This patch aims to merge my irssi module with the existing irc module. The previous patch that i submitted is missing a pretty important interface for a irc client. corenet_tcp_connect_ircd_port(). I also changed to description of the boolean a bit for clarity. Index: /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.te =================================================================== --- /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.te (revision 2763) +++ /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.te (working copy) @@ -6,5 +6,17 @@ # Declarations # +## <desc> +## <p> +## Allow IRC clients to bind TCP sockets to all +## unreserved ports, and to connect +## to all TCP ports. +## </p> +## </desc> +gen_tunable(irc_unrestricted_tcp_network, false) + type irc_exec_t; application_executable_file(irc_exec_t) + +type irc_etc_t; +files_config_file(irc_etc_t) Index: /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.if =================================================================== --- /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.if (revision 2763) +++ /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.if (working copy) @@ -51,6 +51,7 @@ application_domain($1_irc_t, $1_irc_exec_t) type $1_irc_home_t; + files_poly_member($1_irc_home_t) userdom_user_home_content($1, $1_irc_home_t) type $1_irc_tmp_t; @@ -61,15 +62,29 @@ # Local policy # - allow $1_irc_t self:unix_stream_socket create_stream_socket_perms; - allow $1_irc_t self:tcp_socket create_socket_perms; - allow $1_irc_t self:udp_socket create_socket_perms; + allow $1_irc_t self:fifo_file rw_fifo_file_perms; + allow $1_irc_t self:netlink_route_socket create_netlink_socket_perms; + allow $1_irc_t self:process signal; + allow $1_irc_t self:tcp_socket { accept listen create_socket_perms }; + allow $1_irc_t self:udp_socket { create_socket_perms }; + allow $1_irc_t self:unix_stream_socket { create_stream_socket_perms }; + read_files_pattern($1_irc_t, irc_etc_t, irc_etc_t) + manage_dirs_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) manage_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) manage_lnk_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file lnk_file }) + userdom_search_user_home_dirs($1, $1_irc_t) + manage_dirs_pattern($2, $1_irc_home_t, $1_irc_home_t) + manage_files_pattern($2, $1_irc_home_t, $1_irc_home_t) + manage_lnk_files_pattern($2, $1_irc_home_t, $1_irc_home_t) + + relabel_dirs_pattern($2, $1_irc_home_t, $1_irc_home_t) + relabel_files_pattern($2, $1_irc_home_t, $1_irc_home_t) + relabel_lnk_files_pattern($2, $1_irc_home_t, $1_irc_home_t) + # access files under /tmp manage_dirs_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) manage_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) @@ -85,10 +100,12 @@ # allow ps to show irc ps_process_pattern($2, $1_irc_t) - allow $2 $1_irc_t:process signal; kernel_read_proc_symlinks($1_irc_t) + corecmd_search_bin($1_irc_t) + corecmd_read_bin_symlinks($1_irc_t) + corenet_all_recvfrom_unlabeled($1_irc_t) corenet_all_recvfrom_netlabel($1_irc_t) corenet_tcp_sendrecv_generic_if($1_irc_t) @@ -97,11 +114,11 @@ corenet_udp_sendrecv_all_nodes($1_irc_t) corenet_tcp_sendrecv_all_ports($1_irc_t) corenet_udp_sendrecv_all_ports($1_irc_t) + corenet_tcp_connect_ircd_port($1_irc_t) corenet_sendrecv_ircd_client_packets($1_irc_t) - # cjp: this seems excessive: - corenet_tcp_connect_all_ports($1_irc_t) - corenet_sendrecv_all_client_packets($1_irc_t) + dev_read_urand($1_irc_t) + domain_use_interactive_fds($1_irc_t) files_dontaudit_search_pids($1_irc_t) @@ -124,6 +141,8 @@ miscfiles_read_localization($1_irc_t) + nscd_read_pid($1_irc_t) + # Inherit and use descriptors from newrole. seutil_use_newrole_fds($1_irc_t) @@ -131,20 +150,68 @@ # Write to the user domain tty. userdom_use_user_terminals($1, $1_irc_t) + userdom_sigchld_all_users($1_irc_t) + tunable_policy(`irc_unrestricted_tcp_network',` + corenet_tcp_bind_all_unreserved_ports($1_irc_t) + corenet_tcp_connect_all_ports($1_irc_t) + corenet_sendrecv_all_client_packets($1_irc_t) + corenet_sendrecv_all_server_packets($1_irc_t) + ') + tunable_policy(`use_nfs_home_dirs',` + fs_search_auto_mountpoints($1_irc_t) fs_manage_nfs_dirs($1_irc_t) fs_manage_nfs_files($1_irc_t) fs_manage_nfs_symlinks($1_irc_t) ') tunable_policy(`use_samba_home_dirs',` + fs_search_auto_mountpoints($1_irc_t) fs_manage_cifs_dirs($1_irc_t) fs_manage_cifs_files($1_irc_t) fs_manage_cifs_symlinks($1_irc_t) ') optional_policy(` + automount_dontaudit_getattr_tmp_dirs($1_irc_t) + ') + + optional_policy(` nis_use_ypbind($1_irc_t) ') ') + +######################################## +## <summary> +## Signal and trace the user IRC Client process. +## </summary> +## <desc> +## <p> +## Allows users to signal and trace the user IRC +## Client process. +## </p> +## <p> +## This is a templated interface, and should only +## be called from a per-userdomain template. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +template(`irc_signal_user_irc',` + gen_require(` + type $1_irc_t; + ') + + allow $2 $1_irc_t:process { ptrace signal_perms }; +') Index: /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.fc =================================================================== --- /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.fc (revision 2763) +++ /home/domg472/Workspace/refpolicy1/policy/modules/apps/irc.fc (working copy) @@ -1,11 +1,18 @@ # +# /etc +# +/etc/irssi\.conf -- gen_context(system_u:object_r:irc_etc_t,s0) + +# # /home # HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0) +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:ROLE_irc_home_t,s0) # # /usr # /usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0) /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) Index: /home/domg472/Workspace/refpolicy1/policy/modules/system/userdomain.if =================================================================== --- /home/domg472/Workspace/refpolicy1/policy/modules/system/userdomain.if (revision 2763) +++ /home/domg472/Workspace/refpolicy1/policy/modules/system/userdomain.if (working copy) @@ -818,6 +818,10 @@ ') optional_policy(` + irc_signal_user_irc($1, $1_t) + ') + + optional_policy(` locate_read_lib_files($1_t) ')
Attachment:
signature.asc
Description: This is a digitally signed message part