This commit is contained in:
Chris PeBenito 2006-01-06 19:46:44 +00:00
parent 765bd961b3
commit 8cffa78840
5 changed files with 205 additions and 0 deletions

View File

@ -6,6 +6,7 @@
automount
ddcprobe
fetchmail
irc
openct
readahead
slrnpull

View File

@ -0,0 +1,11 @@
#
# /home
#
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0)
#
# /usr
#
/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)

View File

@ -0,0 +1,166 @@
## <summary>IRC client policy</summary>
#######################################
## <summary>
## The per user domain template for the irc module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for an irc client sessions.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <param name="user_domain">
## The type of the user domain.
## </param>
## <param name="user_role">
## The role associated with the user domain.
## </param>
#
template(`irc_per_userdomain_template',`
gen_require(`
type irc_exec_t;
')
########################################
#
# Declarations
#
type $1_irc_t;
domain_type($1_irc_t)
domain_entry_file($1_irc_t,irc_exec_t)
role $3 types $1_irc_t;
type $1_irc_exec_t;
userdom_home_file($1,$1_irc_exec_t)
domain_entry_file($1_irc_t,$1_irc_exec_t)
type $1_irc_home_t;
userdom_home_file($1,$1_irc_home_t)
########################################
#
# Local policy
#
allow $1_irc_t self:dir search;
allow $1_irc_t self:lnk_file read;
allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
allow $1_irc_t self:tcp_socket create_socket_perms;
allow $1_irc_t self:udp_socket create_socket_perms;
allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
allow $1_irc_t $1_irc_home_t:file create_file_perms;
allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
userdom_create_user_home($1,$1_irc_t,{ dir file lnk_file },$1_irc_home_t)
# access files under /tmp
allow $1_irc_t $1_tmp_t:dir create_dir_perms;
allow $1_irc_t $1_tmp_t:file create_file_perms;
allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
files_create_tmp_files($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domain_auto_trans($2,irc_exec_t,$1_irc_t)
allow $2 $1_irc_t:fd use;
allow $1_irc_t $2:fd use;
allow $1_irc_t $2:fifo_file rw_file_perms;
allow $1_irc_t $2:process sigchld;
allow $2 $1_irc_t:process signal;
allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
# allow ps to show irc
allow $2 $1_irc_t:dir { search getattr read };
allow $2 $1_irc_t:{ file lnk_file } { read getattr };
allow $2 $1_irc_t:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $2 $1_irc_t:process ptrace;
kernel_read_proc_symlinks($1_irc_t)
corenet_non_ipsec_sendrecv($1_irc_t)
corenet_tcp_sendrecv_generic_if($1_irc_t)
corenet_udp_sendrecv_generic_if($1_irc_t)
corenet_raw_sendrecv_generic_if($1_irc_t)
corenet_tcp_sendrecv_all_nodes($1_irc_t)
corenet_udp_sendrecv_all_nodes($1_irc_t)
corenet_raw_sendrecv_all_nodes($1_irc_t)
corenet_tcp_sendrecv_all_ports($1_irc_t)
corenet_udp_sendrecv_all_ports($1_irc_t)
corenet_tcp_bind_all_nodes($1_irc_t)
corenet_udp_bind_all_nodes($1_irc_t)
# cjp: this seems excessive:
corenet_tcp_connect_all_ports($1_irc_t)
domain_use_wide_inherit_fd($1_irc_t)
files_dontaudit_search_pids($1_irc_t)
files_search_var($1_irc_t)
files_read_etc_files($1_irc_t)
files_read_usr_files($1_irc_t)
fs_getattr_xattr_fs($1_irc_t)
fs_search_auto_mountpoints($1_irc_t)
term_use_controlling_term($1_irc_t)
term_list_ptys($1_irc_t)
# allow utmp access
init_read_script_pid($1_irc_t)
init_dontaudit_lock_pid($1_irc_t)
libs_use_ld_so($1_irc_t)
libs_use_shared_libs($1_irc_t)
miscfiles_read_localization($1_irc_t)
# Inherit and use descriptors from newrole.
seutil_use_newrole_fd($1_irc_t)
sysnet_read_config($1_irc_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_irc_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_irc_t)
fs_manage_nfs_files($1_irc_t)
fs_manage_nfs_symlinks($1_irc_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_irc_t)
fs_manage_cifs_files($1_irc_t)
fs_manage_cifs_symlinks($1_irc_t)
')
optional_policy(`nis',`
nis_use_ypbind($1_irc_t)
')
ifdef(`TODO',`
optional_policy(`ircd.te', `
allow $1_irc_t ircd_t:tcp_socket { connectto recvfrom };
allow ircd_t $1_irc_t:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1_irc_t)
kernel_tcp_recvfrom(ircd_t)
')
')
')

View File

@ -0,0 +1,10 @@
policy_module(irc,1.0.0)
########################################
#
# Declarations
#
type irc_exec_t;
files_type(irc_exec_t)

View File

@ -832,6 +832,23 @@ interface(`init_dontaudit_write_script_pid',`
dontaudit $1 initrc_var_run_t:file { write lock };
')
########################################
## <summary>
## Do not audit attempts to lock
## init script pid files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`init_dontaudit_lock_pid',`
gen_require(`
type initrc_var_run_t;
')
dontaudit $1 initrc_var_run_t:file lock;
')
########################################
#
# init_rw_script_pid(domain)