eggdrop policy module

Luciano Furtado lrfurtado at yahoo.com.br
Wed Mar 30 11:46:43 UTC 2011



On 11-03-28 05:06, Dominick Grift wrote:
> On 03/28/2011 02:32 AM, Luciano Furtado wrote:
> 
>> Hi guys,
> 
>> I started creating my policy module for the eggdrop irc bot. I am
>> getting stuck on simple task. I want to add a transition from
>> unconfined_t to eggdrop_t when I run a eggdrop_exec_t file.
> 
>> This is what I have:
> 
>> policy_module(eggdrop, 1.0.0)
> 
>> ########################################
>> ## Declarations
> 
>> gen_require(`
>>    type unconfined_t;
>> ')
>> type eggdrop_t;
>> type eggdrop_exec_t;
> 
>> application_executable_file(eggdrop_exec_t)
> 
> This is not required, it is in "application_domain() which you should
> call. lack of application_domain(eggdrop_t, eggdrop_exec_t) is whats
> causing the constraint violation.
> 
> Also allow the unconfined_r role the eggdrop_t domain:
> 
> role unconfined_r types eggdrop_t;
> 
> (you also will need to require "role unconfined_r;")
> 
> 
>> type eggdrop_conf_t;
>> files_config_file(eggdrop_conf_t)
> 
>> corenet_tcp_connect_ircd_port(eggdrop_t)
>> corenet_tcp_sendrecv_ircd_port(eggdrop_t)
> 
>> domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)
> 
> Better use domtrans_pattern() instead of domain_auto_trans. It better
> fits the requirements:
> 
> domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
> 
> 
> so a basic standard template to start is:
> 
> ----------->8--------------
> 
> policy_module(eggdrop, 1.0.0)
> 
> gen_require(`
>     type unconfined_t;
>     role unconfined_r;
> ')
> 
> type eggdrop_t;
> type eggdrop_exec_t;
> application_domain(eggdrop_t, eggdrop_exec_t)
> role unconfined_r types eggdrop_t;
> 
> type eggdrop_etc_t;
> files_config_file(eggdrop_etc_t)
> 
> domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
> 
> -------------8<------------
> 
> 
> 
> 
>> This is what I get when I try to load this policy module:
> 
> 
>> lrfurtado:~/selinux/eggdrop# make load
>> Loading default modules: eggdrop
>> /usr/sbin/semodule -i eggdrop.pp
>> libsepol.check_assertion_helper: neverallow violated by allow
>> unconfined_t eggdrop_t:process { transition };
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> /usr/sbin/semodule:  Failed!
>> make: *** [tmp/loaded] Error 1
>> lrfurtado:~/selinux/eggdrop#
> 
> 
>> What's the proper way of accomplishing this?
> 
> 
> 
>> On 11-03-25 15:24, Dominick Grift wrote:
>>> On 03/25/2011 08:16 PM, Luciano Furtado wrote:
>>>> Thanks Dominick,
> 
>>>> I will use this as an exercise on how to create a new policy module. I
>>>> hope you guys can tolerate my newbie questions for a while.
> 
>>> I created some screen casts and put them on youtube that show some of this:
> 
>>> Write a policy module part 1 to 4 (on fedora):
> 
>>> part 1: http://www.youtube.com/watch?v=s4EyoW_7riQ
>>> part 2: http://www.youtube.com/watch?v=G5gUt1-ttGg
>>> part 3: http://www.youtube.com/watch?v=nbFnchVAgYs
>>> part 4: http://www.youtube.com/watch?v=rUGBgzTr92A
> 
>>> Some other examples:
> 
>>> part 1: http://www.youtube.com/watch?v=sBI50O84NLo
>>> part 2: http://www.youtube.com/watch?v=ATTJ5xUKH1E
>>> part 3: http://www.youtube.com/watch?v=e3cQNi3bi70
> 
>>> may or may not be helpful.
> 
>>>> Best Regards.
>>>> Luciano
> 
> 
>>>> On 11-03-25 14:29, Dominick Grift wrote:
>>>>> On 03/25/2011 07:09 PM, Luciano Furtado wrote:
>>>>>> Hi Group,
> 
>>>>>> Does eggdrop has a selinux policy module? if so starting on which fedora
>>>>>> version?
> 
> 
>>>>> The only reference that i could find to it was:
> 
>>>>> "You can find a copy of my irssi policy here
>>>>> http://pastebin.ca/768256?srch=irssi_exec_t it also includes policy for
>>>>> eggdrop and manual pages"
> 
>>>>> - From my 2008 article
>>>>> "http://domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html"
> 
>>>>> Unfortunately seems "pastebin.ca" no longer exists. I can no longer
>>>>> access the site.
> 
> 
>>>>>> I am looking to get the sources for it , build / install it on my Debian
>>>>>> installation which doesn't seem to have a module for it.
> 
> 
>>>>>> Best Regards.
>>>>>> Luciano
> 
> 


In my policy right now I have this, which I think would allow eggdrop to
send/receive packets to any host/port combination:

corenet_tcp_sendrecv_all_ports(eggdrop_t)


If I wanted to limit eggdrop to talking only to a specific host/port, would it
be possible to use iptables to label the packets as something like
eggdrop_packet_t and then add a rule like this:

corenet_tcp_recvfrom_labeled(eggdrop_t, eggdrop_packet_t)


Is this the right approach to accomplish this?


My WIP policy is located at http://lrfurtado.vps.bitfolk.com/eggdrop/



Best Regards.
Luciano
