2010-03-22 11:57:31

by domg472

Subject: [refpolicy] [ irc patch RETRY 1/1] Extend IRC client policy to support irssi.

Slight error in my previous patch, in which I forgot to allow users to manage and relabel irc_tmp_t lnk_files.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 65ece18... 45203f4... M policy/modules/apps/irc.fc
:100644 100644 4f9dc90... 2111a46... M policy/modules/apps/irc.if
:100644 100644 789e684... e4535f8... M policy/modules/apps/irc.te
policy/modules/apps/irc.fc | 15 ++++++++---
policy/modules/apps/irc.if | 21 +++++++++++++++
policy/modules/apps/irc.te | 60 +++++++++++++++++++++++++++++++++++++++----
3 files changed, 86 insertions(+), 10 deletions(-)

diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 65ece18..45203f4 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,11 +1,18 @@
#
# /home
#
-HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
+
+#
+# /etc
+#
+/etc/irssi\.conf -- gen_context(system_u:object_r:irc_etc_t,s0)

#
# /usr
#
-/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 4f9dc90..2111a46 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -18,6 +18,7 @@
interface(`irc_role',`
gen_require(`
type irc_t, irc_exec_t;
+ type irc_home_t, irc_tmp_t;
')

role $1 types irc_t;
@@ -28,4 +29,24 @@ interface(`irc_role',`
# allow ps to show irc
ps_process_pattern($2, irc_t)
allow $2 irc_t:process signal;
+
+ manage_dirs_pattern($2, irc_home_t, irc_home_t)
+ manage_files_pattern($2, irc_home_t, irc_home_t)
+ manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
+
+ relabel_dirs_pattern($2, irc_home_t, irc_home_t)
+ relabel_files_pattern($2, irc_home_t, irc_home_t)
+ relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
')
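Review bot: The rules added to `irc_role` give the role's user domain full manage and relabel access to irc_home_t and irc_tmp_t, but no comment says why, and no hunk in this patch touches the interface's doc block above line 18. A grouping comment such as `# allow the user domain to manage and relabel irc home and tmp content` above the first `manage_dirs_pattern` would match the existing `# allow ps to show irc` style. It is also worth confirming that $2 needs relabel on irc_tmp_t fifo and sock files, since those look like runtime objects rather than content a user would restore labels on.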
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 789e684..e4535f8 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -6,6 +6,22 @@ policy_module(irc, 2.1.0)
# Declarations
#

+## <desc>
+## <p>
+## Allow IRC clients to connect to
+## any ports.
+## </p>
+## </desc>
+gen_tunable(irc_connect_any, false)
+
+## <desc>
+## <p>
+## Allow IRC clients to bind to
+## generic ports.
+## </p>
+## </desc>
+gen_tunable(irc_tcp_server, false)
+
type irc_t;
type irc_exec_t;
typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
@@ -13,6 +29,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
application_domain(irc_t, irc_exec_t)
ubac_constrained(irc_t)

+type irc_etc_t;
+files_config_file(irc_etc_t)
+
type irc_home_t;
typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
@@ -21,21 +40,28 @@ userdom_user_home_content(irc_home_t)
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+files_tmp_file(irc_tmp_t)
+ubac_constrained(irc_tmp_t)

########################################
#
# Local policy
#

-allow irc_t self:unix_stream_socket create_stream_socket_perms;
-allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:process { signal sigkill };
+allow irc_t self:fifo_file rw_fifo_file_perms;
+allow irc_t self:netlink_route_socket create_netlink_socket_perms;
+allow irc_t self:tcp_socket create_stream_socket_perms;
allow irc_t self:udp_socket create_socket_perms;
+allow irc_t self:unix_stream_socket create_stream_socket_perms;
+
+allow irc_t irc_etc_t:file read_file_perms;

manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
+userdom_search_user_home_dirs(irc_t)

# access files under /tmp
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
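Review bot: Changing `self:tcp_socket` from `create_socket_perms` to `create_stream_socket_perms` gives listen and accept to every client running as irc_t, while the matching bind permission later in this patch is gated behind the `irc_tcp_server` boolean. Keeping the unconditional rule at `create_socket_perms` and adding `allow irc_t self:tcp_socket { listen accept };` inside the `irc_tcp_server` block would keep the default client-only. The new `self:process { signal sigkill }` and `netlink_route_socket` rules would also benefit from a one-line comment naming the irssi behaviour that needs them. The local policy section continues outside this hunk.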
@@ -47,6 +73,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })

kernel_read_proc_symlinks(irc_t)

+corecmd_search_bin(irc_t)
+corecmd_read_bin_symlinks(irc_t)
+
corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
@@ -55,10 +84,15 @@ corenet_tcp_sendrecv_generic_node(irc_t)
corenet_udp_sendrecv_generic_node(irc_t)
corenet_tcp_sendrecv_all_ports(irc_t)
corenet_udp_sendrecv_all_ports(irc_t)
+# Privoxy
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
corenet_sendrecv_ircd_client_packets(irc_t)
-# cjp: this seems excessive:
-corenet_tcp_connect_all_ports(irc_t)
-corenet_sendrecv_all_client_packets(irc_t)
+
+dev_read_urand(irc_t)
+# irssi-otr genkey.
+dev_read_rand(irc_t)

domain_use_interactive_fds(irc_t)
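Review bot: `dev_read_rand(irc_t)` is granted unconditionally for an optional plugin, so every client labelled irc_exec_t in irc.fc (ircII, tinyirc and the rest) gains read access to the blocking random device. If only irssi-otr key generation needs it, the comment should say so in full, e.g. `# irssi-otr key generation reads /dev/random; other clients only need urandom`. Consider whether the rule belongs behind a boolean like the two this patch adds. The `# Privoxy` comment is similarly terse: it does not say that the http_cache rules, as it appears, exist to let the client connect through a local HTTP proxy.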

@@ -87,6 +121,16 @@ sysnet_read_config(irc_t)
# Write to the user domain tty.
userdom_use_user_terminals(irc_t)

+tunable_policy(`irc_connect_any',`
+ corenet_tcp_connect_all_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+')
+
+tunable_policy(`irc_tcp_server',`
+ corenet_tcp_bind_generic_port(irc_t)
+ corenet_sendrecv_generic_server_packets(irc_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(irc_t)
fs_manage_nfs_files(irc_t)
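Review bot: The `irc_tcp_server` block grants `corenet_tcp_bind_generic_port` but no node bind, and no `corenet_tcp_bind_generic_node(irc_t)` appears in the visible lines of irc.te. If it is not present elsewhere in the file, bind() will probably still be denied with the boolean on, and `corenet_tcp_bind_generic_node(irc_t)` should be added inside the block. For `irc_connect_any`, `corenet_tcp_connect_all_ports` also covers reserved ports. If the tree provides `corenet_tcp_connect_all_unreserved_ports`, that would be a narrower fit for a client that only needs non-standard IRC ports.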
@@ -100,5 +144,9 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(irc_t)
+')
+
+optional_policy(`
nis_use_ypbind(irc_t)
')
--
1.7.0.1



2010-04-12 15:07:39

by cpebenito

Subject: [refpolicy] [ irc patch RETRY 1/1] Extend IRC client policy to support irssi.

On Mon, 2010-03-22 at 12:57 +0100, Dominick Grift wrote:
> Slight error in my previous patch where i forgot to allow users to manage and relabel irc_tmp_t lnk_files.

Comments inline.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 65ece18... 45203f4... M policy/modules/apps/irc.fc
> :100644 100644 4f9dc90... 2111a46... M policy/modules/apps/irc.if
> :100644 100644 789e684... e4535f8... M policy/modules/apps/irc.te
> policy/modules/apps/irc.fc | 15 ++++++++---
> policy/modules/apps/irc.if | 21 +++++++++++++++
> policy/modules/apps/irc.te | 60 +++++++++++++++++++++++++++++++++++++++----
> 3 files changed, 86 insertions(+), 10 deletions(-)
>
> diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
> index 65ece18..45203f4 100644
> --- a/policy/modules/apps/irc.fc
> +++ b/policy/modules/apps/irc.fc
> @@ -1,11 +1,18 @@
> #
> # /home
> #
> -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
> +
> +#
> +# /etc
> +#
> +/etc/irssi\.conf -- gen_context(system_u:object_r:irc_etc_t,s0)
>
> #
> # /usr
> #
> -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)

Whitespace changes should be in a separate patch.

> diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
> index 4f9dc90..2111a46 100644
> --- a/policy/modules/apps/irc.if
> +++ b/policy/modules/apps/irc.if
> @@ -18,6 +18,7 @@
> interface(`irc_role',`
> gen_require(`
> type irc_t, irc_exec_t;
> + type irc_home_t, irc_tmp_t;
> ')
>
> role $1 types irc_t;
> @@ -28,4 +29,24 @@ interface(`irc_role',`
> # allow ps to show irc
> ps_process_pattern($2, irc_t)
> allow $2 irc_t:process signal;
> +
> + manage_dirs_pattern($2, irc_home_t, irc_home_t)
> + manage_files_pattern($2, irc_home_t, irc_home_t)
> + manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> + manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +
> + relabel_dirs_pattern($2, irc_home_t, irc_home_t)
> + relabel_files_pattern($2, irc_home_t, irc_home_t)
> + relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> + relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> ')
> diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
> index 789e684..e4535f8 100644
> --- a/policy/modules/apps/irc.te
> +++ b/policy/modules/apps/irc.te
> @@ -6,6 +6,22 @@ policy_module(irc, 2.1.0)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Allow IRC clients to connect to
> +## any ports.
> +## </p>
> +## </desc>
> +gen_tunable(irc_connect_any, false)
> +
> +## <desc>
> +## <p>
> +## Allow IRC clients to bind to
> +## generic ports.
> +## </p>
> +## </desc>
> +gen_tunable(irc_tcp_server, false)
> +
> type irc_t;
> type irc_exec_t;
> typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
> @@ -13,6 +29,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
> application_domain(irc_t, irc_exec_t)
> ubac_constrained(irc_t)
>
> +type irc_etc_t;
> +files_config_file(irc_etc_t)
> +
> type irc_home_t;
> typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
> typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
> @@ -21,21 +40,28 @@ userdom_user_home_content(irc_home_t)
> type irc_tmp_t;
> typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
> typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
> -userdom_user_home_content(irc_tmp_t)
> +files_tmp_file(irc_tmp_t)
> +ubac_constrained(irc_tmp_t)
>
> ########################################
> #
> # Local policy
> #
>
> -allow irc_t self:unix_stream_socket create_stream_socket_perms;
> -allow irc_t self:tcp_socket create_socket_perms;
> +allow irc_t self:process { signal sigkill };
> +allow irc_t self:fifo_file rw_fifo_file_perms;
> +allow irc_t self:netlink_route_socket create_netlink_socket_perms;
> +allow irc_t self:tcp_socket create_stream_socket_perms;
> allow irc_t self:udp_socket create_socket_perms;
> +allow irc_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow irc_t irc_etc_t:file read_file_perms;

This type seems redundant since irc can already read etc files.

> manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
> manage_files_pattern(irc_t, irc_home_t, irc_home_t)
> manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
> userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
> +userdom_search_user_home_dirs(irc_t)

Shouldn't be needed due to the rule above it.

> # access files under /tmp
> manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> @@ -47,6 +73,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
>
> kernel_read_proc_symlinks(irc_t)
>
> +corecmd_search_bin(irc_t)
> +corecmd_read_bin_symlinks(irc_t)

The first line is redundant due to the second.

> corenet_all_recvfrom_unlabeled(irc_t)
> corenet_all_recvfrom_netlabel(irc_t)
> corenet_tcp_sendrecv_generic_if(irc_t)
> @@ -55,10 +84,15 @@ corenet_tcp_sendrecv_generic_node(irc_t)
> corenet_udp_sendrecv_generic_node(irc_t)
> corenet_tcp_sendrecv_all_ports(irc_t)
> corenet_udp_sendrecv_all_ports(irc_t)
> +# Privoxy
> +corenet_tcp_connect_http_cache_port(irc_t)
> +corenet_sendrecv_http_cache_client_packets(irc_t)
> +corenet_tcp_connect_ircd_port(irc_t)
> corenet_sendrecv_ircd_client_packets(irc_t)
> -# cjp: this seems excessive:
> -corenet_tcp_connect_all_ports(irc_t)
> -corenet_sendrecv_all_client_packets(irc_t)
> +
> +dev_read_urand(irc_t)
> +# irssi-otr genkey.
> +dev_read_rand(irc_t)
>
> domain_use_interactive_fds(irc_t)
>
> @@ -87,6 +121,16 @@ sysnet_read_config(irc_t)
> # Write to the user domain tty.
> userdom_use_user_terminals(irc_t)
>
> +tunable_policy(`irc_connect_any',`
> + corenet_tcp_connect_all_ports(irc_t)
> + corenet_sendrecv_all_client_packets(irc_t)
> +')
> +
> +tunable_policy(`irc_tcp_server',`
> + corenet_tcp_bind_generic_port(irc_t)
> + corenet_sendrecv_generic_server_packets(irc_t)
> +')
> +
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(irc_t)
> fs_manage_nfs_files(irc_t)
> @@ -100,5 +144,9 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + automount_dontaudit_getattr_tmp_dirs(irc_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(irc_t)
> ')

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2010-04-13 21:05:53

by domg472

Subject: [refpolicy] [ irc patch RETRY 1/1] Extend IRC client policy to support irssi.

I have implemented your suggestions. Thanks for that.
I am currently using a different version of the irc module implementation though.

If you're interested you can always have a look into my personal repository that is currently located here: git clone git://217.19.27.98/refpolicy.git
