919c889b7d
Stubby is a DNS resolver that encrypts DNS queries and transmits them to a resolver in a TLS channel. It therefore requires less permissions than a traditionnal DNS resolver such as named or unbound (provided by module "bind"). cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby This program is packaged for Arch Linux, Debian, etc. DNS-over-TLS uses TCP port 853, which does not seem to conflict with existing ports. Label it like other DNS ports. init_dbus_chat(stubby_t) is required on systemd-based distributions because stubby's service uses DynamicUser=yes [1]. Without this statement, the following denials are reported by dbus: type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=649 scontext=system_u:system_r:stubby_t tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649 tpid=1 scontext=system_u:system_r:stubby_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return dest=:1.39 spid=1 tpid=649 scontext=system_u:system_r:init_t tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' [1] https://github.com/getdnsapi/stubby/blob/v0.2.5/systemd/stubby.service#L8
52 lines
1.2 KiB
Plaintext
52 lines
1.2 KiB
Plaintext
policy_module(stubby, 1.0.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type stubby_t;
|
|
type stubby_exec_t;
|
|
init_daemon_domain(stubby_t, stubby_exec_t)
|
|
|
|
type stubby_etc_t;
|
|
files_config_file(stubby_etc_t)
|
|
|
|
type stubby_unit_t;
|
|
init_unit_file(stubby_unit_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow stubby_t self:tcp_socket create_stream_socket_perms;
|
|
allow stubby_t self:udp_socket create_stream_socket_perms;
|
|
|
|
read_files_pattern(stubby_t, stubby_etc_t, stubby_etc_t)
|
|
|
|
corenet_tcp_bind_dns_port(stubby_t)
|
|
corenet_tcp_bind_generic_node(stubby_t)
|
|
corenet_udp_bind_dns_port(stubby_t)
|
|
corenet_udp_bind_generic_node(stubby_t)
|
|
|
|
# DNS-over-TLS uses TCP port 853
|
|
corenet_tcp_connect_dns_port(stubby_t)
|
|
# DNS-over-HTTPS uses TCP port 443
|
|
corenet_tcp_connect_http_port(stubby_t)
|
|
|
|
# for /etc/trusted-key.key
|
|
files_read_etc_files(stubby_t)
|
|
|
|
miscfiles_read_generic_certs(stubby_t)
|
|
miscfiles_read_localization(stubby_t)
|
|
|
|
sysnet_read_config(stubby_t)
|
|
|
|
ifdef(`init_systemd',`
|
|
# stubby systemd service uses DynamicUser=yes, which makes it call
|
|
# LookupDynamicUserByUID in order to get its own user name.
|
|
init_dbus_chat(stubby_t)
|
|
dbus_system_bus_client(stubby_t)
|
|
')
|