[refpolicy patch] retry: merge irssi module with irc module.

Dominick Grift <domg472@xxxxxxxxx> · Thu, 24 Jul 2008 16:27:01 +0200

This patch aims to merge my irssi module with the existing irc module.
The previous patch that i submitted is missing a pretty important
interface for a irc client. corenet_tcp_connect_ircd_port().

I also changed to description of the boolean a bit for clarity.

Index: /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.te
===================================================================

--- /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.te
(revision 2763)
+++ /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.te
(working copy)
@@ -6,5 +6,17 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow IRC clients to bind TCP sockets to all
+## unreserved ports, and to connect
+## to all TCP ports.
+## </p>
+## </desc>
+gen_tunable(irc_unrestricted_tcp_network, false)
+
 type irc_exec_t;
 application_executable_file(irc_exec_t)
+
+type irc_etc_t;
+files_config_file(irc_etc_t)
Index: /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.if
===================================================================
--- /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.if
(revision 2763)
+++ /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.if
(working copy)
@@ -51,6 +51,7 @@
 	application_domain($1_irc_t, $1_irc_exec_t)
 
 	type $1_irc_home_t;
+	files_poly_member($1_irc_home_t)
 	userdom_user_home_content($1, $1_irc_home_t)
 
 	type $1_irc_tmp_t;
@@ -61,15 +62,29 @@
 	# Local policy
 	#
 
-	allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_irc_t self:tcp_socket create_socket_perms;
-	allow $1_irc_t self:udp_socket create_socket_perms;
+	allow $1_irc_t self:fifo_file rw_fifo_file_perms;
+	allow $1_irc_t self:netlink_route_socket create_netlink_socket_perms;
+	allow $1_irc_t self:process signal;
+	allow $1_irc_t self:tcp_socket { accept listen create_socket_perms };
+	allow $1_irc_t self:udp_socket { create_socket_perms };
+	allow $1_irc_t self:unix_stream_socket { create_stream_socket_perms };
 
+	read_files_pattern($1_irc_t, irc_etc_t, irc_etc_t)
+
 	manage_dirs_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
 	manage_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
 	manage_lnk_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
 	userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file
lnk_file })
+	userdom_search_user_home_dirs($1, $1_irc_t)
 
+	manage_dirs_pattern($2, $1_irc_home_t, $1_irc_home_t)
+	manage_files_pattern($2, $1_irc_home_t, $1_irc_home_t)
+	manage_lnk_files_pattern($2, $1_irc_home_t, $1_irc_home_t)
+
+	relabel_dirs_pattern($2, $1_irc_home_t, $1_irc_home_t)
+	relabel_files_pattern($2, $1_irc_home_t, $1_irc_home_t)
+	relabel_lnk_files_pattern($2, $1_irc_home_t, $1_irc_home_t)
+
 	# access files under /tmp
 	manage_dirs_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
 	manage_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
@@ -85,10 +100,12 @@
 
 	# allow ps to show irc
 	ps_process_pattern($2, $1_irc_t)
-	allow $2 $1_irc_t:process signal;
 	
 	kernel_read_proc_symlinks($1_irc_t)
 
+	corecmd_search_bin($1_irc_t)
+	corecmd_read_bin_symlinks($1_irc_t)
+
 	corenet_all_recvfrom_unlabeled($1_irc_t)
 	corenet_all_recvfrom_netlabel($1_irc_t)
 	corenet_tcp_sendrecv_generic_if($1_irc_t)
@@ -97,11 +114,11 @@
 	corenet_udp_sendrecv_all_nodes($1_irc_t)
 	corenet_tcp_sendrecv_all_ports($1_irc_t)
 	corenet_udp_sendrecv_all_ports($1_irc_t)
+	corenet_tcp_connect_ircd_port($1_irc_t)
 	corenet_sendrecv_ircd_client_packets($1_irc_t)
-	# cjp: this seems excessive:
-	corenet_tcp_connect_all_ports($1_irc_t)
-	corenet_sendrecv_all_client_packets($1_irc_t)
 
+	dev_read_urand($1_irc_t)
+
 	domain_use_interactive_fds($1_irc_t)
 
 	files_dontaudit_search_pids($1_irc_t)
@@ -124,6 +141,8 @@
 
 	miscfiles_read_localization($1_irc_t)
 
+	nscd_read_pid($1_irc_t)
+
 	# Inherit and use descriptors from newrole.
 	seutil_use_newrole_fds($1_irc_t)
 
@@ -131,20 +150,68 @@
 
 	# Write to the user domain tty.
 	userdom_use_user_terminals($1, $1_irc_t)
+	userdom_sigchld_all_users($1_irc_t)
 
+	tunable_policy(`irc_unrestricted_tcp_network',`
+		corenet_tcp_bind_all_unreserved_ports($1_irc_t)
+		corenet_tcp_connect_all_ports($1_irc_t)
+		corenet_sendrecv_all_client_packets($1_irc_t)
+		corenet_sendrecv_all_server_packets($1_irc_t)
+	')
+
 	tunable_policy(`use_nfs_home_dirs',`
+		fs_search_auto_mountpoints($1_irc_t)
 		fs_manage_nfs_dirs($1_irc_t)
 		fs_manage_nfs_files($1_irc_t)
 		fs_manage_nfs_symlinks($1_irc_t)
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
+		fs_search_auto_mountpoints($1_irc_t)
 		fs_manage_cifs_dirs($1_irc_t)
 		fs_manage_cifs_files($1_irc_t)
 		fs_manage_cifs_symlinks($1_irc_t)
 	')
 
 	optional_policy(`
+		automount_dontaudit_getattr_tmp_dirs($1_irc_t)
+	')
+
+	optional_policy(`
 		nis_use_ypbind($1_irc_t)
 	')
 ')
+
+########################################
+## <summary>
+##  Signal and trace the user IRC Client process.
+## </summary>
+## <desc>
+##	<p>
+##	Allows users to signal and trace the user IRC 
+##	Client process.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`irc_signal_user_irc',`
+	gen_require(`
+		type $1_irc_t;
+	')
+
+	allow $2 $1_irc_t:process { ptrace signal_perms };	
+')
Index: /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.fc
===================================================================
--- /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.fc
(revision 2763)
+++ /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.fc
(working copy)
@@ -1,11 +1,18 @@
 #
+# /etc
+#
+/etc/irssi\.conf                 --
gen_context(system_u:object_r:irc_etc_t,s0)
+
+#
 # /home
 #
 HOME_DIR/\.ircmotd	--	gen_context(system_u:object_r:ROLE_irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)?
gen_context(system_u:object_r:ROLE_irc_home_t,s0)
 
 #
 # /usr
 #
 /usr/bin/[st]irc		--	gen_context(system_u:object_r:irc_exec_t,s0)
 /usr/bin/ircII		--	gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi                  --
gen_context(system_u:object_r:irc_exec_t,s0)
 /usr/bin/tinyirc		--	gen_context(system_u:object_r:irc_exec_t,s0)
Index: /home/domg472/Workspace/refpolicy1/policy/modules/system/userdomain.if
===================================================================
--- /home/domg472/Workspace/refpolicy1/policy/modules/system/userdomain.if	(revision 2763)
+++ /home/domg472/Workspace/refpolicy1/policy/modules/system/userdomain.if	(working copy)
@@ -818,6 +818,10 @@
 	')
 
 	optional_policy(`
+		irc_signal_user_irc($1, $1_t)
+	')
+
+	optional_policy(`
 		locate_read_lib_files($1_t)
 	')
 

Attachment:
signature.asc

Description: This is a digitally signed message part




