diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index aa940d0..3d13ece 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -6,6 +6,7 @@
 automount
 ddcprobe
 fetchmail
+ irc
 openct
 readahead
 slrnpull
diff --git a/refpolicy/policy/modules/apps/irc.fc b/refpolicy/policy/modules/apps/irc.fc
new file mode 100644
index 0000000..618588c
--- /dev/null
+++ b/refpolicy/policy/modules/apps/irc.fc
@@ -0,0 +1,11 @@
+#
+# /home
+#
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0)
+
+#
+# /usr
+#
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
new file mode 100644
index 0000000..2eb7109
--- /dev/null
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -0,0 +1,166 @@
+## IRC client policy
+
+#######################################
+##
+## The per user domain template for the irc module.
+##
+##
+##

+## This template creates a derived domains which are used
+## for an irc client sessions.
+##

+##

+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##

+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`irc_per_userdomain_template',`
+ gen_require(`
+ type irc_exec_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_irc_t;
+ domain_type($1_irc_t)
+ domain_entry_file($1_irc_t,irc_exec_t)
+ role $3 types $1_irc_t;
+
+ type $1_irc_exec_t;
+ userdom_home_file($1,$1_irc_exec_t)
+ domain_entry_file($1_irc_t,$1_irc_exec_t)
+
+ type $1_irc_home_t;
+ userdom_home_file($1,$1_irc_home_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
+ allow $1_irc_t self:dir search;
+ allow $1_irc_t self:lnk_file read;
+ allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_irc_t self:tcp_socket create_socket_perms;
+ allow $1_irc_t self:udp_socket create_socket_perms;
+
+ allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
+ allow $1_irc_t $1_irc_home_t:file create_file_perms;
+ allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
+ userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
+
+ # access files under /tmp
+ allow $1_irc_t $1_tmp_t:dir create_dir_perms;
+ allow $1_irc_t $1_tmp_t:file create_file_perms;
+ allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
+ allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
+ allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
+ files_create_tmp_files($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
+
+ # Transition from the user domain to the derived domain. 
+ domain_auto_trans($2,irc_exec_t,$1_irc_t)
+ allow $2 $1_irc_t:fd use;
+ allow $1_irc_t $2:fd use;
+ allow $1_irc_t $2:fifo_file rw_file_perms;
+ allow $1_irc_t $2:process sigchld;
+
+ allow $2 $1_irc_t:process signal;
+
+ allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
+
+ # allow ps to show irc
+ allow $2 $1_irc_t:dir { search getattr read };
+ allow $2 $1_irc_t:{ file lnk_file } { read getattr };
+ allow $2 $1_irc_t:process getattr;
+ # We need to suppress this denial because procps tries to access
+ # /proc/pid/environ and this now triggers a ptrace check in recent kernels
+ # (2.4 and 2.6). Might want to change procps to not do this, or only if
+ # running in a privileged domain.
+ dontaudit $2 $1_irc_t:process ptrace;
+
+ kernel_read_proc_symlinks($1_irc_t)
+
+ corenet_non_ipsec_sendrecv($1_irc_t)
+ corenet_tcp_sendrecv_generic_if($1_irc_t)
+ corenet_udp_sendrecv_generic_if($1_irc_t)
+ corenet_raw_sendrecv_generic_if($1_irc_t)
+ corenet_tcp_sendrecv_all_nodes($1_irc_t)
+ corenet_udp_sendrecv_all_nodes($1_irc_t)
+ corenet_raw_sendrecv_all_nodes($1_irc_t)
+ corenet_tcp_sendrecv_all_ports($1_irc_t)
+ corenet_udp_sendrecv_all_ports($1_irc_t)
+ corenet_tcp_bind_all_nodes($1_irc_t)
+ corenet_udp_bind_all_nodes($1_irc_t)
+ # cjp: this seems excessive:
+ corenet_tcp_connect_all_ports($1_irc_t)
+
+ domain_use_wide_inherit_fd($1_irc_t)
+
+ files_dontaudit_search_pids($1_irc_t)
+ files_search_var($1_irc_t)
+ files_read_etc_files($1_irc_t)
+ files_read_usr_files($1_irc_t)
+
+ fs_getattr_xattr_fs($1_irc_t)
+ fs_search_auto_mountpoints($1_irc_t)
+
+ term_use_controlling_term($1_irc_t)
+ term_list_ptys($1_irc_t)
+
+ # allow utmp access
+ init_read_script_pid($1_irc_t)
+ init_dontaudit_lock_pid($1_irc_t)
+
+ libs_use_ld_so($1_irc_t)
+ libs_use_shared_libs($1_irc_t)
+
+ miscfiles_read_localization($1_irc_t)
+
+ # Inherit and use descriptors from newrole. 
+ seutil_use_newrole_fd($1_irc_t)
+
+ sysnet_read_config($1_irc_t)
+
+ # Write to the user domain tty.
+ userdom_use_user_terminals($1,$1_irc_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_irc_t)
+ fs_manage_nfs_files($1_irc_t)
+ fs_manage_nfs_symlinks($1_irc_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_irc_t)
+ fs_manage_cifs_files($1_irc_t)
+ fs_manage_cifs_symlinks($1_irc_t)
+ ')
+
+ optional_policy(`nis',`
+ nis_use_ypbind($1_irc_t)
+ ')
+
+ ifdef(`TODO',`
+ optional_policy(`ircd.te', `
+ allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
+ allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1_irc_t)
+ kernel_tcp_recvfrom(ircd_t)
+ ')
+ ')
+')
diff --git a/refpolicy/policy/modules/apps/irc.te b/refpolicy/policy/modules/apps/irc.te
new file mode 100644
index 0000000..01fcbeb
--- /dev/null
+++ b/refpolicy/policy/modules/apps/irc.te
@@ -0,0 +1,10 @@
+
+policy_module(irc,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type irc_exec_t;
+files_type(irc_exec_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 38ab298..32f4902 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -833,6 +833,23 @@ interface(`init_dontaudit_write_script_pid',`
 ')
 ########################################
+##
+## Do not audit attempts to lock
+## init script pid files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`init_dontaudit_lock_pid',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file lock;
+')
+
+########################################
+#
 # init_rw_script_pid(domain)
 #
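Review bot: The network rules in the local-policy section of `irc_per_userdomain_template` give `$1_irc_t` far more reach than an IRC client needs: `corenet_tcp_connect_all_ports`, the `*_sendrecv_all_ports` calls and the three `corenet_raw_sendrecv_*` calls mean a client domain subverted by a hostile server or DCC peer can reach any TCP port on the network, and the raw-socket interfaces are granted even though the domain receives no `self:rawip_socket` permission that would let it use them. The `# cjp: this seems excessive:` comment already flags the connect rule; I would replace it with a connect restricted to the IRC server port type (corenetwork has one if `ircd_port_t` exists in this tree — please confirm) and drop the raw-socket interfaces, adding an explicit bind/connect rule for DCC later if it is actually needed. The same section also reuses the user domain's `$1_tmp_t` for the client's scratch files (`allow $1_irc_t $1_tmp_t:...` and `files_create_tmp_files($1_irc_t,$1_tmp_t,...)`), so the client can read and rewrite every temporary file of that user instead of only its own; declaring a derived `$1_irc_tmp_t` and passing it to `files_create_tmp_files` keeps the separation that the rest of the template builds, and note that `$1_tmp_t` is also absent from the template's `gen_require`, which may be an issue in a modular build.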
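Review bot: The summary of the new `init_dontaudit_lock_pid` interface says it covers "init script pid files", but the only caller this commit adds invokes it under a `# allow utmp access` comment in irc.if, so the intended use (utmp apparently sharing `initrc_var_run_t` — inferred from the caller, not shown in this hunk) is invisible to anyone reading init.if alone. I would extend the summary to `## Do not audit attempts to lock init script pid files (this also covers utmp, which is labeled initrc_var_run_t).` so the next policy writer does not go looking for a separate utmp interface. The rule itself is tightly scoped to the `file` class and the `lock` permission, which is the right shape for a dontaudit.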