selinux-policy/policy/modules/services/bitlbee.te
2010-05-24 15:32:01 -04:00

92 lines
2.6 KiB
Plaintext

policy_module(bitlbee, 1.3.0)
########################################
#
# Declarations
#
type bitlbee_t;
type bitlbee_exec_t;
init_daemon_domain(bitlbee_t, bitlbee_exec_t)
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)
type bitlbee_initrc_exec_t;
init_script_file(bitlbee_initrc_exec_t)
type bitlbee_tmp_t;
files_tmp_file(bitlbee_tmp_t)
type bitlbee_var_t;
files_type(bitlbee_var_t)
########################################
#
# Local policy
#
#
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
allow bitlbee_t self:process signal;
bitlbee_read_config(bitlbee_t)
# tmp files
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
kernel_read_system_state(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)
# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
# MSN can use passport auth, which is over http:
corenet_tcp_connect_http_port(bitlbee_t)
corenet_tcp_sendrecv_http_port(bitlbee_t)
corenet_tcp_connect_http_cache_port(bitlbee_t)
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t)
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)
libs_legacy_use_shared_libs(bitlbee_t)
miscfiles_read_localization(bitlbee_t)
sysnet_dns_name_resolve(bitlbee_t)
optional_policy(`
# normally started from inetd using tcpwrappers, so use those entry points
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')