From: domg472@gmail.com (Dominick Grift)
Date: Mon, 21 Jun 2010 16:53:22 +0200
Subject: [refpolicy] apps_irc.patch
In-Reply-To: <1277125775.2929.359.camel@gorn.columbia.tresys.com>
References: <4C06B996.50800@redhat.com>
	<1277125775.2929.359.camel@gorn.columbia.tresys.com>
Message-ID: <20100621145320.GA30288@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jun 21, 2010 at 09:09:35AM -0400, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote:
> > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
> > 
> > isc policy updates from Dominic Grift.
> 
> Why does irssi need a special domain?  Why can't it just use/augment the
> irc_t domain?

Because of this:

allow irc_t self:unix_stream_socket create_stream_socket_perms;
allow irc_t self:tcp_socket create_socket_perms;

manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })

kernel_read_proc_symlinks(irc_t)

corenet_tcp_sendrecv_all_ports(irc_t)
corenet_udp_sendrecv_all_ports(irc_t)
corenet_tcp_connect_all_ports(irc_t)
corenet_sendrecv_all_client_packets(irc_t)

domain_use_interactive_fds(irc_t)

files_dontaudit_search_pids(irc_t)
files_search_var(irc_t)

fs_getattr_xattr_fs(irc_t)

term_use_controlling_term(irc_t)
term_list_ptys(irc_t)

init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)

seutil_use_newrole_fds(irc_t)

allow irssi_t self:process { signal sigkill };
allow irssi_t self:fifo_file rw_fifo_file_perms;
allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
allow irssi_t self:tcp_socket create_stream_socket_perms;

allow irssi_t irssi_etc_t:file read_file_perms;

kernel_read_system_state(irssi_t)

corecmd_read_bin_symlinks(irssi_t)

corenet_udp_sendrecv_generic_node(irssi_t)
corenet_tcp_connect_ircd_port(irssi_t)

corenet_tcp_connect_http_cache_port(irssi_t)
corenet_sendrecv_http_cache_client_packets(irssi_t)

corenet_tcp_connect_gatekeeper_port(irssi_t)
corenet_sendrecv_gatekeeper_client_packets(irssi_t)

dev_read_urand(irssi_t)
dev_read_rand(irssi_t)

miscfiles_read_certs(irssi_t)

tunable_policy(`irssi_use_full_network',`
	corenet_tcp_bind_all_unreserved_ports(irssi_t)
	corenet_tcp_connect_all_ports(irssi_t)
	corenet_sendrecv_all_client_packets(irssi_t)
	corenet_sendrecv_generic_server_packets(irssi_t)
')

optional_policy(`
	automount_dontaudit_getattr_tmp_dirs(irssi_t)
')

optional_policy(`
	nscd_socket_use(irssi_t
')

I think its just too much overhead. Besides i do not agree with some of the security decisions made for the irc_t domain.

So the best compromise in my view is to just add a new irssi_t domain to the existing irc module.

That said, i think the patch that is in question here is not what i currently have in my repository. In my repository i have combined all policy that is common to both irc_t and irssi_t in a irc_domain section (attribute irc_domain for both irc_t, irssi_t)

Also if i am not mistaken, i have submitted a patch where irssi was merged into the irc_t domain some time ago, That patch has not made it in either for some reason.

> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100621/29e60178/attachment.bin