[people/stevee/selinux-policy.git] / policy / modules / services / bitlbee.te

policy_module(bitlbee, 1.4.0)

########################################
#
# Declarations
#

type bitlbee_t;
type bitlbee_exec_t;
init_daemon_domain(bitlbee_t, bitlbee_exec_t)
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)

type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

type bitlbee_initrc_exec_t;
init_script_file(bitlbee_initrc_exec_t)

type bitlbee_tmp_t;
files_tmp_file(bitlbee_tmp_t)

type bitlbee_var_t;
files_type(bitlbee_var_t)

type bitlbee_var_run_t;
files_type(bitlbee_var_run_t)

########################################
#
# Local policy
#

allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
allow bitlbee_t self:process { setsched signal };

allow bitlbee_t self:fifo_file rw_fifo_file_perms;
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;

bitlbee_read_config(bitlbee_t)

# tmp files
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })

# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)

manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })

kernel_read_system_state(bitlbee_t)

corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_bind_generic_node(bitlbee_t)
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)
# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
# MSN can use passport auth, which is over http:
corenet_tcp_connect_http_port(bitlbee_t)
corenet_tcp_sendrecv_http_port(bitlbee_t)
corenet_tcp_connect_http_cache_port(bitlbee_t)
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
corenet_tcp_bind_ircd_port(bitlbee_t)
corenet_tcp_sendrecv_ircd_port(bitlbee_t)
corenet_sendrecv_ircd_server_packets(bitlbee_t)

dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)

files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t)
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)

libs_legacy_use_shared_libs(bitlbee_t)

auth_use_nsswitch(bitlbee_t)

logging_send_syslog_msg(bitlbee_t)

miscfiles_read_localization(bitlbee_t)

sysnet_dns_name_resolve(bitlbee_t)

optional_policy(`
	# normally started from inetd using tcpwrappers, so use those entry points
	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
Commit	Line	Data
826d0142	1	policy_module(bitlbee, 1.4.0)
8242f5a6 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type bitlbee_t;
	9	type bitlbee_exec_t;
	10	init_daemon_domain(bitlbee_t, bitlbee_exec_t)
	11	inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
	12
	13	type bitlbee_conf_t;
	14	files_config_file(bitlbee_conf_t)
	15
e87221ce CP	16	type bitlbee_initrc_exec_t;
	17	init_script_file(bitlbee_initrc_exec_t)
	18
	19	type bitlbee_tmp_t;
	20	files_tmp_file(bitlbee_tmp_t)
	21
8242f5a6 CP	22	type bitlbee_var_t;
	23	files_type(bitlbee_var_t)
	24
57ce3836 DW	25	type bitlbee_var_run_t;
	26	files_type(bitlbee_var_run_t)
	27
8242f5a6 CP	28	########################################
	29	#
	30	# Local policy
	31	#
3d3d47e4	32
11cd2b73	33	allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
169061a7	34	allow bitlbee_t self:process { setsched signal };
45624aa8 MG	35
45624aa8 MG	36	allow bitlbee_t self:fifo_file rw_fifo_file_perms;
8242f5a6 CP	37	allow bitlbee_t self:udp_socket create_socket_perms;
	38	allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
	39	allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
45624aa8	40	allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
8242f5a6 CP	41
	42	bitlbee_read_config(bitlbee_t)
	43
e87221ce CP	44	# tmp files
e87221ce CP	45	manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
45624aa8 MG	46	manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
45624aa8 MG	47	files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
e87221ce	48
8242f5a6 CP	49	# user account information is read and edited at runtime; give the usual
	50	# r/w access to bitlbee_var_t
	51	manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
	52	files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
	53
57ce3836 DW	54	manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
	55	manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
	56	manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
a96edc2f	57	files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
57ce3836	58
20272c2b CP	59	kernel_read_system_state(bitlbee_t)
20272c2b CP	60
8242f5a6 CP	61	corenet_all_recvfrom_unlabeled(bitlbee_t)
	62	corenet_udp_sendrecv_generic_if(bitlbee_t)
	63	corenet_udp_sendrecv_generic_node(bitlbee_t)
8242f5a6 CP	64	corenet_tcp_sendrecv_generic_if(bitlbee_t)
8242f5a6 CP	65	corenet_tcp_sendrecv_generic_node(bitlbee_t)
45624aa8	66	corenet_tcp_bind_generic_node(bitlbee_t)
8242f5a6 CP	67	# Allow bitlbee to connect to jabber servers
	68	corenet_tcp_connect_jabber_client_port(bitlbee_t)
	69	corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
	70	# to AIM servers:
	71	corenet_tcp_connect_aol_port(bitlbee_t)
	72	corenet_tcp_sendrecv_aol_port(bitlbee_t)
	73	# and to MMCC (Yahoo IM) servers:
	74	corenet_tcp_connect_mmcc_port(bitlbee_t)
	75	corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
	76	# and to MSNP (MSN Messenger) servers:
	77	corenet_tcp_connect_msnp_port(bitlbee_t)
	78	corenet_tcp_sendrecv_msnp_port(bitlbee_t)
04d28610 CP	79	# MSN can use passport auth, which is over http:
	80	corenet_tcp_connect_http_port(bitlbee_t)
	81	corenet_tcp_sendrecv_http_port(bitlbee_t)
a7d60686 CP	82	corenet_tcp_connect_http_cache_port(bitlbee_t)
a7d60686 CP	83	corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
11cd2b73 DG	84	corenet_tcp_bind_ircd_port(bitlbee_t)
	85	corenet_tcp_sendrecv_ircd_port(bitlbee_t)
	86	corenet_sendrecv_ircd_server_packets(bitlbee_t)
8242f5a6	87
e87221ce CP	88	dev_read_rand(bitlbee_t)
	89	dev_read_urand(bitlbee_t)
	90
8242f5a6 CP	91	files_read_etc_files(bitlbee_t)
	92	files_search_pids(bitlbee_t)
	93	# grant read-only access to the user help files
	94	files_read_usr_files(bitlbee_t)
	95
	96	libs_legacy_use_shared_libs(bitlbee_t)
8242f5a6	97
3eaa9939 DW	98	auth_use_nsswitch(bitlbee_t)
	99
	100	logging_send_syslog_msg(bitlbee_t)
	101
e87221ce CP	102	miscfiles_read_localization(bitlbee_t)
e87221ce CP	103
8242f5a6 CP	104	sysnet_dns_name_resolve(bitlbee_t)
	105
	106	optional_policy(`
	107	# normally started from inetd using tcpwrappers, so use those entry points
	108	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
	109	')