-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathtailscaled.te
198 lines (157 loc) · 9.19 KB
/
tailscaled.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
policy_module(tailscaled, 1.0.0)
# References,
# https://wiki.gentoo.org/wiki/SELinux/Tutorials/Creating_a_daemon_domain
# https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux
# https://selinuxproject.org/page/ObjectClassesPerms
# https://selinuxproject.org/page/NB_Domain_and_Object_Transitions
# https://danwalsh.livejournal.com/51435.html
# https://fedoraproject.org/wiki/SELinux/Unsound_or_dangerous_SELinux_policy_practices
gen_require(`
type devpts_t;
type sshd_key_t;
')
########################################
#
# Declarations
#
type tailscaled_t;
type tailscaled_exec_t;
# Create a domain for tailscaled service started by init - defined in system/init.if
init_daemon_domain(tailscaled_t, tailscaled_exec_t)
# Make the type tailscaled_exec_t usable as an entry point for the domain tailscaled_exec_t - defined in kernel/domain.if
domain_entry_file(tailscaled_t, tailscaled_exec_t)
# Type for systemd unit file type
type tailscaled_unit_file_t;
# Creates the file type used for Tailscale systemd unit files - defined in system/systemd.if
systemd_unit_file(tailscaled_unit_file_t)
# Type for /var/lib/tailscale directory file type
type tailscale_var_lib_t;
files_type(tailscale_var_lib_t)
# Type for /var/run/tailscale directory file type
type tailscale_var_run_t;
files_type(tailscale_var_run_t)
########################################
#
# tailscaled local policy
#
# Section 1 - Stars here
# Covers policy for interaction between tailscale binaries and its files
# Allow tailscaled in tailscaled_t context to execute itself to run another instance
# This is required when the child is execve'd with the parameter "be-child"
allow tailscaled_t tailscaled_exec_t:file execute_no_trans;
# Allow tailscaled_t to manage /var/lib/tailscale and the files in it which has a context of tailscale_var_lib_t
manage_dirs_pattern(tailscaled_t, tailscale_var_lib_t, tailscale_var_lib_t)
manage_files_pattern(tailscaled_t, tailscale_var_lib_t, tailscale_var_lib_t)
# Allow tailscaled_t to manage /var/run/tailscale and the regular files, symlinks and socket files which has a context of tailscale_var_run_t
manage_files_pattern(tailscaled_t, tailscale_var_run_t, tailscale_var_run_t)
manage_dirs_pattern(tailscaled_t, tailscale_var_run_t, tailscale_var_run_t)
manage_sock_files_pattern(tailscaled_t, tailscale_var_run_t, tailscale_var_run_t)
manage_lnk_files_pattern(tailscaled_t, tailscale_var_run_t, tailscale_var_run_t)
# Section 1 - Ends here
# Section 2 - Starts here
# Covers policy for capabilities given to tailscale
allow tailscaled_t self:process { transition setexec setsched };
# allow $1 self:process { setsched siginh noatsecure rlimitinh setexec transition };
# Allow tailscaled_t to use net_admin capabilities. Required when the daemon starts
allow tailscaled_t self:capability { net_admin };
# Allow tailscaled_t to use sensitive DAC capabilities. Required when SSH is attempted
allow tailscaled_t self:capability { dac_read_search dac_override };
# Allow tailscaled_t to configure tty devices. Required when login is being setup after SSH
allow tailscaled_t self:capability { sys_tty_config };
# Allow tailscaled_t to setgid. Required when login is being setup after SSH
allow tailscaled_t self:capability { setgid };
# Allow tailscaled_t capabilities required when login is setup after SSH and before shell is spawned
allow tailscaled_t self:capability { setuid chown fowner fsetid };
# Section 2 - Ends here
# Section 3 - Starts here
# Covers policy for permissions given to tailscale to read, write and execute binaries
# Allow tailscaled_t to execute iptables in the iptables domain - defined in system/iptables.if
iptables_domtrans(tailscaled_t)
# Allow tailscaled_t to execute ifconfig in the ifconfig domain - defined in system/sysnetwork.if
sysnet_domtrans_ifconfig(tailscaled_t)
# Allow tailscaled_t to list all the processes on the system - defined in support/misc_patterns.spt
# Ref - https://danwalsh.livejournal.com/51435.html
ps_process_pattern(tailscaled_t, domain)
# Allow tailscaled_t to execute generic programs in bin directory without a domain transition - defined in kernel/corecommands.if
corecmd_exec_bin(tailscaled_t)
# Allow tailscaled_t to read the network state information - defined in kernel/kernel.if
kernel_read_network_state(tailscaled_t)
# Allow tailscaled_t to read network sysctls - defined in kernel/kernel.if
kernel_read_net_sysctls(tailscaled_t)
# Allow tailscaled_t to read hardware state information from /sysfs - defined in kernel/devices.if
dev_read_sysfs(tailscaled_t)
# Allow tailscaled_t to read generic SSL certificates - defined in system/miscfiles.if
miscfiles_read_generic_certs(tailscaled_t)
# Section 3 - Ends here
# Section 4 - Starts here
# Covers policy for permissions given to tailscale to create sockets, read and write data to sockets
# Allow tailscaled_t to read DBUS pid files - defined in contrib/dbus.if
dbus_read_pid_files(tailscaled_t)
# Allow tailscaled_t to send a message on the system DBUS - defined in contrib/dbus.if
dbus_send_system_bus(tailscaled_t)
# Allow tailscaled_t to connect to session bus types with a unix stream socket - defined in contrib/dbus.if
dbus_stream_connect_system_dbusd(tailscaled_t)
# Allow tailscaled_t to send and receive messages from NetworkManager over DBUS - defined in contrib/networkmanager.if
networkmanager_dbus_chat(tailscaled_t)
# Allow tailscaled_t to search the contents of kernel module directories
files_search_kernel_modules(tailscaled_t)
# Allow tailscaled_t to read dependencies of kernel modules - defined in system/modutils.if
modutils_read_module_deps_files(tailscaled_t)
# Allow tailscaled_t to read the configuration options used when loading modules - defined in system/modutils.if
modutils_read_module_config(tailscaled_t)
# Allow tailscaled_t to execute insmod in the kmod domain to load a module (tun) - defined in system/modutils.if
modutils_domtrans_kmod(tailscaled_t)
# Allow tailscaled_t to request the kernel to load a module (tun) - defined in kernel/kernel.if
kernel_request_load_module(tailscaled_t)
# Allow tailscaled_t to create tun socket
allow tailscaled_t self:tun_socket create;
# Allow tailscaled_t to read and write to TUN/TAP virtual network device - defined in kernel/corenetwork.if
corenet_rw_tun_tap_dev(tailscaled_t)
# Allow tailscaled_t to create sockets to use for the netlink families - generic and route
# These rules are part of wireguard as well. Ref - wireguard.te
allow tailscaled_t self:netlink_generic_socket create_socket_perms;
allow tailscaled_t self:netlink_route_socket create_netlink_socket_perms;
# Allow tailscale daemon to create different types of sockets
allow tailscaled_t self:tcp_socket create_stream_socket_perms;
allow tailscaled_t self:udp_socket create_socket_perms;
allow tailscaled_t self:unix_dgram_socket create_socket_perms;
allow tailscaled_t self:rawip_socket create_socket_perms;
# Allow tailscaled_t to bind to generic TCP ports - defined in kernel/corenetwork.if
corenet_tcp_bind_generic_port(tailscaled_t)
# Allow tailscaled_t to make outgoing http connections - defined in kernel/corenetwork.if
corenet_tcp_connect_http_port(tailscaled_t)
# Allow tailscaled_t to send messages to Send messages to kernel unix datagram sockets - defined in kernel/kernel.if
kernel_dgram_send(tailscaled_t)
# Section 4 - Ends here
# Section 5 - Starts here
# Covers policy for login over SSH to succeed
# Allow tailscaled in tailscaled_t context to execute /usr/bin/login which has a context of login_exec_t
can_exec(tailscaled_t, login_exec_t)
# Make tailscaled_t context an entry point for auth login programs like /usr/bin/login
auth_login_entry_type(tailscaled_t)
# Make tailscaled_t a domain that is used for a login program (/usr/bin/login) - defined in system/authlogin.if
auth_login_pgm_domain(tailscaled_t)
# Allow tailscaled_t to get attributes of user home directories - defined in system/userdom.if
userdom_getattr_user_home_dirs(tailscaled_t)
# Allow tailscaled_t to search user home directories - defined in system/userdom.if
userdom_search_user_home_dirs(tailscaled_t)
# Allow tailscaled_t to read /etc/passwd password file - defined in system/authlogin.if
auth_read_passwd_file(tailscaled_t)
# Allow tailscaled_t to read /etc/shadow password file - defined in system/authlogin.if
auth_read_shadow(tailscaled_t)
# Access tailscaled_t to read ssh key files
allow tailscaled_t sshd_key_t:file read_file_perms;
# Allow tailscaled_t to read and write the pty multiplexor (/dev/ptmx) - defined in kernel/terminal.if
term_use_ptmx(tailscaled_t)
# Transform tailscaled_t into a pty type used by a login programs, like sshd - defined in kernel/terminal.if
term_login_pty(tailscaled_t)
# Allow tailscaled_t to read and write to a generic pty type
allow tailscaled_t devpts_t:chr_file { read write_chr_file_perms setattr relabel_chr_file_perms };
# Allow tailscaled_t to transition to the unconfined domain by executing a shell - defined in roles/unconfineduser.if
# This is required when the user that logs in over SSH, is unconfined (which is a typical use case in most cases)
# Used in ssh.te, remotelogin.te, etc.
optional_policy(`
unconfined_shell_domtrans(tailscaled_t)
')
# Section 5 - Ends here