* [refpolicy] [ irc patch 1/1] Extend IRC client policy to support irssi.
@ 2010-03-22 11:48 Dominick Grift
From: Dominick Grift @ 2010-03-22 11:48 UTC (permalink / raw)
To: refpolicy
I have been enjoying my Irssi policy for some years now, and while I was merging my irssi policy
into the irc module of my custom policy based on refpolicy I decided to give it another go and submit it.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 65ece18... 45203f4... M policy/modules/apps/irc.fc
:100644 100644 4f9dc90... b712758... M policy/modules/apps/irc.if
:100644 100644 789e684... e4535f8... M policy/modules/apps/irc.te
policy/modules/apps/irc.fc | 15 ++++++++---
policy/modules/apps/irc.if | 19 ++++++++++++++
policy/modules/apps/irc.te | 60 +++++++++++++++++++++++++++++++++++++++----
3 files changed, 84 insertions(+), 10 deletions(-)
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 65ece18..45203f4 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,11 +1,18 @@
#
# /home
#
-HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
+
+#
+# /etc
+#
+/etc/irssi\.conf -- gen_context(system_u:object_r:irc_etc_t,s0)
#
# /usr
#
-/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
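Review bot: The four pre-existing entries (`HOME_DIR/\.ircmotd`, `/usr/bin/[st]irc`, `/usr/bin/ircII`, `/usr/bin/tinyirc`) are removed and re-added in this hunk although only their column alignment appears to change, which buries the three genuine additions (`HOME_DIR/\.irssi(/.*)?`, `/etc/irssi\.conf`, `/usr/bin/irssi`). If the realignment is intended, one sentence in the description saying so would help a reviewer; otherwise leave the existing lines untouched so the diff shows only new labels. It is worth noting in a comment that `HOME_DIR/\.irssi(/.*)?` carries no file-type qualifier, so the directory and everything beneath it is labelled irc_home_t, which matches the dir/file/lnk_file manage grants on irc_home_t in irc.te.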
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 4f9dc90..b712758 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -18,6 +18,7 @@
interface(`irc_role',`
gen_require(`
type irc_t, irc_exec_t;
+ type irc_home_t, irc_tmp_t;
')
role $1 types irc_t;
@@ -28,4 +29,22 @@ interface(`irc_role',`
# allow ps to show irc
ps_process_pattern($2, irc_t)
allow $2 irc_t:process signal;
+
+ manage_dirs_pattern($2, irc_home_t, irc_home_t)
+ manage_files_pattern($2, irc_home_t, irc_home_t)
+ manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
+
+ relabel_dirs_pattern($2, irc_home_t, irc_home_t)
+ relabel_files_pattern($2, irc_home_t, irc_home_t)
+ relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
')
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 789e684..e4535f8 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -6,6 +6,22 @@ policy_module(irc, 2.1.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow IRC clients to connect to
+## any ports.
+## </p>
+## </desc>
+gen_tunable(irc_connect_any, false)
+
+## <desc>
+## <p>
+## Allow IRC clients to bind to
+## generic ports.
+## </p>
+## </desc>
+gen_tunable(irc_tcp_server, false)
+
type irc_t;
type irc_exec_t;
typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
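Review bot: The tunable descriptions `## Allow IRC clients to connect to any ports.` and `## Allow IRC clients to bind to generic ports.` are vaguer than what the matching tunable_policy blocks later in this file grant, which are corenet_tcp_connect_all_ports and corenet_tcp_bind_generic_port, both TCP only. Suggest `## Allow IRC clients to connect to any TCP port.` and `## Allow IRC clients to bind to generic TCP ports.` so an administrator reading the booleans can see that UDP is unaffected. A short mention of which client feature needs irc_tcp_server would also help, since nothing in the patch says why an IRC client has to listen on a port.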
@@ -13,6 +29,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
application_domain(irc_t, irc_exec_t)
ubac_constrained(irc_t)
+type irc_etc_t;
+files_config_file(irc_etc_t)
+
type irc_home_t;
typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
@@ -21,21 +40,28 @@ userdom_user_home_content(irc_home_t)
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+files_tmp_file(irc_tmp_t)
+ubac_constrained(irc_tmp_t)
########################################
#
# Local policy
#
-allow irc_t self:unix_stream_socket create_stream_socket_perms;
-allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:process { signal sigkill };
+allow irc_t self:fifo_file rw_fifo_file_perms;
+allow irc_t self:netlink_route_socket create_netlink_socket_perms;
+allow irc_t self:tcp_socket create_stream_socket_perms;
allow irc_t self:udp_socket create_socket_perms;
+allow irc_t self:unix_stream_socket create_stream_socket_perms;
+
+allow irc_t irc_etc_t:file read_file_perms;
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
+userdom_search_user_home_dirs(irc_t)
# access files under /tmp
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
@@ -47,6 +73,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_proc_symlinks(irc_t)
+corecmd_search_bin(irc_t)
+corecmd_read_bin_symlinks(irc_t)
+
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
@@ -55,10 +84,15 @@ corenet_tcp_sendrecv_generic_node(irc_t)
corenet_udp_sendrecv_generic_node(irc_t)
corenet_tcp_sendrecv_all_ports(irc_t)
corenet_udp_sendrecv_all_ports(irc_t)
+# Privoxy
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
corenet_sendrecv_ircd_client_packets(irc_t)
-# cjp: this seems excessive:
-corenet_tcp_connect_all_ports(irc_t)
-corenet_sendrecv_all_client_packets(irc_t)
+
+dev_read_urand(irc_t)
+# irssi-otr genkey.
+dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
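Review bot: The `# Privoxy` comment now heads a run of three connect lines, but only the two http_cache lines concern the proxy; `corenet_tcp_connect_ircd_port(irc_t)` belongs with the existing `corenet_sendrecv_ircd_client_packets(irc_t)` directly below it. Suggest placing the ircd pair first and the Privoxy pair, with its comment, after a blank line: `corenet_tcp_connect_ircd_port(irc_t)` / `corenet_sendrecv_ircd_client_packets(irc_t)` / `# Privoxy` followed by the two http_cache lines. Moving the unconditional connect_all_ports behind irc_connect_any is the right direction; since clients talking to servers on ports outside ircd_port_t will now need that boolean, it may be worth stating in the description or in a comment next to the tunable.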
@@ -87,6 +121,16 @@ sysnet_read_config(irc_t)
# Write to the user domain tty.
userdom_use_user_terminals(irc_t)
+tunable_policy(`irc_connect_any',`
+ corenet_tcp_connect_all_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+')
+
+tunable_policy(`irc_tcp_server',`
+ corenet_tcp_bind_generic_port(irc_t)
+ corenet_sendrecv_generic_server_packets(irc_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(irc_t)
fs_manage_nfs_files(irc_t)
@@ -100,5 +144,9 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(irc_t)
+')
+
+optional_policy(`
nis_use_ypbind(irc_t)
')
--
1.7.0.1