* [PATCH 1/4] contrib/selinux: Drop duplicate init_daemon_domain() rule
From: Stefano Brivio @ 2023-03-06 23:28 UTC (permalink / raw)
To: passt-dev; +Cc: Laine Stump, Andrea Bolognani
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/passt.te | 1 -
1 file changed, 1 deletion(-)
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index 7fa4fb9..593b346 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -57,7 +57,6 @@ type passt_t;
domain_type(passt_t);
type passt_exec_t;
files_type(passt_exec_t);
-init_daemon_domain(passt_t, passt_exec_t)
type passt_log_t;
logging_log_file(passt_log_t);
type passt_etc_t;
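Review bot: the hunk deletes one init_daemon_domain(passt_t, passt_exec_t) call but shows nothing of the copy that survives, so a reader of this patch alone cannot verify that the rule is in fact duplicated; the remaining call is only visible as context in 2/4, right after the unconfined_t type_transition. State in the commit message where the surviving call lives (or delete the copy next to it instead) so the "duplicate" claim can be checked from the patch itself.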
--
2.39.2
* [PATCH 2/4] contrib/selinux: Let passt write to stdout and stderr when it starts
From: Stefano Brivio @ 2023-03-06 23:28 UTC (permalink / raw)
To: passt-dev; +Cc: Laine Stump, Andrea Bolognani
Otherwise, it's unusable as stand-alone tool, or in foreground mode,
and it's also impossible to get output from --help or --version,
because for SELinux it's just a daemon.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/passt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index 593b346..6cd61f1 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -72,6 +72,7 @@ type_transition unconfined_t passt_exec_t : process passt_t;
allow unconfined_t passt_t : process transition ;
init_daemon_domain(passt_t, passt_exec_t)
+term_use_all_inherited_terms(passt_t)
allow passt_t bin_t:file { execute execute_no_trans map };
allow passt_t user_home_dir_t:dir { search add_name write };
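Review bot: term_use_all_inherited_terms(passt_t) only covers the case where the inherited stdout/stderr is a terminal (chr_file); when --help or --version output is redirected to a file or piped to a pager, the inherited descriptor is a file or fifo_file and this rule does not apply, so the claim in the message that output from --help and --version becomes possible holds only for the terminal case. Either note that limitation in the message or check the redirect/pipe case against audit before calling it fixed. The title says "when it starts", but the same rule is also what keeps stderr usable for the whole run in foreground mode, as the body notes; the title could say so.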
--
2.39.2
* [PATCH 3/4] contrib/selinux: Allow binding and connecting to all UDP and TCP ports
From: Stefano Brivio @ 2023-03-06 23:28 UTC (permalink / raw)
To: passt-dev; +Cc: Laine Stump, Andrea Bolognani
Laine reports that with a simple:
<portForward proto='tcp'>
<range start='2022' to='22'/>
</portForward>
in libvirt's domain XML, passt won't start as it fails to bind
arbitrary ports. That was actually the intention behind passt_port_t:
the user or system administrator should have explicitly configured
allowed ports on a given machine. But it's probably not realistic, so
just allow any port to be bound and forwarded.
Also fix up some missing operations on sockets.
Reported-by: Laine Stump <laine@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/passt.te | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index 6cd61f1..438155d 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -62,9 +62,6 @@ logging_log_file(passt_log_t);
type passt_etc_t;
files_config_file(passt_etc_t);
-type passt_port_t;
-typeattribute passt_port_t port_type;
-
role unconfined_r types passt_t;
allow passt_t passt_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
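Review bot: dropping the passt_port_t type is a compatibility break for any system where an administrator already labelled ports with it, which is exactly what the previous policy intended them to do; once the type is gone, a policy rebuild with such local port definitions still present will likely fail with an undefined type. The commit message explains why the type is no longer needed, but it should also tell users to remove existing passt_port_t port labels before installing the updated module.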
@@ -100,16 +97,22 @@ allow passt_t net_conf_t:lnk_file read;
allow passt_t tmp_t:sock_file { create unlink write };
allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
-allow passt_t self:tcp_socket create_stream_socket_perms;
-corenet_tcp_sendrecv_generic_node(passt_t)
-corenet_tcp_bind_generic_node(passt_t)
-allow passt_t passt_port_t:tcp_socket { name_bind name_connect };
-allow passt_t http_port_t:tcp_socket { name_bind name_connect };
-allow passt_t self:udp_socket create_stream_socket_perms;
-corenet_udp_sendrecv_generic_node(passt_t)
-corenet_udp_bind_generic_node(passt_t)
-allow passt_t passt_port_t:udp_socket { name_bind };
+corenet_tcp_bind_all_nodes(passt_t)
+corenet_udp_bind_all_nodes(passt_t)
+
+corenet_tcp_bind_all_ports(passt_t)
+corenet_udp_bind_all_ports(passt_t)
+
+corenet_tcp_connect_all_ports(passt_t)
+
+corenet_tcp_sendrecv_all_ports(passt_t)
+corenet_udp_sendrecv_all_ports(passt_t)
+
allow passt_t node_t:icmp_socket { name_bind node_bind };
+allow passt_t port_t:icmp_socket name_bind;
+
+allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write };
+allow passt_t self:udp_socket { create getopt setopt connect bind read write };
allow passt_t self:icmp_socket { bind create setopt read write };
allow passt_t user_tmp_t:dir { add_name write };
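Review bot: the explicit self:tcp_socket and self:udp_socket sets are narrower than the create_stream_socket_perms macro they replace, which in refpolicy also grants ioctl, getattr, setattr and append; getattr in particular is what getsockname() and fstat() on a socket check for. Since the message says this hunk fixes "missing operations on sockets", state whether dropping those four is deliberate and was verified against audit, or restore them, e.g. `allow passt_t self:tcp_socket { create getattr getopt setopt connect bind listen accept shutdown read write };`. Separately, corenet_tcp_bind_all_ports() and corenet_udp_bind_all_ports() also cover reserved ports, which matters when libvirt runs passt as root; the message accepts the trade-off, and it would be clearer to say so explicitly.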
--
2.39.2
* [PATCH 4/4] contrib/selinux: Let interface users set paths for log, PID, socket files
From: Stefano Brivio @ 2023-03-06 23:28 UTC (permalink / raw)
To: passt-dev; +Cc: Laine Stump, Andrea Bolognani
Even libvirt itself will configure passt to write log, PID and socket
files to different locations depending on whether the domain is
started as root (/var/log/libvirt/...) or as a regular user
(/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the
latter.
Create interfaces for log and PID files, so that callers can specify
different file contexts for those, and modify the interface for the
UNIX socket file to allow different paths as well.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
contrib/selinux/passt.if | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index 893395b..6a6105c 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -30,8 +30,32 @@ interface(`passt_socket',`
type passt_t;
')
- allow $1 user_tmp_t:sock_file write;
+ allow $1 $2:sock_file write;
allow $1 passt_t:unix_stream_socket connectto;
+
+ allow passt_t $2:sock_file { create read write unlink };
+')
+
+interface(`passt_logfile',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ logging_log_file($1);
+ allow passt_t $1:dir { search write add_name };
+ allow passt_t $1:file { create open read write };
+')
+
+interface(`passt_pidfile',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ allow $1 $2:file { open read unlink };
+
+ files_pid_file($2);
+ allow passt_t $2:dir { search write add_name };
+ allow passt_t $2:file { create open write };
')
interface(`passt_kill',`
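Review bot: passt_socket() now requires a second argument ($2, the sock_file type) with no fallback, so every existing caller that passed only the domain (relying on the old user_tmp_t behaviour) stops building with an unexpanded $2; if the interface has a doc comment above this hunk, it still describes the one-argument form and needs updating too. The two new interfaces are also inconsistent with each other and with passt_socket(): passt_logfile() takes the file type as $1, while passt_pidfile() takes the caller domain as $1 and the file type as $2. Suggest one argument order for all three and a doc comment block for each new interface listing its parameters, as the existing interfaces in passt.if presumably have.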
--
2.39.2
* Re: [PATCH 0/4] Further adjustments for SELinux policy files
From: Laine Stump @ 2023-03-08 21:05 UTC (permalink / raw)
To: passt-dev; +Cc: Andrea Bolognani, Stefano Brivio
On 3/6/23 6:28 PM, Stefano Brivio wrote:
> This series addresses a number of issues or inconveniences shown by
> further testing against libvirt, essentially a 9.1.0 version patched
> up to fix the current breakage by starting passt in the "passt_t"
> domain.
>
> Stefano Brivio (4):
> contrib/selinux: Drop duplicate init_daemon_domain() rule
> contrib/selinux: Let passt write to stdout and stderr when it starts
> contrib/selinux: Allow binding and connecting to all UDP and TCP ports
> contrib/selinux: Let interface users set paths for log, PID, socket
> files
>
> contrib/selinux/passt.if | 26 +++++++++++++++++++++++++-
> contrib/selinux/passt.te | 29 ++++++++++++++++-------------
> 2 files changed, 41 insertions(+), 14 deletions(-)
>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com> (for what it's worth)
I was going to send this along with a link to my latest libvirt patches
that properly set the selinux context for passt when it is run, but am
having trouble with my sendmail setup so I haven't yet been able to post
them :-/