From 5fb4db53adf5fb4f8d17057723f2cdfeb4ef47e1 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 31 Aug 2010 08:56:30 -0400
Subject: [PATCH] Add Miroslav Grepl patch for jabberd, adding new type for jabberd router.
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 policy/modules/services/jabber.fc | 9 ++
 policy/modules/services/jabber.if | 97 ++++++++++++++++++++--
 policy/modules/services/jabber.te | 104 ++++++++++++++++--------
 4 files changed, 170 insertions(+), 41 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index d739fc3d..f1188737 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -131,6 +131,7 @@ network_port(iscsi, tcp,3260,s0)
 network_port(isns, tcp,3205,s0, udp,3205,s0)
 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
 network_port(jabber_interserver, tcp,5269,s0)
+network_port(jabber_router, tcp,5347,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 network_port(kerberos_admin, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
index 4c9acec1..908eb91c 100644
--- a/policy/modules/services/jabber.fc
+++ b/policy/modules/services/jabber.fc
@@ -2,5 +2,14 @@
 
 /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
 
+# for new version of jabberd
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+
+
 /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
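Review bot: `/usr/bin/router`, `/usr/bin/sm`, `/usr/bin/c2s` and `/usr/bin/s2s` are very generic basenames, so any unrelated executable installed under one of those names is labeled `jabberd_router_exec_t` or `jabberd_exec_t` and ends up in a jabberd domain when started by init or through the new domtrans interfaces; if the jabberd 2.x packaging installs these components under a dedicated directory, the more specific path should be used instead. The two consecutive blank lines after the `/var/lib/jabberd(/.*)?` entry should be one. The comment `# for new version of jabberd` would read better as `# jabberd 2.x components` so it does not go stale.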
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
index 98784995..2873e8f8 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
@@ -1,17 +1,96 @@
 ## Jabber instant messaging server
 
-########################################
+#######################################
 ##
-## Connect to jabber over a TCP socket (Deprecated)
+## Execute a domain transition to run jabberd services
 ##
 ##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed to transition.
+##
 ##
 #
-interface(`jabber_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabber_domtrans_jabberd',`
+ gen_require(`
+ type jabberd_t, jabberd_exec_t;
+ ')
+
+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
+')
+
+######################################
+##
+## Execute a domain transition to run jabberd router service
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`jabber_domtrans_jabberd_router',`
+ gen_require(`
+ type jabberd_router_t, jabberd_router_exec_t;
+ ')
+
+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
+')
+
+#######################################
+##
+## Read jabberd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jabberd_read_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+')
+
+#######################################
+##
+## Dontaudit inherited read jabberd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jabberd_dontaudit_read_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
+')
+
+#######################################
+##
+## Create, read, write, and delete
+## jabberd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`jabberd_manage_lib_files',`
+ gen_require(`
+ type jabberd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
 ')
 
 ########################################
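Review bot: The new lib-file interfaces are named `jabberd_read_lib_files`, `jabberd_dontaudit_read_lib_files` and `jabberd_manage_lib_files`, but this module's interfaces carry the module name `jabber_` as prefix (`jabber_admin`, and the new `jabber_domtrans_jabberd` in the same hunk); they should be `jabber_read_lib_files`, `jabber_dontaudit_read_lib_files` and `jabber_manage_lib_files`. The deprecated `jabber_tcp_connect` interface is deleted outright instead of being kept as its `refpolicywarn` stub, so any policy module still calling it fails to build rather than getting the deprecation warning; keeping the stub for a release cycle is the usual course. The separator above the first new interface replaces the existing `########################################` with one that is one `#` shorter, for no apparent reason.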
@@ -35,11 +114,15 @@ interface(`jabber_admin',`
 gen_require(`
 type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
 type jabberd_var_run_t, jabberd_initrc_exec_t;
+ type jabberd_router_t;
 ')
 
 allow $1 jabberd_t:process { ptrace signal_perms };
 ps_process_pattern($1, jabberd_t)
 
+ allow $1 jabberd_router_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jabberd_router_t)
+
 init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 jabberd_initrc_exec_t system_r;
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index da2127e5..975bbcde 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,3 +1,4 @@
+
 policy_module(jabber, 1.8.0)
 
 ########################################
@@ -5,13 +6,19 @@ policy_module(jabber, 1.8.0)
 # Declarations
 #
 
-type jabberd_t;
+attribute jabberd_domain;
+
+type jabberd_t, jabberd_domain;
 type jabberd_exec_t;
 init_daemon_domain(jabberd_t, jabberd_exec_t)
 
 type jabberd_initrc_exec_t;
 init_script_file(jabberd_initrc_exec_t)
 
+type jabberd_router_t, jabberd_domain;
+type jabberd_router_exec_t;
+init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
+
 type jabberd_log_t;
 logging_log_file(jabberd_log_t)
 
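Review bot: `jabber_admin` now repeats the ptrace/signal and `ps_process_pattern` rules for `jabberd_router_t` right after the `jabberd_t` ones, while the .te in this same commit introduces the `jabberd_domain` attribute that both types carry; requiring `attribute jabberd_domain;` in the `gen_require` and writing `allow $1 jabberd_domain:process { ptrace signal_perms };` with `ps_process_pattern($1, jabberd_domain)` covers both domains and any future member without touching the interface again. The rest of `jabber_admin` continues past the end of this hunk.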
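Review bot: The module gains the `jabberd_domain` attribute, the `jabberd_router_t`/`jabberd_router_exec_t` pair and several new public interfaces, yet `policy_module(jabber, 1.8.0)` in the hunk context keeps the same version; refpolicy convention is to bump the module version whenever its declarations or interfaces change so that dependent modules are rebuilt against the new ones. The blank line added above `policy_module` in the preceding `@@ -1,3 +1,4 @@` hunk looks accidental and should be dropped.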
@@ -21,40 +28,78 @@ files_type(jabberd_var_lib_t)
 type jabberd_var_run_t;
 files_pid_file(jabberd_var_run_t)
 
+permissive jabberd_router_t;
+permissive jabberd_t;
+
+#######################################
+#
+# Local policy for jabberd domains
+#
+
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file read_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
+allow jabberd_domain self:udp_socket create_socket_perms;
+
+manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+
+# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd
+manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t)
+logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir })
+
+manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t)
+files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(jabberd_domain)
+corenet_all_recvfrom_netlabel(jabberd_domain)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_udp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
+corenet_udp_sendrecv_generic_node(jabberd_domain)
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
+
+dev_read_urand(jabberd_domain)
+dev_read_urand(jabberd_domain)
+
+files_read_etc_files(jabberd_domain)
+files_read_etc_runtime_files(jabberd_domain)
+
+logging_send_syslog_msg(jabberd_domain)
+
+miscfiles_read_localization(jabberd_domain)
+
+sysnet_read_config(jabberd_domain)
+
+######################################
+#
+# Local policy for jabberd-router
+#
+
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+
+optional_policy(`
+ kerberos_use(jabberd_router_t)
+')
+
 ########################################
 #
-# Local policy
+# Local policy for jabberd
 #
 
 allow jabberd_t self:capability dac_override;
 dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:process signal_perms;
-allow jabberd_t self:fifo_file read_fifo_file_perms;
-allow jabberd_t self:tcp_socket create_stream_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
-
-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
-
-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
-
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
 
 kernel_read_kernel_sysctls(jabberd_t)
-kernel_list_proc(jabberd_t)
 kernel_read_proc_symlinks(jabberd_t)
+kernel_read_system_state(jabberd_t)
 
-corenet_all_recvfrom_unlabeled(jabberd_t)
-corenet_all_recvfrom_netlabel(jabberd_t)
-corenet_tcp_sendrecv_generic_if(jabberd_t)
-corenet_udp_sendrecv_generic_if(jabberd_t)
-corenet_tcp_sendrecv_generic_node(jabberd_t)
-corenet_udp_sendrecv_generic_node(jabberd_t)
-corenet_tcp_sendrecv_all_ports(jabberd_t)
-corenet_udp_sendrecv_all_ports(jabberd_t)
-corenet_tcp_bind_generic_node(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
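Review bot: `permissive jabberd_router_t;` and `permissive jabberd_t;` put both daemons into permissive mode, so nothing in this hunk is actually enforced and every rule still missing is merely logged instead of denied; these are debugging statements and should be removed before the module ships. The attribute block grants `dev_read_urand(jabberd_domain)` twice, and with `files_var_lib_filetrans(jabberd_t, ...)` removed nothing visible here gives the domains search access on `/var/lib`, so reaching `/var/lib/jabberd` presumably needs `files_search_var_lib(jabberd_domain)` unless an interface outside this hunk provides it. `corenet_tcp_connect_jabber_router_port(jabberd_t)` is added without the matching `corenet_sendrecv_jabber_router_client_packets(jabberd_t)` that the new port declaration should generate, whereas the neighbouring port rules pair bind/connect with their packet interface.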
@@ -66,18 +111,9 @@ dev_read_rand(jabberd_t)
 
 domain_use_interactive_fds(jabberd_t)
 
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
-
 fs_getattr_all_fs(jabberd_t)
 fs_search_auto_mountpoints(jabberd_t)
 
-logging_send_syslog_msg(jabberd_t)
-
-miscfiles_read_localization(jabberd_t)
-
-sysnet_read_config(jabberd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 userdom_dontaudit_search_user_home_dirs(jabberd_t)
 