From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 22 Jun 2010 15:49:08 -0400 Subject: [refpolicy] [ irc patch 1/1] Extend the IRC domain to include IRSSI. In-Reply-To: <20100622193622.GA26980@localhost.localdomain> References: <20100622193622.GA26980@localhost.localdomain> Message-ID: <1277236148.19832.6.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2010-06-22 at 21:36 +0200, Dominick Grift wrote: > The tabs in irc.fc are weird because of Eclipse. > We can remove the irc_home_t stuff from irc.if once userdom_user_home_content is fixed to handle it. A couple of minor issues inline. > Signed-off-by: Dominick Grift > --- > :100644 100644 65ece18... 200a6cd... M policy/modules/apps/irc.fc > :100644 100644 4f9dc90... a638de0... M policy/modules/apps/irc.if > :100644 100644 66beb80... b1526ce... M policy/modules/apps/irc.te > policy/modules/apps/irc.fc | 18 ++++++------- > policy/modules/apps/irc.if | 29 ++++++++++++++++++--- > policy/modules/apps/irc.te | 59 +++++++++++++++++++++++++++++++++++-------- > 3 files changed, 80 insertions(+), 26 deletions(-) >
> diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
> index 65ece18..200a6cd 100644
> --- a/policy/modules/apps/irc.fc
> +++ b/policy/modules/apps/irc.fc
> @@ -1,11 +1,9 @@
> -#
> -# /home
> -#
> -HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
> +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
>
> -#
> -# /usr
> -#
> -/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
> -/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/etc/irssi.conf -- gen_context(system_u:object_r:irc_etc_t,s0)
> +
> +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
> +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
> diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
> index 4f9dc90..a638de0 100644
> --- a/policy/modules/apps/irc.if
> +++ b/policy/modules/apps/irc.if
> @@ -1,4 +1,4 @@
> -## IRC client policy
> +## IRC clients.
>
> ########################################
> ##
> @@ -17,15 +17,34 @@
> #
> interface(`irc_role',`
> gen_require(`
> - type irc_t, irc_exec_t;
> + type irc_t, irc_exec_t, irc_tmp_t;
> + type irc_home_t;
> ')
>
> role $1 types irc_t;
>
> - # Transition from the user domain to the derived domain.
> domtrans_pattern($2, irc_exec_t, irc_t)
>
> - # allow ps to show irc
> ps_process_pattern($2, irc_t)
> - allow $2 irc_t:process signal;
> + allow $2 irc_t:process { ptrace signal_perms };
> +
> + manage_dirs_pattern($2, irc_home_t, irc_home_t)
> + manage_files_pattern($2, irc_home_t, irc_home_t)
> + manage_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> + relabel_dirs_pattern($2, irc_home_t, irc_home_t)
> + relabel_files_pattern($2, irc_home_t, irc_home_t)
> + relabel_lnk_files_pattern($2, irc_home_t, irc_home_t)
> +
> + manage_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + manage_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> +
> + relabel_dirs_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_lnk_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_fifo_files_pattern($2, irc_tmp_t, irc_tmp_t)
> + relabel_sock_files_pattern($2, irc_tmp_t, irc_tmp_t)
> ')
> diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
> index 66beb80..b1526ce 100644
> --- a/policy/modules/apps/irc.te
> +++ b/policy/modules/apps/irc.te
> @@ -5,6 +5,14 @@ policy_module(irc, 2.1.0)
> # Declarations
> #
>
> +##
> +##
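Review bot: The `gen_require` in irc_role now spreads its types over two `type` statements, with `irc_home_t` alone on the second; the usual refpolicy form is one declaration, `type irc_t, irc_exec_t, irc_tmp_t, irc_home_t;`. The added manage/relabel grants on irc_home_t and irc_tmp_t follow what other role interfaces do, but the interface's header comment sits above this hunk and should be checked so it still describes what the role now receives. The opening lines of irc_role's definition start outside the hunk.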

> +## Allow IRC Clients to connect to any TCP port,
> +## and to bind TCP sockets to any unreserved port.
> +##

> +##
> +gen_tunable(irc_can_network, false)
A more specific name would be better. Maybe irc_full_networking or something.
> type irc_t;
> type irc_exec_t;
> typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
> @@ -12,6 +20,9 @@ typealias irc_t alias { auditadm_irc_t secadm_irc_t };
> application_domain(irc_t, irc_exec_t)
> ubac_constrained(irc_t)
>
> +type irc_etc_t;
> +files_config_file(irc_etc_t)
Why is this necessary? From what I can tell, irc_t only reads it. Irc_t already can read etc_t files, so this seems unnecessary.
> type irc_home_t;
> typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
> typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
> @@ -20,23 +31,28 @@ userdom_user_home_content(irc_home_t)
> type irc_tmp_t;
> typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
> typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
> -userdom_user_home_content(irc_tmp_t)
> +files_tmp_file(irc_tmp_t)
> +ubac_constrained(irc_tmp_t)
>
> ########################################
> #
> # Local policy
> #
>
> +allow irc_t self:process { signal sigkill };
> +allow irc_t self:fifo_file rw_fifo_file_perms;
> +allow irc_t self:netlink_route_socket create_netlink_socket_perms;
> allow irc_t self:unix_stream_socket create_stream_socket_perms;
> -allow irc_t self:tcp_socket create_socket_perms;
> +allow irc_t self:tcp_socket create_stream_socket_perms;
> allow irc_t self:udp_socket create_socket_perms;
>
> +allow irc_t irc_etc_t:file read_file_perms;
> +
> manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
> manage_files_pattern(irc_t, irc_home_t, irc_home_t)
> manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
> userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
>
> -# access files under /tmp
> manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> @@ -44,7 +60,9 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
>
> -kernel_read_proc_symlinks(irc_t)
> +kernel_read_system_state(irc_t)
> +
> +corecmd_read_bin_symlinks(irc_t)
>
> corenet_all_recvfrom_unlabeled(irc_t)
> corenet_all_recvfrom_netlabel(irc_t)
> @@ -52,12 +70,19 @@ corenet_tcp_sendrecv_generic_if(irc_t)
> corenet_udp_sendrecv_generic_if(irc_t)
> corenet_tcp_sendrecv_generic_node(irc_t)
> corenet_udp_sendrecv_generic_node(irc_t)
> +corenet_tcp_bind_generic_node(irc_t)
> +corenet_udp_bind_generic_node(irc_t)
> corenet_tcp_sendrecv_all_ports(irc_t)
> corenet_udp_sendrecv_all_ports(irc_t)
> +corenet_tcp_connect_ircd_port(irc_t)
> corenet_sendrecv_ircd_client_packets(irc_t)
> -# cjp: this seems excessive:
> -corenet_tcp_connect_all_ports(irc_t)
> -corenet_sendrecv_all_client_packets(irc_t)
> +corenet_tcp_connect_http_cache_port(irc_t)
> +corenet_sendrecv_http_cache_client_packets(irc_t)
> +corenet_tcp_connect_gatekeeper_port(irc_t)
> +corenet_sendrecv_gatekeeper_client_packets(irc_t)
> +
> +dev_read_urand(irc_t)
> +dev_read_rand(irc_t)
>
> domain_use_interactive_fds(irc_t)
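Review bot: Replacing `kernel_read_proc_symlinks(irc_t)` with `kernel_read_system_state(irc_t)` widens irc_t from following /proc symlinks to reading kernel state under /proc generally, and nothing in the patch says which access the client actually needed. If the denial behind it was a single file, a narrower kernel_* interface would keep the domain tighter; if the broad grant is really required, a one-line comment above it naming the reason (for example `# irssi reads /proc/<placeholder> at startup`) would save the next reviewer the same question.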
>
> @@ -70,22 +95,26 @@ fs_getattr_xattr_fs(irc_t)
> fs_search_auto_mountpoints(irc_t)
>
> term_use_controlling_term(irc_t)
> -term_list_ptys(irc_t)
>
> -# allow utmp access
> init_read_utmp(irc_t)
> init_dontaudit_lock_utmp(irc_t)
>
> +miscfiles_read_certs(irc_t)
> miscfiles_read_localization(irc_t)
>
> -# Inherit and use descriptors from newrole.
> seutil_use_newrole_fds(irc_t)
>
> sysnet_read_config(irc_t)
>
> -# Write to the user domain tty.
> userdom_use_user_terminals(irc_t)
>
> +tunable_policy(`irc_can_network',`
> + corenet_tcp_bind_all_unreserved_ports(irc_t)
> + corenet_sendrecv_all_server_packets(irc_t)
> + corenet_tcp_connect_all_ports(irc_t)
> + corenet_sendrecv_all_client_packets(irc_t)
> +')
> +
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(irc_t)
> fs_manage_nfs_files(irc_t)
> @@ -99,5 +128,13 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + automount_dontaudit_getattr_tmp_dirs(irc_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(irc_t)
> ')
> +
> +optional_policy(`
> + nscd_socket_use(irc_t)
> +')
These two and the netlink_route socket earlier makes it look like its going towards auth_use_nsswitch(). -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
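Review bot: In the corenet hunk (`@@ -52,12 +70,19 @@`) `corenet_tcp_bind_generic_node(irc_t)` and `corenet_udp_bind_generic_node(irc_t)` are unconditional, while the only port bind permission, `corenet_tcp_bind_all_unreserved_ports(irc_t)`, is granted inside the `irc_can_network` tunable block later in the file; with the tunable off the node bind alone covers only a bind to an unspecified port, so it is worth stating which case (DCC listening, presumably) each grant serves, and moving the TCP node bind next to the port bind if they belong together. No UDP port bind appears anywhere in the patch, so `corenet_udp_bind_generic_node(irc_t)` looks unused unless a specific denial called for it. `dev_read_rand(irc_t)` next to `dev_read_urand(irc_t)` also deserves a second look, since a client seldom needs /dev/random and the urand grant usually covers it.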