From: domg472@gmail.com (Dominick Grift) Date: Tue, 22 Jun 2010 21:36:32 +0200 Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI. Message-ID: <20100622193622.GA26980@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The tabs in irc.fc are weird because of Eclipse. We can remove the irc_home_t stuff from irc.if once userdom_user_home_content is fixed to handle it. Signed-off-by: Dominick Grift --- :100644 100644 65ece18... 200a6cd... M policy/modules/apps/irc.fc :100644 100644 4f9dc90... a638de0... M policy/modules/apps/irc.if :100644 100644 66beb80... b1526ce... M policy/modules/apps/irc.te policy/modules/apps/irc.fc | 18 ++++++------- policy/modules/apps/irc.if | 29 ++++++++++++++++++--- policy/modules/apps/irc.te | 59 +++++++++++++++++++++++++++++++++++-------- 3 files changed, 80 insertions(+), 26 deletions(-) diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc index 65ece18..200a6cd 100644 --- a/policy/modules/apps/irc.fc +++ b/policy/modules/apps/irc.fc @@ -1,11 +1,9 @@ -# -# /home -# -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) -# -# /usr -# -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) +/etc/irssi.conf -- gen_context(system_u:object_r:irc_etc_t,s0) + +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if index 4f9dc90..a638de0 100644 --- a/policy/modules/apps/irc.if +++ b/policy/modules/apps/irc.if 
@@ -1,4 +1,4 @@ -## IRC client policy +## IRC clients. ######################################## ## @@ -17,15 +17,34 @@ # interface(`irc_role',` gen_require(` - type irc_t, irc_exec_t; + type irc_t, irc_exec_t, irc_tmp_t; + type irc_home_t; ') role $1 types irc_t; - # Transition from the user domain to the derived domain. domtrans_pattern($2, irc_exec_t, irc_t) - # allow ps to show irc ps_process_pattern($2, irc_t) - allow $2 irc_t:process signal; + allow $2 irc_t:process { ptrace signal_perms }; + + manage_dirs_pattern($2, irc_home_t, irc_home_t) + manage_files_pattern($2, irc_home_t, irc_home_t) + manage_lnk_files_pattern($2, irc_home_t, irc_home_t) + + relabel_dirs_pattern($2, irc_home_t, irc_home_t) + relabel_files_pattern($2, irc_home_t, irc_home_t) + relabel_lnk_files_pattern($2, irc_home_t, irc_home_t) + + manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t) + manage_files_pattern($2, irc_tmp_t, irc_tmp_t) + manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t) + manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t) + manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t) + + relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t) + relabel_files_pattern($2, irc_tmp_t, irc_tmp_t) + relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t) + relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t) + relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t) ') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te index 66beb80..b1526ce 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -5,6 +5,14 @@ policy_module(irc, 2.1.0) # Declarations # +## +##
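Review bot: The `ptrace` permission added in `allow $2 irc_t:process { ptrace signal_perms };` inside `irc_role` is not explained by the commit message, and it lets every process in the calling user domain read and modify the IRC client's memory, which may hold server or nickname-service passwords. Unless a concrete use case needs it, `allow $2 irc_t:process signal_perms;` keeps the signal widening without the debug access. The commit message says the `irc_home_t` rules are temporary, but nothing in irc.if records that; a comment such as `# TODO: drop the irc_home_t rules once userdom_user_home_content() grants them` above the first `manage_dirs_pattern` would. The hunk also deletes the two comments explaining the domain transition and the ps rule, and the interface's summary header starts outside this hunk.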

+## Allow IRC Clients to connect to any TCP port, +## and to bind TCP sockets to any unreserved port. +##

+##
+gen_tunable(irc_can_network, false) + type irc_t; type irc_exec_t; typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; @@ -12,6 +20,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t }; application_domain(irc_t, irc_exec_t) ubac_constrained(irc_t) +type irc_etc_t; +files_config_file(irc_etc_t) + type irc_home_t; typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; @@ -20,23 +31,28 @@ userdom_user_home_content(irc_home_t) type irc_tmp_t; typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; -userdom_user_home_content(irc_tmp_t) +files_tmp_file(irc_tmp_t) +ubac_constrained(irc_tmp_t) ######################################## # # Local policy # +allow irc_t self:process { signal sigkill }; +allow irc_t self:fifo_file rw_fifo_file_perms; +allow irc_t self:netlink_route_socket create_netlink_socket_perms; allow irc_t self:unix_stream_socket create_stream_socket_perms; -allow irc_t self:tcp_socket create_socket_perms; +allow irc_t self:tcp_socket create_stream_socket_perms; allow irc_t self:udp_socket create_socket_perms; +allow irc_t irc_etc_t:file read_file_perms; + manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) manage_files_pattern(irc_t, irc_home_t, irc_home_t) manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) -# access files under /tmp manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) 
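Review bot: The tunable name in `gen_tunable(irc_can_network, false)` is broader than what its own description says it controls. As far as the other hunks show, irc_t can reach the ircd port whether or not the boolean is set, and what it unlocks is connecting to any TCP port and binding any unreserved one. A name that states this, for example `irc_use_any_tcp_ports`, would tell an administrator what they are turning on. The `tunable_policy` block later in irc.te would need the same rename.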
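Review bot: In the local policy section, `allow irc_t self:netlink_route_socket create_netlink_socket_perms;` appears to include `nlmsg_write`, which a client that only looks up addresses and routes should not need. The read-only set is the usual choice: `allow irc_t self:netlink_route_socket r_netlink_socket_perms;`. The change of `tcp_socket` to `create_stream_socket_perms` also grants listen and accept unconditionally, while the matching port bind is only given under the tunable, so it is worth checking whether that rule belongs in the tunable block as well.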
@@ -44,7 +60,9 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) -kernel_read_proc_symlinks(irc_t) +kernel_read_system_state(irc_t) + +corecmd_read_bin_symlinks(irc_t) corenet_all_recvfrom_unlabeled(irc_t) corenet_all_recvfrom_netlabel(irc_t) @@ -52,12 +70,19 @@ corenet_tcp_sendrecv_generic_if(irc_t) corenet_udp_sendrecv_generic_if(irc_t) corenet_tcp_sendrecv_generic_node(irc_t) corenet_udp_sendrecv_generic_node(irc_t) +corenet_tcp_bind_generic_node(irc_t) +corenet_udp_bind_generic_node(irc_t) corenet_tcp_sendrecv_all_ports(irc_t) corenet_udp_sendrecv_all_ports(irc_t) +corenet_tcp_connect_ircd_port(irc_t) corenet_sendrecv_ircd_client_packets(irc_t) -# cjp: this seems excessive: -corenet_tcp_connect_all_ports(irc_t) -corenet_sendrecv_all_client_packets(irc_t) +corenet_tcp_connect_http_cache_port(irc_t) +corenet_sendrecv_http_cache_client_packets(irc_t) +corenet_tcp_connect_gatekeeper_port(irc_t) +corenet_sendrecv_gatekeeper_client_packets(irc_t) + +dev_read_urand(irc_t) +dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) @@ -70,22 +95,26 @@ fs_getattr_xattr_fs(irc_t) fs_search_auto_mountpoints(irc_t) term_use_controlling_term(irc_t) -term_list_ptys(irc_t) -# allow utmp access init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) +miscfiles_read_certs(irc_t) miscfiles_read_localization(irc_t) -# Inherit and use descriptors from newrole. seutil_use_newrole_fds(irc_t) sysnet_read_config(irc_t) -# Write to the user domain tty. userdom_use_user_terminals(irc_t) +tunable_policy(`irc_can_network',` + corenet_tcp_bind_all_unreserved_ports(irc_t) + corenet_sendrecv_all_server_packets(irc_t) + corenet_tcp_connect_all_ports(irc_t) + corenet_sendrecv_all_client_packets(irc_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(irc_t) fs_manage_nfs_files(irc_t) 
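Review bot: The new `corenet_tcp_connect_http_cache_port(irc_t)` and `corenet_tcp_connect_gatekeeper_port(irc_t)` rules have no comment saying which client feature needs them, and the hunk removes the only rationale this block had (`# cjp: this seems excessive:`). A one-line comment above each pair, for example `# connect through an HTTP proxy` if that is the reason, would let a later reviewer judge whether the port can be dropped. The same applies to `dev_read_rand(irc_t)`: if the client only needs randomness for TLS, `dev_read_urand` alone is probably sufficient and avoids giving irc_t access to the blocking device.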
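Review bot: The `tunable_policy` block for `irc_can_network` turns on two different exposures with a single boolean: outbound `corenet_tcp_connect_all_ports(irc_t)` and inbound `corenet_tcp_bind_all_unreserved_ports(irc_t)` with `corenet_sendrecv_all_server_packets(irc_t)`. An administrator who only needs IRC servers on non-standard ports must also let the client act as a listener. Splitting this into two tunables would keep the default-off posture finer grained. Failing that, add a comment in the block stating that the bind rules exist for inbound transfers, if that is the intent. The hunk also drops the explanatory comments on the utmp, newrole and terminal rules, which were the only documentation those lines had.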
@@ -99,5 +128,13 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + automount_dontaudit_getattr_tmp_dirs(irc_t) +') + +optional_policy(` nis_use_ypbind(irc_t) ') + +optional_policy(` + nscd_socket_use(irc_t) +') -- 1.7.0.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100622/88c96ac1/attachment.bin