Add a policy for ejabberd.

[bowlofeggs]

This pull request may depend on OwlCyberDefense/refpolicy#114 being fixed to work effectively, but I wanted to go ahead and get the code upstream. I've also send a PR with this code to Fedora's contrib policy:

fedora-selinux/selinux-policy-contrib#8

Signed-off-by: Randy Barlow [email protected]

[cgzones]

just some thoughts, although i do not have any experience with ejabberd

[cgzones]

better regex might be /var/lib/ejabberd(/.*)?; there shouldn't be files in /var/lib

[cgzones]

these two line can be combined into admin_process_pattern($1, ejabberd_t)

[cgzones]

these three line should be replaced by init_startstop_service($1, $2, ejabberd_t, ejabberd_initrc_exec_t, ejabberd_unit_t) for restarting the service as root

[cgzones]

gen_require should not be used: class ones are not necessary and the net_conf_t should be include in a macro call

[cgzones]

macro calls describing a type, like this, should be next to the type definition

[cgzones]

this is only needed when the entrypoint of the domain is a shell script.
As ejabberd_t's entrypoint is /usr/bin/ejabberdctl this should not be necessary

[bowlofeggs]

/usr/bin/ejabberdctl is a shell script. Does that make this necessary?

[cgzones]

dev_list_sysfs(ejabberd_t) is superseded by dev_read_sysfs(ejabberd_t)

[cgzones]

in my opinion application should not be able to create /var/lib entries, the package manager or installation script should handle this
so this might be replaced by files_search_var_lib

[cgzones]

this is a fedora specific interface, maybe logging_send_syslog_msg could fit

[cgzones]

this is superseded by files_type(ejabberd_var_lib_t)

[ghost]

On Sun, Apr 09, 2017 at 11:17:25AM -0700, Randy Barlow wrote: bowlofeggs commented on this pull request. > +systemd_unit_file(ejabberd_unit_file_t) + +domain_type(ejabberd_t) +domain_entry_file(ejabberd_t, ejabberd_exec_t) + +logging_log_file(ejabberd_var_log_t) + + +# What will we allow +allow ejabberd_t net_conf_t:lnk_file read; + +allow ejabberd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write }; +allow ejabberd_t self:udp_socket { bind connect create getattr getopt read setopt write }; +allow ejabberd_t self:unix_dgram_socket { connect create getopt setopt write }; + +auth_read_passwd(ejabberd_t) ejabberd has a built-in PAM module for authentication, which is why it is trying to read the /etc/passwd file.

Reading /etc/passwd is very common for nss, and is part of auth_use_nsswith() which you should use for ejabberd_t if you arent already

…

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #57 (comment)

-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift

[ghost]

On Sun, Apr 09, 2017 at 11:18:33AM -0700, Randy Barlow wrote: bowlofeggs commented on this pull request. > +logging_log_file(ejabberd_var_log_t) + + +# What will we allow +allow ejabberd_t net_conf_t:lnk_file read; + +allow ejabberd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write }; +allow ejabberd_t self:udp_socket { bind connect create getattr getopt read setopt write }; +allow ejabberd_t self:unix_dgram_socket { connect create getopt setopt write }; + +auth_read_passwd(ejabberd_t) + +corecmd_exec_bin(ejabberd_t) +corecmd_exec_shell(ejabberd_t) +corecmd_mmap_bin_files(ejabberd_t) +corecmd_shell_entry_type(ejabberd_t) /usr/bin/ejabberdctl is a shell script. Does that make this necessary?

Unlikely, remove corecmd_shell_entry_type(ejabberd_t) and then if you see any related avc denials enclose them.

…

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #57 (comment)

-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift

[bowlofeggs]

@cgzones and @doverride,

Thanks for all the helpful tips! As you can probably tell, this is my first SELinux policy so I lack a lot of familiarity with all the macros. I believe I now have all of your suggestions in place, and I've sent this same policy to the Fedora-specific policy with the exception of keeping the Fedora-specific logging statement in that one.

The Fedora version of this seems to work well on my ejabberd system.

Let me know if there are other changes I should make, and thanks again!

[pebenito]

One question about rules, otherwise it needs some style cleanup. https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide

[pebenito]

Does this work without networkmanager (is networkmanager a hard dependency?)

[bowlofeggs]

Hello @pebenito,

I don't believe that networkmanager is a hard dependency of ejabberd. It sounds like @doverride is recommending that I use sysnet_read_config() instead, so I'll make that change.

[ghost]

On 04/27/2017 12:09 AM, Chris PeBenito wrote: pebenito requested changes on this pull request. One question about rules, otherwise it needs some style cleanup. https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide > + +files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir) + +kernel_dgram_send(ejabberd_t)

This is journal logging should probably be part of logging_send_syslog_msg()

+ +logging_send_syslog_msg(ejabberd_t) +logging_log_filetrans(ejabberd_t, ejabberd_var_log_t, { dir file }) + +manage_dirs_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t) +manage_dirs_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t) +manage_files_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t) +manage_files_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t) + +miscfiles_read_generic_certs(ejabberd_t) + +networkmanager_read_pid_files(ejabberd_t) Does this work without networkmanager (is networkmanager a hard dependency?)

its reading /run/NetworkManager/resolv.conf which should be part of sysnet_read_config() i suppose

…

-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift

[bowlofeggs]

I have made the requested changes:

$ git diff
diff --git a/ejabberd.te b/ejabberd.te
index 4e4088b..966bb0d 100644
--- a/ejabberd.te
+++ b/ejabberd.te
@@ -42,8 +42,6 @@ dev_read_sysfs(ejabberd_t)
 
 files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir)
 
-kernel_dgram_send(ejabberd_t)
-
 logging_send_syslog_msg(ejabberd_t)
 logging_log_filetrans(ejabberd_t, ejabberd_var_log_t, { dir file })
 
@@ -54,4 +52,4 @@ manage_files_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t)
 
 miscfiles_read_generic_certs(ejabberd_t)
 
-networkmanager_read_pid_files(ejabberd_t)
+sysnet_read_config(ejabberd_t)

[bowlofeggs]

@doverride I think dropping the kernel_dgram_send() might not work. At least, it doesn't work on my Fedora Rawhide system as ejabberd hangs during startup, and audit2allow show this:

sudo audit2allow -Rbl

require {
        type ejabberd_t;
}

#============= ejabberd_t ==============
kernel_dgram_send(ejabberd_t)

Thus, I am going to add it back.

[ghost]

On Sun, Apr 30, 2017 at 09:34:08AM -0700, Randy Barlow wrote: @doverride I think dropping the ```kernel_dgram_send()``` might not work. At least, it doesn't work on my Fedora Rawhide system as ejabberd hangs during startup, and ```audit2allow``` show this: ``` sudo audit2allow -Rbl require { type ejabberd_t; } #============= ejabberd_t ============== kernel_dgram_send(ejabberd_t) ``` Thus, I am going to add it back.

Okay, I suspect that this is (should be) part of logging_send_syslog_msg() but if fedora/refpolicy does not include this access as part of that interface then i supose you'd have to add it in manually.

…

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #57 (comment)

-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift

[bowlofeggs]

@doverride if we are confident that it is part of logging_send_syslog_msg() in refpol, I'm happy to switch it back but I don't have a setup I can use to verify that it works.

[ghost]

On Sun, Apr 30, 2017 at 09:44:03AM -0700, Randy Barlow wrote: @doverride if we are confident that it is part of ```logging_send_syslog_msg()``` in refpol, I'm happy to add it back but I don't have a setup I can use to verify that it works.

I was not suggesting that it *is* part of logging_send_syslog_msg(), instead i was merely thinking out loud that this access should * ideally be* part of logging_send_syslog_msg()

…

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #57 (comment)

-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift

[bowlofeggs]

Ah. Thanks for the review!

[pebenito]

Closing stale PR. Please reopen when/if you will be providing updates.

[bowlofeggs]

@pebenito I wasn't aware that updates were required from me. From my perspective, I thought I was just waiting for further review or a merge. Can you clarify what I should do to get this merged?

[pebenito]

Mainly stylistic fixes needed.

[pebenito]

Missing module summary tag

[pebenito]

Indents should be tabs

[pebenito]

Needs to be ordered and commented per the Style Guide, including the header comment blocks like in other modules. Also module version 1.0.0.

[pebenito]

Please review the existing permission set macros to see if they can be used instead of the verbose permission lists here.