From: domg472@gmail.com (Dominick Grift) Date: Mon, 22 Mar 2010 12:57:31 +0100 Subject: [refpolicy] [ irc patch RETRY 1/1] Extend IRC client policy to support irssi. Message-ID: <20100322115728.GA9609@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Slight error in my previous patch where i forgot to allow users to manage and relabel irc_tmp_t lnk_files. Signed-off-by: Dominick Grift --- :100644 100644 65ece18... 45203f4... M policy/modules/apps/irc.fc :100644 100644 4f9dc90... 2111a46... M policy/modules/apps/irc.if :100644 100644 789e684... e4535f8... M policy/modules/apps/irc.te policy/modules/apps/irc.fc | 15 ++++++++--- policy/modules/apps/irc.if | 21 +++++++++++++++ policy/modules/apps/irc.te | 60 +++++++++++++++++++++++++++++++++++++++---- 3 files changed, 86 insertions(+), 10 deletions(-) diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc index 65ece18..45203f4 100644 --- a/policy/modules/apps/irc.fc +++ b/policy/modules/apps/irc.fc @@ -1,11 +1,18 @@ # # /home # -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) + +# +# /etc +# +/etc/irssi\.conf -- gen_context(system_u:object_r:irc_etc_t,s0) # # /usr # -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if index 4f9dc90..2111a46 100644 --- a/policy/modules/apps/irc.if +++ b/policy/modules/apps/irc.if 
@@ -18,6 +18,7 @@ interface(`irc_role',` gen_require(` type irc_t, irc_exec_t; + type irc_home_t, irc_tmp_t; ') role $1 types irc_t; @@ -28,4 +29,24 @@ interface(`irc_role',` # allow ps to show irc ps_process_pattern($2, irc_t) allow $2 irc_t:process signal; + + manage_dirs_pattern($2, irc_home_t, irc_home_t) + manage_files_pattern($2, irc_home_t, irc_home_t) + manage_lnk_files_pattern($2, irc_home_t, irc_home_t) + + manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t) + manage_files_pattern($2, irc_tmp_t, irc_tmp_t) + manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t) + manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t) + manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t) + + relabel_dirs_pattern($2, irc_home_t, irc_home_t) + relabel_files_pattern($2, irc_home_t, irc_home_t) + relabel_lnk_files_pattern($2, irc_home_t, irc_home_t) + + relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t) + relabel_files_pattern($2, irc_tmp_t, irc_tmp_t) + relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t) + relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t) + relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t) ') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te index 789e684..e4535f8 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -6,6 +6,22 @@ policy_module(irc, 2.1.0) # Declarations # +## +##
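Review bot: The manage and relabel pattern calls added to irc_role in the second irc.if hunk carry no comment, while the rule just above them has `# allow ps to show irc`. A single line such as `# allow the user domain to manage and relabel IRC home and temporary content` before the first `manage_dirs_pattern` would record why the role needs them. irc_role starts before this hunk, so its `##` summary block is not visible here; if that summary lists what the role grants, it should mention the new file access as well.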

+## Allow IRC clients to connect to +## any ports. +##

+##
+gen_tunable(irc_connect_any, false) + +## +##

+## Allow IRC clients to bind to +## generic ports. +##

+##
+gen_tunable(irc_tcp_server, false) + type irc_t; type irc_exec_t; typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; @@ -13,6 +29,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t }; application_domain(irc_t, irc_exec_t) ubac_constrained(irc_t) +type irc_etc_t; +files_config_file(irc_etc_t) + type irc_home_t; typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; @@ -21,21 +40,28 @@ userdom_user_home_content(irc_home_t) type irc_tmp_t; typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; -userdom_user_home_content(irc_tmp_t) +files_tmp_file(irc_tmp_t) +ubac_constrained(irc_tmp_t) ######################################## # # Local policy # -allow irc_t self:unix_stream_socket create_stream_socket_perms; -allow irc_t self:tcp_socket create_socket_perms; +allow irc_t self:process { signal sigkill }; +allow irc_t self:fifo_file rw_fifo_file_perms; +allow irc_t self:netlink_route_socket create_netlink_socket_perms; +allow irc_t self:tcp_socket create_stream_socket_perms; allow irc_t self:udp_socket create_socket_perms; +allow irc_t self:unix_stream_socket create_stream_socket_perms; + +allow irc_t irc_etc_t:file read_file_perms; manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) manage_files_pattern(irc_t, irc_home_t, irc_home_t) manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) +userdom_search_user_home_dirs(irc_t) # access files under /tmp manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) 
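Review bot: `allow irc_t self:netlink_route_socket create_netlink_socket_perms;` in the local policy hunk includes nlmsg_write, which a client that only reads interface and route information should not need. `allow irc_t self:netlink_route_socket r_netlink_socket_perms;` grants the socket create permissions plus nlmsg_read only. No capability rule for irc_t is visible in the shown lines, so this is probably least-privilege tightening rather than a reachable write path, but the narrower set documents the intent. The local policy section continues past the end of this hunk.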
@@ -47,6 +73,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_proc_symlinks(irc_t) +corecmd_search_bin(irc_t) +corecmd_read_bin_symlinks(irc_t) + corenet_all_recvfrom_unlabeled(irc_t) corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t) @@ -55,10 +84,15 @@ corenet_tcp_sendrecv_generic_node(irc_t) corenet_udp_sendrecv_generic_node(irc_t) corenet_tcp_sendrecv_all_ports(irc_t) corenet_udp_sendrecv_all_ports(irc_t) +# Privoxy +corenet_tcp_connect_http_cache_port(irc_t) +corenet_sendrecv_http_cache_client_packets(irc_t) +corenet_tcp_connect_ircd_port(irc_t) corenet_sendrecv_ircd_client_packets(irc_t) -# cjp: this seems excessive: -corenet_tcp_connect_all_ports(irc_t) -corenet_sendrecv_all_client_packets(irc_t) + +dev_read_urand(irc_t) +# irssi-otr genkey. +dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) @@ -87,6 +121,16 @@ sysnet_read_config(irc_t) # Write to the user domain tty. userdom_use_user_terminals(irc_t) +tunable_policy(`irc_connect_any',` + corenet_tcp_connect_all_ports(irc_t) + corenet_sendrecv_all_client_packets(irc_t) +') + +tunable_policy(`irc_tcp_server',` + corenet_tcp_bind_generic_port(irc_t) + corenet_sendrecv_generic_server_packets(irc_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(irc_t) fs_manage_nfs_files(irc_t) @@ -100,5 +144,9 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + automount_dontaudit_getattr_tmp_dirs(irc_t) +') + +optional_policy(` nis_use_ypbind(irc_t) ') -- 1.7.0.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100322/af5071e5/attachment.bin
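Review bot: The two http_cache lines added under `# Privoxy` are unconditional, so irc_t can always connect to ports labelled as HTTP cache ports, even with irc_connect_any off. Depending on how a proxy listening there is configured, that path can relay to destinations the boolean is meant to gate. Consider placing `corenet_tcp_connect_http_cache_port(irc_t)` and `corenet_sendrecv_http_cache_client_packets(irc_t)` under their own boolean, or extend the comment to say the proxy path is deliberately always allowed. To a lesser degree the same applies to `dev_read_rand(irc_t)`, which every client receives for one optional plugin.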
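Review bot: The `irc_tcp_server` block gates only the port bind; listen and accept on the domain's own TCP socket are granted unconditionally by the earlier switch from `create_socket_perms` to `create_stream_socket_perms` in the local policy hunk. To make the boolean cover the whole server capability, keep `allow irc_t self:tcp_socket create_socket_perms;` in the base rules and add `allow irc_t self:tcp_socket { listen accept };` inside this `tunable_policy` block. No `corenet_tcp_bind_generic_node(irc_t)` appears in the visible context; if it is not granted elsewhere in irc.te, the bind would presumably still be denied with the boolean on.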