#
# Macros for irc domains.
#
#
# Author: Russell Coker <russell@coker.com.au>
#
#
# irc_domain(domain_prefix)
#
# Define a derived domain for the irc program when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/irc.te.
#
# Usage: irc_domain(user) creates user_irc_t, user_irc_exec_t and the
# rules that let user_t transition into user_irc_t.  When irc.te is not
# part of the build the macro expands to nothing, so callers in user
# policy files do not need their own ifdef guard.
#
# NOTE: the body below is an m4 quoted string; do not put apostrophes
# or backquotes in comments inside it, they would end the quote early.
#
undefine(`irc_domain')
ifdef(`irc.te', `
define(`irc_domain',`
# Home domain
# $1_irc_home_t is the per-user type for irc state kept under the home
# directory; directories that $1_irc_t creates in $1_home_dir_t are
# labelled $1_irc_home_t by the auto transition.
home_domain($1, irc)
file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)

# Derived domain based on the calling user domain and the program.
# $1_irc_exec_t is owned by the user ($1_file_type) and the user domain
# may create it and relabel files to and from it.  Combined with the
# domain_auto_trans below this means the user can mark any file they
# control as an irc executable and run it in $1_irc_t, so $1_irc_t is a
# confinement for the user, not a privilege boundary against the user.
type $1_irc_t, domain;
type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };

# Transition from the user domain to this domain.
# Both the system-wide irc_exec_t (from irc.te) and the per-user
# $1_irc_exec_t are entry points.
domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)

# The user role is authorized for this domain.
role $1_r types $1_irc_t;

# Inherit and use descriptors from gnome-pty-helper.
# Only emitted when that policy module is present.
ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')

# Inherit and use descriptors from newrole.
ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')

# allow ps to show irc
# The user domain may also send signals to its own irc processes.
can_ps($1_t, $1_irc_t)
allow $1_t $1_irc_t:process signal;

# Use the network.
# name_connect is granted to every type carrying the port_type
# attribute, i.e. any labelled TCP port.  That is broad for a client
# that normally talks to one service; narrow it to a dedicated port
# type if the port contexts define one for irc.
can_network_client($1_irc_t)
allow $1_irc_t port_type:tcp_socket name_connect;
can_ypbind($1_irc_t)

# Read-only access to files under /usr (client data, scripts, docs).
allow $1_irc_t usr_t:file { getattr read };

# Terminal access for the calling user.
access_terminal($1_irc_t, $1)

# Shared libraries, /etc configuration and locale data.
uses_shlib($1_irc_t)
allow $1_irc_t etc_t:file { read getattr };
read_locale($1_irc_t)

# Misc. filesystem and process housekeeping.
allow $1_irc_t fs_t:filesystem getattr;
allow $1_irc_t var_t:dir search;
allow $1_irc_t device_t:dir search;
allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
# privfd is an attribute of domains whose descriptors may be inherited;
# this lets the client run on descriptors passed from such domains.
allow $1_irc_t privfd:fd use;
allow $1_irc_t proc_t:dir search;
allow $1_irc_t { self proc_t }:lnk_file read;
allow $1_irc_t self:dir search;
# dontaudit grants nothing; it only silences the expected denial on
# /var/run lookups so the audit log is not flooded.
dontaudit $1_irc_t var_run_t:dir search;

# allow utmp access
# Read is granted; the lock attempt is silenced rather than allowed.
allow $1_irc_t initrc_var_run_t:file { getattr read };
dontaudit $1_irc_t initrc_var_run_t:file lock;

# access files under /tmp
# Files the client creates in tmp_t get the per-user $1_tmp_t label.
file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)

# Allow connecting to a local ircd, but only when the ircd policy is
# part of the build (ircd_t would otherwise be undefined).
ifdef(`ircd.te', `
can_tcp_connect($1_irc_t, ircd_t)
')dnl end ifdef ircd.te
')dnl end macro definition
', `
# irc.te not present: define an empty macro so callers still expand.
define(`irc_domain',`')
')dnl end ifdef irc.te