2009-10-25 11:59:23

by stefan

Subject: [refpolicy] new policy pyicqt

Hi all,

attached is a new policy for the ICQ transport PyICQt. I lost track of
head development ... guess the following lines are redundant now

libs_use_ld_so(pyicqt_t)
libs_use_shared_libs(pyicqt_t)
libs_read_lib_files(pyicqt_t)

and can be changed to

libs_read_lib_files(pyicqt_t)

I tested the policy on CentOS 5 for a couple of months with ejabberd, so I
hope everything is well tested ;-)

cheers
Stefan
-------------- next part --------------
# pyicqt.fc -- file contexts for the PyICQt ICQ transport.
# Each label below must match a type declared in pyicqt.te; what the
# daemon may do with the object comes from the rules in that file.

# Configuration; pyicqt_t only gets read access (read_files_pattern in pyicqt.te).
/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)

# Entry point script; init_daemon_domain() in pyicqt.te lets init transition
# into pyicqt_t when it executes this file.
/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)

# NOTE(review): pyicqt_log_t is declared in pyicqt.te, but no rule there
# grants pyicqt_t any access to it, so writes to this log would be denied.
# Either add log rules for the domain or drop the type and this entry.
/var/log/pyicq-t\.log -- gen_context(system_u:object_r:pyicqt_log_t,s0)

# Pid file directory; pyicqt_t manages files in it.
/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)

# Spool directory; pyicqt_t manages dirs and files in it.
/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
-------------- next part --------------
## <summary>PyICQt is an ICQ transport for XMPP server.</summary>
## <desc>
##	<p>
##	Policy for the PyICQt daemon (pyicqt_t), started by init and
##	confined with its own configuration, spool, pid and log file types.
##	No interfaces are provided for other domains at this time.
##	</p>
## </desc>
-------------- next part --------------

policy_module(pyicqt, 1.0.0)

########################################
#
# Declarations
#

# Daemon domain and its entry point; init_daemon_domain() lets init start
# the daemon with a transition into pyicqt_t on exec of pyicqt_exec_t.
type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t,pyicqt_exec_t)

# Dedicated config type rather than plain etc_t: the config file holds a
# clear-text password (see the follow-up mail), so it should not be readable
# by everything that can read etc_t. pyicqt_t gets explicit read access below.
type pyicqt_conf_t;
files_config_file(pyicqt_conf_t)

type pyicqt_spool_t;
files_type(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

# NOTE(review): used by the .fc for /var/log/pyicq-t.log, but no rule in this
# module grants pyicqt_t access to it, so logging to that file would be denied.
# Either add log rules for the domain or drop the type.
type pyicqt_log_t;
logging_log_file(pyicqt_log_t)

########################################
#
# PyICQt policy
#

# Only the fifo permissions the daemon was observed to need; refpolicy
# normally uses the rw_fifo_file_perms set here.
allow pyicqt_t self:fifo_file { read write };
allow pyicqt_t self:tcp_socket create_socket_perms;
allow pyicqt_t self:udp_socket create_socket_perms;

# Config is read-only for the daemon (it contains credentials).
read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)

# Spool and pid files are fully managed by the daemon.
manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)

manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)

# NOTE(review): libs_use_ld_so/libs_use_shared_libs are reported as deprecated
# upstream in this thread; a current refpolicy tree may only need
# libs_read_lib_files here — confirm against the target tree before dropping them.
libs_use_ld_so(pyicqt_t)
libs_use_shared_libs(pyicqt_t)
libs_read_lib_files(pyicqt_t)

# The entry point script lives under /usr/share.
files_read_usr_files(pyicqt_t)
files_search_spool(pyicqt_t)

# /etc/nsswitch.conf
files_read_etc_files(pyicqt_t)
# /etc/resolv.conf
sysnet_read_config(pyicqt_t)

dev_read_urand(pyicqt_t)

# Presumably needed to run the Python interpreter for PyICQt.py — confirm.
# Note this allows executing any bin_t file without a domain transition.
corecmd_exec_bin(pyicqt_t)

kernel_read_system_state(pyicqt_t)

miscfiles_read_localization(pyicqt_t)

# Outbound TCP only to generic ports (those without a specific port type);
# no dedicated port type is defined for the ICQ server side.
corenet_tcp_connect_generic_port(pyicqt_t)
corenet_sendrecv_unlabeled_packets(pyicqt_t)


2009-10-25 14:48:25

by domg472

Subject: [refpolicy] new policy pyicqt

On Sun, Oct 25, 2009 at 12:59:23PM +0100, Stefan Schulze Frielinghaus wrote:
> Hi all,
Hello, I have made some comments in-line.
>
> attached is a new policy for the ICQ transport PyICQt. I lost track of
> head development ... guess the following lines are redundant now
>
> libs_use_ld_so(pyicqt_t)
> libs_use_shared_libs(pyicqt_t)
> libs_read_lib_files(pyicqt_t)
>
> and can be changed to
>
> libs_read_lib_files(pyicqt_t)
>
> I tested the policy on CentOS 5 for a couple of months with ejabberd so
> hope everything is fine tested ;-)
>
> cheers
> Stefan

> /etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
>
> /usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
>
> /var/log/pyicq-t\.log -- gen_context(system_u:object_r:pyicqt_log_t,s0)
>
> /var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
>
> /var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)

> ## <summary>PyICQt is an ICQ transport for XMPP server.</summary>

>
> policy_module(pyicqt, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type pyicqt_t;
> type pyicqt_exec_t;
> init_daemon_domain(pyicqt_t,pyicqt_exec_t)
>
> type pyicqt_conf_t;
> files_config_file(pyicqt_conf_t)
>
> type pyicqt_spool_t;
> files_type(pyicqt_spool_t)
>
> type pyicqt_var_run_t;
> files_pid_file(pyicqt_var_run_t)
>
> type pyicqt_log_t;
> logging_log_file(pyicqt_log_t)
>
> ########################################
> #
> # PyICQt policy
> #
>
> allow pyicqt_t self:fifo_file { read write };
allow pyicqt_t self:fifo_files rw_fifo_file_perms;
> allow pyicqt_t self:tcp_socket create_socket_perms;
> allow pyicqt_t self:udp_socket create_socket_perms;
>
> read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
>
> manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
> manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
>
> manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
>
> libs_use_ld_so(pyicqt_t)
> libs_use_shared_libs(pyicqt_t)
> libs_read_lib_files(pyicqt_t)

libs ... deprecated upstream

> files_read_usr_files(pyicqt_t)
> files_search_spool(pyicqt_t)

files_search_spool (likely) included with files_spool_filetrans (not sure)
>
> # /etc/nsswitch.conf
> files_read_etc_files(pyicqt_t)
> # /etc/resolv.conf
> sysnet_read_config(pyicqt_t)
>
> dev_read_urand(pyicqt_t)
>
> corecmd_exec_bin(pyicqt_t)
>
> kernel_read_system_state(pyicqt_t)
>
> miscfiles_read_localization(pyicqt_t)
>
> corenet_tcp_connect_generic_port(pyicqt_t)
> corenet_sendrecv_unlabeled_packets(pyicqt_t)

for compatibility:
corenet_all_recvfrom_unlabeled(pyicqt_t)
corenet_all_recvfrom_netlabel(pyicqt_t)
corenet_tcp_sendrecv_generic_if(pyicqt_t)
corenet_tcp_sendrecv_generic_node(pyicqt_t)
corenet_sendrecv_generic_client_packets(pyicqt_t)

Other:
Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)
pyicqt.if does not have a description.
You declared pyicqt_var_log_t but nowhere in the policy does pyicqt_t interact with it.

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091025/5b13d2c2/attachment.bin

2009-10-25 15:09:18

by stefan

Subject: [refpolicy] new policy pyicqt

On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
[...]
> allow pyicqt_t self:fifo_files rw_fifo_file_perms;

I only included read/write perms because the app didn't complain about
the other permissions that rw_fifo_file_perms includes. But if it
is common to use the full permission set I will change this.

[...]
> files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

Why should we introduce this rule? PyICQt only writes into a directory
labeled as pyicqt_spool_t and therefore all new files will inherit the
type.

[...]
> files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)

Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
as pyicqt_var_run_t and therefore all new files will inherit this type.

[...]
> libs ... deprecated upstream

And what interface do we use instead? I guess I need to include a rule
to read lib_t files, right?

[...]
> > corenet_tcp_connect_generic_port(pyicqt_t)
> > corenet_sendrecv_unlabeled_packets(pyicqt_t)
>
> for compatibility:
> corenet_all_recvfrom_unlabeled(pyicqt_t)
> corenet_all_recvfrom_netlabel(pyicqt_t)
> corenet_tcp_sendrecv_generic_if(pyicqt_t)
> corenet_tcp_sendrecv_generic_node(pyicqt_t)
> corenet_sendrecv_generic_client_packets(pyicqt_t)

Yep. Will include those. I only included the two interfaces above
because PyICQt didn't complain for other rules. But if they are
mandatory for compatibility I will include them.

> Other:
> Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)

Is alphabetic order important? I can change this no problem. But my
actual intention was to group the two interface calls
for /etc/{nsswitch.conf,resolv.conf}.

> pyicqt.if does not have a description.

Yep. But isn't a summary line sufficient?

> You declared pyicqt_var_log_t but nowhere in personal policy pyicqt_t interacts with it.

Uh good point. I will fix that after the other points above are cleared.

2009-10-25 16:30:45

by domg472

Subject: [refpolicy] new policy pyicqt

On Sun, 2009-10-25 at 16:09 +0100, Stefan Schulze Frielinghaus wrote:
> On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
> [...]
> > allow pyicqt_t self:fifo_files rw_fifo_file_perms;
>
> I only included read/write perms because the app didn't complain on all
> the other permissions which rw_fifo_file_perms will include. But if it
> is common to use the set of permissions I will change this.

> [...]
> > files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
>
> Why should we introduce this rule? PyICQt only writes into a directory
> labeled as pyicqt_spool_t and therefore all new files will inherit the
> type.

So are you saying that /var/spool/pyicq-t gets installed by the package?
>
> [...]
> > files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
>
> Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
> as pyicqt_var_run_t and therefore all new files will inherit this type.

So /var/run/pyicq-t gets installed by the package?

>
> [...]
> > libs ... deprecated upstream
>
> And what interface do we use instead? I guess I need to include a rule
> to read lib_t files, right?
>
> [...]
> > > corenet_tcp_connect_generic_port(pyicqt_t)
> > > corenet_sendrecv_unlabeled_packets(pyicqt_t)
> >
> > for compatibility:
> > corenet_all_recvfrom_unlabeled(pyicqt_t)
> > corenet_all_recvfrom_netlabel(pyicqt_t)
> > corenet_tcp_sendrecv_generic_if(pyicqt_t)
> > corenet_tcp_sendrecv_generic_node(pyicqt_t)
> > corenet_sendrecv_generic_client_packets(pyicqt_t)
>
> Yep. Will include those. I only included the two interfaces above
> because PyICQt didn't complain for other rules. But if they are
> mandatory for compatibility I will include them.
>
> > Other:
> > Some style issues: example files_read_etc_files is below files_read_usr_files (not in alphabetical order)
>
> Is alphabetic order important? I can change this no problem. But my
> actual intention was to group the two interface calls
> for /etc/{nsswitch.conf,resolv.conf}.

See http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide
>
> > pyicqt.if does not have a description.
>
> Yep. But isn't a summary line sufficient?
>
> > You declared pyicqt_var_log_t but nowhere in personal policy pyicqt_t interacts with it.
>
> Uh good point. I will fix that after the other points above are cleared.
>

2009-10-25 21:14:36

by stefan

Subject: [refpolicy] new policy pyicqt

On Sun, 2009-10-25 at 17:30 +0100, Dominick Grift wrote:
> On Sun, 2009-10-25 at 16:09 +0100, Stefan Schulze Frielinghaus wrote:
> > On Sun, 2009-10-25 at 15:48 +0100, Dominick Grift wrote:
> > [...]
> > > allow pyicqt_t self:fifo_files rw_fifo_file_perms;
> >
> > I only included read/write perms because the app didn't complain on all
> > the other permissions which rw_fifo_file_perms will include. But if it
> > is common to use the set of permissions I will change this.
>
> > [...]
> > > files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
> >
> > Why should we introduce this rule? PyICQt only writes into a directory
> > labeled as pyicqt_spool_t and therefore all new files will inherit the
> > type.
>
> So are you saying that /var/spool/pyicq-t gets installed by the package?

PyICQt is installed by default on Fedora to run as a non-root user. So,
yes, /var/{run,spool}/pyicq-t is installed by the RPM package. But I
think I know what you mean: what happens if another distro runs PyICQt
as root and uses /var/run as the base pidfile directory? I will include
this rule to make sure that other distributions won't run into trouble.

[...]
> > > files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
> >
> > Same again here. Why? PyICQt writes to /var/run/pyicq-t which is labeled
> > as pyicqt_var_run_t and therefore all new files will inherit this type.
>
> So /var/run/pyicq-t gets installed by the package?

Same as above.

[...]
> See http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

Hey, cool, wasn't aware of such a style guide. Thanks for the link and
the policy review. I will work on the suggestions and submit a new
policy.

2009-10-26 19:40:23

by stefan

Subject: [refpolicy] new policy pyicqt

On Sun, 2009-10-25 at 22:14 +0100, Stefan Schulze Frielinghaus wrote:
> I will work on the suggestions and submit a new
> policy.

And attached is a new version. Hope everything is alright now.

cheers
Stefan

PS: Just for the record: I created the type pyicqt_conf_t because the
config file contains a clear-text password.
-------------- next part --------------
# pyicqt.fc -- file contexts for the PyICQt ICQ transport.
# Each label below must match a type declared in pyicqt.te; what the
# daemon may do with the object comes from the rules in that file.

# Configuration; it holds a clear-text password, so it gets its own type and
# pyicqt_t only gets read access (read_files_pattern in pyicqt.te).
/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)

# Entry point script; init_daemon_domain() in pyicqt.te lets init transition
# into pyicqt_t when it executes this file.
/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)

# Pid and spool directories. The Fedora package installs both; pyicqt.te also
# carries filetrans rules so the private types are applied when the daemon
# creates them itself on other distributions.
/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)

/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
-------------- next part --------------
## <summary>PyICQt is an ICQ transport for XMPP server.</summary>
## <desc>
##	<p>
##	Policy for the PyICQt daemon (pyicqt_t), started by init and
##	confined with its own configuration, spool and pid file types.
##	No interfaces are provided for other domains at this time.
##	</p>
## </desc>
-------------- next part --------------

policy_module(pyicqt, 1.0.0)

########################################
#
# Declarations
#

# Daemon domain and its entry point; init_daemon_domain() lets init start
# the daemon with a transition into pyicqt_t on exec of pyicqt_exec_t.
type pyicqt_t;
type pyicqt_exec_t;
init_daemon_domain(pyicqt_t, pyicqt_exec_t)

# Dedicated config type rather than plain etc_t: the config file holds a
# clear-text password, so it should not be readable by everything that can
# read etc_t. pyicqt_t gets explicit read access below.
type pyicqt_conf_t;
files_config_file(pyicqt_conf_t)

type pyicqt_spool_t;
files_type(pyicqt_spool_t)

type pyicqt_var_run_t;
files_pid_file(pyicqt_var_run_t)

# NOTE(review): the earlier draft labeled /var/log/pyicq-t.log with a private
# log type; this version has no log type at all. If the daemon does write a
# log under /var/log it now has no rule for it — confirm.

########################################
#
# PyICQt policy
#

allow pyicqt_t self:fifo_file rw_fifo_file_perms;
allow pyicqt_t self:tcp_socket create_socket_perms;
allow pyicqt_t self:udp_socket create_socket_perms;

# Config is read-only for the daemon (it contains credentials).
read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)

# Spool and pid files are fully managed by the daemon.
manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)

manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)

kernel_read_system_state(pyicqt_t)

# Presumably needed to run the Python interpreter for PyICQt.py — confirm.
# Note this allows executing any bin_t file without a domain transition.
corecmd_exec_bin(pyicqt_t)

# Outbound TCP only to generic ports (those without a specific port type);
# the remaining corenet calls are the compatibility set asked for in review.
corenet_all_recvfrom_unlabeled(pyicqt_t)
corenet_all_recvfrom_netlabel(pyicqt_t)
corenet_tcp_connect_generic_port(pyicqt_t)
corenet_tcp_sendrecv_generic_if(pyicqt_t)
corenet_tcp_sendrecv_generic_node(pyicqt_t)
corenet_sendrecv_generic_client_packets(pyicqt_t)
corenet_sendrecv_unlabeled_packets(pyicqt_t)

dev_read_urand(pyicqt_t)

# The filetrans rules make pid/spool objects created directly under
# /var/run or /var/spool get the private types on distributions where the
# package does not pre-create the per-daemon directories.
files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
# /etc/nsswitch.conf
files_read_etc_files(pyicqt_t)
# Entry point script lives under /usr/share.
files_read_usr_files(pyicqt_t)
files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })

# NOTE(review): libs_use_ld_so/libs_use_shared_libs are reported as deprecated
# upstream in this thread and the replacement was not settled; a current
# refpolicy tree may only need libs_read_lib_files — confirm against the
# target tree before dropping them.
libs_read_lib_files(pyicqt_t)
libs_use_ld_so(pyicqt_t)
libs_use_shared_libs(pyicqt_t)

miscfiles_read_localization(pyicqt_t)

# /etc/resolv.conf
sysnet_read_config(pyicqt_t)