This repository has been archived by the owner. It is now read-only.

Syncthing Policy Module #26

Merged
merged 1 commit into from Oct 9, 2016

Conversation

3 participants
@naftulikay
Contributor

naftulikay commented Aug 21, 2016

Policy governing Syncthing - a file synchronization utility written in Go.

Dependent upon TresysTechnology/refpolicy#37.

@naftulikay naftulikay changed the title from Syncthing Policy to Syncthing Policy Module Aug 21, 2016

@@ -0,0 +1,8 @@
# binary

@doverride

doverride Aug 21, 2016

Collaborator

These comments aren't needed. It's too obvious.

@naftulikay

naftulikay Aug 21, 2016

Contributor

Working on it.

# binary
/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
/usr/local/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
HOME_DIR/.local/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)

@doverride

doverride Aug 21, 2016

Collaborator

This is not desired, and probably not needed. The transition happens on /usr/bin/syncthing

@naftulikay

naftulikay Aug 21, 2016

Contributor

There are multiple ways of installing syncthing. I could probably condense /usr/(local/)?bin/syncthing.

Installing Syncthing as a fat binary in your homedir allows Syncthing to automatically update itself outside of package management. While that's a whole different problem, some users might want this for distros that aren't yet packaging it (i.e. Fedora).

@doverride

doverride Aug 21, 2016

Collaborator

On 08/21/2016 09:14 PM, Naftuli Tzvi Kay wrote:

@@ -0,0 +1,8 @@
+# binary
+/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+/usr/local/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+HOME_DIR/.local/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)

There are multiple ways of installing syncthing. I could probably condense /usr/(local/)?bin/syncthing.

Installing Syncthing as a fat binary in your homedir allows Syncthing to automatically update itself outside of package management. While that's a whole different problem, some users might want this for distros that aren't yet packaging it (i.e. Fedora).

Naw, that would never work this way. Users will not be able to manage
that file in ~/.local/bin. Just drop that.

Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

@@ -0,0 +1,8 @@
# binary
/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
/usr/local/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)

@doverride

doverride Aug 21, 2016

Collaborator

/usr/local/bin should probably be made equivalent to /usr/bin instead

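To check how the file_contexts lines in this review actually resolve before building the policy, the following POSIX shell function is an added example (not part of the pull request) approximating matchpathcon(8): it anchors each regex at both ends the way libselinux does and picks the most specific match, approximated here by the longest regex. The entries are the reviewed ones plus a generic home entry and ~/.ssh with its private type, with HOME_DIR already expanded for a constructed user /home/vagrant (an assumption; genhomedircon does that expansion with system_u at policy load time). File-type flags such as -- and -d are ignored.

```shell
#!/bin/sh
# Added example, not part of the pull request: a matchpathcon(8)-style lookup
# over a constructed file_contexts table.  Simplifications (assumptions):
#   - file-type flags (--, -d, ...) are ignored
#   - "most specific entry" is approximated by the longest regex
#   - HOME_DIR is already expanded for one user, /home/vagrant
FC_ENTRIES='/usr/(local/)?bin/syncthing -- system_u:object_r:syncthing_exec_t:s0
/home/vagrant/\.config/syncthing(/.*)? system_u:object_r:syncthing_config_home_t:s0
/home/vagrant/.* system_u:object_r:user_home_t:s0
/home/vagrant/\.ssh(/.*)? system_u:object_r:ssh_home_t:s0'

# fc_lookup PATH: print the full context of the best matching entry, or nothing
fc_lookup() {
    path=$1
    printf '%s\n' "$FC_ENTRIES" | while read -r regex rest; do
        # strip an optional file-type flag that precedes the context
        case $rest in
            '-- '*|'-d '*|'-l '*|'-s '*|'-p '*|'-c '*|'-b '*) ctx=${rest#* } ;;
            *) ctx=$rest ;;
        esac
        # file_contexts regexes are implicitly anchored at both ends
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            printf '%s %s\n' "${#regex}" "$ctx"
        fi
    done | sort -rn | head -n 1 | cut -d ' ' -f 2
}

# fc_type PATH: only the type field of the chosen context
fc_type() {
    fc_lookup "$1" | cut -d ':' -f 3
}
```

On a real system `matchpathcon -V` and `restorecon -nv` give the authoritative answer; the point of the offline version is to see that `/usr/(local/)?bin/syncthing` covers both install locations, that `\.config` is escaped so `/home/vagrant/Xconfig/...` stays generic, and that `~/.ssh` keeps its private type, which is exactly why generic home content rules cannot reach it.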
# config files
HOME_DIR/\.config/syncthing(/.*)? -d gen_context(unconfined_u:object_r:syncthing_config_home_t,s0)
HOME_DIR/\.config/syncthing(/.*)? -- gen_context(unconfined_u:object_r:syncthing_config_home_t,s0)

@doverride

doverride Aug 21, 2016

Collaborator

This can be a single entry, also use system_u instead of unconfined_u. genhomedircon has system_u hard-coded and so it would not be smart enough to deal with this even if this would make sense (which it doesn't):

HOME_DIR/\.config/syncthing(/.*)?       gen_context(system_u:object_r:syncthing_config_home_t,s0)

@naftulikay

naftulikay Aug 21, 2016

Contributor

Okay, updating.

## User domain for the role
## </summary>
## </param>
#

@doverride

doverride Aug 21, 2016

Collaborator

Indentation issues above

# Policy
domtrans_pattern($2, syncthing_exec_t, syncthing_t)
')

@doverride

doverride Aug 21, 2016

Collaborator

This interface should provide access to manage and relabel syncthing_config_home_t type content. Else the login shell domain is not allowed to manage and relabel ~/.config/syncthing

@naftulikay

naftulikay Aug 21, 2016

Contributor

@doverride so should I do this:

role $1 types syncthing_config_home_t;
userdom_user_home_dir_filetrans($2, syncthing_config_home_t, dir, "syncthing")

Since syncthing_config_home_t has the user_home_content attribute, it should be able to be r/w by the user.

@doverride

doverride Aug 22, 2016

Collaborator

On 08/21/2016 11:03 PM, Naftuli Tzvi Kay wrote:

+##

+##
+#
+interface(`syncthing_role',`
+

+	gen_require(`
+		attribute_role syncthing_roles;
+
+		type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+	')
+
+	# Declarations
+
+	roleattribute $1 syncthing_roles;
+
+	# Policy
+
+	domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+')

@doverride so should I do this:

role $1 types syncthing_config_home_t;
userdom_user_home_dir_filetrans($2, syncthing_config_home_t, dir, "syncthing")

Since syncthing_config_home_t has the user_home_content attribute, it should be able to be r/w by the user.

No, that is a property specific to the RedHat refpolicy fork.

Something like:

allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };


## Domain to allow access.
## </summary>
## </param>
#

@doverride

doverride Aug 21, 2016

Collaborator

indentation issues above, but summary is also inaccurate

type syncthing_config_home_t;
userdom_user_home_content(syncthing_config_home_t)

# file permissions
fs_getattr_xattr_fs(syncthing_t)
userdom_manage_user_home_content(syncthing_t)

@doverride

doverride Aug 21, 2016

Collaborator

Can you tell us a bit about your decision to allow this?

@naftulikay

naftulikay Aug 21, 2016

Contributor

Syncthing does not have a well-defined default folder for syncing files ala Dropbox.

I'll probably be using it to sync ~/Music, others will probably want to sync ~/Documents, still others might sync an entirely different home directory or multiple directories at once.

The shared directory it creates by default is ~/Sync, but most users are going to configure it to sync the directories they actually care about.

@naftulikay

naftulikay Aug 21, 2016

Contributor

If there is a macro that defines "non-security-related home content," I'd happily use that instead.

@doverride

doverride Aug 21, 2016

Collaborator

Naw in theory, as far as I am concerned, something like this should be fine. Although I would limit this to files and dirs only instead.

But yes besides this you will probably want to make sure that any dirs and files created in ~ will also be supported. That means that you would also need to add type transition rules so that files and dirs created in ~ will be created with an auto type transition from user_home_dir_t to user_home_t

@doverride

doverride Aug 21, 2016

Collaborator

As for "non-security-related". That interface is exactly that. It only deals with generic user_home_t type content, which in my view should be share-able. It will not allow for example one to sync ~/.ssh because that has a private type.

@naftulikay

naftulikay Aug 21, 2016

Contributor

That means that you would also need to add type transition rules so that files and dirs created in ~ will be created with an auto type transition from user_home_dir_t to user_home_t

How should I accomplish that? There are quite a few different folders/types which could be created by syncthing_t on start, could be audio_home_t, etc.

@doverride

doverride Aug 22, 2016

Collaborator

On 08/21/2016 11:07 PM, Naftuli Tzvi Kay wrote:

@@ -0,0 +1,45 @@
+policy_module(syncthing, 1.0.0)
+
+# define types
+type syncthing_t;
+type syncthing_exec_t;
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+# file permissions
+fs_getattr_xattr_fs(syncthing_t)
+
+userdom_manage_user_home_content(syncthing_t)
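Review bot: syncthing_config_home_t is declared (+type syncthing_config_home_t; / +userdom_user_home_content(syncthing_config_home_t)) but nothing in this hunk lets syncthing_t read or write it; userdom_manage_user_home_content() only reaches generic user_home_t content, so ~/.config/syncthing, which the .fc labels with the private type, would be denied in enforcing mode. Add manage rules for the private type (manage_dirs_pattern/manage_files_pattern, or allow rules with manage_dir_perms/manage_file_perms) plus a file transition into it, and rename the "# define types" / "# file permissions" section comments to the Declarations/Policy layout the .if hunk already uses.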

That means that you would also need to add type transition rules so that files and dirs created in ~ will be created with an auto type transition from user_home_dir_t to user_home_t

How should I accomplish that? There are quite a few different folders/types which could be created by syncthing_t on start, could be audio_home_t, etc.

Something like:

userdom_manage_user_home_content_dirs(syncthing_t)
userdom_manage_user_home_content_files(syncthing_t)
userdom_home_dir_filetrans_user_home_content_files(syncthing_t)
userdom_home_dir_filetrans_user_home_content_dirs(syncthing_t)


@doverride

doverride Aug 22, 2016

Collaborator

On 08/21/2016 11:07 PM, Naftuli Tzvi Kay wrote:

@@ -0,0 +1,45 @@
+policy_module(syncthing, 1.0.0)
+
+# define types
+type syncthing_t;
+type syncthing_exec_t;
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+# file permissions
+fs_getattr_xattr_fs(syncthing_t)
+
+userdom_manage_user_home_content(syncthing_t)

That means that you would also need to add type transition rules so that files and dirs created in ~ will be created with an auto type transition from user_home_dir_t to user_home_t

How should I accomplish that? There are quite a few different folders/types which could be created by syncthing_t on start, could be audio_home_t, etc.

Also audio_home_t is, I suspect, a Redhat refpolicy fork specific
type. It's a fluke in my opinion, should never have been implemented. I
think they implemented that for MPD so that they could restrict mpd
ability to read ~/Audio.

syncthing, in my opinion, should only be able to sync generic user home
content, everything else should be silently denied.


# networking
userdom_basic_networking(syncthing_t)

@doverride

doverride Aug 21, 2016

Collaborator

Does the above even exist? If it does then I doubt that it should be used here

@naftulikay

naftulikay Aug 21, 2016

Contributor

userdom_basic_networking? Might be downstream in Fedora/RedHat land 😞

Can you suggest an alternate?

@doverride

doverride Aug 22, 2016

Collaborator

On 08/21/2016 11:09 PM, Naftuli Tzvi Kay wrote:

+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+# file permissions
+fs_getattr_xattr_fs(syncthing_t)
+
+userdom_manage_user_home_content(syncthing_t)
+
+# read randomness
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+# networking
+userdom_basic_networking(syncthing_t)
+
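Review bot: +dev_read_rand(syncthing_t) grants the blocking /dev/random on top of +dev_read_urand(syncthing_t); unless a denial on /dev/random was actually observed, drop it and keep only dev_read_urand(). The same denial-driven standard applies to +userdom_basic_networking(syncthing_t): it is not a reference policy interface (the thread already suspects it is a downstream one), so replace it with the specific corenet_*/sysnet_* calls that the observed AVC denials justify.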

userdom_basic_networking? Might be downstream in Fedora/RedHat land 😞

Can you suggest an alternate?

Would need more information about what exactly prompted you to use this
(specific avc denials would be best)


corenet_udp_sendrecv_syncthing_discovery_port(syncthing_t)
# file transitions
syncthing_config_filetrans(syncthing_t)

@doverride

doverride Aug 21, 2016

Collaborator

Incomplete. This only takes care of automatic file type transitions. It does not actually allow syncthing to manage this content.

@naftulikay

naftulikay Aug 21, 2016

Contributor

Syncthing is allowed to manage the content via userdom_manage_user_home_content(syncthing_t) above.

@doverride

doverride Aug 22, 2016

Collaborator

On 08/21/2016 11:09 PM, Naftuli Tzvi Kay wrote:

+sysnet_dns_name_resolve(syncthing_t)
+
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_udp_bind_generic_node(syncthing_t)
+
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_tcp_sendrecv_syncthing_port(syncthing_t)
+
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+corenet_tcp_sendrecv_syncthing_admin_port(syncthing_t)
+
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_udp_sendrecv_syncthing_discovery_port(syncthing_t)
+
+# file transitions
+syncthing_config_filetrans(syncthing_t)
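Review bot: the port rules bind and send/receive on the sync port (+corenet_tcp_bind_syncthing_port / +corenet_tcp_sendrecv_syncthing_port) but never connect to it; a synchronisation client also dials the other device on that port, so either add corenet_tcp_connect_syncthing_port(syncthing_t) or show a run in which no connect denial appears. The +corenet_tcp_bind_generic_node / +corenet_udp_bind_generic_node pair is fine as is.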

Syncthing is allowed to manage the content via userdom_manage_user_home_content(syncthing_t) above.

No that interface only applies to generic user home content
(user_home_t), and thus not private home content associated with type
syncthing_config_home_t

Try this:

allow syncthing_t syncthing_config_home_t:dir manage_dir_perms;
allow syncthing_t syncthing_config_home_t:file manage_file_perms;


# roles
attribute_role syncthing_roles;
role syncthing_roles types syncthing_t syncthing_config_home_t;

@doverride

doverride Aug 21, 2016

Collaborator

syncthing_roles need not be associated with syncthing_config_home_t. Since RBAC does not apply to objects.

@naftulikay

naftulikay Aug 21, 2016

Contributor

Right.

optional_policy(`
gen_require(`
type config_home_t;
type syncthing_config_home_t;

@doverride

doverride Aug 21, 2016

Collaborator

It is not permitted to directly reference external types (config_home_t)

@doverride

Collaborator

doverride commented Aug 21, 2016

General note/query. I suspect that you have developed this policy using the RedHat reference policy fork. I might be wrong but if you did, then be aware that reference policy differs quite a bit from RedHat's fork, and that it differs in fundamental ways.

@naftulikay naftulikay force-pushed the naftulikay:feature/syncthing branch from 0777676 to 34247e9 Aug 21, 2016

@naftulikay

Contributor

naftulikay commented Aug 21, 2016

@doverride I have fixed most of the issues you've mentioned above and amended my commit.

Can you recommend an alternate for userdom_basic_networking? Should I just extract what's defined in there and use that?

Also, I'm combing through the style guide to make sure that everything is in order.

@naftulikay

Contributor

naftulikay commented Sep 25, 2016

Still getting these denials, probably due to invalid file transitions:

type=AVC msg=audit(1474779504.096:965): avc:  denied  { create } for  pid=6143 comm="syncthing" name="Sync" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=dir permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { create } for  pid=6143 comm="syncthing" name=".stfolder" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { read write open } for  pid=6143 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.145:967): avc:  denied  { getattr } for  pid=6142 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1

As the following user:

$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant) context=unconfined_u:unconfined_r:unconfined_t

With the following home directory:

$ ls -lhaZ ~
total 36K
drwx------. 8 vagrant vagrant unconfined_u:object_r:user_home_dir_t  230 Sep 25 05:06 .
drwxr-xr-x. 3 root    root    system_u:object_r:home_root_t           21 Aug  1 17:39 ..
-rw-------. 1 vagrant vagrant unconfined_u:object_r:user_home_t     6.4K Sep 25 03:34 .bash_history
-rw-r--r--. 1 vagrant vagrant unconfined_u:object_r:user_home_t       18 May 17 14:22 .bash_logout
-rw-r--r--. 1 vagrant vagrant unconfined_u:object_r:user_home_t      193 May 17 14:22 .bash_profile
-rw-r--r--. 1 vagrant vagrant unconfined_u:object_r:user_home_t      231 May 17 14:22 .bashrc
drwxrwxr-x. 2 vagrant vagrant user_u:object_r:user_home_t            102 Sep  4 05:25 bin
drwx------. 4 vagrant vagrant unconfined_u:object_r:user_home_t       38 Sep 25 04:58 .config
-rw-------. 1 vagrant vagrant unconfined_u:object_r:user_home_t       37 Sep 25 05:06 .lesshst
drwxrwxr-x. 3 vagrant vagrant user_u:object_r:user_home_t             19 Sep  4 05:22 .local
drwxr-----. 3 root    root    unconfined_u:object_r:user_home_t       19 Aug  1 10:40 .pki
drwx------. 2 vagrant root    unconfined_u:object_r:ssh_home_t        29 Aug 30 18:32 .ssh
drwx------. 2 vagrant vagrant system_u:object_r:user_home_dir_t       23 Sep 25 04:58 Sync
-rw-r--r--. 1 vagrant vagrant unconfined_u:object_r:user_home_t        6 Aug  1 10:40 .vbox_version
-rw-------. 1 vagrant vagrant unconfined_u:object_r:user_home_t     3.9K Sep 25 03:27 .viminfo
-rw-r--r--. 1 root    root    unconfined_u:object_r:user_home_t      182 Aug  1 17:42 .wget-hsts

I think it's being caused by Syncthing running in systemd in user mode, i.e. systemctl --user start syncthing.

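To see at a glance what the denials above (plus the NetworkManager one reported later in the thread) are asking for, here is a small POSIX shell/awk summariser, the first step audit2allow performs. It is an added example, not part of the pull request; the sample lines are copied from this thread and embedded as constructed input. It prints the raw allow rule each group of denials would need, which is precisely what should not be pasted into the module: a domain creating objects directly in user_home_dir_t means no type transition fired, so the fix is a filetrans interface, and avc_hint flags that case.

```shell
#!/bin/sh
# Added example, not part of the pull request: group AVC denials by
# (source type, target type, class) the way audit2allow's first pass does.
# Constructed sample: the denials pasted in this thread.
AVC_SAMPLE='type=AVC msg=audit(1474779504.096:965): avc:  denied  { create } for  pid=6143 comm="syncthing" name="Sync" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=dir permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { create } for  pid=6143 comm="syncthing" name=".stfolder" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { read write open } for  pid=6143 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.145:967): avc:  denied  { getattr } for  pid=6142 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474865450.349:1770): avc:  denied  { search } for  pid=12157 comm="syncthing" name="NetworkManager" dev="tmpfs" ino=16441 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=dir permissive=1'

# avc_summary: read AVC lines on stdin, print one "allow src tgt:class { perms };"
# per (source type, target type, class), permissions merged in order of appearance
avc_summary() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/^.*\{ */, "", perms)          # keep text after "{"
        sub(/ *\}.*$/, "", perms)          # and before "}"
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            if (kv[1] == "tcontext") tgt = kv[2]
            if (kv[1] == "tclass")   cls = kv[2]
        }
        split(src, s, ":"); split(tgt, t, ":")   # third field is the type
        key = s[3] " " t[3] ":" cls
        if (!(key in plist)) { plist[key] = ""; keys[++count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; plist[key] = plist[key] " " p[j] }
    }
    END {
        for (k = 1; k <= count; k++)
            printf "allow %s { %s };\n", keys[k], substr(plist[keys[k]], 2)
    }'
}

# avc_hint: a domain creating directly in user_home_dir_t means the expected
# type_transition to user home content never fired; say so once per domain
avc_hint() {
    avc_summary | awk '/ user_home_dir_t:(dir|file) .*create/ && !seen[$2]++ {
        print "no type_transition fired for " $2 " in user_home_dir_t: add a filetrans interface, not this allow rule"
    }'
}
```

Run it as `printf '%s\n' "$AVC_SAMPLE" | avc_summary` (or pipe `ausearch -m avc` output into it on a live box). For the sample it yields one rule for syncthing_t on user_home_dir_t:dir, one for user_home_dir_t:file and one for NetworkManager_var_run_t:dir, and avc_hint points out that the first two are a labeling problem rather than a missing permission.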
@doverride

Collaborator

doverride commented Sep 25, 2016

On 09/25/2016 07:04 AM, Naftuli Tzvi Kay wrote:

Still getting these denials, probably due to invalid file transitions:

type=AVC msg=audit(1474779504.096:965): avc:  denied  { create } for  pid=6143 comm="syncthing" name="Sync" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=dir permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { create } for  pid=6143 comm="syncthing" name=".stfolder" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { read write open } for  pid=6143 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.145:967): avc:  denied  { getattr } for  pid=6142 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1

Something like this might do it

userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)


@doverride

Collaborator

doverride commented Sep 25, 2016

On 09/25/2016 07:04 AM, Naftuli Tzvi Kay wrote:

Still getting these denials, probably due to invalid file transitions:

type=AVC msg=audit(1474779504.096:965): avc:  denied  { create } for  pid=6143 comm="syncthing" name="Sync" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=dir permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { create } for  pid=6143 comm="syncthing" name=".stfolder" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { read write open } for  pid=6143 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.145:967): avc:  denied  { getattr } for  pid=6142 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1

This is wrong:

+# newly created dirs in home root will transition to user_home_t
+userdom_home_filetrans_user_home_dir(syncthing_t)


@naftulikay

Contributor

naftulikay commented Sep 25, 2016

Yes, if I run this outside of systemd as unconfined_u, I get no more denials and everything seems to work just fine.

@naftulikay

Contributor

naftulikay commented Sep 25, 2016

Okay, so everything works and I don't have any more denials coming from syncthing.

The only remaining problem is that when I run Syncthing with systemd in user mode with the following unit:

Description=Syncthing - Open Source Continuous File Synchronization
Documentation=man:syncthing(1)
After=network.target
Wants=syncthing-inotify.service

[Service]
ExecStart=/usr/local/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4

[Install]
WantedBy=default.target

The Syncthing process is running as system_u:

$ ps auxZ | grep syncthing
system_u:system_r:syncthing_t   vagrant   9028  0.2  2.0  29272 20556 ?        Ssl  16:56   0:00 /usr/local/bin/syncthing -no-browser -no-restart -logflags=0

This causes the files that Syncthing creates to have the following contexts:

$ ls -lhZa ~/Sync/ ~/.config/syncthing/
/home/vagrant/.config/syncthing/:
total 20K
drwx------. 3 vagrant vagrant system_u:object_r:user_home_t      122 Sep 25 16:56 .
drwx------. 4 vagrant vagrant unconfined_u:object_r:user_home_t   38 Sep 25 16:56 ..
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t      619 Sep 25 16:56 cert.pem
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t     2.9K Sep 25 16:56 config.xml
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t     1.1K Sep 25 16:56 https-cert.pem
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t     1.7K Sep 25 16:56 https-key.pem
drwxr-xr-x. 2 vagrant vagrant system_u:object_r:user_home_t       85 Sep 25 16:56 index-v0.14.0.db
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t      288 Sep 25 16:56 key.pem

/home/vagrant/Sync/:
total 0
drwx------. 2 vagrant vagrant system_u:object_r:user_home_t          23 Sep 25 16:56 .
drwx------. 9 vagrant vagrant unconfined_u:object_r:user_home_dir_t 242 Sep 25 17:01 ..
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t           0 Sep 25 16:56 .stfolder

It's interesting that systemd in user mode is running as system_u. Is there something I need to add to my unit to have systemd exec this as the user's SELinux user and role?

@doverride

Collaborator

doverride commented Sep 25, 2016

On 09/25/2016 07:04 PM, Naftuli Tzvi Kay wrote:

Okay, so everything works and I don't have any more denieds coming from syncthing.

The only remaining problem is that when I run Syncthing with systemd in user mode with the following unit:

Description=Syncthing - Open Source Continuous File Synchronization
Documentation=man:syncthing(1)
After=network.target
Wants=syncthing-inotify.service

[Service]
ExecStart=/usr/local/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4

[Install]
WantedBy=default.target

The Syncthing process is running as system_u:

$ ps auxZ | grep syncthing
system_u:system_r:syncthing_t   vagrant   9028  0.2  2.0  29272 20556 ?        Ssl  16:56   0:00 /usr/local/bin/syncthing -no-browser -no-restart -logflags=0

This causes the files that Syncthing creates to have the following contexts:

reference policy currently does not support systemd --user, so for now
you can ignore that issue

$ ls -lhZa ~/Sync/ ~/.config/syncthing/
/home/vagrant/.config/syncthing/:
total 20K
drwx------. 3 vagrant vagrant system_u:object_r:user_home_t      122 Sep 25 16:56 .
drwx------. 4 vagrant vagrant unconfined_u:object_r:user_home_t   38 Sep 25 16:56 ..
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t      619 Sep 25 16:56 cert.pem
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t     2.9K Sep 25 16:56 config.xml
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t     1.1K Sep 25 16:56 https-cert.pem
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t     1.7K Sep 25 16:56 https-key.pem
drwxr-xr-x. 2 vagrant vagrant system_u:object_r:user_home_t       85 Sep 25 16:56 index-v0.14.0.db
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t      288 Sep 25 16:56 key.pem

/home/vagrant/Sync/:
total 0
drwx------. 2 vagrant vagrant system_u:object_r:user_home_t          23 Sep 25 16:56 .
drwx------. 9 vagrant vagrant unconfined_u:object_r:user_home_dir_t 242 Sep 25 17:01 ..
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t           0 Sep 25 16:56 .stfolder

It's interesting that systemd in user mode is running as system_u. Is there something I need to add to my unit to have systemd exec this as the user's SELinux user and role?


gen_require(`
type NetworkManager_var_run_t;
')
search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

@naftulikay

naftulikay Sep 25, 2016

Contributor

@doverride Would you like me to submit this change upstream to the NetworkManager interface? IIRC I shouldn't be doing gen_require et al here.

@doverride

Collaborator

doverride commented Sep 25, 2016

On 09/25/2016 07:11 PM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

+kernel_read_kernel_sysctls(syncthing_t)
+
+kernel_read_system_state(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+
+sysnet_dns_name_resolve(syncthing_t)
remove sysnet_dns_name_resolve(syncthing_t) since auth_use_nsswitch(syncthing_t) makes it redundant

+auth_use_nsswitch(syncthing_t) # /etc/nsswitch.conf
+
+networkmanager_read_pid_files(syncthing_t)
+
+# TODO no rule allows searching this dir type
+gen_require(`
+	type NetworkManager_var_run_t;
+')
+search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

@doverride Would you like me to submit this change upstream to the NetworkManager interface? IIRC I shouldn't be doing gen_require et al here.

networkmanager_read_pid_files(syncthing_t) makes search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t) redundant.

so remove:

+# TODO no rule allows searching this dir type
+gen_require(`
+	type NetworkManager_var_run_t;
+')
+search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

also make networkmanager_read_pid_files(syncthing_t) optional:

optional_policy(`
	# temporary hack: this is for /run/NetworkManager/resolv.conf and
	# should be made part of sysnet_dns_name_resolve()
	networkmanager_read_pid_files(syncthing_t)
')


@@ -0,0 +1,3 @@
/usr/(local/)?bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)

@doverride

doverride Sep 25, 2016

Collaborator

/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)

# Policy
domtrans_pattern($2, syncthing_exec_t, syncthing_t)
syncthing_relabel_home_config_files($2)

@doverride

doverride Sep 25, 2016

Collaborator

use this instead:

allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };

# should only ever be execed non-root, but can be started by systemd --user as a service
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)
userdom_use_user_ptys(syncthing_t)

@doverride

doverride Sep 25, 2016

Collaborator

use userdom_use_user_terminals(syncthing_t) instead or preferably userdom_use_inherited_user_terminals(syncthing_t) if that is available

@naftulikay

naftulikay Sep 26, 2016

Contributor

userdom_use_inherited_user_terminals doesn't exist in refpolicy.

I'm not sure how crucial this permission is to the runtime of Syncthing. Due to the warning present in userdom_use_user_terminals, I am hesitant about this permission:

##  However, this also allows the applications to spy
##  on user sessions or inject information into the
##  user session.  Thus, this access should likely
##  not be allowed for non-interactive domains.

Is this access okay for a daemon-like program running in the background?

userdom_read_user_home_content_files(syncthing_t)
userdom_read_user_home_content_symlinks(syncthing_t)

@doverride

doverride Sep 25, 2016

Collaborator

line 27 to 32 are redundant (already taken care of on line 23 to 25)

# self rules
allow syncthing_t self:process getsched;
allow syncthing_t self:fifo_file { read write };

@doverride

doverride Sep 25, 2016

Collaborator

use allow syncthing_t self:fifo_file rw_fifo_file_perms; instead

allow syncthing_t self:udp_socket create_socket_perms;
allow syncthing_t syncthing_exec_t:file execute_no_trans; # presumably allowed to restart itself

@doverride

doverride Sep 25, 2016

Collaborator

use: can_exec(syncthing_t, syncthing_exec_t) instead

kernel_read_system_state(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
sysnet_dns_name_resolve(syncthing_t)

@doverride

doverride Sep 25, 2016

Collaborator

remove line 78

auth_use_nsswitch(syncthing_t) # /etc/nsswitch.conf
networkmanager_read_pid_files(syncthing_t)

@doverride

doverride Sep 25, 2016

Collaborator

should be optional:

optional_policy(`
# temporary hack until we make this part of sysnet_dns_name_resolve
networkmanager_read_pid_files(syncthing_t)
')

gen_require(`
type NetworkManager_var_run_t;
')
search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

@doverride

doverride Sep 25, 2016

Collaborator

line 83 to 87 can be removed (it is already allowed with the networkmanager_read_pid_files() call)

@naftulikay

naftulikay Sep 26, 2016

Contributor

If I remove these lines, I see:

type=AVC msg=audit(1474865450.349:1770): avc:  denied  { search } for  pid=12157 comm="syncthing" name="NetworkManager" dev="tmpfs" ino=16441 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=dir permissive=1

The definition of this interface is:

interface(`networkmanager_read_pid_files',`
    gen_require(`
        type NetworkManager_var_run_t;
    ')

    files_search_pids($1)
    allow $1 NetworkManager_var_run_t:file read_file_perms;
')
search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
# file transitions
userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
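Review bot: userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing") matches a directory named syncthing created directly in the user home directory, so it labels ~/syncthing rather than ~/.config/syncthing; use userdom_user_home_content_filetrans() with the same name so the transition applies to a syncthing directory created under home content such as ~/.config.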

doverride (Collaborator) commented Sep 25, 2016:

fix style issues

naftulikay (Contributor) commented Sep 26, 2016:

@doverride can you link me to the styles wiki on this topic?

doverride (Collaborator) commented Sep 26, 2016:

On 09/26/2016 07:00 AM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

+kernel_read_kernel_sysctls(syncthing_t)
+
+kernel_read_system_state(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+
+sysnet_dns_name_resolve(syncthing_t)
+auth_use_nsswitch(syncthing_t) # /etc/nsswitch.conf
+
+networkmanager_read_pid_files(syncthing_t)
+
+# TODO no rule allows searching this dir type
+gen_require(`

+	type NetworkManager_var_run_t;
+')
+search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

If I remove these lines, I see:

type=AVC msg=audit(1474865450.349:1770): avc:  denied  { search } for  pid=12157 comm="syncthing" name="NetworkManager" dev="tmpfs" ino=16441 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=dir permissive=1

The definition of this interface is:

interface(`networkmanager_read_pid_files',`
  gen_require(`
      type NetworkManager_var_run_t;
  ')

  files_search_pids($1)
  allow $1 NetworkManager_var_run_t:file read_file_perms;
')

That should have been:

files_search_pids($1)
read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)

So that interface should be adjusted

Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
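The fix that the AVC report and the reply above converge on, written out in full as an added example (this is not the PR's code, and not necessarily what the follow-up networkmanager PR committed): the interface uses read_files_pattern(), which grants search on the directory type as well as read on the files, and the caller keeps the call optional. The doc-header summary text is assumed.

```selinux
########################################
## <summary>
##	Read NetworkManager runtime (pid) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_read_pid_files',`
	gen_require(`
		type NetworkManager_var_run_t;
	')

	files_search_pids($1)
	# read_files_pattern() expands to
	#   allow $1 NetworkManager_var_run_t:dir search_dir_perms;
	#   allow $1 NetworkManager_var_run_t:file read_file_perms;
	# The bare "allow $1 NetworkManager_var_run_t:file read_file_perms;"
	# it replaces lacked the dir search, which is exactly the denial in the
	# audit line quoted above.
	read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')

# Caller side, in syncthing.te: the call stays inside optional_policy() so the
# syncthing module still links when the networkmanager module is not present.
optional_policy(`
	networkmanager_read_pid_files(syncthing_t)
')
```

With the rebuilt policy loaded, `sesearch -A -s syncthing_t -t NetworkManager_var_run_t -c dir -p search` should list a rule, and the `{ search }` denial on NetworkManager_var_run_t:dir disappears from the audit log without any gen_require in syncthing.te.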

doverride (Collaborator) commented Sep 26, 2016:

On 09/26/2016 08:16 AM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

@@ -0,0 +1,90 @@
+policy_module(syncthing, 1.0.0)
+
+# Declarations
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+# should only ever be execed non-root, but can be started by systemd --user as a service
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+userdom_use_user_ptys(syncthing_t)

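Review bot: userdom_use_user_ptys(syncthing_t) at the end of this hunk only covers pseudo-terminals, so a syncthing started by hand from a console login (a tty) would still be denied when it prints; the userdom_use_user_terminals() that this thread settles on covers both user ttys and ptys.
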
userdom_use_inherited_user_terminals doesn't exist in refpolicy.

I'm not sure how crucial this permission is to the runtime of Syncthing. Due to the warning present in userdom_use_user_terminals, I am hesitant about this permission:

try userdom_use_user_term() or userdom_use_inherited_user_term()

no need to hesitate, this makes it so that if you run syncthing manually from a tty/pty it can print to it

##    However, this also allows the applications to spy
##    on user sessions or inject information into the
##    user session.  Thus, this access should likely
##    not be allowed for non-interactive domains.

Is this access okay for a daemon-like program running in the background?


doverride (Collaborator) commented Sep 26, 2016:

Whoops, I misread.

userdom_use_user_terminals() should be okay to use. Even though it is a daemon, one should also be able to run it manually I suspect (syncthing ... &)


doverride (Collaborator) commented Sep 26, 2016:

On 09/26/2016 08:47 PM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

+kernel_read_system_state(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+
+sysnet_dns_name_resolve(syncthing_t)
+auth_use_nsswitch(syncthing_t) # /etc/nsswitch.conf
+
+networkmanager_read_pid_files(syncthing_t)
+
+# TODO no rule allows searching this dir type
+gen_require(`

+	type NetworkManager_var_run_t;
+')
+search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

+# file transitions
+userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

@doverride can you link me to the styles wiki on this topic?

https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
https://github.com/TresysTechnology/refpolicy/wiki/InterfaceNaming


naftulikay (Contributor) commented Sep 26, 2016:

@doverride I have updated according to the style guide. Please let me know if there are any other changes. I'm still getting a denied due to the NetworkManager bug in the policy, but I can submit a PR for that.

doverride (Collaborator) commented Sep 27, 2016:

policy_module(syncthing, 1.0.0)

########################################
#
# Declarations
#

attribute_role syncthing_roles;
role syncthing_roles types syncthing_t;

type syncthing_t;
type syncthing_exec_t;
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)

type syncthing_config_home_t;
userdom_user_home_content(syncthing_config_home_t)

########################################
#
# Local policy
#

allow syncthing_t self:process getsched;
allow syncthing_t self:fifo_file rw_fifo_file_perms;
allow syncthing_t self:tcp_socket { listen accept };

can_exec(syncthing_t, syncthing_exec_t)

kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
kernel_read_system_state(syncthing_t)

corenet_tcp_sendrecv_generic_if(syncthing_t)
corenet_udp_sendrecv_generic_if(syncthing_t)

corenet_tcp_bind_generic_node(syncthing_t)
corenet_tcp_sendrecv_generic_node(syncthing_t)
corenet_tcp_sendrecv_all_ports(syncthing_t)

corenet_udp_bind_generic_node(syncthing_t)
corenet_udp_sendrecv_generic_node(syncthing_t)
corenet_udp_sendrecv_all_ports(syncthing_t)

corenet_tcp_connect_all_ports(syncthing_t)

corenet_tcp_bind_syncthing_port(syncthing_t)
corenet_udp_bind_syncthing_discovery_port(syncthing_t)
corenet_tcp_bind_syncthing_admin_port(syncthing_t)

dev_read_rand(syncthing_t)
dev_read_urand(syncthing_t)

fs_getattr_xattr_fs(syncthing_t)

auth_use_nsswitch(syncthing_t)

miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)

userdom_manage_user_home_content_files(syncthing_t)
userdom_manage_user_home_content_dirs(syncthing_t)
userdom_manage_user_home_content_symlinks(syncthing_t)
userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)

# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

userdom_use_user_terminals(syncthing_t)

optional_policy(`
    # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
    networkmanager_read_pid_files(syncthing_t)
')

doverride (Collaborator) commented Sep 27, 2016:

## <summary>Application that lets you synchronize your files across multiple devices.</summary>

########################################
## <summary>
##  Role access for Syncthing
## </summary>
## <param name="role">
##  <summary>
##  Role allowed access
##  </summary>
## </param>
## <param name="domain">
##  <summary>
##  User domain for the role
##  </summary>
## </param>
#
interface(`syncthing_role', `

    gen_require(`
        attribute_role syncthing_roles;
        type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
    ')

    roleattribute $1 syncthing_roles;

    domtrans_pattern($2, syncthing_exec_t, syncthing_t)

    allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
    allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
    allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')
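How a user role is wired to the syncthing_role() interface above, as an added example that is not part of the PR: a hypothetical local module (the module name, and the choice of staff_r and staff_t, are assumptions; in refpolicy proper the call sits in policy/modules/roles/staff.te). init_daemon_domain() in the module only gives init the transition into syncthing_t; a `syncthing` typed at a staff_t shell transitions because this call gives staff_t the domtrans.

```selinux
policy_module(syncthing_local, 1.0.0)

# Wire the staff role to Syncthing. syncthing_role() does three things for
# the (role, domain) pair it is given:
#  - adds staff_r to the syncthing_roles attribute, so syncthing_t is a
#    valid domain for that role;
#  - domtrans_pattern(staff_t, syncthing_exec_t, syncthing_t), so running
#    /usr/bin/syncthing from a staff_t shell lands in syncthing_t;
#  - manage and relabel permissions on syncthing_config_home_t, so the user
#    can edit, back up or restorecon ~/.config/syncthing from the shell.
gen_require(`
	role staff_r;
	type staff_t;
')

optional_policy(`
	syncthing_role(staff_r, staff_t)
')
```

After loading, `sesearch -T -s staff_t -t syncthing_exec_t -c process` should show the type_transition to syncthing_t, and `seinfo -r staff_r -x` lists syncthing_t among the role's domains.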

doverride (Collaborator) commented Sep 27, 2016:

If you make it look like the above then i think it should be pretty good. You should indeed also send a PR for adjusted networkmanager_read_var_run_files()

Once you made these changes then please ask @pebenito to look at it and if possible commit it

doverride (Collaborator) commented Sep 27, 2016:

There is at least one thing missing though. Syncthing is currently not allowed to read its own syncthing_config_home_t files.

doverride (Collaborator) commented Sep 27, 2016:

Oh, now I see... this is wrong

userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

The above would only apply to ~/syncthing, but that is not accurate. Instead it should apply to ~/.config/syncthing

So you instead want something like:

userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

naftulikay added a commit to naftulikay/refpolicy-contrib that referenced this pull request Sep 27, 2016

Fix NetworkManager Read Pid Files Macro
Bug found in pull TresysTechnology#26 - permissions aren't granted for searching
the NetworkManager_var_run_t directory, only to reading its files.

@naftulikay naftulikay force-pushed the naftulikay:feature/syncthing branch from 20b06ec to 2c8a149 Sep 27, 2016

naftulikay (Contributor) commented Sep 27, 2016:

@doverride I have submitted my PR for the NetworkManager fix at #27.

> Oh, now I see... this is wrong
>
> userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
>
> The above would only apply to ~/syncthing, but that is not accurate. Instead it should apply to ~/.config/syncthing
>
> So you instead want something like:
>
> userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

@doverride above, did you mean I should use:

userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, ".config/syncthing")

or am I misunderstanding? For now I have updated my PR verbatim with what you posted.
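What the filetrans question above comes down to, as an added example that is not part of the PR: the last argument of a filetrans is a single directory-entry name compared at creation time, not a path, so the name stays "syncthing" and the home-content interface supplies the parent. The .fc line, the manage_*_pattern calls that address the "cannot read its own config" remark earlier in the thread, and the assumption that ~/.config carries plain user_home_t on the refpolicy of the time are mine, not the thread's.

```selinux
# syncthing.fc: label content that already exists on disk, so a relabel on
# install gives ~/.config/syncthing the right type. The filetrans below only
# fires for directories created after the policy is loaded.
HOME_DIR/\.config/syncthing(/.*)?	gen_context(system_u:object_r:syncthing_config_home_t,s0)

# syncthing.te
# ~/.config is ordinary user home content (user_home_t, assumed here), and the
# name argument is matched against one directory entry at create time.
# ".config/syncthing" can therefore never match; "syncthing" matches a
# directory named syncthing that syncthing_t creates directly under any
# user_home_t directory, ~/.config included. (~/syncthing would match too,
# but only if syncthing_t itself created it.)
userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

# The domain must also be able to use what it just labelled: the
# userdom_manage_user_home_content_*() calls in the draft cover user_home_t,
# not syncthing_config_home_t, so without these the freshly created
# ~/.config/syncthing is correctly typed but the daemon cannot read or write
# its own config, keys and database inside it.
manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
```

To check the transition once the policy is loaded: remove a test ~/.config/syncthing, start syncthing as the user, and `ls -Zd ~/.config/syncthing` should report syncthing_config_home_t without any restorecon; `sesearch -T -s syncthing_t -t user_home_t -c dir` shows the name-based rule itself.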

@naftulikay naftulikay force-pushed the naftulikay:feature/syncthing branch from 2c8a149 to fd67fe1 Sep 28, 2016

Syncthing Policy
Policy governing Syncthing - a file synchronization utility
written in Go.

@naftulikay naftulikay force-pushed the naftulikay:feature/syncthing branch from fd67fe1 to 2898174 Sep 29, 2016

naftulikay (Contributor) commented Sep 30, 2016:

@pebenito This is almost ready for merge. I need to test the full workflow again, but it's just about there. If there's anything that sticks out, please let me know and I'll explain or fix.

pebenito (Contributor) commented Oct 1, 2016:

I don't see anything more than @doverride has already noted.

naftulikay (Contributor) commented Oct 2, 2016:

@doverride @pebenito I have tested the full workflow of this PR, and everything checks out. Please merge refpolicy#37 if everything looks good, and then merge this PR as well.

Please let me know if any other changes are necessary.

@pebenito pebenito merged commit 2898174 into TresysTechnology:master Oct 9, 2016

@naftulikay naftulikay deleted the naftulikay:feature/syncthing branch Oct 13, 2016
