[refpolicy] apps_irc.patch

Christopher J. PeBenito cpebenito at tresys.com
Tue Jun 22 07:51:42 CDT 2010 

On Mon, 2010-06-21 at 16:53 +0200, Dominick Grift wrote:
> On Mon, Jun 21, 2010 at 09:09:35AM -0400, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:05 -0400, Daniel J Walsh wrote:
> > > http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_irc.patch
> > > 
> > > isc policy updates from Dominic Grift.
> > 
> > Why does irssi need a special domain?  Why can't it just use/augment the
> > irc_t domain?
> 
> Because of this:
> 
> allow irc_t self:unix_stream_socket create_stream_socket_perms;
> allow irc_t self:tcp_socket create_socket_perms;
> 
> manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
> files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
> 
> kernel_read_proc_symlinks(irc_t)
> 
> corenet_tcp_sendrecv_all_ports(irc_t)
> corenet_udp_sendrecv_all_ports(irc_t)
> corenet_tcp_connect_all_ports(irc_t)
> corenet_sendrecv_all_client_packets(irc_t)
> 
> domain_use_interactive_fds(irc_t)
> 
> files_dontaudit_search_pids(irc_t)
> files_search_var(irc_t)
> 
> fs_getattr_xattr_fs(irc_t)
> 
> term_use_controlling_term(irc_t)
> term_list_ptys(irc_t)
> 
> init_read_utmp(irc_t)
> init_dontaudit_lock_utmp(irc_t)
> 
> seutil_use_newrole_fds(irc_t)
> 
> allow irssi_t self:process { signal sigkill };
> allow irssi_t self:fifo_file rw_fifo_file_perms;
> allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
> allow irssi_t self:tcp_socket create_stream_socket_perms;
> 
> allow irssi_t irssi_etc_t:file read_file_perms;
> 
> kernel_read_system_state(irssi_t)
> 
> corecmd_read_bin_symlinks(irssi_t)
> 
> corenet_udp_sendrecv_generic_node(irssi_t)
> corenet_tcp_connect_ircd_port(irssi_t)
> 
> corenet_tcp_connect_http_cache_port(irssi_t)
> corenet_sendrecv_http_cache_client_packets(irssi_t)
> 
> corenet_tcp_connect_gatekeeper_port(irssi_t)
> corenet_sendrecv_gatekeeper_client_packets(irssi_t)
> 
> dev_read_urand(irssi_t)
> dev_read_rand(irssi_t)
> 
> miscfiles_read_certs(irssi_t)
> 
> tunable_policy(`irssi_use_full_network',`
> 	corenet_tcp_bind_all_unreserved_ports(irssi_t)
> 	corenet_tcp_connect_all_ports(irssi_t)
> 	corenet_sendrecv_all_client_packets(irssi_t)
> 	corenet_sendrecv_generic_server_packets(irssi_t)
> ')
> 
> optional_policy(`
> 	automount_dontaudit_getattr_tmp_dirs(irssi_t)
> ')
> 
> optional_policy(`
> 	nscd_socket_use(irssi_t
> ')
> 
> I think its just too much overhead.

I'm not clear on what you're saying

>  Besides i do not agree with some of the security decisions made for
> the irc_t domain.

Please be more specific.

> So the best compromise in my view is to just add a new irssi_t domain
> to the existing irc module.
> 
> That said, i think the patch that is in question here is not what i
> currently have in my repository. In my repository i have combined all
> policy that is common to both irc_t and irssi_t in a irc_domain
> section (attribute irc_domain for both irc_t, irssi_t)
> 
> Also if i am not mistaken, i have submitted a patch where irssi was
> merged into the irc_t domain some time ago, That patch has not made it
> in either for some reason.

Its easy to get lost in the flood due to the number of patches I get
from Dan.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

More information about the refpolicy mailing list