From: Devin Carraway <selinux-list@devin.com>
To: selinux@tycho.nsa.gov
Subject: [refpolicy] policy & patch for bitlbee
Date: Sat, 18 Aug 2007 21:57:07 -0700	[thread overview]
Message-ID: <20070819045707.GJ18641@atlantic.devin.com> (raw)


[-- Attachment #1.1: Type: text/plain, Size: 621 bytes --]

Here's a policy module for BitlBee, a service which acts as a gateway for IRC
clients to various IM networks.

The patch adds three new ports to the corenetwork list, for the AIM, Yahoo
Messenger and MSN Messenger ports.  I drew the port names from the IANA
"registered port numbers" list at http://www.iana.org/assignments/port-numbers .

It's my first attempt at writing a policy module clean enough for publication;
feedback/criticism would be welcome.

Devin

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

[-- Attachment #1.2: bitlbee.te --]
[-- Type: text/plain, Size: 2855 bytes --]

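policy_module(bitlbee, 1.0.0)

# $Id: bitlbee.te 673 2007-08-11 21:03:48Z aqua $
# 
# (Draft) SELinux policy for the bitlbee IM gateway server, using refpolicy
# 
# Devin Carraway <devin@debian.org>


########################################
#
# Declarations
#

# the server process domain and the executable that enters it
type bitlbee_t;
type bitlbee_exec_t;

# bitlbee is usually run from inetd, but also can be run standalone
init_daemon_domain(bitlbee_t, bitlbee_exec_t)

# systemwide configuration (/etc/bitlbee in the .fc file); read-only below
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

# user help files (/usr/share/bitlbee); read-only below
type bitlbee_share_t;
files_type(bitlbee_share_t)

# runtime account state (/var/lib/bitlbee); the only type this domain is
# allowed to write, so a compromised bitlbee is confined to its own data
type bitlbee_var_t;
files_type(bitlbee_var_t)

########################################
#
# Local policy
#

# normally started from inetd using tcpwrappers, so use those entry points.
# Both calls are kept inside optional_policy so the module still loads on a
# system without the tcpd or inetd modules.
optional_policy(`
	# tcpd_t belongs to the tcpd module; a loadable module may only use a
	# type it does not declare after requiring it, otherwise the module
	# fails to build.  If the target refpolicy provides a tcpd interface
	# for wrapped services, prefer it over the bare domain_auto_trans.
	gen_require(`
		type tcpd_t;
	')
	domain_auto_trans(tcpd_t, bitlbee_exec_t, bitlbee_t)
')

optional_policy(`
	# no trailing semicolon: interface calls are m4 macros, not statements
	inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
')

# allow library loading
libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t)

# it needs read-only access to its systemwide configuration in /etc/bitlbee
files_read_etc_files(bitlbee_t)
allow bitlbee_t bitlbee_conf_t:dir r_dir_perms;
allow bitlbee_t bitlbee_conf_t:file r_file_perms;

# grant read-only access to the user help files; reach /usr through the
# files interface rather than naming usr_t, a type this module does not own
files_search_usr(bitlbee_t)
allow bitlbee_t bitlbee_share_t:dir r_dir_perms;
allow bitlbee_t bitlbee_share_t:file r_file_perms;

# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
# NOTE(review): the filetrans below labels files that bitlbee_t creates
# directly in /var/lib as bitlbee_var_t; objects under /var/lib/bitlbee
# already get that label from the .fc entry -- confirm the intended class
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
allow bitlbee_t bitlbee_var_t:dir rw_dir_perms;
allow bitlbee_t bitlbee_var_t:file manage_file_perms;

# read-only access to /var/run
files_search_pids(bitlbee_t)

# bitlbee's own network sockets (UDP, TCP and unix domain sockets)
allow bitlbee_t self:udp_socket { create_socket_perms };
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket { create_stream_socket_perms };
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_udp_sendrecv_lo_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_lo_node(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)

# Permit DNS requests
corenet_udp_sendrecv_dns_port(bitlbee_t)

# Outbound connections to the IM networks bitlbee gateways to.  Each one is
# a connect to a specific labelled port rather than a connect-to-all-ports
# rule, so the set of reachable services stays explicit and auditable.

# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)

# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)

# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)

# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)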


[-- Attachment #1.3: bitlbee.fc --]
[-- Type: text/plain, Size: 286 bytes --]

# file contexts for the bitlbee module; the types are declared in bitlbee.te
/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
/etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
/var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)
/usr/share/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_share_t,s0)

[-- Attachment #1.4: bitlbee.if --]
[-- Type: text/plain, Size: 38 bytes --]

## <summary>Bitlbee service</summary>
# no interfaces are defined yet: other modules have nothing to call here to
# transition to or administer bitlbee_t until some are added

[-- Attachment #1.5: bitlbee-network-ports.patch --]
[-- Type: text/x-diff, Size: 1030 bytes --]

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in	(revision 2388)
+++ policy/modules/kernel/corenetwork.te.in	(working copy)
@@ -67,6 +67,7 @@
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
+network_port(aol, tcp,5190,s0, udp,5190,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
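Review bot: The `udp,5190,s0` half of the new aol entry has no consumer in the accompanying bitlbee.te, which only calls the corenet_tcp_connect_*/corenet_tcp_sendrecv_* interfaces for this port; the same applies to the udp halves of the mmcc and msnp entries in the second hunk. If no policy needs UDP on these ports, declaring only `network_port(aol, tcp,5190,s0)` keeps the port labels minimal; if another service does, a short comment naming it would justify the extra label. The alphabetical placement of aol between amavisd_send and apcupsd is correct.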
@@ -112,6 +113,8 @@
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)
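Review bot: `msnp` is inserted out of the file's alphabetical order: `monopd` sorts before `msnp`, so the new line belongs between `network_port(monopd, tcp,1234,s0)` and `network_port(mysqld, tcp,3306,s0)`, whereas `mmcc` is correctly placed after `mail`. Since the cover letter says the names were taken from the IANA registry, a comment tying the generic IANA name to the IM service it serves here (`# mmcc: Yahoo Messenger`, `# msnp: MSN Messenger`) would save the next reader a lookup.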

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

2007-08-19  4:57 Devin Carraway [this message]
2007-08-25 10:31 ` [refpolicy] policy & patch for bitlbee Daniel J Walsh
2007-08-25 21:00   ` Devin Carraway
2007-08-26 22:45   ` Devin Carraway
2007-09-17 14:44     ` Christopher J. PeBenito
