From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 29 Jul 2011 08:59:33 -0400
Subject: [refpolicy] [PATCH/RFC] Add support for the skype_t domain
In-Reply-To: <20110724153808.GA25350@siphos.be>
References: <20110724153808.GA25350@siphos.be>
Message-ID: <4E32AEB5.2030100@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 07/24/11 11:38, Sven Vermeulen wrote:
> The skype application is a popular voice and video chat application.
> This patch adds preliminary support for skype on SELinux.
>
> This is currently a "one patch" offer, so I'd like to know if it is okay
> when adding new applications to refpolicy like this to use a single patch
> (as long as it isn't too complicated)?
Yes, its fine, as log as it isn't too complicated.
> Also a quick review on the policy wouldn't hurt ;-) Feedback always
> appreciated.
>
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/apps/skype.fc | 3 +
> policy/modules/apps/skype.if | 51 ++++++++++++++++++
> policy/modules/apps/skype.te | 99 ++++++++++++++++++++++++++++++++++++
> policy/modules/roles/staff.te | 4 ++
> policy/modules/roles/sysadm.te | 4 ++
> policy/modules/roles/unprivuser.te | 4 ++
> 6 files changed, 165 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/apps/skype.fc
> create mode 100644 policy/modules/apps/skype.if
> create mode 100644 policy/modules/apps/skype.te
>
> diff --git a/policy/modules/apps/skype.fc b/policy/modules/apps/skype.fc
> new file mode 100644
> index 0000000..a802960
> --- /dev/null
> +++ b/policy/modules/apps/skype.fc
> @@ -0,0 +1,3 @@
> +/usr/bin/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
> +/opt/skype/skype -- gen_context(system_u:object_r:skype_exec_t,s0)
> +HOME_DIR/\.Skype(/.*)? gen_context(system_u:object_r:skype_home_t,s0)
> diff --git a/policy/modules/apps/skype.if b/policy/modules/apps/skype.if
> new file mode 100644
> index 0000000..f72c534
> --- /dev/null
> +++ b/policy/modules/apps/skype.if
> @@ -0,0 +1,51 @@
> +## Skype softphone.
> +
> +#######################################
> +##
> +## Role access for the skype module.
> +##
> +##
> +##
> +## The role associated with the user domain.
> +##
> +##
> +##
> +##
> +## The type of the user domain.
> +##
> +##
> +#
> +interface(`skype_role',`
> + gen_require(`
> + type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t;
> + ')
> +
> + #######################################
> + #
> + # Declarations
> + #
> +
> + role $1 types skype_t;
> +
> + ############################
> + #
> + # Policy
> + #
> + allow $2 skype_t:process { ptrace signal_perms };
> + dontaudit skype_t $2:unix_stream_socket { connectto };
> +
> + domtrans_pattern($2, skype_exec_t, skype_t)
> +
> + # Allow the user to manage the skype configuration files in his home
> + # directory
> + manage_dirs_pattern($2, skype_home_t, skype_home_t)
> + manage_files_pattern($2, skype_home_t, skype_home_t)
> + manage_lnk_files_pattern($2, skype_home_t, skype_home_t)
> +
> + # Allow the user to relabel files from/to skype_home_t
> + relabel_dirs_pattern($2, skype_home_t, skype_home_t)
> + relabel_files_pattern($2, skype_home_t, skype_home_t)
> + relabel_lnk_files_pattern($2, skype_home_t, skype_home_t)
> +
> + ps_process_pattern($2, skype_t)
> +')
> diff --git a/policy/modules/apps/skype.te b/policy/modules/apps/skype.te
> new file mode 100644
> index 0000000..0e0ca86
> --- /dev/null
> +++ b/policy/modules/apps/skype.te
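Review bot: In `skype_role` (skype.if), `allow $2 skype_t:process { ptrace signal_perms };` lets every calling user domain trace the confined client, so the user domain can inspect and alter skype_t's memory; if the role only needs to signal and stop the client, `allow $2 skype_t:process signal_perms;` is sufficient. The `dontaudit skype_t $2:unix_stream_socket { connectto };` rule has no comment naming the connection attempt it silences, and hiding a denial whose origin is undocumented makes a first-version policy harder to audit; a line such as `# skype tries to connect to <socket in the user domain>; not required, hide the denial` above it would record the intent. `skype_tmpfs_t` is listed in `gen_require` but is not referenced anywhere in the interface body and can be dropped from that list.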
> @@ -0,0 +1,99 @@
> +policy_module(skype, 0.0.2)
> +
> +############################
> +#
> +# Declarations
> +#
> +
> +type skype_t;
> +type skype_exec_t;
> +application_domain(skype_t, skype_exec_t)
> +can_exec(skype_t, skype_exec_t)
> +
> +type skype_home_t;
> +
> +type skype_tmpfs_t;
> +files_tmpfs_file(skype_tmpfs_t)
> +ubac_constrained(skype_tmpfs_t)
> +
> +############################
> +#
> +# Policy
> +#
> +
> +allow skype_t self:process { getsched setsched execmem signal };
> +allow skype_t self:fifo_file rw_fifo_file_perms;
> +allow skype_t self:unix_stream_socket create_socket_perms;
> +allow skype_t self:sem create_sem_perms;
> +allow skype_t self:tcp_socket create_stream_socket_perms;
> +
> +# Allow skype to work with its ~/.skype location
> +manage_dirs_pattern(skype_t, skype_home_t, skype_home_t)
> +manage_files_pattern(skype_t, skype_home_t, skype_home_t)
> +manage_lnk_files_pattern(skype_t, skype_home_t, skype_home_t)
> +
> +# Needed for supporting X11 & shared memory
> +manage_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
> +manage_lnk_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
> +manage_fifo_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
> +manage_sock_files_pattern(skype_t, skype_tmpfs_t, skype_tmpfs_t)
> +fs_tmpfs_filetrans(skype_t, skype_tmpfs_t, { file lnk_file sock_file fifo_file })
> +
> +
> +## Kernel layer calls
> +# Needs some whitespace and unnecessary comments removal here and below
> +kernel_dontaudit_search_sysctl(skype_t)
> +kernel_read_system_state(skype_t)
> +
> +corecmd_exec_bin(skype_t)
> +corecmd_exec_shell(skype_t)
> +
> +corenet_all_recvfrom_netlabel(skype_t)
> +corenet_all_recvfrom_unlabeled(skype_t)
> +corenet_sendrecv_http_client_packets(skype_t)
> +corenet_tcp_bind_generic_node(skype_t)
> +corenet_tcp_bind_generic_port(skype_t)
> +corenet_tcp_connect_generic_port(skype_t)
> +corenet_tcp_connect_http_port(skype_t)
> +corenet_tcp_sendrecv_http_port(skype_t)
> +corenet_udp_bind_generic_node(skype_t)
> +corenet_udp_bind_generic_port(skype_t)
> +
> +dev_dontaudit_search_sysfs(skype_t)
> +dev_read_sound(skype_t)
> +dev_read_video_dev(skype_t)
> +dev_write_sound(skype_t)
> +dev_write_video_dev(skype_t)
> +
> +# Needed to debug skype (start through commandline)
> +domain_use_interactive_fds(skype_t)
> +
> +files_read_etc_files(skype_t)
> +files_read_usr_files(skype_t)
> +
> +fs_dontaudit_getattr_xattr_fs(skype_t)
> +
> +## System layer calls
> +#
> +auth_use_nsswitch(skype_t)
> +miscfiles_dontaudit_setattr_fonts_dirs(skype_t)
> +miscfiles_read_localization(skype_t)
> +userdom_manage_user_home_content_dirs(skype_t)
> +userdom_manage_user_home_content_files(skype_t)
Is this really necessary since there is skype_home_t?
> +userdom_use_user_terminals(skype_t)
> +userdom_user_home_dir_filetrans(skype_t, skype_home_t, dir)
> +userdom_user_home_content(skype_home_t)
This like usually goes up with the decl
> +
> +## Other calls
> +#
> +xserver_user_x_domain_template(skype, skype_t, skype_tmpfs_t)
> +
> +optional_policy(`
> + alsa_read_rw_config(skype_t)
> +')
> +
> +optional_policy(`
> + dbus_system_bus_client(skype_t)
> + dbus_session_bus_client(skype_t)
> +')
> +
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 2be17d2..92dc0a5 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -141,6 +141,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + skype_role(staff_r, staff_t)
> + ')
> +
> + optional_policy(`
> spamassassin_role(staff_r, staff_t)
> ')
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index e14b961..c7880dd 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -307,6 +307,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + skype_role(sysadm_r, sysadm_t)
> +')
> +
> +optional_policy(`
> spamassassin_role(sysadm_r, sysadm_t)
> ')
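Review bot: In the skype.te hunk, `allow skype_t self:process { getsched setsched execmem signal };` grants `execmem` with no comment or tunable, and the same domain also receives `corecmd_exec_shell`, `corenet_tcp_bind_generic_port`, `corenet_tcp_connect_generic_port` and `corenet_udp_bind_generic_port`. For a client that parses network input this combination means a compromised skype_t could map writable-executable memory, run a shell, and listen or connect on ports labelled as generic, so each grant should record why it was needed. I would split `execmem` onto its own rule with its reason, e.g. `# execmem: <component whose denial required it>` above `allow skype_t self:process execmem;`, and do the same for the shell and generic-port lines. The leftover `# Needs some whitespace and unnecessary comments removal here and below` should be resolved before merge, and the comment `# Allow skype to work with its ~/.skype location` does not match the `\.Skype` path labelled in skype.fc.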
>
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index e5bfdd4..1b50f42 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -118,6 +118,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + skype_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> spamassassin_role(user_r, user_t)
> ')
>
-- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com