selinux-policy/policy/modules/apps/irc.if
2007-07-19 18:57:48 +00:00

151 lines
3.9 KiB
Plaintext

## <summary>IRC client policy</summary>
#######################################
## <summary>
## The per role template for the irc module.
## </summary>
## <desc>
## <p>
## This template creates a derived domains which are used
## for an irc client sessions.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`irc_per_role_template',`
gen_require(`
type irc_exec_t;
')
########################################
#
# Declarations
#
type $1_irc_t;
application_domain($1_irc_t,irc_exec_t)
role $3 types $1_irc_t;
type $1_irc_exec_t;
userdom_user_home_content($1,$1_irc_exec_t)
application_domain($1_irc_t,$1_irc_exec_t)
type $1_irc_home_t;
userdom_user_home_content($1,$1_irc_home_t)
type $1_irc_tmp_t;
userdom_user_home_content($1,$1_irc_tmp_t)
########################################
#
# Local policy
#
allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
allow $1_irc_t self:tcp_socket create_socket_perms;
allow $1_irc_t self:udp_socket create_socket_perms;
manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
# access files under /tmp
manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domtrans_pattern($2,irc_exec_t,$1_irc_t)
allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
# allow ps to show irc
ps_process_pattern($2,$1_irc_t)
allow $2 $1_irc_t:process signal;
kernel_read_proc_symlinks($1_irc_t)
corenet_all_recvfrom_unlabeled($1_irc_t)
corenet_all_recvfrom_netlabel($1_irc_t)
corenet_tcp_sendrecv_generic_if($1_irc_t)
corenet_udp_sendrecv_generic_if($1_irc_t)
corenet_tcp_sendrecv_all_nodes($1_irc_t)
corenet_udp_sendrecv_all_nodes($1_irc_t)
corenet_tcp_sendrecv_all_ports($1_irc_t)
corenet_udp_sendrecv_all_ports($1_irc_t)
corenet_sendrecv_ircd_client_packets($1_irc_t)
# cjp: this seems excessive:
corenet_tcp_connect_all_ports($1_irc_t)
corenet_sendrecv_all_client_packets($1_irc_t)
domain_use_interactive_fds($1_irc_t)
files_dontaudit_search_pids($1_irc_t)
files_search_var($1_irc_t)
files_read_etc_files($1_irc_t)
files_read_usr_files($1_irc_t)
fs_getattr_xattr_fs($1_irc_t)
fs_search_auto_mountpoints($1_irc_t)
term_use_controlling_term($1_irc_t)
term_list_ptys($1_irc_t)
# allow utmp access
init_read_utmp($1_irc_t)
init_dontaudit_lock_utmp($1_irc_t)
libs_use_ld_so($1_irc_t)
libs_use_shared_libs($1_irc_t)
miscfiles_read_localization($1_irc_t)
# Inherit and use descriptors from newrole.
seutil_use_newrole_fds($1_irc_t)
sysnet_read_config($1_irc_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_irc_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_irc_t)
fs_manage_nfs_files($1_irc_t)
fs_manage_nfs_symlinks($1_irc_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs($1_irc_t)
fs_manage_cifs_files($1_irc_t)
fs_manage_cifs_symlinks($1_irc_t)
')
optional_policy(`
nis_use_ypbind($1_irc_t)
')
')