[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Dominick Grift]

The tabs in irc.fc are weird because of Eclipse.
We can remove the irc_home_t stuff from irc.if once userdom_user_home_content is fixed to handle it.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 65ece18... 200a6cd... M	policy/modules/apps/irc.fc
:100644 100644 4f9dc90... a638de0... M	policy/modules/apps/irc.if
:100644 100644 66beb80... b1526ce... M	policy/modules/apps/irc.te
 policy/modules/apps/irc.fc |   18 ++++++-------
 policy/modules/apps/irc.if |   29 ++++++++++++++++++---
 policy/modules/apps/irc.te |   59 +++++++++++++++++++++++++++++++++++--------
 3 files changed, 80 insertions(+), 26 deletions(-)

diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 65ece18..200a6cd 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,11 +1,9 @@
-#
-# /home
-#
-HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.ircmotd			--	gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)?			gen_context(system_u:object_r:irc_home_t,s0)
 
-#
-# /usr
-#
-/usr/bin/[st]irc	--	gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/ircII		--	gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc	--	gen_context(system_u:object_r:irc_exec_t,s0)
+/etc/irssi.conf				--	gen_context(system_u:object_r:irc_etc_t,s0)
+
+/usr/bin/[st]irc			--	gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII				--	gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi				--	gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc			--	gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 4f9dc90..a638de0 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -1,4 +1,4 @@
-## <summary>IRC client policy</summary>
+## <summary>IRC clients.</summary>
 
 ########################################
 ## <summary>
@@ -17,15 +17,34 @@
 #
 interface(`irc_role',`
 	gen_require(`
-		type irc_t, irc_exec_t;
+		type irc_t, irc_exec_t, irc_tmp_t;
+		type irc_home_t;
 	')
 
 	role $1 types irc_t;
 
-	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, irc_exec_t, irc_t)
 
-	# allow ps to show irc
 	ps_process_pattern($2, irc_t)
-	allow $2 irc_t:process signal;
+	allow $2 irc_t:process { ptrace signal_perms };
+
+	manage_dirs_pattern($2, irc_home_t, irc_home_t)
+	manage_files_pattern($2, irc_home_t, irc_home_t)
+	manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+	relabel_dirs_pattern($2, irc_home_t, irc_home_t)
+	relabel_files_pattern($2, irc_home_t, irc_home_t)
+	relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+	manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+	manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
+	manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
+	manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+	manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
+
+	relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+	relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
+	relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
+	relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+	relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
 ')
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 66beb80..b1526ce 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -5,6 +5,14 @@ policy_module(irc, 2.1.0)
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Allow IRC Clients to connect to any TCP port,
+##	and to bind TCP sockets to any unreserved port.
+##	</p>
+## </desc>
+gen_tunable(irc_can_network, false)
+
 type irc_t;
 type irc_exec_t;
 typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
@@ -12,6 +20,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
 application_domain(irc_t, irc_exec_t)
 ubac_constrained(irc_t)
 
+type irc_etc_t;
+files_config_file(irc_etc_t)
+
 type irc_home_t;
 typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
 typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
@@ -20,23 +31,28 @@ userdom_user_home_content(irc_home_t)
 type irc_tmp_t;
 typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
 typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+files_tmp_file(irc_tmp_t)
+ubac_constrained(irc_tmp_t)
 
 ########################################
 #
 # Local policy
 #
 
+allow irc_t self:process { signal sigkill };
+allow irc_t self:fifo_file rw_fifo_file_perms;
+allow irc_t self:netlink_route_socket create_netlink_socket_perms;
 allow irc_t self:unix_stream_socket create_stream_socket_perms;
-allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:tcp_socket create_stream_socket_perms;
 allow irc_t self:udp_socket create_socket_perms;
 
+allow irc_t irc_etc_t:file read_file_perms;
+
 manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
 manage_files_pattern(irc_t, irc_home_t, irc_home_t)
 manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
 userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
 
-# access files under /tmp
 manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
 manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
 manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
@@ -44,7 +60,9 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
 manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
 files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
 
-kernel_read_proc_symlinks(irc_t)
+kernel_read_system_state(irc_t)
+
+corecmd_read_bin_symlinks(irc_t)
 
 corenet_all_recvfrom_unlabeled(irc_t)
 corenet_all_recvfrom_netlabel(irc_t)
@@ -52,12 +70,19 @@ corenet_tcp_sendrecv_generic_if(irc_t)
 corenet_udp_sendrecv_generic_if(irc_t)
 corenet_tcp_sendrecv_generic_node(irc_t)
 corenet_udp_sendrecv_generic_node(irc_t)
+corenet_tcp_bind_generic_node(irc_t)
+corenet_udp_bind_generic_node(irc_t)
 corenet_tcp_sendrecv_all_ports(irc_t)
 corenet_udp_sendrecv_all_ports(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
 corenet_sendrecv_ircd_client_packets(irc_t)
-# cjp: this seems excessive:
-corenet_tcp_connect_all_ports(irc_t)
-corenet_sendrecv_all_client_packets(irc_t)
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_gatekeeper_port(irc_t)
+corenet_sendrecv_gatekeeper_client_packets(irc_t)
+
+dev_read_urand(irc_t)
+dev_read_rand(irc_t)
 
 domain_use_interactive_fds(irc_t)
 
@@ -70,22 +95,26 @@ fs_getattr_xattr_fs(irc_t)
 fs_search_auto_mountpoints(irc_t)
 
 term_use_controlling_term(irc_t)
-term_list_ptys(irc_t)
 
-# allow utmp access
 init_read_utmp(irc_t)
 init_dontaudit_lock_utmp(irc_t)
 
+miscfiles_read_certs(irc_t)
 miscfiles_read_localization(irc_t)
 
-# Inherit and use descriptors from newrole.
 seutil_use_newrole_fds(irc_t)
 
 sysnet_read_config(irc_t)
 
-# Write to the user domain tty.
 userdom_use_user_terminals(irc_t)
 
+tunable_policy(`irc_can_network',`
+	corenet_tcp_bind_all_unreserved_ports(irc_t)
+	corenet_sendrecv_all_server_packets(irc_t)
+	corenet_tcp_connect_all_ports(irc_t)
+	corenet_sendrecv_all_client_packets(irc_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(irc_t)
 	fs_manage_nfs_files(irc_t)
@@ -99,5 +128,13 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+	automount_dontaudit_getattr_tmp_dirs(irc_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(irc_t)
 ')
+
+optional_policy(`
+	nscd_socket_use(irc_t)
+')
-- 
1.7.0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100622/88c96ac1/attachment.bin 

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Christopher J. PeBenito]

On Tue, 2010-06-22 at 21:36 +0200, Dominick Grift wrote:
> The tabs in irc.fc are weird because of Eclipse.
> We can remove the irc_home_t stuff from irc.if once userdom_user_home_content is fixed to handle it.

A couple of minor issues inline.

> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 65ece18... 200a6cd... M	policy/modules/apps/irc.fc
> :100644 100644 4f9dc90... a638de0... M	policy/modules/apps/irc.if
> :100644 100644 66beb80... b1526ce... M	policy/modules/apps/irc.te
>  policy/modules/apps/irc.fc |   18 ++++++-------
>  policy/modules/apps/irc.if |   29 ++++++++++++++++++---
>  policy/modules/apps/irc.te |   59 +++++++++++++++++++++++++++++++++++--------
>  3 files changed, 80 insertions(+), 26 deletions(-)
> 
> diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
> index 65ece18..200a6cd 100644
> --- a/policy/modules/apps/irc.fc
> +++ b/policy/modules/apps/irc.fc
> @@ -1,11 +1,9 @@
> -#
> -# /home
> -#
> -HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.ircmotd			--	gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.irssi(/.*)?			gen_context(system_u:object_r:irc_home_t,s0)
>  
> -#
> -# /usr
> -#
> -/usr/bin/[st]irc	--	gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/ircII		--	gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/tinyirc	--	gen_context(system_u:object_r:irc_exec_t,s0)
> +/etc/irssi.conf				--	gen_context(system_u:object_r:irc_etc_t,s0)
> +
> +/usr/bin/[st]irc			--	gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/ircII				--	gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/irssi				--	gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/tinyirc			--	gen_context(system_u:object_r:irc_exec_t,s0)
> diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
> index 4f9dc90..a638de0 100644
> --- a/policy/modules/apps/irc.if
> +++ b/policy/modules/apps/irc.if
> @@ -1,4 +1,4 @@
> -## <summary>IRC client policy</summary>
> +## <summary>IRC clients.</summary>
>  
>  ########################################
>  ## <summary>
> @@ -17,15 +17,34 @@
>  #
>  interface(`irc_role',`
>  	gen_require(`
> -		type irc_t, irc_exec_t;
> +		type irc_t, irc_exec_t, irc_tmp_t;
> +		type irc_home_t;
>  	')
>  
>  	role $1 types irc_t;
>  
> -	# Transition from the user domain to the derived domain.
>  	domtrans_pattern($2, irc_exec_t, irc_t)
>  
> -	# allow ps to show irc
>  	ps_process_pattern($2, irc_t)
> -	allow $2 irc_t:process signal;
> +	allow $2 irc_t:process { ptrace signal_perms };
> +
> +	manage_dirs_pattern($2, irc_home_t, irc_home_t)
> +	manage_files_pattern($2, irc_home_t, irc_home_t)
> +	manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> +	relabel_dirs_pattern($2, irc_home_t, irc_home_t)
> +	relabel_files_pattern($2, irc_home_t, irc_home_t)
> +	relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> +	manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> +	manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +	manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +	manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +	manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +
> +	relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> +	relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +	relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +	relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +	relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
>  ')
> diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
> index 66beb80..b1526ce 100644
> --- a/policy/modules/apps/irc.te
> +++ b/policy/modules/apps/irc.te
> @@ -5,6 +5,14 @@ policy_module(irc, 2.1.0)
>  # Declarations
>  #
>  
> +## <desc>
> +##	<p>
> +##	Allow IRC Clients to connect to any TCP port,
> +##	and to bind TCP sockets to any unreserved port.
> +##	</p>
> +## </desc>
> +gen_tunable(irc_can_network, false)

A more specific name would be better.  Maybe irc_full_networking or
something.

>  type irc_t;
>  type irc_exec_t;
>  typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
> @@ -12,6 +20,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
>  application_domain(irc_t, irc_exec_t)
>  ubac_constrained(irc_t)
>  
> +type irc_etc_t;
> +files_config_file(irc_etc_t)

Why is this necessary?  From what I can tell, irc_t only reads it.
Irc_t already can read etc_t files, so this seems unnecessary.

>  type irc_home_t;
>  typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
>  typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
> @@ -20,23 +31,28 @@ userdom_user_home_content(irc_home_t)
>  type irc_tmp_t;
>  typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
>  typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
> -userdom_user_home_content(irc_tmp_t)
> +files_tmp_file(irc_tmp_t)
> +ubac_constrained(irc_tmp_t)
>  
>  ########################################
>  #
>  # Local policy
>  #
>  
> +allow irc_t self:process { signal sigkill };
> +allow irc_t self:fifo_file rw_fifo_file_perms;
> +allow irc_t self:netlink_route_socket create_netlink_socket_perms;
>  allow irc_t self:unix_stream_socket create_stream_socket_perms;
> -allow irc_t self:tcp_socket create_socket_perms;
> +allow irc_t self:tcp_socket create_stream_socket_perms;
>  allow irc_t self:udp_socket create_socket_perms;
>  
> +allow irc_t irc_etc_t:file read_file_perms;
> +
>  manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
>  manage_files_pattern(irc_t, irc_home_t, irc_home_t)
>  manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
>  userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
>  
> -# access files under /tmp
>  manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
>  manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
>  manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> @@ -44,7 +60,9 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
>  manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
>  files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
>  
> -kernel_read_proc_symlinks(irc_t)
> +kernel_read_system_state(irc_t)
> +
> +corecmd_read_bin_symlinks(irc_t)
>  
>  corenet_all_recvfrom_unlabeled(irc_t)
>  corenet_all_recvfrom_netlabel(irc_t)
> @@ -52,12 +70,19 @@ corenet_tcp_sendrecv_generic_if(irc_t)
>  corenet_udp_sendrecv_generic_if(irc_t)
>  corenet_tcp_sendrecv_generic_node(irc_t)
>  corenet_udp_sendrecv_generic_node(irc_t)
> +corenet_tcp_bind_generic_node(irc_t)
> +corenet_udp_bind_generic_node(irc_t)
>  corenet_tcp_sendrecv_all_ports(irc_t)
>  corenet_udp_sendrecv_all_ports(irc_t)
> +corenet_tcp_connect_ircd_port(irc_t)
>  corenet_sendrecv_ircd_client_packets(irc_t)
> -# cjp: this seems excessive:
> -corenet_tcp_connect_all_ports(irc_t)
> -corenet_sendrecv_all_client_packets(irc_t)
> +corenet_tcp_connect_http_cache_port(irc_t)
> +corenet_sendrecv_http_cache_client_packets(irc_t)
> +corenet_tcp_connect_gatekeeper_port(irc_t)
> +corenet_sendrecv_gatekeeper_client_packets(irc_t)
> +
> +dev_read_urand(irc_t)
> +dev_read_rand(irc_t)
>  
>  domain_use_interactive_fds(irc_t)
>  
> @@ -70,22 +95,26 @@ fs_getattr_xattr_fs(irc_t)
>  fs_search_auto_mountpoints(irc_t)
>  
>  term_use_controlling_term(irc_t)
> -term_list_ptys(irc_t)
>  
> -# allow utmp access
>  init_read_utmp(irc_t)
>  init_dontaudit_lock_utmp(irc_t)
>  
> +miscfiles_read_certs(irc_t)
>  miscfiles_read_localization(irc_t)
>  
> -# Inherit and use descriptors from newrole.
>  seutil_use_newrole_fds(irc_t)
>  
>  sysnet_read_config(irc_t)
>  
> -# Write to the user domain tty.
>  userdom_use_user_terminals(irc_t)
>  
> +tunable_policy(`irc_can_network',`
> +	corenet_tcp_bind_all_unreserved_ports(irc_t)
> +	corenet_sendrecv_all_server_packets(irc_t)
> +	corenet_tcp_connect_all_ports(irc_t)
> +	corenet_sendrecv_all_client_packets(irc_t)
> +')
> +
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_dirs(irc_t)
>  	fs_manage_nfs_files(irc_t)
> @@ -99,5 +128,13 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>  
>  optional_policy(`
> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
> +')
> +
> +optional_policy(`
>  	nis_use_ypbind(irc_t)
>  ')
> +
> +optional_policy(`
> +	nscd_socket_use(irc_t)
> +')

These two and the netlink_route socket earlier makes it look like its
going towards auth_use_nsswitch().

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Dominick Grift]

On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:

>> +## <desc>
>> +##	<p>
>> +##	Allow IRC Clients to connect to any TCP port,
>> +##	and to bind TCP sockets to any unreserved port.
>> +##	</p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
> 
> A more specific name would be better.  Maybe irc_full_networking or
> something.

I had something like that "irc_use_full_network" but i thought you would
like this better becausse of other domain use similar like
"httpd_can_network_connect" etc. Feel free to change it.

>> +type irc_etc_t;
>> +files_config_file(irc_etc_t)
> 
> Why is this necessary?  From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.

No particular reason although i am not sure if this file can hold
sensitive information. It might also come in handy for an irc_admin()
although that would be the only thing one would need irc_admin() for.

Feel free to remove it (and its corresponding file context.

>>  optional_policy(`
>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>> +')
>> +
>> +optional_policy(`
>>  	nis_use_ypbind(irc_t)
>>  ')
>> +
>> +optional_policy(`
>> +	nscd_socket_use(irc_t)
>> +')
> 
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().

Both are actually untested. Although the the first is afaik common to
user apps with user home content.

The latter is more a guess because irssi wants to search nscd pid. So i
am assuming that it does that because it supports nscd (if one have nscd
enabled, which i do not)

So feel free to either remove that and add nscd_dontaudit_search_pid()
(or similar) or add the auth_use_nsswitch(irc_t)

Can you apply these changes or do i have to submit a new patch?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100622/ca85ec05/attachment.bin 

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Dominick Grift]

On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:

Some more arguments:

>> +## <desc>
>> +##	<p>
>> +##	Allow IRC Clients to connect to any TCP port,
>> +##	and to bind TCP sockets to any unreserved port.
>> +##	</p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
> 
> A more specific name would be better.  Maybe irc_full_networking or
> something.
> 

irc_full_network sounds consistent. qemu uses a similar boolean
"qemu_full_network"

>>  
>> +type irc_etc_t;
>> +files_config_file(irc_etc_t)
> 
> Why is this necessary?  From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.
> 

Few arguments here:

1. possible sensitive data.
2. irc_admin()
3. mozilla also has a mozilla_etc_t and also has access to
files_read_etc_files() afaik.

>>  optional_policy(`
>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>> +')
>> +
>> +optional_policy(`
>>  	nis_use_ypbind(irc_t)
>>  ')
>> +
>> +optional_policy(`
>> +	nscd_socket_use(irc_t)
>> +')
> 
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().
> 

Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
"nscd_socket_use" and "... self:netlink_route_socket
r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().

So either mozillas policy is wrong here too or it is unrelated.

Fact remains that irssi searches nscd pid directories, likely looking
for the nscd.socket to connectto.

automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
to irc clients, but since the irc domain can own temporary objects, my
opinion is that we should support it.

All in all, personally i would only change the boolean name and leave
the rest unchanged.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/ee8881b6/attachment.bin 

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Christopher J. PeBenito]

On Wed, 2010-06-23 at 10:55 +0200, Dominick Grift wrote:
> On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:
> 
> Some more arguments:
> 
> >> +## <desc>
> >> +##	<p>
> >> +##	Allow IRC Clients to connect to any TCP port,
> >> +##	and to bind TCP sockets to any unreserved port.
> >> +##	</p>
> >> +## </desc>
> >> +gen_tunable(irc_can_network, false)
> > 
> > A more specific name would be better.  Maybe irc_full_networking or
> > something.
> > 
> 
> irc_full_network sounds consistent. qemu uses a similar boolean
> "qemu_full_network"

Thats fine.

> >>  
> >> +type irc_etc_t;
> >> +files_config_file(irc_etc_t)
> > 
> > Why is this necessary?  From what I can tell, irc_t only reads it.
> > Irc_t already can read etc_t files, so this seems unnecessary.
> > 
> 
> Few arguments here:
> 
> 1. possible sensitive data.

Such as?

> 2. irc_admin()

I'm not really compelled by this.  I don't think regular apps have
admins.

> 3. mozilla also has a mozilla_etc_t and also has access to
> files_read_etc_files() afaik.

If anything, this just tells me that mozilla is wrong too.

> >>  optional_policy(`
> >> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
> >> +')
> >> +
> >> +optional_policy(`
> >>  	nis_use_ypbind(irc_t)
> >>  ')
> >> +
> >> +optional_policy(`
> >> +	nscd_socket_use(irc_t)
> >> +')
> > 
> > These two and the netlink_route socket earlier makes it look like its
> > going towards auth_use_nsswitch().
> > 
> 
> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
> "nscd_socket_use" and "... self:netlink_route_socket
> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().

I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
need auth_use_nsswitch() yet.  Thats not the case here.

> So either mozillas policy is wrong here too or it is unrelated.
> 
> Fact remains that irssi searches nscd pid directories, likely looking
> for the nscd.socket to connectto.
> 
> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
> to irc clients, but since the irc domain can own temporary objects, my
> opinion is that we should support it.
> 
> All in all, personally i would only change the boolean name and leave
> the rest unchanged.
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Dominick Grift]

On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:

>>>>  
>>>> +type irc_etc_t;
>>>> +files_config_file(irc_etc_t)
>>>
>>> Why is this necessary?  From what I can tell, irc_t only reads it.
>>> Irc_t already can read etc_t files, so this seems unnecessary.
>>>
>>
>> Few arguments here:
>>
>> 1. possible sensitive data.
> 
> Such as?
> 

For example: "proxy_password = "";"

>> 2. irc_admin()
> 
> I'm not really compelled by this.  I don't think regular apps have
> admins.

Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
can set system-wide overrides.

> 
>> 3. mozilla also has a mozilla_etc_t and also has access to
>> files_read_etc_files() afaik.
> 
> If anything, this just tells me that mozilla is wrong too.

That may indeed be wrong but i still believe irc_etc_t is the right
thing to do for irc_t.

>>>>  optional_policy(`
>>>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>  	nis_use_ypbind(irc_t)
>>>>  ')
>>>> +
>>>> +optional_policy(`
>>>> +	nscd_socket_use(irc_t)
>>>> +')
>>>
>>> These two and the netlink_route socket earlier makes it look like its
>>> going towards auth_use_nsswitch().
>>>
>>
>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>> "nscd_socket_use" and "... self:netlink_route_socket
>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
> 
> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> need auth_use_nsswitch() yet.  Thats not the case here.
> 
>> So either mozillas policy is wrong here too or it is unrelated.
>>
>> Fact remains that irssi searches nscd pid directories, likely looking
>> for the nscd.socket to connectto.
>>
>> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
>> to irc clients, but since the irc domain can own temporary objects, my
>> opinion is that we should support it.
>>
>> All in all, personally i would only change the boolean name and leave
>> the rest unchanged.
>>
> 

I am not sure here. Like i said before; i do not have a nis nor ldap or
nscd configuration. The netlink socket perms are confirmed to be
required for irssi, and i can also confirm that irssi atleast searches
nscd pid directories. I can only assume it does that to find the
nscd.socket.

If you are not comfortable with adding auth_use_nsswitch(irc_t), then
please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
and nis_use_ypbind.

For what it is worth: In my personal branch i decided to just add
auth_use_nsswitch(irc_t).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/83f9d736/attachment.bin 

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Christopher J. PeBenito]

On Wed, 2010-06-23 at 14:28 +0200, Dominick Grift wrote:
> On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:
> 
> >>>>  
> >>>> +type irc_etc_t;
> >>>> +files_config_file(irc_etc_t)
> >>>
> >>> Why is this necessary?  From what I can tell, irc_t only reads it.
> >>> Irc_t already can read etc_t files, so this seems unnecessary.
> >>>
> >>
> >> Few arguments here:
> >>
> >> 1. possible sensitive data.
> > 
> > Such as?
> > 
> 
> For example: "proxy_password = "";"

Perhaps.  Though I suspect its actually not that sensitive, and its
probably easy to get through the app itself.

> >> 2. irc_admin()
> > 
> > I'm not really compelled by this.  I don't think regular apps have
> > admins.
> 
> Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
> can set system-wide overrides.
> 
> > 
> >> 3. mozilla also has a mozilla_etc_t and also has access to
> >> files_read_etc_files() afaik.
> > 
> > If anything, this just tells me that mozilla is wrong too.
> 
> That may indeed be wrong but i still believe irc_etc_t is the right
> thing to do for irc_t.
> 
> >>>>  optional_policy(`
> >>>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
> >>>> +')
> >>>> +
> >>>> +optional_policy(`
> >>>>  	nis_use_ypbind(irc_t)
> >>>>  ')
> >>>> +
> >>>> +optional_policy(`
> >>>> +	nscd_socket_use(irc_t)
> >>>> +')
> >>>
> >>> These two and the netlink_route socket earlier makes it look like its
> >>> going towards auth_use_nsswitch().
> >>>
> >>
> >> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
> >> "nscd_socket_use" and "... self:netlink_route_socket
> >> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
> > 
> > I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> > perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> > need auth_use_nsswitch() yet.  Thats not the case here.
[...]
> I am not sure here. Like i said before; i do not have a nis nor ldap or
> nscd configuration. The netlink socket perms are confirmed to be
> required for irssi, and i can also confirm that irssi atleast searches
> nscd pid directories. I can only assume it does that to find the
> nscd.socket.
> 
> If you are not comfortable with adding auth_use_nsswitch(irc_t), then
> please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
> and nis_use_ypbind.
> 
> For what it is worth: In my personal branch i decided to just add
> auth_use_nsswitch(irc_t).

I think you misunderstand.  I think auth_use_nsswitch(irc_t) _should_ be
in there.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Christopher J. PeBenito]

On Wed, 2010-06-23 at 09:49 -0400, Christopher J. PeBenito wrote:
> On Wed, 2010-06-23 at 14:28 +0200, Dominick Grift wrote:
> > On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:
> > 
> > >>>>  
> > >>>> +type irc_etc_t;
> > >>>> +files_config_file(irc_etc_t)
> > >>>
> > >>> Why is this necessary?  From what I can tell, irc_t only reads it.
> > >>> Irc_t already can read etc_t files, so this seems unnecessary.
> > >>>
> > >>
> > >> Few arguments here:
> > >>
> > >> 1. possible sensitive data.
> > > 
> > > Such as?
> > > 
> > 
> > For example: "proxy_password = "";"
> 
> Perhaps.  Though I suspect its actually not that sensitive, and its
> probably easy to get through the app itself.
> 
> > >> 2. irc_admin()
> > > 
> > > I'm not really compelled by this.  I don't think regular apps have
> > > admins.
> > 
> > Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
> > can set system-wide overrides.

I'm still not compelled by the idea of an irc admin.

> > > 
> > >> 3. mozilla also has a mozilla_etc_t and also has access to
> > >> files_read_etc_files() afaik.
> > > 
> > > If anything, this just tells me that mozilla is wrong too.
> > 
> > That may indeed be wrong but i still believe irc_etc_t is the right
> > thing to do for irc_t.
> > 
> > >>>>  optional_policy(`
> > >>>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
> > >>>> +')
> > >>>> +
> > >>>> +optional_policy(`
> > >>>>  	nis_use_ypbind(irc_t)
> > >>>>  ')
> > >>>> +
> > >>>> +optional_policy(`
> > >>>> +	nscd_socket_use(irc_t)
> > >>>> +')
> > >>>
> > >>> These two and the netlink_route socket earlier makes it look like its
> > >>> going towards auth_use_nsswitch().
> > >>>
> > >>
> > >> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
> > >> "nscd_socket_use" and "... self:netlink_route_socket
> > >> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
> > > 
> > > I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> > > perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> > > need auth_use_nsswitch() yet.  Thats not the case here.
> [...]
> > I am not sure here. Like i said before; i do not have a nis nor ldap or
> > nscd configuration. The netlink socket perms are confirmed to be
> > required for irssi, and i can also confirm that irssi atleast searches
> > nscd pid directories. I can only assume it does that to find the
> > nscd.socket.
> > 
> > If you are not comfortable with adding auth_use_nsswitch(irc_t), then
> > please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
> > and nis_use_ypbind.
> > 
> > For what it is worth: In my personal branch i decided to just add
> > auth_use_nsswitch(irc_t).
> 
> I think you misunderstand.  I think auth_use_nsswitch(irc_t) _should_ be
> in there.
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Dominick Grift]

On 06/23/2010 03:50 PM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-23 at 09:49 -0400, Christopher J. PeBenito wrote:
>> On Wed, 2010-06-23 at 14:28 +0200, Dominick Grift wrote:
>>> On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:
>>>
>>>>>>>  
>>>>>>> +type irc_etc_t;
>>>>>>> +files_config_file(irc_etc_t)
>>>>>>
>>>>>> Why is this necessary?  From what I can tell, irc_t only reads it.
>>>>>> Irc_t already can read etc_t files, so this seems unnecessary.
>>>>>>
>>>>>
>>>>> Few arguments here:
>>>>>
>>>>> 1. possible sensitive data.
>>>>
>>>> Such as?
>>>>
>>>
>>> For example: "proxy_password = "";"
>>
>> Perhaps.  Though I suspect its actually not that sensitive, and its
>> probably easy to get through the app itself.
>>
>>>>> 2. irc_admin()
>>>>
>>>> I'm not really compelled by this.  I don't think regular apps have
>>>> admins.
>>>
>>> Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
>>> can set system-wide overrides.
> 
> I'm still not compelled by the idea of an irc admin.

Alright, why not commit what you think is right and drop the rest?

> 
>>>>
>>>>> 3. mozilla also has a mozilla_etc_t and also has access to
>>>>> files_read_etc_files() afaik.
>>>>
>>>> If anything, this just tells me that mozilla is wrong too.
>>>
>>> That may indeed be wrong but i still believe irc_etc_t is the right
>>> thing to do for irc_t.
>>>
>>>>>>>  optional_policy(`
>>>>>>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>>>>> +')
>>>>>>> +
>>>>>>> +optional_policy(`
>>>>>>>  	nis_use_ypbind(irc_t)
>>>>>>>  ')
>>>>>>> +
>>>>>>> +optional_policy(`
>>>>>>> +	nscd_socket_use(irc_t)
>>>>>>> +')
>>>>>>
>>>>>> These two and the netlink_route socket earlier makes it look like its
>>>>>> going towards auth_use_nsswitch().
>>>>>>
>>>>>
>>>>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>>>>> "nscd_socket_use" and "... self:netlink_route_socket
>>>>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
>>>>
>>>> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
>>>> perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
>>>> need auth_use_nsswitch() yet.  Thats not the case here.
>> [...]
>>> I am not sure here. Like i said before; i do not have a nis nor ldap or
>>> nscd configuration. The netlink socket perms are confirmed to be
>>> required for irssi, and i can also confirm that irssi atleast searches
>>> nscd pid directories. I can only assume it does that to find the
>>> nscd.socket.
>>>
>>> If you are not comfortable with adding auth_use_nsswitch(irc_t), then
>>> please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
>>> and nis_use_ypbind.
>>>
>>> For what it is worth: In my personal branch i decided to just add
>>> auth_use_nsswitch(irc_t).
>>
>> I think you misunderstand.  I think auth_use_nsswitch(irc_t) _should_ be
>> in there.
>>
> 

Alright, i cannot confirm nor deny. Why not commit what you think is right?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/0735859b/attachment.bin 

[refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

[Dominick Grift]

On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:

>>>>  optional_policy(`
>>>> +	automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>  	nis_use_ypbind(irc_t)
>>>>  ')
>>>> +
>>>> +optional_policy(`
>>>> +	nscd_socket_use(irc_t)
>>>> +')
>>>
>>> These two and the netlink_route socket earlier makes it look like its
>>> going towards auth_use_nsswitch().
>>>
>>
>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>> "nscd_socket_use" and "... self:netlink_route_socket
>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
> 
> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> perms.  Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> need auth_use_nsswitch() yet.  Thats not the case here.
> 
>> So either mozillas policy is wrong here too or it is unrelated.
>>
>> Fact remains that irssi searches nscd pid directories, likely looking
>> for the nscd.socket to connectto.
>>
>> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
>> to irc clients, but since the irc domain can own temporary objects, my
>> opinion is that we should support it.
>>
>> All in all, personally i would only change the boolean name and leave
>> the rest unchanged.
>>
> 

Also note that nis_use_ypbind(irc_t) was already there for irc_t. But
nonetheless my irssi policy also has it. The underlying idea for me was
to support nis. (which i cannot confirm that it actually works)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100623/e8121b0a/attachment.bin