http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
isc policy updates from Dominic Grift.
On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
>
> isc policy updates from Dominic Grift.
Why does irssi need a special domain? Why can't it just use/augment the
irc_t domain?
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Mon, Jun 21, 2010 at 09:09:35AM -0400, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote:
> > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
> >
> > isc policy updates from Dominic Grift.
>
> Why does irssi need a special domain? Why can't it just use/augment the
> irc_t domain?
Because of this:
allow irc_t self:unix_stream_socket create_stream_socket_perms;
allow irc_t self:tcp_socket create_socket_perms;
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_proc_symlinks(irc_t)
corenet_tcp_sendrecv_all_ports(irc_t)
corenet_udp_sendrecv_all_ports(irc_t)
corenet_tcp_connect_all_ports(irc_t)
corenet_sendrecv_all_client_packets(irc_t)
domain_use_interactive_fds(irc_t)
files_dontaudit_search_pids(irc_t)
files_search_var(irc_t)
fs_getattr_xattr_fs(irc_t)
term_use_controlling_term(irc_t)
term_list_ptys(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
seutil_use_newrole_fds(irc_t)
allow irssi_t self:process { signal sigkill };
allow irssi_t self:fifo_file rw_fifo_file_perms;
allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
allow irssi_t self:tcp_socket create_stream_socket_perms;
allow irssi_t irssi_etc_t:file read_file_perms;
kernel_read_system_state(irssi_t)
corecmd_read_bin_symlinks(irssi_t)
corenet_udp_sendrecv_generic_node(irssi_t)
corenet_tcp_connect_ircd_port(irssi_t)
corenet_tcp_connect_http_cache_port(irssi_t)
corenet_sendrecv_http_cache_client_packets(irssi_t)
corenet_tcp_connect_gatekeeper_port(irssi_t)
corenet_sendrecv_gatekeeper_client_packets(irssi_t)
dev_read_urand(irssi_t)
dev_read_rand(irssi_t)
miscfiles_read_certs(irssi_t)
tunable_policy(`irssi_use_full_network',`
corenet_tcp_bind_all_unreserved_ports(irssi_t)
corenet_tcp_connect_all_ports(irssi_t)
corenet_sendrecv_all_client_packets(irssi_t)
corenet_sendrecv_generic_server_packets(irssi_t)
')
optional_policy(`
automount_dontaudit_getattr_tmp_dirs(irssi_t)
')
optional_policy(`
nscd_socket_use(irssi_t
')
I think its just too much overhead. Besides i do not agree with some of the security decisions made for the irc_t domain.
So the best compromise in my view is to just add a new irssi_t domain to the existing irc module.
That said, i think the patch that is in question here is not what i currently have in my repository. In my repository i have combined all policy that is common to both irc_t and irssi_t in a irc_domain section (attribute irc_domain for both irc_t, irssi_t)
Also if i am not mistaken, i have submitted a patch where irssi was merged into the irc_t domain some time ago, That patch has not made it in either for some reason.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100621/29e60178/attachment.bin
On Mon, 2010-06-21 at 16:53 +0200, Dominick Grift wrote:
> On Mon, Jun 21, 2010 at 09:09:35AM -0400, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote:
> > > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
> > >
> > > isc policy updates from Dominic Grift.
> >
> > Why does irssi need a special domain? Why can't it just use/augment the
> > irc_t domain?
>
> Because of this:
>
> allow irc_t self:unix_stream_socket create_stream_socket_perms;
> allow irc_t self:tcp_socket create_socket_perms;
>
> manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
>
> kernel_read_proc_symlinks(irc_t)
>
> corenet_tcp_sendrecv_all_ports(irc_t)
> corenet_udp_sendrecv_all_ports(irc_t)
> corenet_tcp_connect_all_ports(irc_t)
> corenet_sendrecv_all_client_packets(irc_t)
>
> domain_use_interactive_fds(irc_t)
>
> files_dontaudit_search_pids(irc_t)
> files_search_var(irc_t)
>
> fs_getattr_xattr_fs(irc_t)
>
> term_use_controlling_term(irc_t)
> term_list_ptys(irc_t)
>
> init_read_utmp(irc_t)
> init_dontaudit_lock_utmp(irc_t)
>
> seutil_use_newrole_fds(irc_t)
>
> allow irssi_t self:process { signal sigkill };
> allow irssi_t self:fifo_file rw_fifo_file_perms;
> allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
> allow irssi_t self:tcp_socket create_stream_socket_perms;
>
> allow irssi_t irssi_etc_t:file read_file_perms;
>
> kernel_read_system_state(irssi_t)
>
> corecmd_read_bin_symlinks(irssi_t)
>
> corenet_udp_sendrecv_generic_node(irssi_t)
> corenet_tcp_connect_ircd_port(irssi_t)
>
> corenet_tcp_connect_http_cache_port(irssi_t)
> corenet_sendrecv_http_cache_client_packets(irssi_t)
>
> corenet_tcp_connect_gatekeeper_port(irssi_t)
> corenet_sendrecv_gatekeeper_client_packets(irssi_t)
>
> dev_read_urand(irssi_t)
> dev_read_rand(irssi_t)
>
> miscfiles_read_certs(irssi_t)
>
> tunable_policy(`irssi_use_full_network',`
> corenet_tcp_bind_all_unreserved_ports(irssi_t)
> corenet_tcp_connect_all_ports(irssi_t)
> corenet_sendrecv_all_client_packets(irssi_t)
> corenet_sendrecv_generic_server_packets(irssi_t)
> ')
>
> optional_policy(`
> automount_dontaudit_getattr_tmp_dirs(irssi_t)
> ')
>
> optional_policy(`
> nscd_socket_use(irssi_t
> ')
>
> I think its just too much overhead.
I'm not clear on what you're saying
> Besides i do not agree with some of the security decisions made for
> the irc_t domain.
Please be more specific.
> So the best compromise in my view is to just add a new irssi_t domain
> to the existing irc module.
>
> That said, i think the patch that is in question here is not what i
> currently have in my repository. In my repository i have combined all
> policy that is common to both irc_t and irssi_t in a irc_domain
> section (attribute irc_domain for both irc_t, irssi_t)
>
> Also if i am not mistaken, i have submitted a patch where irssi was
> merged into the irc_t domain some time ago, That patch has not made it
> in either for some reason.
Its easy to get lost in the flood due to the number of patches I get
from Dan.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com