RepoMirrors/selinux-refpolicy
1
0
Fork 0
mirror of https://github.com/SELinuxProject/refpolicy synced 2025-03-25 04:26:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
919c889b7d
selinux-refpolicy/policy/modules/kernel
History
Nicolas Iooss 919c889b7d
Add policy for stubby DNS resolver 
Stubby is a DNS resolver that encrypts DNS queries and transmits them to
a resolver in a TLS channel. It therefore requires less permissions than
a traditionnal DNS resolver such as named or unbound (provided by module
"bind").

cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

This program is packaged for Arch Linux, Debian, etc.

DNS-over-TLS uses TCP port 853, which does not seem to conflict with
existing ports. Label it like other DNS ports.

init_dbus_chat(stubby_t) is required on systemd-based distributions
because stubby's service uses DynamicUser=yes [1]. Without this
statement, the following denials are reported by dbus:

    type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.DBus member=Hello
    dest=org.freedesktop.DBus spid=649
    scontext=system_u:system_r:stubby_t
    tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

    type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649
    tpid=1 scontext=system_u:system_r:stubby_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

    type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.39
    spid=1 tpid=649 scontext=system_u:system_r:init_t
    tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

[1] https://github.com/getdnsapi/stubby/blob/v0.2.5/systemd/stubby.service#L8
2019-02-17 22:16:33 +01:00
..
corecommands.fc more misc stuff 2019-02-01 14:16:57 -05:00
corecommands.if Add new mmap permission set and pattern support macros. 2017-12-13 18:58:34 -05:00
corecommands.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
corenetwork.fc Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
corenetwork.if.in Remove undeclared identifiers from interfaces 2018-04-12 18:44:50 -04:00
corenetwork.if.m4 refpolicy: Infiniband pkeys and endports 2017-05-24 19:23:18 -04:00
corenetwork.te.in Add policy for stubby DNS resolver 2019-02-17 22:16:33 +01:00
corenetwork.te.m4 refpolicy: Infiniband pkeys and endports 2017-05-24 19:23:18 -04:00
devices.fc vhost: Add /dev/vhost-scsi device of type vhost_device_t. 2018-07-15 16:43:45 -04:00
devices.if devices: introduce dev_dontaudit_read_sysfs 2019-01-23 18:40:57 -05:00
devices.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
domain.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
domain.if Add new mmap permission set and pattern support macros. 2017-12-13 18:58:34 -05:00
domain.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
files.fc Move the use of initrc_var_run_t from files.fc to init.fc 2018-04-12 18:44:50 -04:00
files.if files: introduce files_dontaudit_read_etc_files 2019-01-23 18:40:57 -05:00
files.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
filesystem.fc Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
filesystem.if fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface 2019-01-26 21:50:12 +03:00
filesystem.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
kernel.fc Add fc for /sys/kernel/debug as debugfs_t 2015-05-06 09:49:40 -04:00
kernel.if kernel: introduce kernel_dontaudit_read_kernel_sysctl 2019-01-23 18:40:57 -05:00
kernel.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
mcs.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
mcs.if remove trailing whitespaces 2016-12-06 13:45:13 +01:00
mcs.te Bump module versions for release. 2013-04-24 16:14:52 -04:00
metadata.xml remove extra level of directory 2006-07-12 20:32:27 +00:00
mls.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
mls.if Remove unused translate permission in context userspace class. 2018-10-13 13:39:18 -04:00
mls.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
selinux.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
selinux.if selinux: compute_access_vector requires creating netlink_selinux_sockets 2018-07-10 17:25:11 -04:00
selinux.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
storage.fc storage: Add fcontexts for NVMe disks 2017-12-13 18:19:29 -05:00
storage.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
storage.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
terminal.fc Move use of user_devpts_t from terminal.fc to userdomain.fc 2018-04-12 18:44:50 -04:00
terminal.if terminal: Rename term_create_devpts. 2017-09-11 20:03:58 -04:00
terminal.te Bump module versions for release. 2018-07-01 11:02:33 -04:00
ubac.fc trunk: add missing ubac module. 2008-11-05 16:11:27 +00:00
ubac.if Improve the documentation of ubac_constrained(). 2010-03-02 11:28:44 -05:00
ubac.te Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00