From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 12 Apr 2010 11:07:39 -0400 Subject: [refpolicy] [ irc patch RETRY 1/1] Extend IRC client policy to support irssi. In-Reply-To: <20100322115728.GA9609@localhost.localdomain> References: <20100322115728.GA9609@localhost.localdomain> Message-ID: <1271084859.2815.201.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2010-03-22 at 12:57 +0100, Dominick Grift wrote: > Slight error in my previous patch where i forgot to allow users to manage and relabel irc_tmp_t lnk_files. Comments inline. > Signed-off-by: Dominick Grift > --- > :100644 100644 65ece18... 45203f4... M policy/modules/apps/irc.fc > :100644 100644 4f9dc90... 2111a46... M policy/modules/apps/irc.if > :100644 100644 789e684... e4535f8... M policy/modules/apps/irc.te > policy/modules/apps/irc.fc | 15 ++++++++--- > policy/modules/apps/irc.if | 21 +++++++++++++++ > policy/modules/apps/irc.te | 60 +++++++++++++++++++++++++++++++++++++++---- > 3 files changed, 86 insertions(+), 10 deletions(-) > > diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc > index 65ece18..45203f4 100644 > --- a/policy/modules/apps/irc.fc > +++ b/policy/modules/apps/irc.fc 
> @@ -1,11 +1,18 @@
> #
> # /home
> #
> -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
> +
> +#
> +# /etc
> +#
> +/etc/irssi\.conf -- gen_context(system_u:object_r:irc_etc_t,s0)
>
> #
> # /usr
> #
> -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
Whitespace changes should be in a separate patch.
> diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
> index 4f9dc90..2111a46 100644
> --- a/policy/modules/apps/irc.if
> +++ b/policy/modules/apps/irc.if
> @@ -18,6 +18,7 @@
> interface(`irc_role',`
> gen_require(`
> type irc_t, irc_exec_t;
> + type irc_home_t, irc_tmp_t;
> ')
>
> role $1 types irc_t;
> @@ -28,4 +29,24 @@ interface(`irc_role',`
> # allow ps to show irc
> ps_process_pattern($2, irc_t)
> allow $2 irc_t:process signal;
> +
> + manage_dirs_pattern($2, irc_home_t, irc_home_t)
> + manage_files_pattern($2, irc_home_t, irc_home_t)
> + manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> + manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +
> + relabel_dirs_pattern($2, irc_home_t, irc_home_t)
> + relabel_files_pattern($2, irc_home_t, irc_home_t)
> + relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> + relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> ')
> diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
> index 789e684..e4535f8 100644
> --- a/policy/modules/apps/irc.te
> +++ b/policy/modules/apps/irc.te
> @@ -6,6 +6,22 @@ policy_module(irc, 2.1.0)
> # Declarations
> #
>
> +##
> +##

> +## Allow IRC clients to connect to
> +## any ports.
> +##

> +##
> +gen_tunable(irc_connect_any, false)
> +
> +##
> +##

> +## Allow IRC clients to bind to
> +## generic ports.
> +##

> +##
> +gen_tunable(irc_tcp_server, false)
> +
> type irc_t;
> type irc_exec_t;
> typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
> @@ -13,6 +29,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
> application_domain(irc_t, irc_exec_t)
> ubac_constrained(irc_t)
>
> +type irc_etc_t;
> +files_config_file(irc_etc_t)
> +
> type irc_home_t;
> typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
> typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
> @@ -21,21 +40,28 @@ userdom_user_home_content(irc_home_t)
> type irc_tmp_t;
> typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
> typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
> -userdom_user_home_content(irc_tmp_t)
> +files_tmp_file(irc_tmp_t)
> +ubac_constrained(irc_tmp_t)
>
> ########################################
> #
> # Local policy
> #
>
> -allow irc_t self:unix_stream_socket create_stream_socket_perms;
> -allow irc_t self:tcp_socket create_socket_perms;
> +allow irc_t self:process { signal sigkill };
> +allow irc_t self:fifo_file rw_fifo_file_perms;
> +allow irc_t self:netlink_route_socket create_netlink_socket_perms;
> +allow irc_t self:tcp_socket create_stream_socket_perms;
> allow irc_t self:udp_socket create_socket_perms;
> +allow irc_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow irc_t irc_etc_t:file read_file_perms;
This type seems redundant since irc can already read etc files.
> manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
> manage_files_pattern(irc_t, irc_home_t, irc_home_t)
> manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
> userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
> +userdom_search_user_home_dirs(irc_t)
Shouldn't be needed due to the rule above it.
> # access files under /tmp
> manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
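Review bot: The `tcp_socket` rule in the local policy hunk widens `create_socket_perms` to `create_stream_socket_perms`, which in refpolicy's permission sets adds `listen` and `accept` for every irc_t process, regardless of the `irc_tcp_server` tunable that this same patch introduces with a default of false. Those two permissions are only useful once the client is allowed to bind a port, so the unconditional rule could stay `allow irc_t self:tcp_socket create_socket_perms;` and the `irc_tcp_server` block could carry `allow irc_t self:tcp_socket { listen accept };`. That keeps the default policy from granting server-side socket permissions to a domain that is meant to act only as a client. The local policy section continues past the end of this hunk.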
> @@ -47,6 +73,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
>
> kernel_read_proc_symlinks(irc_t)
>
> +corecmd_search_bin(irc_t)
> +corecmd_read_bin_symlinks(irc_t)
The first line is redundant due to the second.
> corenet_all_recvfrom_unlabeled(irc_t)
> corenet_all_recvfrom_netlabel(irc_t)
> corenet_tcp_sendrecv_generic_if(irc_t)
> @@ -55,10 +84,15 @@ corenet_tcp_sendrecv_generic_node(irc_t)
> corenet_udp_sendrecv_generic_node(irc_t)
> corenet_tcp_sendrecv_all_ports(irc_t)
> corenet_udp_sendrecv_all_ports(irc_t)
> +# Privoxy
> +corenet_tcp_connect_http_cache_port(irc_t)
> +corenet_sendrecv_http_cache_client_packets(irc_t)
> +corenet_tcp_connect_ircd_port(irc_t)
> corenet_sendrecv_ircd_client_packets(irc_t)
> -# cjp: this seems excessive:
> -corenet_tcp_connect_all_ports(irc_t)
> -corenet_sendrecv_all_client_packets(irc_t)
> +
> +dev_read_urand(irc_t)
> +# irssi-otr genkey.
> +dev_read_rand(irc_t)
>
> domain_use_interactive_fds(irc_t)
>
> @@ -87,6 +121,16 @@ sysnet_read_config(irc_t)
> # Write to the user domain tty.
> userdom_use_user_terminals(irc_t)
>
> +tunable_policy(`irc_connect_any',`
> + corenet_tcp_connect_all_ports(irc_t)
> + corenet_sendrecv_all_client_packets(irc_t)
> +')
> +
> +tunable_policy(`irc_tcp_server',`
> + corenet_tcp_bind_generic_port(irc_t)
> + corenet_sendrecv_generic_server_packets(irc_t)
> +')
> +
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(irc_t)
> fs_manage_nfs_files(irc_t)
> @@ -100,5 +144,9 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + automount_dontaudit_getattr_tmp_dirs(irc_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(irc_t)
> ')
-- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
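Review bot: The `# Privoxy` comment in the corenet hunk does not say which rules it covers or why, and the two `http_cache` rules under it are granted to every IRC client unconditionally, even though this patch moves the broad connect rules behind `irc_connect_any`. A fuller comment such as `# Allow connecting through an HTTP proxy (e.g. Privoxy) on http_cache ports.` would make the scope clear, with a blank line before `corenet_tcp_connect_ircd_port(irc_t)` so the IRC rule is not read as part of the proxy group. If proxy use is not the common case, the two `http_cache` lines could be gated by a tunable in the same way as the connect-any rules.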
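Review bot: The `irc_tcp_server` block grants the port side of bind through `corenet_tcp_bind_generic_port(irc_t)`, but no node bind rule for irc_t is visible in any hunk of this patch, so a bind may still be denied with the tunable enabled unless irc.te already has one outside the shown context. If it is missing, `corenet_tcp_bind_generic_node(irc_t)` belongs inside this block next to the port rule. A short comment above the block stating which client feature needs a listening socket would also help, since the tunable description only says it allows binding to generic ports.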