name_connect };
allow pasta_t chronyd_port_t:udp_socket name_bind;
allow pasta_t dhcpc_port_t:udp_socket name_bind;
allow pasta_t dns_port_t:tcp_socket name_bind;
allow pasta_t dns_port_t:udp_socket name_bind;
allow pasta_t ssh_port_t:tcp_socket name_bind;
# UDP: same shape as TCP above, plus binding to reserved ports.
allow pasta_t self:udp_socket create_stream_socket_perms;
allow pasta_t reserved_port_t:udp_socket name_bind;
allow pasta_t llmnr_port_t:tcp_socket name_bind;
allow pasta_t llmnr_port_t:udp_socket name_bind;
corenet_udp_sendrecv_generic_node(pasta_t)
corenet_udp_bind_generic_node(pasta_t)
# ICMP sockets bound to the generic node.
allow pasta_t node_t:icmp_socket { name_bind node_bind };
allow pasta_t self:icmp_socket { bind create setopt read write };

# Interaction with init (systemd): read its files, connect to its socket,
# send D-Bus messages and query system status.
allow pasta_t init_t:dir search;
allow pasta_t init_t:file { getattr open read };
allow pasta_t init_t:lnk_file read;
allow pasta_t init_t:unix_stream_socket connectto;
allow pasta_t init_t:dbus send_msg;
allow pasta_t init_t:system status;
# Read access to files of the unconfined caller.
allow pasta_t unconfined_t:dir search;
allow pasta_t unconfined_t:file read;
allow pasta_t unconfined_t:lnk_file read;
# Redundant with the read_file_perms rule on passwd_file_t above.
allow pasta_t passwd_file_t:file { getattr open read };
# Process group and capability-set changes on pasta's own process.
allow pasta_t self:process { setpgid setcap };
# Execute a shell without a domain transition (in addition to the
# domain_auto_trans to unconfined_t above).
allow pasta_t shell_exec_t:file { execute execute_no_trans map };

# Name/hostname resolution and D-Bus: sssd directories, the hostname binary,
# the system bus socket, systemd-hostnamed, and the systemctl binary.
allow pasta_t sssd_var_lib_t:dir search;
allow pasta_t sssd_public_t:dir search;
allow pasta_t hostname_exec_t:file { execute execute_no_trans getattr open read map };
allow pasta_t system_dbusd_t:unix_stream_socket connectto;
allow pasta_t system_dbusd_t:dbus send_msg;
allow pasta_t system_dbusd_var_run_t:dir search;
allow pasta_t system_dbusd_var_run_t:sock_file write;
allow pasta_t systemd_hostnamed_t:dbus send_msg;
allow pasta_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read map };

# Tap device and network sysctls: watch the ifconfig runtime directory,
# create tun sockets, open the tun/tap device, write network sysctls, and
# ask the kernel to load modules.
allow pasta_t ifconfig_var_run_t:dir { read search watch };
allow pasta_t self:tun_socket create;
allow pasta_t tun_tap_device_t:chr_file { ioctl open read write };
allow pasta_t sysctl_net_t:dir search;
allow pasta_t sysctl_net_t:file { open write };
allow pasta_t kernel_t:system module_request;

# Already covered by the { open read } rule on nsfs_t above.
allow pasta_t nsfs_t:file read;

# Mount /proc (e.g. in a new namespace -- confirm) and follow symlinks in
# network config and /proc/net.
allow pasta_t proc_t:dir mounton;
allow pasta_t proc_t:filesystem mount;
allow pasta_t net_conf_t:lnk_file read;
allow pasta_t proc_net_t:lnk_file read;

# Process attributes carried across the domain transitions declared above
# (no AT_SECURE, inherited rlimits and signal state), and access to the
# user's tty device.
allow pasta_t unconfined_t:process { noatsecure rlimitinh siginh };
allow pasta_t ifconfig_t:process { noatsecure rlimitinh siginh };
allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
allow pasta_t user_tty_device_t:chr_file { append read write };