[refpolicy] apps_irc.patch

[refpolicy] apps_irc.patch

[Daniel J Walsh]

http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch

isc policy updates from Dominic Grift.

[refpolicy] apps_irc.patch

[Christopher J. PeBenito]

On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
> 
> isc policy updates from Dominic Grift.

Why does irssi need a special domain?  Why can't it just use/augment the
irc_t domain?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] apps_irc.patch

[Dominick Grift]

On Mon, Jun 21, 2010 at 09:09:35AM -0400, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote:
> > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
> > 
> > isc policy updates from Dominic Grift.
> 
> Why does irssi need a special domain?  Why can't it just use/augment the
> irc_t domain?

Because of this:

allow irc_t self:unix_stream_socket create_stream_socket_perms;
allow irc_t self:tcp_socket create_socket_perms;

manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })

kernel_read_proc_symlinks(irc_t)

corenet_tcp_sendrecv_all_ports(irc_t)
corenet_udp_sendrecv_all_ports(irc_t)
corenet_tcp_connect_all_ports(irc_t)
corenet_sendrecv_all_client_packets(irc_t)

domain_use_interactive_fds(irc_t)

files_dontaudit_search_pids(irc_t)
files_search_var(irc_t)

fs_getattr_xattr_fs(irc_t)

term_use_controlling_term(irc_t)
term_list_ptys(irc_t)

init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)

seutil_use_newrole_fds(irc_t)

allow irssi_t self:process { signal sigkill };
allow irssi_t self:fifo_file rw_fifo_file_perms;
allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
allow irssi_t self:tcp_socket create_stream_socket_perms;

allow irssi_t irssi_etc_t:file read_file_perms;

kernel_read_system_state(irssi_t)

corecmd_read_bin_symlinks(irssi_t)

corenet_udp_sendrecv_generic_node(irssi_t)
corenet_tcp_connect_ircd_port(irssi_t)

corenet_tcp_connect_http_cache_port(irssi_t)
corenet_sendrecv_http_cache_client_packets(irssi_t)

corenet_tcp_connect_gatekeeper_port(irssi_t)
corenet_sendrecv_gatekeeper_client_packets(irssi_t)

dev_read_urand(irssi_t)
dev_read_rand(irssi_t)

miscfiles_read_certs(irssi_t)

tunable_policy(`irssi_use_full_network',`
	corenet_tcp_bind_all_unreserved_ports(irssi_t)
	corenet_tcp_connect_all_ports(irssi_t)
	corenet_sendrecv_all_client_packets(irssi_t)
	corenet_sendrecv_generic_server_packets(irssi_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(irssi_t)
')

optional_policy(`
	nscd_socket_use(irssi_t
')

I think its just too much overhead. Besides i do not agree with some of the security decisions made for the irc_t domain.

So the best compromise in my view is to just add a new irssi_t domain to the existing irc module.

That said, i think the patch that is in question here is not what i currently have in my repository. In my repository i have combined all policy that is common to both irc_t and irssi_t in a irc_domain section (attribute irc_domain for both irc_t, irssi_t)

Also if i am not mistaken, i have submitted a patch where irssi was merged into the irc_t domain some time ago, That patch has not made it in either for some reason.

> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100621/29e60178/attachment.bin 

[refpolicy] apps_irc.patch

[Christopher J. PeBenito]

On Mon, 2010-06-21 at 16:53 +0200, Dominick Grift wrote:
> On Mon, Jun 21, 2010 at 09:09:35AM -0400, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote:
> > > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
> > > 
> > > isc policy updates from Dominic Grift.
> > 
> > Why does irssi need a special domain?  Why can't it just use/augment the
> > irc_t domain?
> 
> Because of this:
> 
> allow irc_t self:unix_stream_socket create_stream_socket_perms;
> allow irc_t self:tcp_socket create_socket_perms;
> 
> manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
> 
> kernel_read_proc_symlinks(irc_t)
> 
> corenet_tcp_sendrecv_all_ports(irc_t)
> corenet_udp_sendrecv_all_ports(irc_t)
> corenet_tcp_connect_all_ports(irc_t)
> corenet_sendrecv_all_client_packets(irc_t)
> 
> domain_use_interactive_fds(irc_t)
> 
> files_dontaudit_search_pids(irc_t)
> files_search_var(irc_t)
> 
> fs_getattr_xattr_fs(irc_t)
> 
> term_use_controlling_term(irc_t)
> term_list_ptys(irc_t)
> 
> init_read_utmp(irc_t)
> init_dontaudit_lock_utmp(irc_t)
> 
> seutil_use_newrole_fds(irc_t)
> 
> allow irssi_t self:process { signal sigkill };
> allow irssi_t self:fifo_file rw_fifo_file_perms;
> allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
> allow irssi_t self:tcp_socket create_stream_socket_perms;
> 
> allow irssi_t irssi_etc_t:file read_file_perms;
> 
> kernel_read_system_state(irssi_t)
> 
> corecmd_read_bin_symlinks(irssi_t)
> 
> corenet_udp_sendrecv_generic_node(irssi_t)
> corenet_tcp_connect_ircd_port(irssi_t)
> 
> corenet_tcp_connect_http_cache_port(irssi_t)
> corenet_sendrecv_http_cache_client_packets(irssi_t)
> 
> corenet_tcp_connect_gatekeeper_port(irssi_t)
> corenet_sendrecv_gatekeeper_client_packets(irssi_t)
> 
> dev_read_urand(irssi_t)
> dev_read_rand(irssi_t)
> 
> miscfiles_read_certs(irssi_t)
> 
> tunable_policy(`irssi_use_full_network',`
> 	corenet_tcp_bind_all_unreserved_ports(irssi_t)
> 	corenet_tcp_connect_all_ports(irssi_t)
> 	corenet_sendrecv_all_client_packets(irssi_t)
> 	corenet_sendrecv_generic_server_packets(irssi_t)
> ')
> 
> optional_policy(`
> 	automount_dontaudit_getattr_tmp_dirs(irssi_t)
> ')
> 
> optional_policy(`
> 	nscd_socket_use(irssi_t
> ')
> 
> I think its just too much overhead.

I'm not clear on what you're saying

>  Besides i do not agree with some of the security decisions made for
> the irc_t domain.

Please be more specific.

> So the best compromise in my view is to just add a new irssi_t domain
> to the existing irc module.
> 
> That said, i think the patch that is in question here is not what i
> currently have in my repository. In my repository i have combined all
> policy that is common to both irc_t and irssi_t in a irc_domain
> section (attribute irc_domain for both irc_t, irssi_t)
> 
> Also if i am not mistaken, i have submitted a patch where irssi was
> merged into the irc_t domain some time ago, That patch has not made it
> in either for some reason.

Its easy to get lost in the flood due to the number of patches I get
from Dan.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] apps_irc.patch

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch

Fix ups or irc_admin and role interface

policy for irssi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkx27LAACgkQrlYvE4MpobNWMwCgs8s7PESm3SwUzdpvTEw4QHBf
+CoAn14emw0hZEZIRf5JDqW+UrNKxMiO
=nJ8D
-----END PGP SIGNATURE-----