Stubby is a DNS resolver that encrypts DNS queries and transmits them to
a resolver in a TLS channel. It therefore requires fewer permissions than
a traditional DNS resolver such as named or unbound (provided by module
"bind").
cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
This program is packaged for Arch Linux, Debian, etc.
DNS-over-TLS uses TCP port 853, which does not seem to conflict with
existing ports. Label it like other DNS ports.
init_dbus_chat(stubby_t) is required on systemd-based distributions
because stubby's service uses DynamicUser=yes [1]. Without this
statement, the following denials are reported by dbus:
type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=649
scontext=system_u:system_r:stubby_t
tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.systemd1.Manager
member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649
tpid=1 scontext=system_u:system_r:stubby_t
tcontext=system_u:system_r:init_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_return dest=:1.39
spid=1 tpid=649 scontext=system_u:system_r:init_t
tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[1] https://github.com/getdnsapi/stubby/blob/v0.2.5/systemd/stubby.service#L8

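The three USER_AVC records quoted above are the evidence for the init_dbus_chat(stubby_t) call, so it is worth seeing how a policy author reads them mechanically. The following is an added example, not code from refpolicy or from the stubby project: it parses dbus-daemon USER_AVC records (constructed inline from the records quoted in this message, re-joined onto one line each as auditd emits them), extracts the source and target types, the object class, the denied permissions and the D-Bus method involved, and reports which domains exchanged messages with init_t in either direction. Those are the pairs the commit says init_dbus_chat() covers; the Hello call to org.freedesktop.DBus is the bus connection handshake with system_dbusd_t and is a separate pair. The grouping rule and the helper names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the three USER_AVC records from the commit message,
# each on a single line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=649 scontext=system_u:system_r:stubby_t tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649 tpid=1 scontext=system_u:system_r:stubby_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return dest=:1.39 spid=1 tpid=649 scontext=system_u:system_r:init_t tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""


@dataclass(frozen=True)
class DbusDenial:
    """One USER_AVC record as forwarded to audit by dbus-daemon."""
    source: str        # source domain type, e.g. stubby_t
    target: str        # target domain type, e.g. init_t
    tclass: str        # object class, "dbus" for these records
    perms: tuple       # denied permissions, e.g. ("send_msg",)
    msgtype: str       # method_call, method_return, signal, ...
    interface: str     # empty for method_return records
    member: str        # D-Bus method name, empty for method_return
    permissive: bool   # True when the domain was only logging, not enforcing


# key=value pairs; values are either double-quoted or a run of non-space chars
_FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")
# the permission set inside "denied { ... }"
_PERMS = re.compile(r"denied \{ ([^}]*) \}")


def _type_of(context: str) -> str:
    """system_u:system_r:stubby_t -> stubby_t (any MLS/MCS suffix is ignored)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_user_avc(line: str) -> Optional[DbusDenial]:
    """Parse one USER_AVC line; return None for any other record type."""
    line = line.strip()
    if not line.startswith("type=USER_AVC"):
        return None
    perms = _PERMS.search(line)
    if perms is None:
        return None
    fields = {}
    for key, value in _FIELD.findall(line):
        # drop the quotes around exe="..." and the closing quote of msg='...'
        fields[key] = value.strip('"').rstrip("'")
    return DbusDenial(
        source=_type_of(fields.get("scontext", "")),
        target=_type_of(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
        perms=tuple(perms.group(1).split()),
        msgtype=fields.get("msgtype", ""),
        interface=fields.get("interface", ""),
        member=fields.get("member", ""),
        permissive=fields.get("permissive") == "1",
    )


def parse_audit(text: str) -> List[DbusDenial]:
    """Parse every USER_AVC record in an audit.log excerpt."""
    return [d for d in (parse_user_avc(l) for l in text.splitlines()) if d]


def domains_needing_init_dbus_chat(denials: List[DbusDenial]) -> Set[str]:
    """Domains that sent to, or received from, init_t over D-Bus.

    Assumption of this example: a dbus send_msg denial between a domain and
    init_t in either direction is what init_dbus_chat(domain) is meant to
    resolve, as the commit message states for stubby_t.
    """
    out = set()
    for d in denials:
        if d.tclass != "dbus" or "send_msg" not in d.perms:
            continue
        if d.target == "init_t":
            out.add(d.source)
        elif d.source == "init_t":
            out.add(d.target)
    return out


if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    for r in records:
        print(f"{r.source} -> {r.target} {r.tclass} {r.perms} "
              f"{r.msgtype} {r.interface} {r.member} permissive={r.permissive}")
    print("init_dbus_chat() candidates:", sorted(domains_needing_init_dbus_chat(records)))
```

Run against a live log, filter on `type=USER_AVC` first (the kernel's own `type=AVC` records have a different field layout), and check `permissive` before assuming the service actually failed: with permissive=1 the operation went through and was only reported.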
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.

Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.
Endports are all unlabeled by default; sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.
This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>

The dropbox application has a feature called "LAN Sync" which works on
TCP & UDP port 17500. Marking this port as dropbox_port_t (instead of
the currently default unreserved_port_t) allows for more fine-grained
access control to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>