From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.
Date: Tue, 22 Jun 2010 21:36:32 +0200 [thread overview]
Message-ID: <20100622193622.GA26980@localhost.localdomain> (raw)
The tabs in irc.fc are weird because of Eclipse.
We can remove the irc_home_t stuff from irc.if once userdom_user_home_content is fixed to handle it.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 65ece18... 200a6cd... M policy/modules/apps/irc.fc
:100644 100644 4f9dc90... a638de0... M policy/modules/apps/irc.if
:100644 100644 66beb80... b1526ce... M policy/modules/apps/irc.te
policy/modules/apps/irc.fc | 18 ++++++-------
policy/modules/apps/irc.if | 29 ++++++++++++++++++---
policy/modules/apps/irc.te | 59 +++++++++++++++++++++++++++++++++++--------
3 files changed, 80 insertions(+), 26 deletions(-)
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 65ece18..200a6cd 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,11 +1,9 @@
-#
-# /home
-#
-HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
-#
-# /usr
-#
-/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/etc/irssi.conf -- gen_context(system_u:object_r:irc_etc_t,s0)
+
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 4f9dc90..a638de0 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -1,4 +1,4 @@
-## <summary>IRC client policy</summary>
+## <summary>IRC clients.</summary>
########################################
## <summary>
@@ -17,15 +17,34 @@
#
interface(`irc_role',`
gen_require(`
- type irc_t, irc_exec_t;
+ type irc_t, irc_exec_t, irc_tmp_t;
+ type irc_home_t;
')
role $1 types irc_t;
- # Transition from the user domain to the derived domain.
domtrans_pattern($2, irc_exec_t, irc_t)
- # allow ps to show irc
ps_process_pattern($2, irc_t)
- allow $2 irc_t:process signal;
+ allow $2 irc_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, irc_home_t, irc_home_t)
+ manage_files_pattern($2, irc_home_t, irc_home_t)
+ manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ relabel_dirs_pattern($2, irc_home_t, irc_home_t)
+ relabel_files_pattern($2, irc_home_t, irc_home_t)
+ relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
+
+ relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
')
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 66beb80..b1526ce 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -5,6 +5,14 @@ policy_module(irc, 2.1.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow IRC Clients to connect to any TCP port,
+## and to bind TCP sockets to any unreserved port.
+## </p>
+## </desc>
+gen_tunable(irc_can_network, false)
+
type irc_t;
type irc_exec_t;
typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
@@ -12,6 +20,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
application_domain(irc_t, irc_exec_t)
ubac_constrained(irc_t)
+type irc_etc_t;
+files_config_file(irc_etc_t)
+
type irc_home_t;
typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
@@ -20,23 +31,28 @@ userdom_user_home_content(irc_home_t)
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+files_tmp_file(irc_tmp_t)
+ubac_constrained(irc_tmp_t)
########################################
#
# Local policy
#
+allow irc_t self:process { signal sigkill };
+allow irc_t self:fifo_file rw_fifo_file_perms;
+allow irc_t self:netlink_route_socket create_netlink_socket_perms;
allow irc_t self:unix_stream_socket create_stream_socket_perms;
-allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:tcp_socket create_stream_socket_perms;
allow irc_t self:udp_socket create_socket_perms;
+allow irc_t irc_etc_t:file read_file_perms;
+
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
-# access files under /tmp
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
@@ -44,7 +60,9 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
-kernel_read_proc_symlinks(irc_t)
+kernel_read_system_state(irc_t)
+
+corecmd_read_bin_symlinks(irc_t)
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
@@ -52,12 +70,19 @@ corenet_tcp_sendrecv_generic_if(irc_t)
corenet_udp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
corenet_udp_sendrecv_generic_node(irc_t)
+corenet_tcp_bind_generic_node(irc_t)
+corenet_udp_bind_generic_node(irc_t)
corenet_tcp_sendrecv_all_ports(irc_t)
corenet_udp_sendrecv_all_ports(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
corenet_sendrecv_ircd_client_packets(irc_t)
-# cjp: this seems excessive:
-corenet_tcp_connect_all_ports(irc_t)
-corenet_sendrecv_all_client_packets(irc_t)
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_gatekeeper_port(irc_t)
+corenet_sendrecv_gatekeeper_client_packets(irc_t)
+
+dev_read_urand(irc_t)
+dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
@@ -70,22 +95,26 @@ fs_getattr_xattr_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
term_use_controlling_term(irc_t)
-term_list_ptys(irc_t)
-# allow utmp access
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
+miscfiles_read_certs(irc_t)
miscfiles_read_localization(irc_t)
-# Inherit and use descriptors from newrole.
seutil_use_newrole_fds(irc_t)
sysnet_read_config(irc_t)
-# Write to the user domain tty.
userdom_use_user_terminals(irc_t)
+tunable_policy(`irc_can_network',`
+ corenet_tcp_bind_all_unreserved_ports(irc_t)
+ corenet_sendrecv_all_server_packets(irc_t)
+ corenet_tcp_connect_all_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(irc_t)
fs_manage_nfs_files(irc_t)
@@ -99,5 +128,13 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(irc_t)
+')
+
+optional_policy(`
nis_use_ypbind(irc_t)
')
+
+optional_policy(`
+ nscd_socket_use(irc_t)
+')
--
1.7.0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100622/88c96ac1/attachment.bin
next reply other threads:[~2010-06-22 19:36 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-22 19:36 Dominick Grift [this message]
2010-06-22 19:49 ` [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI Christopher J. PeBenito
2010-06-22 21:14 ` Dominick Grift
2010-06-23 8:55 ` Dominick Grift
2010-06-23 12:15 ` Christopher J. PeBenito
2010-06-23 12:28 ` Dominick Grift
2010-06-23 13:49 ` Christopher J. PeBenito
2010-06-23 13:50 ` Christopher J. PeBenito
2010-06-23 14:18 ` Dominick Grift
2010-06-23 12:35 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100622193622.GA26980@localhost.localdomain \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.