From: Devin Carraway <selinux-list@devin.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: [refpolicy] policy & patch for bitlbee
Date: Sun, 26 Aug 2007 15:45:16 -0700	[thread overview]
Message-ID: <20070826224516.GA32414@atlantic.devin.com> (raw)
In-Reply-To: <46D00510.80608@redhat.com>


[-- Attachment #1.1: Type: text/plain, Size: 642 bytes --]

On Sat, Aug 25, 2007 at 06:31:44AM -0400, Daniel J Walsh wrote:
> So I would remove
[...]
> type bitlbee_share_t;
> files_type(bitlbee_share_t)

After talking a bit about this on #selinux, I went ahead with your suggestion
to remove bitlbee_share_t and instead grant plain read access to usr_t
(files_read_usr_files).  I kept bitlbee_conf_t as a separate type, since the
configuration can contain an authentication secret.

Here's an updated version.  It adds (and uses) an interface
bitlbee_read_config() to permit reading bitlbee_conf_t.

Thanks again.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

[-- Attachment #1.2: bitlbee.te --]
[-- Type: text/plain, Size: 2714 bytes --]

policy_module(bitlbee, 1.0.0)

# $Id: bitlbee.te 673 2007-08-11 21:03:48Z aqua $
# 
# (Draft) SELinux policy for the bitlbee IM gateway server, using refpolicy
# 
# Devin Carraway <devin@debian.org>

# Pull in tcpd_t from the tcpd module: bitlbee is normally launched through
# tcpwrappers (see the domain_auto_trans in the local policy section), so the
# transition source is tcpd_t rather than inetd_t.
# NOTE(review): refpolicy convention is to reach another module's types only
# through that module's interfaces (a tcpd_* interface in tcpd.if) instead of a
# raw gen_require in a .te file -- confirm which interface the target refpolicy
# revision provides before merging.
gen_require(`
	type tcpd_t;
')

########################################
#
# Declarations
#

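type bitlbee_t;
type bitlbee_exec_t;

# bitlbee is usually run from inetd, but also can be run standalone, so it is
# declared as a regular daemon domain; the inetd/tcpd entry points are added
# in the local policy section.
init_daemon_domain(bitlbee_t, bitlbee_exec_t)

# /etc/bitlbee: system-wide configuration.  Kept as its own type rather than
# plain etc_t because the config can carry an authentication secret; reads are
# granted only through the bitlbee_read_config() interface in bitlbee.if.
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

# bitlbee_share_t was dropped: the help files stay labelled usr_t and are read
# via files_read_usr_files(), so a private type for them was never referenced
# by any rule or file context.

# /var/lib/bitlbee: per-user account state, read and written at runtime.
type bitlbee_var_t;
files_type(bitlbee_var_t)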

########################################
#
# Local policy
#
#

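# normally started from inetd using tcpwrappers, so use those entry points:
# tcpd_t exec'ing /usr/sbin/bitlbee (bitlbee_exec_t) lands in bitlbee_t, and
# inetd may also run the service directly without the wrapper.
# NOTE(review): naming tcpd_t directly is what forces the gen_require above;
# a tcpd.if interface for wrapped services is the refpolicy convention if the
# target revision has one -- confirm before merging.
domain_auto_trans(tcpd_t, bitlbee_exec_t, bitlbee_t)
# No trailing ';' here: refpolicy interface calls are m4 macros that expand to
# complete statements, so a ';' after the call would be emitted into the
# expanded policy on a line of its own.
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)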

# allow library loading
# NOTE(review): libs_legacy_use_shared_libs() is the variant intended for
# binaries that need text relocations; if bitlbee and its plugins build without
# textrel, plain libs_use_shared_libs() is the tighter choice -- verify with
# the actual build before merging.
libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t)

# it needs read-only access to etc_t and to its own systemwide configuration.
# bitlbee_conf_t is only reachable via the bitlbee_read_config() interface
# (bitlbee.if) because the configuration may hold an authentication secret;
# keep it out of any broader "read all config" grant.
files_read_etc_files(bitlbee_t)
bitlbee_read_config(bitlbee_t)

# grant read-only access to the user help files; they are left labelled usr_t
# rather than given a private type, so this is the generic usr_t read.
files_read_usr_files(bitlbee_t)

# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t.  This is per-user IM account data, so no
# interface in bitlbee.if hands bitlbee_var_t to any other domain.
# New files bitlbee creates directly under /var/lib are labelled
# bitlbee_var_t; the transition is for the file class only, so directories
# it creates there are not covered by this rule.
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
allow bitlbee_t bitlbee_var_t:dir rw_dir_perms;
allow bitlbee_t bitlbee_var_t:file manage_file_perms;

# read-only access to /var/run (search only)
# NOTE(review): no pid-file type is declared, so a standalone (non-inetd)
# bitlbee that writes a pidfile under /var/run would be denied -- confirm
# whether daemon mode needs a bitlbee_var_run_t before relying on it.
files_search_pids(bitlbee_t)

# bitlbee's own network sockets (UDP, TCP and unix domain sockets).
# UDP carries the DNS lookups granted below; TCP carries the IM server
# connections listed below and, under inetd/tcpd, the inherited client socket.
# NOTE(review): no corenet_*_bind_* rule is granted, so the standalone mode
# mentioned in the declarations (listening on a port of its own) is not
# covered by this policy as written -- confirm whether that mode is needed.
allow bitlbee_t self:udp_socket { create_socket_perms };
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket { create_stream_socket_perms };
# let those sockets pass traffic over any interface and node, loopback included
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_udp_sendrecv_lo_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_lo_node(bitlbee_t)
# accept packets that carry no SELinux label (the usual unlabeled-network case)
corenet_all_recvfrom_unlabeled(bitlbee_t)

# Permit DNS requests (UDP only; no TCP DNS rule is granted here, so a
# resolver falling back to TCP for large answers would be denied)
corenet_udp_sendrecv_dns_port(bitlbee_t)

# Allow bitlbee to connect to jabber servers (jabber_client_port_t)
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)

# to AIM servers (aol_port_t, tcp/5190 -- declared by the accompanying
# corenetwork.te.in patch):
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)

# and to MMCC (Yahoo IM) servers (mmcc_port_t, tcp/5050, from the same patch):
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)

# and to MSNP (MSN Messenger) servers (msnp_port_t, tcp/1863, from the same
# patch).  Only outbound connect + send/recv is granted for each IM port;
# nothing here allows binding or listening on them.
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)


[-- Attachment #1.3: bitlbee.if --]
[-- Type: text/plain, Size: 461 bytes --]

## <summary>Bitlbee service</summary>

########################################
## <summary>
##     Read bitlbee configuration files.
##     The configuration can contain an authentication secret, so this
##     interface should be granted only to domains that genuinely need
##     the config (currently just bitlbee_t itself).
## </summary>
## <param name="domain">
##     <summary>
##         Domain allowed access.
##     </summary>
## </param>
#
interface(`bitlbee_read_config',`
	gen_require(`
		type bitlbee_conf_t;
	')

	# /etc/bitlbee lives under etc_t, so the caller needs to traverse /etc
	files_search_etc($1)
	# list the config directory and read (not write) the files in it
	allow $1 bitlbee_conf_t:dir { getattr read search };
	allow $1 bitlbee_conf_t:file { read getattr };
')


[-- Attachment #1.4: bitlbee.fc --]
[-- Type: text/plain, Size: 211 bytes --]

# daemon binary: entry point for the bitlbee_t domain (via init, inetd or tcpd)
/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
# system-wide configuration; may contain an authentication secret, so it gets
# its own type and is readable only through bitlbee_read_config()
/etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
# per-user account state, read and written by bitlbee_t at runtime
# (no entry for the help files: they intentionally stay usr_t)
/var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)

[-- Attachment #1.5: bitlbee-network-ports.patch --]
[-- Type: text/x-diff, Size: 1030 bytes --]

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in	(revision 2399)
+++ policy/modules/kernel/corenetwork.te.in	(working copy)
@@ -67,6 +67,7 @@
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
+network_port(aol, tcp,5190,s0, udp,5190,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
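Review bot: The new `aol` entry also labels `udp,5190` although bitlbee.te only requests `corenet_tcp_connect_aol_port`/`corenet_tcp_sendrecv_aol_port`; a declared-but-unused UDP label is harmless for bitlbee, but it removes UDP 5190 from the generic port set that other domains may be relying on. Unless the AIM/OSCAR protocol is known to use UDP 5190, `network_port(aol, tcp,5190,s0)` is the narrower declaration. The alphabetical placement between `amavisd_send` and `apcupsd` is correct.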
@@ -112,6 +113,8 @@
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)
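Review bot: The `msnp` line is inserted out of this list's alphabetical order — `mail`, `mmcc`, `monopd`, `msnp`, `mysqld` — so it belongs after `network_port(monopd, tcp,1234,s0)` rather than before it. As with the `aol` hunk, both entries declare UDP ports (`udp,5050`, `udp,1863`) that bitlbee.te never uses (it only grants `corenet_tcp_connect_*`/`corenet_tcp_sendrecv_*` on them); consider `network_port(mmcc, tcp,5050,s0)` and `network_port(msnp, tcp,1863,s0)` unless those protocols are known to need UDP.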

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
