From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B1744138010 for ; Sat, 6 Oct 2012 15:58:14 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5E829E052E; Sat, 6 Oct 2012 15:56:42 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id C238BE052E for ; Sat, 6 Oct 2012 15:56:41 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 2478E33D763 for ; Sat, 6 Oct 2012 15:56:41 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 39D60E5436 for ; Sat, 6 Oct 2012 15:56:38 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349538867.cfce25eb92cdba33707213e0e975d20804daa4cc.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/irc.fc policy/modules/contrib/irc.if policy/modules/contrib/irc.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: cfce25eb92cdba33707213e0e975d20804daa4cc X-VCS-Branch: master Date: Sat, 6 Oct 2012 15:56:38 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 86d9a50d-8a40-4ba6-803f-eafcc324e139 X-Archives-Hash: 87fff280b8f36969b82a0d4b16254df8 commit: cfce25eb92cdba33707213e0e975d20804daa4cc Author: Dominick Grift gmail com> AuthorDate: Sat Oct 6 11:45:41 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Oct 6 15:54:27 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cfce25eb Changes to the irc policy module Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/irc.fc | 12 +++---- policy/modules/contrib/irc.if | 34 ++++++++++++++----- policy/modules/contrib/irc.te | 70 +++++++++++++++++++++++++++------------- 3 files changed, 77 insertions(+), 39 deletions(-) diff --git a/policy/modules/contrib/irc.fc b/policy/modules/contrib/irc.fc index 65ece18..cec4a98 100644 --- a/policy/modules/contrib/irc.fc +++ b/policy/modules/contrib/irc.fc 
@@ -1,11 +1,9 @@
-#
-# /home
-#
 HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
+
+/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
-#
-# /usr
-#
 /usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi -- gen_context(system_u:object_r:irc_exec_t,s0)
 /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/contrib/irc.if b/policy/modules/contrib/irc.if
index 4f9dc90..b4930b3 100644
--- a/policy/modules/contrib/irc.if
+++ b/policy/modules/contrib/irc.if
@@ -1,31 +1,47 @@ -## IRC client policy +## IRC client policy. ######################################## ## -## Role access for IRC +## Role access for IRC. ## ## ## -## Role allowed access +## Role allowed access. ## ## ## ## -## User domain for the role +## User domain for the role. ## ## # interface(`irc_role',` gen_require(` - type irc_t, irc_exec_t; + attribute_role irc_roles; + type irc_t, irc_exec_t, irc_home_t; + type irc_tmp_t; ') - role $1 types irc_t; + ######################################## + # + # Declarations + # + + roleattribute $1 irc_roles; + + ######################################## + # + # Policy + # - # Transition from the user domain to the derived domain. domtrans_pattern($2, irc_exec_t, irc_t) - # allow ps to show irc ps_process_pattern($2, irc_t) - allow $2 irc_t:process signal; + allow $2 irc_t:process { ptrace signal_perms }; + + allow $2 { irc_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { irc_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms }; + allow $2 { irc_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi") + userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd") ') diff --git a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te index 6e2dbd2..643f49b 100644 --- a/policy/modules/contrib/irc.te +++ b/policy/modules/contrib/irc.te @@ -1,15 +1,30 @@ -policy_module(irc, 2.2.0) +policy_module(irc, 2.2.1) ######################################## # # Declarations # +## +##
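Review bot: The new `allow $2 irc_t:process { ptrace signal_perms };` in irc_role lets every user domain that is granted the role attach to the IRC client process, where the old rule allowed only `signal`; a client of this kind usually keeps server and services passwords in memory. Unless debugging the client from the user domain is a requirement, keep it to `allow $2 irc_t:process signal_perms;` and put ptrace behind a tunable. Separately, the two `userdom_user_home_dir_filetrans(irc_t, irc_home_t, ...)` calls sit inside the role interface but name `irc_t` rather than `$2`, so they presumably do not label a `.irssi` directory or `.ircmotd` file created by the user domain itself and are emitted again on every irc_role call; confirm whether `$2` was intended.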

+## Determine whether irc clients can +## listen on and connect to any +## unreserved TCP ports. +##

+##
+gen_tunable(irc_use_any_tcp_ports, false) + +attribute_role irc_roles; + type irc_t; type irc_exec_t; typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; typealias irc_t alias { auditadm_irc_t secadm_irc_t }; userdom_user_application_domain(irc_t, irc_exec_t) +role irc_roles types irc_t; + +type irc_conf_t; +files_config_file(irc_conf_t) type irc_home_t; typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; @@ -26,16 +41,17 @@ userdom_user_tmp_file(irc_tmp_t) # Local policy # -allow irc_t self:unix_stream_socket create_stream_socket_perms; -allow irc_t self:tcp_socket create_socket_perms; -allow irc_t self:udp_socket create_socket_perms; +allow irc_t self:process { signal sigkill }; +allow irc_t self:fifo_file rw_fifo_file_perms; +allow irc_t self:unix_stream_socket { accept listen }; + +allow irc_t irc_conf_t:file read_file_perms; manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) manage_files_pattern(irc_t, irc_home_t, irc_home_t) manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) -# access files under /tmp manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) 
@@ -43,26 +59,31 @@ manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
 manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
 files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
-kernel_read_proc_symlinks(irc_t)
+kernel_read_system_state(irc_t)
 corenet_all_recvfrom_unlabeled(irc_t)
 corenet_all_recvfrom_netlabel(irc_t)
 corenet_tcp_sendrecv_generic_if(irc_t)
-corenet_udp_sendrecv_generic_if(irc_t)
 corenet_tcp_sendrecv_generic_node(irc_t)
-corenet_udp_sendrecv_generic_node(irc_t)
 corenet_tcp_sendrecv_all_ports(irc_t)
-corenet_udp_sendrecv_all_ports(irc_t)
+
+corenet_sendrecv_gatekeeper_client_packets(irc_t)
+corenet_tcp_sendrecv_gatekeeper_port(irc_t)
+corenet_tcp_connect_gatekeeper_port(irc_t)
+
+corenet_sendrecv_http_cache_client_packets(irc_t)
+corenet_tcp_connect_http_cache_port(irc_t)
+corenet_tcp_sendrecv_http_cache_port(irc_t)
+
 corenet_sendrecv_ircd_client_packets(irc_t)
-# cjp: this seems excessive:
-corenet_tcp_connect_all_ports(irc_t)
-corenet_sendrecv_all_client_packets(irc_t)
+corenet_tcp_connect_ircd_port(irc_t)
+corenet_tcp_sendrecv_ircd_port(irc_t)
+
+dev_read_urand(irc_t)
+dev_read_rand(irc_t)
 domain_use_interactive_fds(irc_t)
-files_dontaudit_search_pids(irc_t)
-files_search_var(irc_t)
-files_read_etc_files(irc_t)
 files_read_usr_files(irc_t)
 fs_getattr_xattr_fs(irc_t)
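Review bot: `corenet_tcp_sendrecv_all_ports(irc_t)` is left in place as an unconditional context line, so the per-port `corenet_tcp_sendrecv_gatekeeper_port`, `corenet_tcp_sendrecv_http_cache_port` and `corenet_tcp_sendrecv_ircd_port` calls added here grant nothing new, and the same call added inside the `irc_use_any_tcp_ports` block in the following hunk is redundant as well. Connect is now limited to three port types while send/receive is not; if the intent is to confine the domain to those ports, drop the unconditional line. The reason an IRC client needs the gatekeeper and http_cache ports is not visible in the diff, so a one-line comment above each group stating the use case would help the next reader judge whether they can be narrowed further.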
@@ -71,20 +92,23 @@ fs_search_auto_mountpoints(irc_t)
 term_use_controlling_term(irc_t)
 term_list_ptys(irc_t)
-# allow utmp access
+auth_use_nsswitch(irc_t)
+
 init_read_utmp(irc_t)
 init_dontaudit_lock_utmp(irc_t)
 miscfiles_read_localization(irc_t)
-# Inherit and use descriptors from newrole.
-seutil_use_newrole_fds(irc_t)
-
-sysnet_read_config(irc_t)
-
-# Write to the user domain tty.
 userdom_use_user_terminals(irc_t)
+tunable_policy(`irc_use_any_tcp_ports',`
+ corenet_sendrecv_all_server_packets(irc_t)
+ corenet_tcp_bind_all_unreserved_ports(irc_t)
+ corenet_sendrecv_all_client_packets(irc_t)
+ corenet_tcp_connect_all_unreserved_ports(irc_t)
+ corenet_tcp_sendrecv_all_ports(irc_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(irc_t)
 fs_manage_nfs_files(irc_t)
@@ -98,5 +122,5 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 optional_policy(`
- nis_use_ypbind(irc_t)
+ seutil_use_newrole_fds(irc_t)
 ')
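Review bot: The `irc_use_any_tcp_ports` block couples `corenet_tcp_bind_all_unreserved_ports(irc_t)` with `corenet_tcp_connect_all_unreserved_ports(irc_t)`, so an administrator who only needs outbound connections to a non-standard port must also let the client listen on any unreserved port. Consider separate tunables for the bind and connect halves, or at least a comment in the block naming what the listening side is for. `auth_use_nsswitch(irc_t)` appears to stand in for the removed `sysnet_read_config` and `nis_use_ypbind` calls and, with the explicit `self:tcp_socket` rule deleted in an earlier hunk, presumably for socket creation too; a comment recording that dependency would keep a later cleanup from silently breaking the client.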