Code review (#83)

* Quick code review: - Add (and document) the `allow_springboot_rewrite_logs` boolean. - Add the `peer:recv` permission on self when Sprinboot apps are allowed to connect to Springboot app. * Adding icons to README
lhqg · May 18, 2024 · 6c72ea3 · 6c72ea3
1 parent 13cd9c3
commit 6c72ea3
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 24 deletions.
diff --git a/.github/workflows/validate_selinux_compile.yml b/.github/workflows/validate_selinux_compile.yml
@@ -34,15 +34,15 @@ jobs:
 
  steps:
  - uses: actions/checkout@v3
- - uses: hubertqc/selinux_compile@centos7
+ - uses: lhqg/selinux_compile@centos7
 
  compile_centos8:
  name: Validate SELinux code (CentOS 8)
  runs-on: ubuntu-latest
 
  steps:
  - uses: actions/checkout@v3
- - uses: hubertqc/selinux_compile@centos8
+ - uses: lhqg/selinux_compile@centos8
 
  compile_centos9:
  name: Validate SELinux code (CentOS 9)
@@ -51,47 +51,47 @@ jobs:
 
  steps:
  - uses: actions/checkout@v3
- - uses: hubertqc/selinux_compile@centos9
+ - uses: lhqg/selinux_compile@centos9
 
  compile_fedora36:
  name: Validate SELinux code (Fedora 36)
  runs-on: ubuntu-latest
 
  steps:
  - uses: actions/checkout@v3
- - uses: hubertqc/selinux_compile@fedora36
+ - uses: lhqg/selinux_compile@fedora36
 
  compile_fedora37:
  name: Validate SELinux code (Fedora 37)
  runs-on: ubuntu-latest
 
  steps:
  - uses: actions/checkout@v3
- - uses: hubertqc/selinux_compile@fedora37
+ - uses: lhqg/selinux_compile@fedora37
 
  compile_fedora38:
  name: Validate SELinux code (Fedora 38)
  runs-on: ubuntu-latest
 
  steps:
  - uses: actions/checkout@v3
- - uses: hubertqc/selinux_compile@fedora38
+ - uses: lhqg/selinux_compile@fedora38
 
  compile_fedora39:
  name: Validate SELinux code (Fedora 39)
  runs-on: ubuntu-latest
 
  steps:
  - uses: actions/checkout@v3
- - uses: hubertqc/selinux_compile@fedora39
+ - uses: lhqg/selinux_compile@fedora39
 
  compile_fedora40:
  name: Validate SELinux code (Fedora 40)
  runs-on: ubuntu-latest
 
  steps:
  - uses: actions/checkout@v3
- - uses: hubertqc/selinux_compile@fedora40
+ - uses: lhqg/selinux_compile@fedora40
 
  semodule_info:
  name: Get SELinux module informations

diff --git a/README.md b/README.md
@@ -1,3 +1,11 @@
+![GitHub Release (latest SemVer)](https://img.shields.io/github/v/release/hubertqc/selinux_springboot)
+[![License](https://img.shields.io/badge/License-GPLv2-blue.svg)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
+[![GitHub Issues](https://img.shields.io/github/issues/hubertqc/selinux_springboot)](https://github.com/hubertqc/selinux_springboot/issues)
+[![GitHub PR](https://img.shields.io/github/issues-pr/hubertqc/selinux_springboot)](https://github.com/hubertqc/selinux_springboot/pulls)
+[![GitHub commit activity](https://img.shields.io/github/commit-activity/y/hubertqc/selinux_springboot)](https://github.com/hubertqc/selinux_springboot/commits/main)
+[![GitHub Last commit](https://img.shields.io/github/last-commit/hubertqc/selinux_springboot)](https://github.com/hubertqc/selinux_springboot/commits/main)
+![GitHub Downloads](https://img.shields.io/github/downloads/hubertqc/selinux_springboot/total)
+
 # SELinux policy module for Springboot applications
 
 <https://github.com/hubertqc/selinux_springboot>
@@ -156,13 +164,19 @@ Springboot application to offload arbitrary code and use it.
 
 #### allow_springboot_purge_logs (default: `false`)
 
-When switched to `true`n, this boolean allows the Springboot application to delete its log
-files. It can be useful for log file rotation, but it can also be useful for attackers who
-would like to clean after themselves and remove traces of their actions...
+When switched to `true`, this boolean allows the Springboot application to delete its log
+files. It can be useful for "in Java app" logging framework initiated log file rotation.
+But it can also be useful for attackers who would like to clean after themselves and remove traces of their actions...
+
+#### allow_springboot_rewrite_logs (default: `false`)
+
+When switched to `true`, this boolean allows the Springboot application to rewrite its own
+log files. It can prove useful when the logging framework cannot work in "append only" mode".
+But it can also be useful for attackers who would like to clean after themselves and remove traces of their actions...
 
 #### allow_webadm_read_springboot_files (default: `false`)
 
-Users running with the `webadm_r`SELinux role and`webadm_t`domain are granted the
+Users running with the `webadm_r` SELinux role and`webadm_t` domain are granted the
 permissions to browse the directories of the Springboot application and the permission to
 stop and start the Springboot application **systemd** services, as well as querying their
 status.
@@ -264,6 +278,13 @@ is also supported.
 
 ### Running multiple Springboot applications on the same host
 
+#### Without isolation
+
+Nothing special needs to be done.
+Care must be taken to name each Springboot apps properly and to properly use systemd/systemctl to manage each one.
+
+#### With isolation between the Springboot apps
+
 TO DO
 
 ## Related projects

diff --git a/se_module/springboot.te b/se_module/springboot.te
@@ -24,7 +24,7 @@
 #
 ############################################################################
 
-policy_module(springboot, 1.3.1)
+policy_module(springboot, 1.3.2)
 
 ########################################
 #
@@ -114,6 +114,7 @@ bool allow_springboot_connectto_mongodb false;
 
 bool allow_springboot_dynamic_libs false;
 bool allow_springboot_purge_logs false;
+bool allow_springboot_rewrite_logs false;
 bool allow_webadm_read_springboot_files false;
 bool allow_sysadm_write_springboot_files false;
 bool allow_sysadm_manage_springboot_auth_files false;
@@ -277,6 +278,7 @@ if (allow_springboot_connectto_http) {
 
 if (allow_springboot_connectto_self) {
  allow springboot_t springboot_port_t:tcp_socket name_connect;
+ allow springboot_t springboot_t:peer recv;
 }
 
 if (allow_springboot_connectto_ldap) {
@@ -292,7 +294,6 @@ if (allow_springboot_connectto_smtp) {
  allow springboot_t sendmail_t:peer recv;
 }
 
-
 if (allow_springboot_connectto_oracle) {
  allow springboot_t oracle_port_t:tcp_socket name_connect;
 }
@@ -341,9 +342,9 @@ allow springboot_t springboot_bin_t:file exec_file_perms;
 allow springboot_t springboot_lib_t:file map;
 
 if (allow_springboot_dynamic_libs) {
- allow springboot_t springboot_dynlib_t:dir { create_dir_perms rw_dir_perms };
- allow springboot_t springboot_dynlib_t:file manage_file_perms;
- allow springboot_t springboot_dynlib_t:file exec_file_perms;
+ allow springboot_t springboot_dynlib_t:dir  { create_dir_perms rw_dir_perms };
+ allow springboot_t springboot_dynlib_t:file  manage_file_perms;
+ allow springboot_t springboot_dynlib_t:file  exec_file_perms;
  allow springboot_t springboot_dynlib_t:lnk_file manage_lnk_file_perms;
 
  filetrans_add_pattern(springboot_t, springboot_dynlib_t, springboot_dynlib_t, { dir file lnk_file } )
@@ -385,21 +386,25 @@ allow springboot_t springboot_log_t:file { create_file_perms append_file_perms
 logging_log_filetrans(springboot_t, springboot_log_t, { file dir } )
 
 if (allow_springboot_purge_logs) {
- allow springboot_t springboot_log_t:dir rw_dir_perms;
+ allow springboot_t springboot_log_t:dir del_entry_dir_perms;
  allow springboot_t springboot_log_t:file delete_file_perms;
 }
 
+if (allow_springboot_rewrite_logs) {
+ allow springboot_t springboot_log_t:file write_file_perms;
+}
+
+
 dontaudit springboot_t domain:dir getattr;
 dontaudit springboot_t domain:file getattr;
 
-
 #
 ## Permissions for Sys admins (sysadm_t)
 #
 
-allow sysadm_t springboot_file_type:dir list_dir_perms;
+allow sysadm_t springboot_file_type:dir  list_dir_perms;
 allow sysadm_t springboot_file_type:notdevfile_class_set getattr;
-allow sysadm_t springboot_file_type:lnk_file read_lnk_file_perms;
+allow sysadm_t springboot_file_type:lnk_file  read_lnk_file_perms;
 
 allow sysadm_t springboot_bin_t:file exec_file_perms;
 
@@ -437,11 +442,11 @@ if (allow_sysadm_manage_springboot_auth_files) {
 ## Permissions for Web admins (webadm_t)
 #
 
-allow webadm_t springboot_file_type:dir list_dir_perms;
+allow webadm_t springboot_file_type:dir  list_dir_perms;
 allow webadm_t springboot_file_type:notdevfile_class_set getattr;
-allow webadm_t springboot_file_type:lnk_file read_lnk_file_perms;
+allow webadm_t springboot_file_type:lnk_file  read_lnk_file_perms;
 
-allow webadm_t springboot_unit_file_t:file read_file_perms;
+allow webadm_t springboot_unit_file_t:file  read_file_perms;
 allow webadm_t springboot_unit_file_t:service { stop start status };
 
 if (allow_webadm_read_springboot_files) {