[people/stevee/selinux-policy.git] / policy / modules / services / bitlbee.te


policy_module(bitlbee, 1.1.0)

########################################
#
# Declarations
#

type bitlbee_t;
type bitlbee_exec_t;
init_daemon_domain(bitlbee_t, bitlbee_exec_t)
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)

type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

type bitlbee_initrc_exec_t;
init_script_file(bitlbee_initrc_exec_t)

type bitlbee_tmp_t;
files_tmp_file(bitlbee_tmp_t)

type bitlbee_var_t;
files_type(bitlbee_var_t)

########################################
#
# Local policy
#
#

allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
allow bitlbee_t self:process signal;

bitlbee_read_config(bitlbee_t)

# tmp files
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)

# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)

corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_udp_sendrecv_lo_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_lo_node(bitlbee_t)
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)
# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
# MSN can use passport auth, which is over http:
corenet_tcp_connect_http_port(bitlbee_t)
corenet_tcp_sendrecv_http_port(bitlbee_t)

dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)

files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t)
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)

libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t)

miscfiles_read_localization(bitlbee_t)

sysnet_dns_name_resolve(bitlbee_t)

optional_policy(`
	# normally started from inetd using tcpwrappers, so use those entry points
	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
Commit	Line	Data
8242f5a6	1
5d4f4b53	2	policy_module(bitlbee, 1.1.0)
8242f5a6 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type bitlbee_t;
	10	type bitlbee_exec_t;
	11	init_daemon_domain(bitlbee_t, bitlbee_exec_t)
	12	inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
	13
	14	type bitlbee_conf_t;
	15	files_config_file(bitlbee_conf_t)
	16
e87221ce CP	17	type bitlbee_initrc_exec_t;
	18	init_script_file(bitlbee_initrc_exec_t)
	19
	20	type bitlbee_tmp_t;
	21	files_tmp_file(bitlbee_tmp_t)
	22
8242f5a6 CP	23	type bitlbee_var_t;
	24	files_type(bitlbee_var_t)
	25
	26	########################################
	27	#
	28	# Local policy
	29	#
	30	#
	31
	32	allow bitlbee_t self:udp_socket create_socket_perms;
	33	allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
	34	allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
e87221ce CP	35	allow bitlbee_t self:fifo_file rw_fifo_file_perms;
e87221ce CP	36	allow bitlbee_t self:process signal;
8242f5a6 CP	37
	38	bitlbee_read_config(bitlbee_t)
	39
e87221ce CP	40	# tmp files
	41	manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
	42	files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
	43
8242f5a6 CP	44	# user account information is read and edited at runtime; give the usual
	45	# r/w access to bitlbee_var_t
	46	manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
	47	files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
	48
	49	corenet_all_recvfrom_unlabeled(bitlbee_t)
	50	corenet_udp_sendrecv_generic_if(bitlbee_t)
	51	corenet_udp_sendrecv_generic_node(bitlbee_t)
	52	corenet_udp_sendrecv_lo_node(bitlbee_t)
	53	corenet_tcp_sendrecv_generic_if(bitlbee_t)
	54	corenet_tcp_sendrecv_generic_node(bitlbee_t)
	55	corenet_tcp_sendrecv_lo_node(bitlbee_t)
	56	# Allow bitlbee to connect to jabber servers
	57	corenet_tcp_connect_jabber_client_port(bitlbee_t)
	58	corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
	59	# to AIM servers:
	60	corenet_tcp_connect_aol_port(bitlbee_t)
	61	corenet_tcp_sendrecv_aol_port(bitlbee_t)
	62	# and to MMCC (Yahoo IM) servers:
	63	corenet_tcp_connect_mmcc_port(bitlbee_t)
	64	corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
	65	# and to MSNP (MSN Messenger) servers:
	66	corenet_tcp_connect_msnp_port(bitlbee_t)
	67	corenet_tcp_sendrecv_msnp_port(bitlbee_t)
04d28610 CP	68	# MSN can use passport auth, which is over http:
	69	corenet_tcp_connect_http_port(bitlbee_t)
	70	corenet_tcp_sendrecv_http_port(bitlbee_t)
8242f5a6	71
e87221ce CP	72	dev_read_rand(bitlbee_t)
	73	dev_read_urand(bitlbee_t)
	74
8242f5a6 CP	75	files_read_etc_files(bitlbee_t)
	76	files_search_pids(bitlbee_t)
	77	# grant read-only access to the user help files
	78	files_read_usr_files(bitlbee_t)
	79
	80	libs_legacy_use_shared_libs(bitlbee_t)
	81	libs_use_ld_so(bitlbee_t)
	82
e87221ce CP	83	miscfiles_read_localization(bitlbee_t)
e87221ce CP	84
8242f5a6 CP	85	sysnet_dns_name_resolve(bitlbee_t)
	86
	87	optional_policy(`
	88	# normally started from inetd using tcpwrappers, so use those entry points
	89	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
	90	')