2010-03-22 11:48:20

by domg472

Subject: [refpolicy] [ irc patch 1/1] Extend IRC client policy to support irssi.

I have been enjoying my irssi policy for some years now. While merging it into the irc module
of my custom policy, which is based on refpolicy, I decided to give it another go and submit it.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 65ece18... 45203f4... M policy/modules/apps/irc.fc
:100644 100644 4f9dc90... b712758... M policy/modules/apps/irc.if
:100644 100644 789e684... e4535f8... M policy/modules/apps/irc.te
policy/modules/apps/irc.fc | 15 ++++++++---
policy/modules/apps/irc.if | 19 ++++++++++++++
policy/modules/apps/irc.te | 60 +++++++++++++++++++++++++++++++++++++++----
3 files changed, 84 insertions(+), 10 deletions(-)

diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 65ece18..45203f4 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,11 +1,18 @@
#
# /home
#
-HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
+
+#
+# /etc
+#
+/etc/irssi\.conf -- gen_context(system_u:object_r:irc_etc_t,s0)

#
# /usr
#
-/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
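Review bot: `HOME_DIR/\.irssi(/.*)?` labels the whole ~/.irssi tree as irc_home_t, which irc_t can fully manage through the `manage_*_pattern(irc_t, irc_home_t, irc_home_t)` lines in irc.te. irssi normally keeps its per-user config and user scripts in that tree, so a compromised client could rewrite what it loads on the next start. That may be an accepted trade-off, but it deserves a comment above this entry, or a follow-up that gives the scripts subdirectory a type irc_t can only read.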
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 4f9dc90..b712758 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -18,6 +18,7 @@
interface(`irc_role',`
gen_require(`
type irc_t, irc_exec_t;
+ type irc_home_t, irc_tmp_t;
')

role $1 types irc_t;
@@ -28,4 +29,22 @@ interface(`irc_role',`
# allow ps to show irc
ps_process_pattern($2, irc_t)
allow $2 irc_t:process signal;
+
+ manage_dirs_pattern($2, irc_home_t, irc_home_t)
+ manage_files_pattern($2, irc_home_t, irc_home_t)
+ manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
+
+ relabel_dirs_pattern($2, irc_home_t, irc_home_t)
+ relabel_files_pattern($2, irc_home_t, irc_home_t)
+ relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
')
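Review bot: The role gets no access to `lnk_file` objects of type irc_tmp_t, although the `files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })` context line in irc.te lets irc_t create them. A user could therefore be left with symlinks under /tmp that they can neither remove nor relabel. Adding `manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)` and `relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)` to the two irc_tmp_t groups would close the gap. The interface's doc comment starts outside this hunk; it should say that the role now manages and relabels IRC home and tmp content.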
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 789e684..e4535f8 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -6,6 +6,22 @@ policy_module(irc, 2.1.0)
# Declarations
#

+## <desc>
+## <p>
+## Allow IRC clients to connect to
+## any ports.
+## </p>
+## </desc>
+gen_tunable(irc_connect_any, false)
+
+## <desc>
+## <p>
+## Allow IRC clients to bind to
+## generic ports.
+## </p>
+## </desc>
+gen_tunable(irc_tcp_server, false)
+
type irc_t;
type irc_exec_t;
typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
@@ -13,6 +29,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
application_domain(irc_t, irc_exec_t)
ubac_constrained(irc_t)

+type irc_etc_t;
+files_config_file(irc_etc_t)
+
type irc_home_t;
typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
@@ -21,21 +40,28 @@ userdom_user_home_content(irc_home_t)
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+files_tmp_file(irc_tmp_t)
+ubac_constrained(irc_tmp_t)

########################################
#
# Local policy
#

-allow irc_t self:unix_stream_socket create_stream_socket_perms;
-allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:process { signal sigkill };
+allow irc_t self:fifo_file rw_fifo_file_perms;
+allow irc_t self:netlink_route_socket create_netlink_socket_perms;
+allow irc_t self:tcp_socket create_stream_socket_perms;
allow irc_t self:udp_socket create_socket_perms;
+allow irc_t self:unix_stream_socket create_stream_socket_perms;
+
+allow irc_t irc_etc_t:file read_file_perms;

manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
+userdom_search_user_home_dirs(irc_t)

# access files under /tmp
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
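Review bot: `allow irc_t self:tcp_socket create_stream_socket_perms;` grants `listen` and `accept` unconditionally, where the removed line granted only `create_socket_perms`. The socket-level half of server behaviour therefore stays enabled even when the new `irc_tcp_server` tunable is false. Keeping `allow irc_t self:tcp_socket create_socket_perms;` here and putting `allow irc_t self:tcp_socket { listen accept };` inside the `irc_tcp_server` block would keep the default client-only. The new `netlink_route_socket` and `process { signal sigkill }` rules would each benefit from a one-line comment naming what needs them. The /tmp rules at the end of the hunk continue outside it.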
@@ -47,6 +73,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })

kernel_read_proc_symlinks(irc_t)

+corecmd_search_bin(irc_t)
+corecmd_read_bin_symlinks(irc_t)
+
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
@@ -55,10 +84,15 @@ corenet_tcp_sendrecv_generic_node(irc_t)
corenet_udp_sendrecv_generic_node(irc_t)
corenet_tcp_sendrecv_all_ports(irc_t)
corenet_udp_sendrecv_all_ports(irc_t)
+# Privoxy
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
corenet_sendrecv_ircd_client_packets(irc_t)
-# cjp: this seems excessive:
-corenet_tcp_connect_all_ports(irc_t)
-corenet_sendrecv_all_client_packets(irc_t)
+
+dev_read_urand(irc_t)
+# irssi-otr genkey.
+dev_read_rand(irc_t)

domain_use_interactive_fds(irc_t)

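Review bot: The `# Privoxy` comment sits directly above four rules with no blank line, so it reads as if it also covers the two ircd rules; only `corenet_tcp_connect_http_cache_port(irc_t)` and `corenet_sendrecv_http_cache_client_packets(irc_t)` relate to a proxy. The proxy connect is also granted unconditionally, while the same commit moves the broad `corenet_tcp_connect_all_ports` behind a tunable. The http_cache port type presumably covers more proxy ports than Privoxy's, so consider gating these two lines behind a tunable as well. At minimum, expand the comment to something like `# connect through a local HTTP proxy (e.g. Privoxy)` and separate the ircd lines with a blank line.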
@@ -87,6 +121,16 @@ sysnet_read_config(irc_t)
# Write to the user domain tty.
userdom_use_user_terminals(irc_t)

+tunable_policy(`irc_connect_any',`
+ corenet_tcp_connect_all_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+')
+
+tunable_policy(`irc_tcp_server',`
+ corenet_tcp_bind_generic_port(irc_t)
+ corenet_sendrecv_generic_server_packets(irc_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(irc_t)
fs_manage_nfs_files(irc_t)
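Review bot: The `irc_tcp_server` block allows binding to generic ports with `corenet_tcp_bind_generic_port(irc_t)`, but no node bind rule for irc_t is visible in any hunk of this patch. Unless one already exists elsewhere in irc.te, bind() would presumably still be denied with the boolean on; in that case `corenet_tcp_bind_generic_node(irc_t)` belongs in this block. A short comment stating the use case the tunable serves would also help administrators decide whether to enable it.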
@@ -100,5 +144,9 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(irc_t)
+')
+
+optional_policy(`
nis_use_ypbind(irc_t)
')
--
1.7.0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100322/c555f5c8/attachment-0001.bin