From 919c889b7d5aa3e964ad85b3abd3e313a9e356cb Mon Sep 17 00:00:00 2001 
From: Nicolas Iooss Date: Sun, 10 Feb 2019 21:38:02 +0100 Subject: [PATCH] Add policy for stubby DNS resolver Stubby is a DNS resolver that encrypts DNS queries and transmits them to a resolver in a TLS channel. It therefore requires fewer permissions than a traditional DNS resolver such as named or unbound (provided by module "bind"). cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby This program is packaged for Arch Linux, Debian, etc. DNS-over-TLS uses TCP port 853, which does not seem to conflict with existing ports. Label it like other DNS ports. init_dbus_chat(stubby_t) is required on systemd-based distributions because stubby's service uses DynamicUser=yes [1]. Without this statement, the following denials are reported by dbus: type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=649 scontext=system_u:system_r:stubby_t tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649 tpid=1 scontext=system_u:system_r:stubby_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return dest=:1.39 spid=1 tpid=649 scontext=system_u:system_r:init_t tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' [1] https://github.com/getdnsapi/stubby/blob/v0.2.5/systemd/stubby.service#L8
---
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/services/stubby.fc | 5 +++
 policy/modules/services/stubby.if | 1 +
 policy/modules/services/stubby.te | 51 +++++++++++++++++++++++++
 4 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 policy/modules/services/stubby.fc
 create mode 100644 policy/modules/services/stubby.if
 create mode 100644 policy/modules/services/stubby.te
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 221222ab7..af30e17ab 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -121,7 +121,7 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
 network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
-network_port(dns, tcp,53,s0, udp,53,s0)
+network_port(dns, tcp,53,s0, udp,53,s0, tcp,853,s0)
 network_port(dropbox, tcp,17500,s0, udp,17500,s0)
 network_port(efs, tcp,520,s0)
 network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0)
diff --git a/policy/modules/services/stubby.fc b/policy/modules/services/stubby.fc
new file mode 100644
index 000000000..3366b5ba2
--- /dev/null
+++ b/policy/modules/services/stubby.fc
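Review bot: Adding tcp 853 to the existing dns port type on the `+network_port(dns, ...)` line extends that port to every domain that already calls the corenet_*_bind_dns_port and corenet_*_connect_dns_port interfaces, not only to stubby_t; the commit message says the port is labelled like other DNS ports but does not mention this widening of the existing resolver domains. If that is intended, record it next to the line, e.g. `# tcp 853: DNS-over-TLS, deliberately shared with the plain DNS ports`. If it is not, a dedicated port type with its own bind/connect interfaces would keep the new port scoped to the domains that need it.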
@@ -0,0 +1,5 @@
+/etc/stubby(/.*)? -- gen_context(system_u:object_r:stubby_etc_t,s0)
+
+/usr/bin/stubby -- gen_context(system_u:object_r:stubby_exec_t,s0)
+
+/usr/lib/systemd/system/stubby.*\.service -- gen_context(system_u:object_r:stubby_unit_t,s0)
diff --git a/policy/modules/services/stubby.if b/policy/modules/services/stubby.if
new file mode 100644
index 000000000..266560b51
--- /dev/null
+++ b/policy/modules/services/stubby.if
@@ -0,0 +1 @@
+## DNS Privacy stub resolver.
diff --git a/policy/modules/services/stubby.te b/policy/modules/services/stubby.te
new file mode 100644
index 000000000..d751439ca
--- /dev/null
+++ b/policy/modules/services/stubby.te
@@ -0,0 +1,51 @@
+policy_module(stubby, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type stubby_t;
+type stubby_exec_t;
+init_daemon_domain(stubby_t, stubby_exec_t)
+
+type stubby_etc_t;
+files_config_file(stubby_etc_t)
+
+type stubby_unit_t;
+init_unit_file(stubby_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow stubby_t self:tcp_socket create_stream_socket_perms;
+allow stubby_t self:udp_socket create_stream_socket_perms;
+
+read_files_pattern(stubby_t, stubby_etc_t, stubby_etc_t)
+
+corenet_tcp_bind_dns_port(stubby_t)
+corenet_tcp_bind_generic_node(stubby_t)
+corenet_udp_bind_dns_port(stubby_t)
+corenet_udp_bind_generic_node(stubby_t)
+
+# DNS-over-TLS uses TCP port 853
+corenet_tcp_connect_dns_port(stubby_t)
+# DNS-over-HTTPS uses TCP port 443
+corenet_tcp_connect_http_port(stubby_t)
+
+# for /etc/trusted-key.key
+files_read_etc_files(stubby_t)
+
+miscfiles_read_generic_certs(stubby_t)
+miscfiles_read_localization(stubby_t)
+
+sysnet_read_config(stubby_t)
+
+ifdef(`init_systemd',`
+ # stubby systemd service uses DynamicUser=yes, which makes it call
+ # LookupDynamicUserByUID in order to get its own user name.
+ init_dbus_chat(stubby_t)
+ dbus_system_bus_client(stubby_t)
+')
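Review bot: The `--` qualifier on the `/etc/stubby(/.*)?` line restricts the match to regular files, so the /etc/stubby directory itself (and any subdirectory) is excluded from the `(/.*)?` pattern and keeps the label inherited from /etc instead of stubby_etc_t; only the files inside get the new type. The read_files_pattern() call in stubby.te grants search on stubby_etc_t directories, which then never applies, and config access works only because files_read_etc_files() happens to cover the parent label. Drop the qualifier on that line so the directory is labelled consistently: `/etc/stubby(/.*)?	gen_context(system_u:object_r:stubby_etc_t,s0)`.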
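Review bot: `allow stubby_t self:udp_socket create_stream_socket_perms;` grants listen/accept permissions that have no meaning for a datagram socket; refpolicy uses `create_socket_perms` for udp_socket, so that line should read `allow stubby_t self:udp_socket create_socket_perms;`. The port-type interfaces alone (corenet_*_bind_dns_port, corenet_tcp_connect_dns_port/http_port, corenet_*_bind_generic_node) also leave out the node/interface sendrecv and packet-class permissions that other network daemons in refpolicy pair with them, so stubby's traffic may be denied on systems using labeled networking (netlabel or secmark); the usual companion calls are shown below. Note as well that corenet_tcp_connect_http_port() opens every port in http_port_t rather than only 443, which is wider than the DNS-over-HTTPS comment suggests and may deserve a comment or a tunable if intentional.

```selinux
# … unchanged: declarations …
allow stubby_t self:tcp_socket create_stream_socket_perms;
allow stubby_t self:udp_socket create_socket_perms;

read_files_pattern(stubby_t, stubby_etc_t, stubby_etc_t)

corenet_all_recvfrom_netlabel(stubby_t)
corenet_tcp_sendrecv_generic_if(stubby_t)
corenet_udp_sendrecv_generic_if(stubby_t)
corenet_tcp_sendrecv_generic_node(stubby_t)
corenet_udp_sendrecv_generic_node(stubby_t)

# stub resolver serving local clients on the DNS ports
corenet_sendrecv_dns_server_packets(stubby_t)
corenet_tcp_bind_dns_port(stubby_t)
corenet_tcp_bind_generic_node(stubby_t)
corenet_udp_bind_dns_port(stubby_t)
corenet_udp_bind_generic_node(stubby_t)

# DNS-over-TLS uses TCP port 853
corenet_sendrecv_dns_client_packets(stubby_t)
corenet_tcp_connect_dns_port(stubby_t)
# DNS-over-HTTPS uses TCP port 443 (http_port_t also covers the other web ports)
corenet_sendrecv_http_client_packets(stubby_t)
corenet_tcp_connect_http_port(stubby_t)
# … unchanged: files/miscfiles/sysnet rules and the init_systemd block …
```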