* [refpolicy] new policy pyicqt
@ 2009-10-25 11:59 Stefan Schulze Frielinghaus
  2009-10-25 14:48 ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-10-25 11:59 UTC (permalink / raw)
  To: refpolicy

Hi all,

attached is a new policy for the ICQ transport PyICQt. I lost track of
head development ... guess the following lines are redundant now

libs_use_ld_so(pyicqt_t)
libs_use_shared_libs(pyicqt_t)
libs_read_lib_files(pyicqt_t)

and can be changed to

libs_read_lib_files(pyicqt_t)

I tested the policy on CentOS 5 for a couple of months with ejabberd so
hope everything is fine tested ;-)

cheers
Stefan
-------------- next part --------------
/etc/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_conf_t,s0)

/usr/share/pyicq-t/PyICQt\.py	--	gen_context(system_u:object_r:pyicqt_exec_t,s0)

/var/log/pyicq-t\.log		--	gen_context(system_u:object_r:pyicqt_log_t,s0)

/var/run/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_var_run_t,s0)

/var/spool/pyicq-t(/.*)?		gen_context(system_u:object_r:pyicqt_spool_t,s0)
-------------- next part --------------
## <summary>PyICQt is an ICQ transport for XMPP server.</summary>
-------------- next part --------------

policy_module(pyicqt, 1.0.0)

########################################
#
# Declarations
#

type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t,pyicqt_exec_t)

type pyicqt_conf_t;
files_config_file(pyicqt_conf_t)

type pyicqt_spool_t;
files_type(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

type pyicqt_log_t;
logging_log_file(pyicqt_log_t)

########################################
#
# PyICQt policy
#

allow pyicqt_t self:fifo_file { read write };
allow pyicqt_t self:tcp_socket create_socket_perms;
allow pyicqt_t self:udp_socket create_socket_perms;

read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)

manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)

manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)

libs_use_ld_so(pyicqt_t)
libs_use_shared_libs(pyicqt_t)
libs_read_lib_files(pyicqt_t)

files_read_usr_files(pyicqt_t)
files_search_spool(pyicqt_t)

# /etc/nsswitch.conf
files_read_etc_files(pyicqt_t)
# /etc/resolv.conf
sysnet_read_config(pyicqt_t)

dev_read_urand(pyicqt_t)

corecmd_exec_bin(pyicqt_t)

kernel_read_system_state(pyicqt_t)

miscfiles_read_localization(pyicqt_t)

corenet_tcp_connect_generic_port(pyicqt_t)
corenet_sendrecv_unlabeled_packets(pyicqt_t)


* [refpolicy] new policy pyicqt
  2009-10-25 11:59 [refpolicy] new policy pyicqt Stefan Schulze Frielinghaus
@ 2009-10-25 14:48 ` Dominick Grift
  2009-10-25 15:09   ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2009-10-25 14:48 UTC (permalink / raw)
  To: refpolicy

On Sun, Oct 25, 2009 at 12:59:23PM +0100, Stefan Schulze Frielinghaus wrote:
> Hi all,
Hello, I have made some comments in-line.
> 
> attached is a new policy for the ICQ transport PyICQt. I lost track of
> head development ... guess the following lines are redundant now
> 
> libs_use_ld_so(pyicqt_t)
> libs_use_shared_libs(pyicqt_t)
> libs_read_lib_files(pyicqt_t)
> 
> and can be changed to
> 
> libs_read_lib_files(pyicqt_t)
> 
> I tested the policy on CentOS 5 for a couple of months with ejabberd so
> hope everything is fine tested ;-)
> 
> cheers
> Stefan

> /etc/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_conf_t,s0)
> 
> /usr/share/pyicq-t/PyICQt\.py	--	gen_context(system_u:object_r:pyicqt_exec_t,s0)
> 
> /var/log/pyicq-t\.log		--	gen_context(system_u:object_r:pyicqt_log_t,s0)
> 
> /var/run/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_var_run_t,s0)
> 
> /var/spool/pyicq-t(/.*)?		gen_context(system_u:object_r:pyicqt_spool_t,s0)

> ## <summary>PyICQt is an ICQ transport for XMPP server.</summary>

> 
> policy_module(pyicqt, 1.0.0)
> 
> ########################################
> #
> # Declarations
> #
> 
> type pyicqt_t;
> type pyicqt_exec_t;
> init_daemon_domain(pyicqt_t,pyicqt_exec_t)
> 
> type pyicqt_conf_t;
> files_config_file(pyicqt_conf_t)
> 
> type pyicqt_spool_t;
> files_type(pyicqt_spool_t)
> 
> type pyicqt_var_run_t;
> files_pid_file(pyicqt_var_run_t)
> 
> type pyicqt_log_t;
> logging_log_file(pyicqt_log_t)
> 
> ########################################
> #
> # PyICQt policy
> #
> 
> allow pyicqt_t self:fifo_file { read write };
allow pyicqt_t self:fifo_files rw_fifo_file_perms;
> allow pyicqt_t self:tcp_socket create_socket_perms;
> allow pyicqt_t self:udp_socket create_socket_perms;
> 
> read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
> 
> manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
> manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
> 
> manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
> 
> libs_use_ld_so(pyicqt_t)
> libs_use_shared_libs(pyicqt_t)
> libs_read_lib_files(pyicqt_t)

libs ... deprecated upstream

> files_read_usr_files(pyicqt_t)
> files_search_spool(pyicqt_t)

files_search_spool (likely) included with files_spool_filetrans (not sure)
> 
> # /etc/nsswitch.conf
> files_read_etc_files(pyicqt_t)
> # /etc/resolv.conf
> sysnet_read_config(pyicqt_t)
> 
> dev_read_urand(pyicqt_t)
> 
> corecmd_exec_bin(pyicqt_t)
> 
> kernel_read_system_state(pyicqt_t)
> 
> miscfiles_read_localization(pyicqt_t)
> 
> corenet_tcp_connect_generic_port(pyicqt_t)
> corenet_sendrecv_unlabeled_packets(pyicqt_t)

for compatibility:
corenet_all_recvfrom_unlabeled(pyicqt_t)
corenet_all_recvfrom_netlabel(pyicqt_t)
corenet_tcp_sendrecv_generic_if(pyicqt_t)
corenet_tcp_sendrecv_generic_node(pyicqt_t)
corenet_sendrecv_generic_client_packets(pyicqt_t)

Other:
Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)
pyicqt.if does not have a description.
You declared pyicqt_var_log_t but nowhere in personal policy pyicqt_t interacts with it.

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy



* [refpolicy] new policy pyicqt
  2009-10-25 14:48 ` Dominick Grift
@ 2009-10-25 15:09   ` Stefan Schulze Frielinghaus
  2009-10-25 16:30     ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-10-25 15:09 UTC (permalink / raw)
  To: refpolicy

On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
[...] 
> allow pyicqt_t self:fifo_files rw_fifo_file_perms;

I only included read/write perms because the app didn't complain on all
the other permissions which rw_fifo_file_perms will include. But if it
is common to use the set of permissions I will change this.

[...] 
> files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

Why should we introduce this rule? PyICQt only writes into a directory
labeled as pyicqt_spool_t and therefore all new files will inherit the
type.

[...] 
> files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)

Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
as pyicqt_var_run_t and therefore all new files will inherit this type.

[...] 
> libs ... deprecated upstream

And what interface do we use instead? I guess I need to include a rule
to read lib_t files, right?

[...] 
> > corenet_tcp_connect_generic_port(pyicqt_t)
> > corenet_sendrecv_unlabeled_packets(pyicqt_t)
> 
> for compatibility:
> corenet_all_recvfrom_unlabeled(pyicqt_t)
> corenet_all_recvfrom_netlabel(pyicqt_t)
> corenet_tcp_sendrecv_generic_if(pyicqt_t)
> corenet_tcp_sendrecv_generic_node(pyicqt_t)
> corenet_sendrecv_generic_client_packets(pyicqt_t)

Yep. Will include those. I only included the two interfaces above
because PyICQt didn't complain for other rules. But if they are
mandatory for compatibility I will include them.

> Other:
> Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)

Is alphabetic order important? I can change this no problem. But my
actual intention was to group the two interface calls
for /etc/{nsswitch.conf,resolv.conf}.

> pyicqt.if does not have a description.

Yep. But isn't a summary line sufficient?

> You declared pyicqt_var_log_t but nowhere in personal policy pyicqt_t interacts with it.

Uh good point. I will fix that after the other points above are cleared.


* [refpolicy] new policy pyicqt
  2009-10-25 15:09   ` Stefan Schulze Frielinghaus
@ 2009-10-25 16:30     ` Dominick Grift
  2009-10-25 21:14       ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2009-10-25 16:30 UTC (permalink / raw)
  To: refpolicy

On Sun, 2009-10-25 at 16:09 +0100, Stefan Schulze Frielinghaus wrote:
> On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
> [...] 
> > allow pyicqt_t self:fifo_files rw_fifo_file_perms;
> 
> I only included read/write perms because the app didn't complain on all
> the other permissions which rw_fifo_file_perms will include. But if it
> is common to use the set of permissions I will change this.

> [...] 
> > files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
> 
> Why should we introduce this rule? PyICQt only writes into a directory
> labeled as pyicqt_spool_t and therefore all new files will inherit the
> type.

So are you saying that /var/spool/pyicq-t gets installed by the package?
> 
> [...] 
> > files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
> 
> Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
> as pyicqt_var_run_t and therefore all new files will inherit this type.

So /var/run/pyicq-t gets installed by the package?

> 
> [...] 
> > libs ... deprecated upstream
> 
> And what interface do we use instead? I guess I need to include a rule
> to read lib_t files, right?
> 
> [...] 
> > > corenet_tcp_connect_generic_port(pyicqt_t)
> > > corenet_sendrecv_unlabeled_packets(pyicqt_t)
> > 
> > for compatibility:
> > corenet_all_recvfrom_unlabeled(pyicqt_t)
> > corenet_all_recvfrom_netlabel(pyicqt_t)
> > corenet_tcp_sendrecv_generic_if(pyicqt_t)
> > corenet_tcp_sendrecv_generic_node(pyicqt_t)
> > corenet_sendrecv_generic_client_packets(pyicqt_t)
> 
> Yep. Will include those. I only included the two interfaces above
> because PyICQt didn't complain for other rules. But if they are
> mandatory for compatibility I will include them.
> 
> > Other:
> > Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)
> 
> Is alphabetic order important? I can change this no problem. But my
> actual intention was to group the two interface calls
> for /etc/{nsswitch.conf,resolv.conf}.

See http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide
> 
> > pyicqt.if does not have a description.
> 
> Yep. But isn't a summary line sufficient?
> 
> > You declared pyicqt_var_log_t but nowhere in personal policy pyicqt_t interacts with it.
> 
> Uh good point. I will fix that after the other points above are cleared.
> 


* [refpolicy] new policy pyicqt
  2009-10-25 16:30     ` Dominick Grift
@ 2009-10-25 21:14       ` Stefan Schulze Frielinghaus
  2009-10-26 19:40         ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 6+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-10-25 21:14 UTC (permalink / raw)
  To: refpolicy

On Sun, 2009-10-25 at 17:30 +0100, Dominick Grift wrote:
> On Sun, 2009-10-25 at 16:09 +0100, Stefan Schulze Frielinghaus wrote:
> > On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
> > [...] 
> > > allow pyicqt_t self:fifo_files rw_fifo_file_perms;
> > 
> > I only included read/write perms because the app didn't complain on all
> > the other permissions which rw_fifo_file_perms will include. But if it
> > is common to use the set of permissions I will change this.
> 
> > [...] 
> > > files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
> > 
> > Why should we introduce this rule? PyICQt only writes into a directory
> > labeled as pyicqt_spool_t and therefore all new files will inherit the
> > type.
> 
> So are you saying that /var/spool/pyicq-t gets installed by the package?

PyICQt is installed by default on Fedora to run as non root user. So,
yes, /var/{run,spool}/pyicq-t is installed by the RPM package. But I
think I know what you mean. What happens if another distro runs PyICQt
as root and uses /var/run as the base pidfile directory. I will include
this rule to make sure that other distributions won't run into trouble.

[...] 
> > > files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
> > 
> > Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
> > as pyicqt_var_run_t and therefore all new files will inherit this type.
> 
> So /var/run/pyicq-t gets installed by the package?

Same as above.

[...]
> See http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

Hey, cool, wasn't aware of such a style guide. Thanks for the link and
the policy review. I will work on the suggestions and submit a new
policy.

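A small model of the two labeling mechanisms the filetrans discussion above turns on (file-context matching for paths that exist on disk, and inheritance from the parent directory overridden by type_transition at creation time), added here as an example and not part of the thread or of refpolicy. It assumes a pidfile path of /var/run/pyicq-t.pid for the "other distro" case and a handful of base-policy directory labels; both are constructed.

```python
import re
import posixpath

# Constructed copy of the thread's pyicqt.fc entries (tabs replaced by spaces).
PYICQT_FC = r"""
/etc/pyicq-t(/.*)?             gen_context(system_u:object_r:pyicqt_conf_t,s0)
/usr/share/pyicq-t/PyICQt\.py  --  gen_context(system_u:object_r:pyicqt_exec_t,s0)
/var/run/pyicq-t(/.*)?         gen_context(system_u:object_r:pyicqt_var_run_t,s0)
/var/spool/pyicq-t(/.*)?       gen_context(system_u:object_r:pyicqt_spool_t,s0)
"""
# Constructed stand-in for the base policy's labels of the parent directories.
BASE_DIRS = {"/var/run": "var_run_t", "/var/spool": "var_spool_t", "/etc": "etc_t"}

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(\w+:\w+:(\w+),\w+\)$")

def parse_fc(text):
    """Turn .fc lines into (compiled path regex, file-type flag or None, type)."""
    rules = []
    for line in text.strip().splitlines():
        m = FC_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable fc line: {line!r}")
        path_re, ftype, setype = m.groups()
        rules.append((re.compile(path_re + r"\Z"), ftype, setype))
    return rules

FC_RULES = parse_fc(PYICQT_FC)

def label_on_disk(path, rules=FC_RULES):
    """Label a path the way restorecon would: first fc match, else the base dir label."""
    for regex, _ftype, setype in rules:
        if regex.match(path):
            return setype
    for base in sorted(BASE_DIRS, key=len, reverse=True):
        if path == base or path.startswith(base + "/"):
            return BASE_DIRS[base]
    return "unlabeled_t"

def label_at_create(domain, parent_type, obj_class, transitions):
    """Runtime labeling: a new object inherits its parent directory's type unless a
    type_transition rule keyed on (domain, parent type, class) names another type."""
    return transitions.get((domain, parent_type, obj_class), parent_type)

# The type_transition rules that files_pid_filetrans / files_spool_filetrans add.
PYICQT_TRANSITIONS = {
    ("pyicqt_t", "var_run_t", "file"): "pyicqt_var_run_t",
    ("pyicqt_t", "var_spool_t", "file"): "pyicqt_spool_t",
    ("pyicqt_t", "var_spool_t", "dir"): "pyicqt_spool_t",
}

def pidfile_label(pidfile, transitions):
    """Type a pidfile gets when pyicqt_t creates it under an already-labeled parent."""
    parent_type = label_on_disk(posixpath.dirname(pidfile))
    return label_at_create("pyicqt_t", parent_type, "file", transitions)
```

With the packaged /var/run/pyicq-t directory the pidfile inherits pyicqt_var_run_t either way; written straight into /var/run it stays var_run_t unless the filetrans rule is present.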

* [refpolicy] new policy pyicqt
  2009-10-25 21:14       ` Stefan Schulze Frielinghaus
@ 2009-10-26 19:40         ` Stefan Schulze Frielinghaus
  0 siblings, 0 replies; 6+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-10-26 19:40 UTC (permalink / raw)
  To: refpolicy

On Sun, 2009-10-25 at 22:14 +0100, Stefan Schulze Frielinghaus wrote: 
> I will work on the suggestions and submit a new
> policy.

And attached is a new version. Hope everything is alright now.

cheers
Stefan

PS: Just for the records. I created the type pyicqt_conf_t because the
config file contains a clear text password.
-------------- next part --------------
/etc/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_conf_t,s0)

/usr/share/pyicq-t/PyICQt\.py	--	gen_context(system_u:object_r:pyicqt_exec_t,s0)

/var/run/pyicq-t(/.*)?			gen_context(system_u:object_r:pyicqt_var_run_t,s0)

/var/spool/pyicq-t(/.*)?		gen_context(system_u:object_r:pyicqt_spool_t,s0)
-------------- next part --------------
## <summary>PyICQt is an ICQ transport for XMPP server.</summary>
-------------- next part --------------

policy_module(pyicqt, 1.0.0)

########################################
#
# Declarations
#

type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t, pyicqt_exec_t)

type pyicqt_conf_t;
files_config_file(pyicqt_conf_t)

type pyicqt_spool_t;
files_type(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

########################################
#
# PyICQt policy
#

allow pyicqt_t self:fifo_file rw_fifo_file_perms;
allow pyicqt_t self:tcp_socket create_socket_perms;
allow pyicqt_t self:udp_socket create_socket_perms;

read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)

manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)

manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)

kernel_read_system_state(pyicqt_t)

corecmd_exec_bin(pyicqt_t)

corenet_all_recvfrom_unlabeled(pyicqt_t)
corenet_all_recvfrom_netlabel(pyicqt_t)
corenet_tcp_connect_generic_port(pyicqt_t)
corenet_tcp_sendrecv_generic_if(pyicqt_t)
corenet_tcp_sendrecv_generic_node(pyicqt_t)
corenet_sendrecv_generic_client_packets(pyicqt_t)
corenet_sendrecv_unlabeled_packets(pyicqt_t)

dev_read_urand(pyicqt_t)

files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
files_read_etc_files(pyicqt_t)
files_read_usr_files(pyicqt_t)
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

libs_read_lib_files(pyicqt_t)
libs_use_ld_so(pyicqt_t)
libs_use_shared_libs(pyicqt_t)

miscfiles_read_localization(pyicqt_t)

sysnet_read_config(pyicqt_t)

