2010-06-22 19:36:32

by domg472

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

The tabs in irc.fc are weird because of Eclipse.
We can remove the irc_home_t stuff from irc.if once userdom_user_home_content is fixed to handle it.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 65ece18... 200a6cd... M policy/modules/apps/irc.fc
:100644 100644 4f9dc90... a638de0... M policy/modules/apps/irc.if
:100644 100644 66beb80... b1526ce... M policy/modules/apps/irc.te
policy/modules/apps/irc.fc | 18 ++++++-------
policy/modules/apps/irc.if | 29 ++++++++++++++++++---
policy/modules/apps/irc.te | 59 +++++++++++++++++++++++++++++++++++--------
3 files changed, 80 insertions(+), 26 deletions(-)

diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 65ece18..200a6cd 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,11 +1,9 @@
-#
-# /home
-#
-HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)

-#
-# /usr
-#
-/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/etc/irssi.conf -- gen_context(system_u:object_r:irc_etc_t,s0)
+
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 4f9dc90..a638de0 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -1,4 +1,4 @@
-## <summary>IRC client policy</summary>
+## <summary>IRC clients.</summary>

########################################
## <summary>
@@ -17,15 +17,34 @@
#
interface(`irc_role',`
gen_require(`
- type irc_t, irc_exec_t;
+ type irc_t, irc_exec_t, irc_tmp_t;
+ type irc_home_t;
')

role $1 types irc_t;

- # Transition from the user domain to the derived domain.
domtrans_pattern($2, irc_exec_t, irc_t)

- # allow ps to show irc
ps_process_pattern($2, irc_t)
- allow $2 irc_t:process signal;
+ allow $2 irc_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($2, irc_home_t, irc_home_t)
+ manage_files_pattern($2, irc_home_t, irc_home_t)
+ manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ relabel_dirs_pattern($2, irc_home_t, irc_home_t)
+ relabel_files_pattern($2, irc_home_t, irc_home_t)
+ relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
+
+ manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
+
+ relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
+ relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
')
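Review bot: The replacement for the old `allow $2 irc_t:process signal;` now grants `{ ptrace signal_perms }`, and `ptrace` lets the caller's domain attach to the IRC client and read its memory, which presumably includes any server or proxy passwords the client is holding at runtime; the commit message does not say this broadening is intended. If it is there so users can debug their own client, make it deliberate with a comment on that line, e.g. `# let the user domain debug (ptrace) its own irc client`, so a later reader does not take it for an accident. The interface's summary and parameter documentation sits above the hunk and is not visible here; it should also mention the home and tmp management the caller now receives through this interface.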
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 66beb80..b1526ce 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -5,6 +5,14 @@ policy_module(irc, 2.1.0)
# Declarations
#

+## <desc>
+## <p>
+## Allow IRC Clients to connect to any TCP port,
+## and to bind TCP sockets to any unreserved port.
+## </p>
+## </desc>
+gen_tunable(irc_can_network, false)
+
type irc_t;
type irc_exec_t;
typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
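Review bot: The `<desc>` for the new tunable states less than the boolean turns on: the tunable_policy body later in this patch also grants `corenet_sendrecv_all_server_packets(irc_t)`, and the unconditional tcp_socket rule is switched to `create_stream_socket_perms`, so with the boolean enabled the client can listen for and accept inbound TCP connections on any unreserved port, not merely bind. This text is what an administrator sees when listing booleans, so it should say that, e.g. `## Allow IRC clients to connect to any TCP port, and to listen for and accept incoming TCP connections on any unreserved port.`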
@@ -12,6 +20,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
application_domain(irc_t, irc_exec_t)
ubac_constrained(irc_t)

+type irc_etc_t;
+files_config_file(irc_etc_t)
+
type irc_home_t;
typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
@@ -20,23 +31,28 @@ userdom_user_home_content(irc_home_t)
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
-userdom_user_home_content(irc_tmp_t)
+files_tmp_file(irc_tmp_t)
+ubac_constrained(irc_tmp_t)

########################################
#
# Local policy
#

+allow irc_t self:process { signal sigkill };
+allow irc_t self:fifo_file rw_fifo_file_perms;
+allow irc_t self:netlink_route_socket create_netlink_socket_perms;
allow irc_t self:unix_stream_socket create_stream_socket_perms;
-allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:tcp_socket create_stream_socket_perms;
allow irc_t self:udp_socket create_socket_perms;

+allow irc_t irc_etc_t:file read_file_perms;
+
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })

-# access files under /tmp
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
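Review bot: Changing the tcp_socket rule from `create_socket_perms` to `create_stream_socket_perms` adds `listen` and `accept` unconditionally, while the bind-to-unreserved-ports grant is kept behind `irc_can_network`; combined with the unconditional `corenet_tcp_bind_generic_node(irc_t)` added in a later hunk, the client can, as far as I recall the name_bind check, still listen on a kernel-chosen ephemeral port with the boolean off, which narrows what the boolean actually controls. If listen/accept are only needed for inbound connections (DCC-style transfers), keep `allow irc_t self:tcp_socket create_socket_perms;` here and move `allow irc_t self:tcp_socket { listen accept };` into the `irc_can_network` tunable_policy block; if an IRC client genuinely needs to accept connections by default, a comment on the line saying why would settle it.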
@@ -44,7 +60,9 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })

-kernel_read_proc_symlinks(irc_t)
+kernel_read_system_state(irc_t)
+
+corecmd_read_bin_symlinks(irc_t)

corenet_all_recvfrom_unlabeled(irc_t)
corenet_all_recvfrom_netlabel(irc_t)
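Review bot: `kernel_read_proc_symlinks(irc_t)` is replaced by `kernel_read_system_state(irc_t)`, a considerably wider grant (read access to the generic /proc state rather than only its symlinks), and the hunk does not record which file the client actually needs. Since an IRC client processes data from remote peers, the /proc surface it can read should be the smallest that works; a comment naming the trigger, e.g. `# irssi reads /proc/<file> at startup (from the AVC denial)`, or a narrower kernel_* interface if one covers that file, would keep this reviewable.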
@@ -52,12 +70,19 @@ corenet_tcp_sendrecv_generic_if(irc_t)
corenet_udp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
corenet_udp_sendrecv_generic_node(irc_t)
+corenet_tcp_bind_generic_node(irc_t)
+corenet_udp_bind_generic_node(irc_t)
corenet_tcp_sendrecv_all_ports(irc_t)
corenet_udp_sendrecv_all_ports(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
corenet_sendrecv_ircd_client_packets(irc_t)
-# cjp: this seems excessive:
-corenet_tcp_connect_all_ports(irc_t)
-corenet_sendrecv_all_client_packets(irc_t)
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_gatekeeper_port(irc_t)
+corenet_sendrecv_gatekeeper_client_packets(irc_t)
+
+dev_read_urand(irc_t)
+dev_read_rand(irc_t)

domain_use_interactive_fds(irc_t)

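Review bot: The new `corenet_tcp_connect_gatekeeper_port(irc_t)` / `corenet_sendrecv_gatekeeper_client_packets(irc_t)` pair carries no comment explaining why an IRC client needs the gatekeeper port type, and the same applies to the http_cache pair above it; since these replace the blanket `corenet_tcp_connect_all_ports` with a curated list, each entry should state its reason or a reader cannot tell a stray denial that was blindly allowed from a real requirement. If both are for proxy configurations (irssi has proxy settings in its config), a one-line comment above them such as `# outbound proxies configured via proxy_address/proxy_port` would do; if the gatekeeper port was only hit during testing, drop it.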
@@ -70,22 +95,26 @@ fs_getattr_xattr_fs(irc_t)
fs_search_auto_mountpoints(irc_t)

term_use_controlling_term(irc_t)
-term_list_ptys(irc_t)

-# allow utmp access
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)

+miscfiles_read_certs(irc_t)
miscfiles_read_localization(irc_t)

-# Inherit and use descriptors from newrole.
seutil_use_newrole_fds(irc_t)

sysnet_read_config(irc_t)

-# Write to the user domain tty.
userdom_use_user_terminals(irc_t)

+tunable_policy(`irc_can_network',`
+ corenet_tcp_bind_all_unreserved_ports(irc_t)
+ corenet_sendrecv_all_server_packets(irc_t)
+ corenet_tcp_connect_all_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(irc_t)
fs_manage_nfs_files(irc_t)
@@ -99,5 +128,13 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(irc_t)
+')
+
+optional_policy(`
nis_use_ypbind(irc_t)
')
+
+optional_policy(`
+ nscd_socket_use(irc_t)
+')
--
1.7.0.1



2010-06-22 19:49:08

by cpebenito

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On Tue, 2010-06-22 at 21:36 +0200, Dominick Grift wrote:
> The tabs in irc.fc are weird because of Eclipse.
> We can remove the irc_home_t stuff from irc.if once userdom_user_home_content is fixed to handle it.

A couple of minor issues inline.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 65ece18... 200a6cd... M policy/modules/apps/irc.fc
> :100644 100644 4f9dc90... a638de0... M policy/modules/apps/irc.if
> :100644 100644 66beb80... b1526ce... M policy/modules/apps/irc.te
> policy/modules/apps/irc.fc | 18 ++++++-------
> policy/modules/apps/irc.if | 29 ++++++++++++++++++---
> policy/modules/apps/irc.te | 59 +++++++++++++++++++++++++++++++++++--------
> 3 files changed, 80 insertions(+), 26 deletions(-)
>
> diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
> index 65ece18..200a6cd 100644
> --- a/policy/modules/apps/irc.fc
> +++ b/policy/modules/apps/irc.fc
> @@ -1,11 +1,9 @@
> -#
> -# /home
> -#
> -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
>
> -#
> -# /usr
> -#
> -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/etc/irssi.conf -- gen_context(system_u:object_r:irc_etc_t,s0)
> +
> +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
> diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
> index 4f9dc90..a638de0 100644
> --- a/policy/modules/apps/irc.if
> +++ b/policy/modules/apps/irc.if
> @@ -1,4 +1,4 @@
> -## <summary>IRC client policy</summary>
> +## <summary>IRC clients.</summary>
>
> ########################################
> ## <summary>
> @@ -17,15 +17,34 @@
> #
> interface(`irc_role',`
> gen_require(`
> - type irc_t, irc_exec_t;
> + type irc_t, irc_exec_t, irc_tmp_t;
> + type irc_home_t;
> ')
>
> role $1 types irc_t;
>
> - # Transition from the user domain to the derived domain.
> domtrans_pattern($2, irc_exec_t, irc_t)
>
> - # allow ps to show irc
> ps_process_pattern($2, irc_t)
> - allow $2 irc_t:process signal;
> + allow $2 irc_t:process { ptrace signal_perms };
> +
> + manage_dirs_pattern($2, irc_home_t, irc_home_t)
> + manage_files_pattern($2, irc_home_t, irc_home_t)
> + manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> + relabel_dirs_pattern($2, irc_home_t, irc_home_t)
> + relabel_files_pattern($2, irc_home_t, irc_home_t)
> + relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> + manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +
> + relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> ')
> diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
> index 66beb80..b1526ce 100644
> --- a/policy/modules/apps/irc.te
> +++ b/policy/modules/apps/irc.te
> @@ -5,6 +5,14 @@ policy_module(irc, 2.1.0)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Allow IRC Clients to connect to any TCP port,
> +## and to bind TCP sockets to any unreserved port.
> +## </p>
> +## </desc>
> +gen_tunable(irc_can_network, false)

A more specific name would be better. Maybe irc_full_networking or
something.

> type irc_t;
> type irc_exec_t;
> typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
> @@ -12,6 +20,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
> application_domain(irc_t, irc_exec_t)
> ubac_constrained(irc_t)
>
> +type irc_etc_t;
> +files_config_file(irc_etc_t)

Why is this necessary? From what I can tell, irc_t only reads it.
Irc_t already can read etc_t files, so this seems unnecessary.

> type irc_home_t;
> typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
> typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
> @@ -20,23 +31,28 @@ userdom_user_home_content(irc_home_t)
> type irc_tmp_t;
> typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
> typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
> -userdom_user_home_content(irc_tmp_t)
> +files_tmp_file(irc_tmp_t)
> +ubac_constrained(irc_tmp_t)
>
> ########################################
> #
> # Local policy
> #
>
> +allow irc_t self:process { signal sigkill };
> +allow irc_t self:fifo_file rw_fifo_file_perms;
> +allow irc_t self:netlink_route_socket create_netlink_socket_perms;
> allow irc_t self:unix_stream_socket create_stream_socket_perms;
> -allow irc_t self:tcp_socket create_socket_perms;
> +allow irc_t self:tcp_socket create_stream_socket_perms;
> allow irc_t self:udp_socket create_socket_perms;
>
> +allow irc_t irc_etc_t:file read_file_perms;
> +
> manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
> manage_files_pattern(irc_t, irc_home_t, irc_home_t)
> manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
> userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
>
> -# access files under /tmp
> manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> @@ -44,7 +60,9 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
>
> -kernel_read_proc_symlinks(irc_t)
> +kernel_read_system_state(irc_t)
> +
> +corecmd_read_bin_symlinks(irc_t)
>
> corenet_all_recvfrom_unlabeled(irc_t)
> corenet_all_recvfrom_netlabel(irc_t)
> @@ -52,12 +70,19 @@ corenet_tcp_sendrecv_generic_if(irc_t)
> corenet_udp_sendrecv_generic_if(irc_t)
> corenet_tcp_sendrecv_generic_node(irc_t)
> corenet_udp_sendrecv_generic_node(irc_t)
> +corenet_tcp_bind_generic_node(irc_t)
> +corenet_udp_bind_generic_node(irc_t)
> corenet_tcp_sendrecv_all_ports(irc_t)
> corenet_udp_sendrecv_all_ports(irc_t)
> +corenet_tcp_connect_ircd_port(irc_t)
> corenet_sendrecv_ircd_client_packets(irc_t)
> -# cjp: this seems excessive:
> -corenet_tcp_connect_all_ports(irc_t)
> -corenet_sendrecv_all_client_packets(irc_t)
> +corenet_tcp_connect_http_cache_port(irc_t)
> +corenet_sendrecv_http_cache_client_packets(irc_t)
> +corenet_tcp_connect_gatekeeper_port(irc_t)
> +corenet_sendrecv_gatekeeper_client_packets(irc_t)
> +
> +dev_read_urand(irc_t)
> +dev_read_rand(irc_t)
>
> domain_use_interactive_fds(irc_t)
>
> @@ -70,22 +95,26 @@ fs_getattr_xattr_fs(irc_t)
> fs_search_auto_mountpoints(irc_t)
>
> term_use_controlling_term(irc_t)
> -term_list_ptys(irc_t)
>
> -# allow utmp access
> init_read_utmp(irc_t)
> init_dontaudit_lock_utmp(irc_t)
>
> +miscfiles_read_certs(irc_t)
> miscfiles_read_localization(irc_t)
>
> -# Inherit and use descriptors from newrole.
> seutil_use_newrole_fds(irc_t)
>
> sysnet_read_config(irc_t)
>
> -# Write to the user domain tty.
> userdom_use_user_terminals(irc_t)
>
> +tunable_policy(`irc_can_network',`
> + corenet_tcp_bind_all_unreserved_ports(irc_t)
> + corenet_sendrecv_all_server_packets(irc_t)
> + corenet_tcp_connect_all_ports(irc_t)
> + corenet_sendrecv_all_client_packets(irc_t)
> +')
> +
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(irc_t)
> fs_manage_nfs_files(irc_t)
> @@ -99,5 +128,13 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + automount_dontaudit_getattr_tmp_dirs(irc_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(irc_t)
> ')
> +
> +optional_policy(`
> + nscd_socket_use(irc_t)
> +')

These two and the netlink_route socket earlier makes it look like its
going towards auth_use_nsswitch().

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-22 21:14:28

by domg472

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:

>> +## <desc>
>> +## <p>
>> +## Allow IRC Clients to connect to any TCP port,
>> +## and to bind TCP sockets to any unreserved port.
>> +## </p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
>
> A more specific name would be better. Maybe irc_full_networking or
> something.

I had something like that ("irc_use_full_network") but i thought you would
like this better because other domains use similar names, like
"httpd_can_network_connect" etc. Feel free to change it.

>> +type irc_etc_t;
>> +files_config_file(irc_etc_t)
>
> Why is this necessary? From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.

No particular reason although i am not sure if this file can hold
sensitive information. It might also come in handy for an irc_admin()
although that would be the only thing one would need irc_admin() for.

Feel free to remove it (and its corresponding file context.

>> optional_policy(`
>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>> +')
>> +
>> +optional_policy(`
>> nis_use_ypbind(irc_t)
>> ')
>> +
>> +optional_policy(`
>> + nscd_socket_use(irc_t)
>> +')
>
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().

Both are actually untested. Although the the first is afaik common to
user apps with user home content.

The latter is more a guess because irssi wants to search nscd pid. So i
am assuming that it does that because it supports nscd (if one have nscd
enabled, which i do not)

So feel free to either remove that and add nscd_dontaudit_search_pid()
(or similar) or add the auth_use_nsswitch(irc_t)

Can you apply these changes or do i have to submit a new patch?



2010-06-23 08:55:32

by domg472

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:

Some more arguments:

>> +## <desc>
>> +## <p>
>> +## Allow IRC Clients to connect to any TCP port,
>> +## and to bind TCP sockets to any unreserved port.
>> +## </p>
>> +## </desc>
>> +gen_tunable(irc_can_network, false)
>
> A more specific name would be better. Maybe irc_full_networking or
> something.
>

irc_full_network sounds consistent. qemu uses a similar boolean
"qemu_full_network"

>>
>> +type irc_etc_t;
>> +files_config_file(irc_etc_t)
>
> Why is this necessary? From what I can tell, irc_t only reads it.
> Irc_t already can read etc_t files, so this seems unnecessary.
>

Few arguments here:

1. possible sensitive data.
2. irc_admin()
3. mozilla also has a mozilla_etc_t and also has access to
files_read_etc_files() afaik.

>> optional_policy(`
>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>> +')
>> +
>> +optional_policy(`
>> nis_use_ypbind(irc_t)
>> ')
>> +
>> +optional_policy(`
>> + nscd_socket_use(irc_t)
>> +')
>
> These two and the netlink_route socket earlier makes it look like its
> going towards auth_use_nsswitch().
>

Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
"nscd_socket_use" and "... self:netlink_route_socket
r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().

So either mozillas policy is wrong here too or it is unrelated.

Fact remains that irssi searches nscd pid directories, likely looking
for the nscd.socket to connect to.

automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
to irc clients, but since the irc domain can own temporary objects, my
opinion is that we should support it.

All in all, personally i would only change the boolean name and leave
the rest unchanged.


2010-06-23 12:15:32

by cpebenito

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On Wed, 2010-06-23 at 10:55 +0200, Dominick Grift wrote:
> On 06/22/2010 09:49 PM, Christopher J. PeBenito wrote:
>
> Some more arguments:
>
> >> +## <desc>
> >> +## <p>
> >> +## Allow IRC Clients to connect to any TCP port,
> >> +## and to bind TCP sockets to any unreserved port.
> >> +## </p>
> >> +## </desc>
> >> +gen_tunable(irc_can_network, false)
> >
> > A more specific name would be better. Maybe irc_full_networking or
> > something.
> >
>
> irc_full_network sounds consistent. qemu uses a similar boolean
> "qemu_full_network"

Thats fine.

> >>
> >> +type irc_etc_t;
> >> +files_config_file(irc_etc_t)
> >
> > Why is this necessary? From what I can tell, irc_t only reads it.
> > Irc_t already can read etc_t files, so this seems unnecessary.
> >
>
> Few arguments here:
>
> 1. possible sensitive data.

Such as?

> 2. irc_admin()

I'm not really compelled by this. I don't think regular apps have
admins.

> 3. mozilla also has a mozilla_etc_t and also has access to
> files_read_etc_files() afaik.

If anything, this just tells me that mozilla is wrong too.

> >> optional_policy(`
> >> + automount_dontaudit_getattr_tmp_dirs(irc_t)
> >> +')
> >> +
> >> +optional_policy(`
> >> nis_use_ypbind(irc_t)
> >> ')
> >> +
> >> +optional_policy(`
> >> + nscd_socket_use(irc_t)
> >> +')
> >
> > These two and the netlink_route socket earlier makes it look like its
> > going towards auth_use_nsswitch().
> >
>
> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
> "nscd_socket_use" and "... self:netlink_route_socket
> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().

I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
perms. Mozilla does not have nis_use_ypbind(), so it doesn't seem to
need auth_use_nsswitch() yet. Thats not the case here.

> So either mozillas policy is wrong here too or it is unrelated.
>
> Fact remains that irssi searches nscd pid directories, likely looking
> for the nscd.socket to connectto.
>
> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
> to irc clients, but since the irc domain can own temporary objects, my
> opinion is that we should support it.
>
> All in all, personally i would only change the boolean name and leave
> the rest unchanged.
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-23 12:28:05

by domg472

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:

>>>>
>>>> +type irc_etc_t;
>>>> +files_config_file(irc_etc_t)
>>>
>>> Why is this necessary? From what I can tell, irc_t only reads it.
>>> Irc_t already can read etc_t files, so this seems unnecessary.
>>>
>>
>> Few arguments here:
>>
>> 1. possible sensitive data.
>
> Such as?
>

For example: "proxy_password = "";"

>> 2. irc_admin()
>
> I'm not really compelled by this. I don't think regular apps have
> admins.

Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
can set system-wide overrides.

>
>> 3. mozilla also has a mozilla_etc_t and also has access to
>> files_read_etc_files() afaik.
>
> If anything, this just tells me that mozilla is wrong too.

That may indeed be wrong but i still believe irc_etc_t is the right
thing to do for irc_t.

>>>> optional_policy(`
>>>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>> nis_use_ypbind(irc_t)
>>>> ')
>>>> +
>>>> +optional_policy(`
>>>> + nscd_socket_use(irc_t)
>>>> +')
>>>
>>> These two and the netlink_route socket earlier makes it look like its
>>> going towards auth_use_nsswitch().
>>>
>>
>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>> "nscd_socket_use" and "... self:netlink_route_socket
>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
>
> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> perms. Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> need auth_use_nsswitch() yet. Thats not the case here.
>
>> So either mozillas policy is wrong here too or it is unrelated.
>>
>> Fact remains that irssi searches nscd pid directories, likely looking
>> for the nscd.socket to connectto.
>>
>> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
>> to irc clients, but since the irc domain can own temporary objects, my
>> opinion is that we should support it.
>>
>> All in all, personally i would only change the boolean name and leave
>> the rest unchanged.
>>
>

I am not sure here. Like i said before; i do not have a nis nor ldap or
nscd configuration. The netlink socket perms are confirmed to be
required for irssi, and i can also confirm that irssi at least searches
nscd pid directories. I can only assume it does that to find the
nscd.socket.

If you are not comfortable with adding auth_use_nsswitch(irc_t), then
please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
and nis_use_ypbind.

For what it is worth: In my personal branch i decided to just add
auth_use_nsswitch(irc_t).


2010-06-23 12:35:20

by domg472

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:

>>>> optional_policy(`
>>>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>> nis_use_ypbind(irc_t)
>>>> ')
>>>> +
>>>> +optional_policy(`
>>>> + nscd_socket_use(irc_t)
>>>> +')
>>>
>>> These two and the netlink_route socket earlier makes it look like its
>>> going towards auth_use_nsswitch().
>>>
>>
>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>> "nscd_socket_use" and "... self:netlink_route_socket
>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
>
> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> perms. Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> need auth_use_nsswitch() yet. Thats not the case here.
>
>> So either mozillas policy is wrong here too or it is unrelated.
>>
>> Fact remains that irssi searches nscd pid directories, likely looking
>> for the nscd.socket to connectto.
>>
>> automount_dontaudit_getattr_tmp_dirs(irc_t) is in my view not specific
>> to irc clients, but since the irc domain can own temporary objects, my
>> opinion is that we should support it.
>>
>> All in all, personally i would only change the boolean name and leave
>> the rest unchanged.
>>
>

Also note that nis_use_ypbind(irc_t) was already there for irc_t. But
nonetheless my irssi policy also has it. The underlying idea for me was
to support nis. (which i cannot confirm that it actually works)


2010-06-23 13:49:06

by cpebenito

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On Wed, 2010-06-23 at 14:28 +0200, Dominick Grift wrote:
> On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:
>
> >>>>
> >>>> +type irc_etc_t;
> >>>> +files_config_file(irc_etc_t)
> >>>
> >>> Why is this necessary? From what I can tell, irc_t only reads it.
> >>> Irc_t already can read etc_t files, so this seems unnecessary.
> >>>
> >>
> >> Few arguments here:
> >>
> >> 1. possible sensitive data.
> >
> > Such as?
> >
>
> For example: "proxy_password = "";"

Perhaps. Though I suspect its actually not that sensitive, and its
probably easy to get through the app itself.

> >> 2. irc_admin()
> >
> > I'm not really compelled by this. I don't think regular apps have
> > admins.
>
> Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
> can set system-wide overrides.
>
> >
> >> 3. mozilla also has a mozilla_etc_t and also has access to
> >> files_read_etc_files() afaik.
> >
> > If anything, this just tells me that mozilla is wrong too.
>
> That may indeed be wrong but i still believe irc_etc_t is the right
> thing to do for irc_t.
>
> >>>> optional_policy(`
> >>>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
> >>>> +')
> >>>> +
> >>>> +optional_policy(`
> >>>> nis_use_ypbind(irc_t)
> >>>> ')
> >>>> +
> >>>> +optional_policy(`
> >>>> + nscd_socket_use(irc_t)
> >>>> +')
> >>>
> >>> These two and the netlink_route socket earlier makes it look like its
> >>> going towards auth_use_nsswitch().
> >>>
> >>
> >> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
> >> "nscd_socket_use" and "... self:netlink_route_socket
> >> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
> >
> > I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> > perms. Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> > need auth_use_nsswitch() yet. Thats not the case here.
[...]
> I am not sure here. Like i said before; i do not have a nis nor ldap or
> nscd configuration. The netlink socket perms are confirmed to be
> required for irssi, and i can also confirm that irssi atleast searches
> nscd pid directories. I can only assume it does that to find the
> nscd.socket.
>
> If you are not comfortable with adding auth_use_nsswitch(irc_t), then
> please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
> and nis_use_ypbind.
>
> For what it is worth: In my personal branch i decided to just add
> auth_use_nsswitch(irc_t).

I think you misunderstand. I think auth_use_nsswitch(irc_t) _should_ be
in there.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-23 13:50:33

by cpebenito

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On Wed, 2010-06-23 at 09:49 -0400, Christopher J. PeBenito wrote:
> On Wed, 2010-06-23 at 14:28 +0200, Dominick Grift wrote:
> > On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:
> >
> > >>>>
> > >>>> +type irc_etc_t;
> > >>>> +files_config_file(irc_etc_t)
> > >>>
> > >>> Why is this necessary? From what I can tell, irc_t only reads it.
> > >>> Irc_t already can read etc_t files, so this seems unnecessary.
> > >>>
> > >>
> > >> Few arguments here:
> > >>
> > >> 1. possible sensitive data.
> > >
> > > Such as?
> > >
> >
> > For example: "proxy_password = "";"
>
> Perhaps. Though I suspect its actually not that sensitive, and its
> probably easy to get through the app itself.
>
> > >> 2. irc_admin()
> > >
> > > I'm not really compelled by this. I don't think regular apps have
> > > admins.
> >
> > Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
> > can set system-wide overrides.

I'm still not compelled by the idea of an irc admin.

> > >
> > >> 3. mozilla also has a mozilla_etc_t and also has access to
> > >> files_read_etc_files() afaik.
> > >
> > > If anything, this just tells me that mozilla is wrong too.
> >
> > That may indeed be wrong but i still believe irc_etc_t is the right
> > thing to do for irc_t.
> >
> > >>>> optional_policy(`
> > >>>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
> > >>>> +')
> > >>>> +
> > >>>> +optional_policy(`
> > >>>> nis_use_ypbind(irc_t)
> > >>>> ')
> > >>>> +
> > >>>> +optional_policy(`
> > >>>> + nscd_socket_use(irc_t)
> > >>>> +')
> > >>>
> > >>> These two and the netlink_route socket earlier makes it look like its
> > >>> going towards auth_use_nsswitch().
> > >>>
> > >>
> > >> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
> > >> "nscd_socket_use" and "... self:netlink_route_socket
> > >> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
> > >
> > > I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
> > > perms. Mozilla does not have nis_use_ypbind(), so it doesn't seem to
> > > need auth_use_nsswitch() yet. Thats not the case here.
> [...]
> > I am not sure here. Like i said before; i do not have a nis nor ldap or
> > nscd configuration. The netlink socket perms are confirmed to be
> > required for irssi, and i can also confirm that irssi atleast searches
> > nscd pid directories. I can only assume it does that to find the
> > nscd.socket.
> >
> > If you are not comfortable with adding auth_use_nsswitch(irc_t), then
> > please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
> > and nis_use_ypbind.
> >
> > For what it is worth: In my personal branch i decided to just add
> > auth_use_nsswitch(irc_t).
>
> I think you misunderstand. I think auth_use_nsswitch(irc_t) _should_ be
> in there.
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-23 14:18:13

by domg472

Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI.

On 06/23/2010 03:50 PM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-23 at 09:49 -0400, Christopher J. PeBenito wrote:
>> On Wed, 2010-06-23 at 14:28 +0200, Dominick Grift wrote:
>>> On 06/23/2010 02:15 PM, Christopher J. PeBenito wrote:
>>>
>>>>>>>
>>>>>>> +type irc_etc_t;
>>>>>>> +files_config_file(irc_etc_t)
>>>>>>
>>>>>> Why is this necessary? From what I can tell, irc_t only reads it.
>>>>>> Irc_t already can read etc_t files, so this seems unnecessary.
>>>>>>
>>>>>
>>>>> Few arguments here:
>>>>>
>>>>> 1. possible sensitive data.
>>>>
>>>> Such as?
>>>>
>>>
>>> For example: "proxy_password = "";"
>>
>> Perhaps. Though I suspect its actually not that sensitive, and its
>> probably easy to get through the app itself.
>>
>>>>> 2. irc_admin()
>>>>
>>>> I'm not really compelled by this. I don't think regular apps have
>>>> admins.
>>>
>>> Well this is a system-wide config in /etc/irssi.conf only an (irc) admin
>>> can set system-wide overrides.
>
> I'm still not compelled by the idea of an irc admin.

Alright, why not commit what you think is right and drop the rest?

>
>>>>
>>>>> 3. mozilla also has a mozilla_etc_t and also has access to
>>>>> files_read_etc_files() afaik.
>>>>
>>>> If anything, this just tells me that mozilla is wrong too.
>>>
>>> That may indeed be wrong but i still believe irc_etc_t is the right
>>> thing to do for irc_t.
>>>
>>>>>>> optional_policy(`
>>>>>>> + automount_dontaudit_getattr_tmp_dirs(irc_t)
>>>>>>> +')
>>>>>>> +
>>>>>>> +optional_policy(`
>>>>>>> nis_use_ypbind(irc_t)
>>>>>>> ')
>>>>>>> +
>>>>>>> +optional_policy(`
>>>>>>> + nscd_socket_use(irc_t)
>>>>>>> +')
>>>>>>
>>>>>> These two and the netlink_route socket earlier makes it look like its
>>>>>> going towards auth_use_nsswitch().
>>>>>>
>>>>>
>>>>> Mozilla also has "automount_dontaudit_getattr_tmp_dirs",
>>>>> "nscd_socket_use" and "... self:netlink_route_socket
>>>>> r_netlink_socket_perms;", but does NOT have auth_use_nsswitch().
>>>>
>>>> I mean the nis_use_ypbind(), nscd_socket_use(), and netlink_route_socket
>>>> perms. Mozilla does not have nis_use_ypbind(), so it doesn't seem to
>>>> need auth_use_nsswitch() yet. Thats not the case here.
>> [...]
>>> I am not sure here. Like i said before; i do not have a nis nor ldap or
>>> nscd configuration. The netlink socket perms are confirmed to be
>>> required for irssi, and i can also confirm that irssi atleast searches
>>> nscd pid directories. I can only assume it does that to find the
>>> nscd.socket.
>>>
>>> If you are not comfortable with adding auth_use_nsswitch(irc_t), then
>>> please add nscd_dontaudit_search_pid() and remove the nscd_socket_use
>>> and nis_use_ypbind.
>>>
>>> For what it is worth: In my personal branch i decided to just add
>>> auth_use_nsswitch(irc_t).
>>
>> I think you misunderstand. I think auth_use_nsswitch(irc_t) _should_ be
>> in there.
>>
>

Alright, i cannot confirm nor deny. Why not commit what you think is right?

