mumble-voip / mumble

Mumble is an open-source, low-latency, high quality voice chat software.
https://www.mumble.info

murmurd: SELinux policy for CentOS 7 #2269

Closed fuero closed 4 years ago

fuero commented 8 years ago

Here's an SELinux policy to start with:

Install static murmurd to /opt/murmur. Install packages selinux-policy-devel, setools-console, and policycoreutils-python:

yum install -y selinux-policy-devel setools-console policycoreutils-python

Place the files murmur.fc and murmur.te below in a directory and change into it.

Compile and install the module:

make -f /usr/share/selinux/devel/Makefile murmur.pp
semodule -i murmur.pp
# Init Murmur port type
semanage port -a -t murmur_port_t -p udp 64738
semanage port -a -t murmur_port_t -p tcp 64738
restorecon -R /opt/murmur

murmur.fc

/opt/murmur/murmur.x86          --      gen_context(system_u:object_r:murmur_exec_t,s0)
/var/lib/murmur(/.*)?           gen_context(system_u:object_r:murmur_var_lib_t,s0)
/var/log/murmur(/.*)?           gen_context(system_u:object_r:murmur_log_t,s0)

murmur.te

policy_module(murmur, 1.0.0)

# Types and classes declared in other modules that the rules below reference.
require {
        type avahi_t;
        type proc_t;
        type proc_net_t;
        type system_dbusd_t;
        type system_dbusd_var_run_t;
        type cert_t;

        class dbus all_dbus_perms;
}

# Process domain, entrypoint binary, port type and the three file types.
type murmur_t;
type murmur_exec_t;
type murmur_port_t;
type murmur_log_t;
type murmur_var_lib_t;
type murmur_var_run_t;

# Transition into murmur_t when init executes a murmur_exec_t binary.
init_daemon_domain(murmur_t, murmur_exec_t)

logging_log_file(murmur_log_t)

files_type(murmur_var_lib_t)
files_pid_file(murmur_var_run_t)

########################################
#
# murmur local policy
#

# D-Bus exchange with avahi (zeroconf announcement of the server).
allow avahi_t murmur_t:dbus all_dbus_perms;
allow murmur_t avahi_t:dbus all_dbus_perms;

allow murmur_t proc_net_t:file read;
allow murmur_t proc_t:file { read open };

# execmem/execstack permit writable+executable memory in this domain;
# drop them if no denials appear without them.
allow murmur_t self:process { execstack execmem setsched };
allow murmur_t self:tcp_socket all_tcp_socket_perms;
allow murmur_t self:udp_socket all_udp_socket_perms;
# Listeners on whatever ports are mapped to murmur_port_t via semanage port.
allow murmur_t murmur_port_t:udp_socket { name_bind };
allow murmur_t murmur_port_t:tcp_socket { name_bind };

allow murmur_t self:unix_dgram_socket create_socket_perms;
allow murmur_t self:unix_stream_socket create_stream_socket_perms;
allow murmur_t self:netlink_route_socket all_netlink_route_socket_perms;
allow murmur_t self:fifo_file rw_fifo_file_perms;

# Read-only access to the system CA store and client access to the system bus.
allow murmur_t cert_t:dir list_dir_perms;
allow murmur_t cert_t:file read_file_perms;
allow murmur_t cert_t:lnk_file read_lnk_file_perms;
allow murmur_t system_dbusd_t:dbus send_msg;
allow murmur_t system_dbusd_t:unix_stream_socket connectto;
allow murmur_t system_dbusd_var_run_t:dir search;
allow murmur_t system_dbusd_var_run_t:sock_file write;

fs_getattr_xattr_fs(murmur_t)

corenet_port(murmur_port_t)
corenet_tcp_bind_generic_node(murmur_t)
corenet_udp_bind_generic_node(murmur_t)

# Full management of the daemon's own tmp, log, var_lib and pid files, with
# type transitions so files it creates there get the right label.
files_rw_generic_tmp_dir(murmur_t)
files_manage_generic_tmp_files(murmur_t)
manage_dirs_pattern(murmur_t, murmur_log_t, murmur_log_t)
manage_files_pattern(murmur_t, murmur_log_t, murmur_log_t)
manage_lnk_files_pattern(murmur_t, murmur_log_t, murmur_log_t)
logging_log_filetrans(murmur_t, murmur_log_t, { dir file lnk_file })

manage_dirs_pattern(murmur_t, murmur_var_lib_t, murmur_var_lib_t)
manage_files_pattern(murmur_t, murmur_var_lib_t, murmur_var_lib_t)
manage_lnk_files_pattern(murmur_t, murmur_var_lib_t, murmur_var_lib_t)
files_var_lib_filetrans(murmur_t, murmur_var_lib_t, { dir file lnk_file })

manage_dirs_pattern(murmur_t, murmur_var_run_t, murmur_var_run_t)
manage_files_pattern(murmur_t, murmur_var_run_t, murmur_var_run_t)
manage_lnk_files_pattern(murmur_t, murmur_var_run_t, murmur_var_run_t)
files_pid_filetrans(murmur_t, murmur_var_run_t, { dir file lnk_file })

# Inherited fds from init, /etc configuration and locale data.
domain_use_interactive_fds(murmur_t)

files_read_etc_files(murmur_t)

miscfiles_read_localization(murmur_t)

To refine this policy (see http://danwalsh.livejournal.com/32430.html) use

semanage permissive -a murmur_t
audit2allow -a
hacst commented 8 years ago

Since we don't handle any centos/rhel packaging for mumble, how would we go about using this contribution? Are such policies something platform-independent we could ship with our (source) releases? Are they platform-specific and only useful to the specific distro maintainers?

fuero commented 8 years ago

I put it here because the suggestion in the CentOS installation instruction on the wiki to simply disable SELinux bugs me.

AFAIK the policy is distribution specific, but should cover all RHEL clones (CentOS, Scientific Linux, Fedora, etc.) As RHEL(/CentOS/...) is pretty much the only Linux variant I know of that ships with SELinux enabled, it's the only one that matters in this regard.

hacst commented 8 years ago

Might the wiki be the place to put this then?

mkrautz commented 8 years ago

The hardest part about shipping it in Mumble itself would be that murmur_port_t would need to be dynamic to support virtual servers properly... I am not well-versed enough in SELinux to know if that's even possible...

lwh commented 8 years ago

Just packaging it as a reference would be useful, even if it's not enabled.

gsauthof commented 7 years ago

In reply to fuero's last comment:

Fedora also packages murmur - but the default Fedora SELinux policy doesn't cover murmur - i.e. murmur then runs unconfined.

Although, it is confined by some systemd security mechanisms (that are orthogonal to SELinux):

PrivateDevices=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

(cf. /usr/lib/systemd/system/murmur.service)

Thus, perhaps this could also be a better approach for running murmur on CentOS/RHEL - i.e. change the recommendation in the mumble wiki to something like: don't disable SELinux but run murmur unconfined plus systemd-style security (if available in the systemd versions CentOS/RHEL 7 uses).

I guess if you want to secure murmur with SELinux the most promising way is to get the murmur SELinux policy integrated upstream, i.e. in Fedora. In a second step one could then 'backport' the Fedora murmur package via EPEL to CentOS/RHEL.
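The systemd directives quoted above, carried through as an added example that is not from the issue thread, the Mumble project or the Fedora package: a drop-in for CentOS 7's systemd 219 that applies the four Fedora directives plus three more that version already supports, and the check that systemd actually accepted them (an unknown directive is only logged as a warning and gives no protection). The unit name murmur.service, the drop-in filename, and the assumption that murmur needs no capabilities because it binds only the unprivileged port 64738 are the example's own.

```shell
#!/bin/bash
# Added example (not from the issue or the Fedora package): install a hardening
# drop-in for murmur.service on CentOS 7 (systemd 219). Everything here is
# orthogonal to SELinux and applies whether murmur_t is confined or not.
# Assumptions: unit is called murmur.service; the daemon listens only on
# 64738, so it needs no capabilities.

# Emit the drop-in text; kept in a function so it can be inspected without
# touching the system.
hardening_dropin() {
    cat <<'EOF'
[Service]
# The four directives from the Fedora unit (systemd 209/214 and later).
PrivateDevices=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
# Also available in systemd 219 on CentOS 7.
# No privilege escalation via setuid binaries for the daemon or anything it execs.
NoNewPrivileges=true
# 64738 is an unprivileged port, so an empty bounding set is enough.
CapabilityBoundingSet=
# Only the socket families murmur uses: v4/v6 listeners plus the D-Bus and
# netlink sockets the posted SELinux policy also grants.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
EOF
}

# Install the drop-in and confirm systemd parsed every directive.
# ProtectSystem=full leaves /var writable, so /var/lib/murmur is unaffected.
apply() {
    local dir=/etc/systemd/system/murmur.service.d
    mkdir -p "$dir"
    hardening_dropin > "$dir/hardening.conf"
    systemctl daemon-reload
    # Each property must echo back the value set above; journalctl -u murmur
    # shows "Unknown lvalue" warnings for anything this systemd cannot do.
    systemctl show murmur.service -p ProtectSystem -p ProtectHome \
        -p PrivateDevices -p PrivateTmp -p NoNewPrivileges
    systemctl restart murmur.service
}

# Only modify the system when asked: ./harden-murmur.sh apply
if [ "${1:-}" = apply ]; then
    apply
fi
```

Without the `apply` argument the script only defines its functions, so `bash harden-murmur.sh` followed by `hardening_dropin` in the same shell shows the fragment that would be written.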

gsauthof commented 7 years ago

@mkrautz, with SELinux the ports are usually dynamically mapped. That means that a type like - say - ssh_port_t or murmur_port_t is just a place-holder for a concrete port mapping. Thus, you can change that port-mapping at runtime without having to change/re-compile/re-load the policy file - cf. semanage-port(8).

The port mapping can include one or many ports, i.e. it is a list of ports/port-ranges.
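The install steps in fuero's first comment and the runtime port mapping gsauthof describes here, carried through as an added shell example that is not part of the issue thread or the Mumble project. It decides between `semanage port -a` and `semanage port -m` from the live `semanage port -l` listing (re-running `-a` on a port that is already mapped fails with "already defined", while a port that merely falls inside a base range such as unreserved_port_t's still needs `-a`), accepts extra port specs for virtual servers, relabels all three path sets that murmur.fc covers rather than /opt/murmur alone, and checks that the running daemon actually carries the murmur_t label. The sample listing, the `apply` subcommand and the script name are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the issue): idempotent labelling of murmur_port_t
# plus the relabel and verification steps. Assumes CentOS 7 with
# policycoreutils-python installed and murmur.pp already loaded, since
# semanage refuses a port type the policy does not define.

# Constructed sample of `semanage port -l` output used by the tests below.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
murmur_port_t                  udp      64738
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767'

# What `semanage port` needs for one spec ("64738" or "64739-64750").
# `-a` only fails when the exact port/range key exists, so match whole
# tokens of the listing, not ranges that happen to contain the port.
# Prints: none (already the wanted type), modify (owned by another type), add.
port_action() {
    local listing="$1" proto="$2" spec="$3" want="${4:-murmur_port_t}"
    local owner
    owner=$(printf '%s\n' "$listing" | awk -v proto="$proto" -v spec="$spec" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                tok = $i; sub(/,$/, "", tok)
                if (tok == spec) { print $1; exit }
            }
        }')
    if [ -z "$owner" ]; then
        echo add
    elif [ "$owner" = "$want" ]; then
        echo none
    else
        echo modify
    fi
}

# The semanage command for one spec, or nothing when it is already right.
port_cmd() {
    local listing="$1" proto="$2" spec="$3" want="${4:-murmur_port_t}"
    case "$(port_action "$listing" "$proto" "$spec" "$want")" in
        add)    echo "semanage port -a -t $want -p $proto $spec" ;;
        modify) echo "semanage port -m -t $want -p $proto $spec" ;;
        none)   ;;
    esac
}

# Apply to the live system: label each spec (default 64738) for tcp and udp,
# relabel every path murmur.fc covers, then confirm the domain transition.
apply() {
    local listing spec proto cmd
    listing=$(semanage port -l)
    for spec in ${*:-64738}; do
        for proto in tcp udp; do
            cmd=$(port_cmd "$listing" "$proto" "$spec")
            [ -n "$cmd" ] && { echo "+ $cmd"; $cmd; }
        done
    done
    restorecon -Rv /opt/murmur /var/lib/murmur /var/log/murmur
    # A label other than murmur_t here (unconfined_service_t, init_t) means the
    # fc entry or init_daemon_domain did not take effect; grep fails if murmur
    # is not running at all.
    ps -eZ | grep '[m]urmur'
}

# Only touch the system when asked: ./label-murmur.sh apply [port specs...]
if [ "${1:-}" = apply ]; then
    shift
    apply "$@"
fi
```

Run `./label-murmur.sh apply` after `semodule -i murmur.pp` for the default port, or `./label-murmur.sh apply 64738 64739-64750` to map a range for additional virtual servers; since the mapping lives in the port database rather than in murmur.pp, no recompile or reload of the module is needed when the set of ports changes.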