
policy_module(bitlbee, 1.1.0)

########################################
#
# Declarations
#

# Daemon domain and its entry-point executable.  The domain can be entered
# either as an init-started daemon or as an inetd TCP service (see the
# tcpd_wrapped_domain() call at the bottom of this file).
type bitlbee_t;
type bitlbee_exec_t;
init_daemon_domain(bitlbee_t, bitlbee_exec_t)
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)

# Configuration files; the domain gets to them through the module's own
# bitlbee_read_config() interface below (defined in the accompanying .if).
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

# Init script that starts the daemon.
type bitlbee_initrc_exec_t;
init_script_file(bitlbee_initrc_exec_t)

# Temporary files the daemon creates under /tmp.
type bitlbee_tmp_t;
files_tmp_file(bitlbee_tmp_t)

# Runtime state (user account data) kept under /var/lib; see the
# files_var_lib_filetrans() rule below.
type bitlbee_var_t;
files_type(bitlbee_var_t)

########################################
#
# Local policy
#
#

# Self permissions: sockets, fifos and signalling only.  No capability
# rules are granted to this domain.
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
allow bitlbee_t self:process signal;

# Access to bitlbee_conf_t via the module's own interface (presumably
# read-only, as the name suggests; the interface body is in the .if file).
bitlbee_read_config(bitlbee_t)

# tmp files
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)

# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
# (note that manage_* patterns also allow create/unlink/rename, not only
# read and write, so the domain fully owns files of this type)
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)

# Network access.  Generic interfaces/nodes plus loopback for TCP and UDP,
# and outbound connections restricted to the IM protocol ports listed below.
# No corenet_tcp_bind_* rules appear in this module: the listening socket is
# presumably inherited from inetd (see the tcpd_wrapped_domain() call).
# Accepting traffic from unlabeled peers covers the common case of hosts
# without labeled networking.
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_udp_sendrecv_lo_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_lo_node(bitlbee_t)
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)
# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
# MSN can use passport auth, which is over http:
corenet_tcp_connect_http_port(bitlbee_t)
corenet_tcp_sendrecv_http_port(bitlbee_t)

# Read access to /dev/random and /dev/urandom (presumably for TLS/session
# randomness; the daemon itself decides which device it opens).
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)

# Generic /etc reads and search of the pid directory; no pid file type is
# declared in this module, so nothing is written there.
files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t)
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)

# Dynamic loader and shared libraries (older refpolicy library interfaces).
libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t)

# Locale data.
miscfiles_read_localization(bitlbee_t)

# Hostname resolution: resolver configuration plus DNS traffic.
sysnet_dns_name_resolve(bitlbee_t)

optional_policy(`
	# normally started from inetd using tcpwrappers, so use those entry points
	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')