# SELinux reference-policy module for the bitlbee daemon.
#
# The Declarations section labels the daemon domain, its executable, init
# script, configuration, temporary, /var/lib and /var/run files.  The Local
# policy section lists what bitlbee_t may do with those labels and which
# network ports it uses (outbound IM protocols, plus the ircd port it binds).
policy_module(bitlbee, 1.4.0)

########################################
#
# Declarations
#

# bitlbee_t is the daemon domain, entered from bitlbee_exec_t either as an
# init-started daemon or as an inetd TCP service (both transitions below).
type bitlbee_t;
type bitlbee_exec_t;
init_daemon_domain(bitlbee_t, bitlbee_exec_t)
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)

# Configuration files; bitlbee_t reaches them through bitlbee_read_config()
# in the local policy below.
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

# Label for the daemon's init script.
type bitlbee_initrc_exec_t;
init_script_file(bitlbee_initrc_exec_t)

# Temporary files created under /tmp (see files_tmp_filetrans below).
type bitlbee_tmp_t;
files_tmp_file(bitlbee_tmp_t)

# Persistent state under /var/lib (user account data, per the comment in
# the local policy section).
type bitlbee_var_t;
files_type(bitlbee_var_t)

# Run-time files under /var/run: the local policy creates dirs, files and
# sockets of this type there.
# NOTE(review): declared with the generic files_type() rather than
# files_pid_file(); the latter attaches the pid-file attribute that generic
# /var/run handling elsewhere in the policy keys on — confirm which is
# intended before relying on init or tmpreaper-style cleanup of these files.
type bitlbee_var_run_t;
files_type(bitlbee_var_run_t)

########################################
#
# Local policy
#

# Process-level permissions for the daemon itself.  dac_override bypasses
# file-mode checks and is the broadest of these capabilities; it is presumably
# needed for root-owned state after privileges are dropped via setuid/setgid,
# but that is worth confirming against the daemon's actual file access.
allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
allow bitlbee_t self:process { setsched signal };

# IPC and socket permissions: pipes, UDP/TCP/unix sockets, and read-only
# netlink route queries (presumably interface/route lookups).
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;

# Interface from this module's .if file (not shown here); presumably grants
# read access to bitlbee_conf_t.
bitlbee_read_config(bitlbee_t)

# tmp files: full management of its own files and dirs under /tmp, with new
# entries automatically labelled bitlbee_tmp_t.
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })

# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t, and label new files created under /var/lib
# as bitlbee_var_t.
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)

# Run-time directory, pid file and sockets under /var/run.
manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })

# Read system state from /proc.
kernel_read_system_state(bitlbee_t)

# Generic network access: accept unlabeled traffic, send/receive on any
# interface and node, and bind to generic nodes.
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_bind_generic_node(bitlbee_t)
# Outbound connections to the IM services bitlbee gateways.
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)
# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
# MSN can use passport auth, which is over http (directly or via a cache/proxy
# port):
corenet_tcp_connect_http_port(bitlbee_t)
corenet_tcp_sendrecv_http_port(bitlbee_t)
corenet_tcp_connect_http_cache_port(bitlbee_t)
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
# The IRC side: bitlbee binds (rather than connects to) the ircd port, i.e. it
# is the server that IRC clients talk to.
corenet_tcp_bind_ircd_port(bitlbee_t)
corenet_tcp_sendrecv_ircd_port(bitlbee_t)
corenet_sendrecv_ircd_server_packets(bitlbee_t)

# Entropy sources.
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)

# Read /etc, search /var/run (needed alongside the pid filetrans above).
files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t)
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)

# Shared libraries (legacy interface).
libs_legacy_use_shared_libs(bitlbee_t)

# Name-service lookups through nsswitch (users/groups/hosts).
auth_use_nsswitch(bitlbee_t)

logging_send_syslog_msg(bitlbee_t)

miscfiles_read_localization(bitlbee_t)

sysnet_dns_name_resolve(bitlbee_t)

optional_policy(`
	# normally started from inetd using tcpwrappers, so use those entry points
	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')