## IRC client policy ####################################### ## ## The per role template for the irc module. ## ## ##

## This template creates a derived domains which are used ## for an irc client sessions. ##

##

## This template is invoked automatically for each user, and ## generally does not need to be invoked directly ## by policy writers. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## The type of the user domain. ## ## ## ## ## The role associated with the user domain. ## ## # template(`irc_per_role_template',` gen_require(` type irc_exec_t; ') ######################################## # # Declarations # type $1_irc_t; application_domain($1_irc_t, irc_exec_t) role $3 types $1_irc_t; type $1_irc_exec_t; userdom_user_home_content($1, $1_irc_exec_t) application_domain($1_irc_t, $1_irc_exec_t) type $1_irc_home_t; userdom_user_home_content($1, $1_irc_home_t) type $1_irc_tmp_t; userdom_user_home_content($1, $1_irc_tmp_t) ######################################## # # Local policy # allow $1_irc_t self:unix_stream_socket create_stream_socket_perms; allow $1_irc_t self:tcp_socket create_socket_perms; allow $1_irc_t self:udp_socket create_socket_perms; manage_dirs_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) manage_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) manage_lnk_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t) userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file lnk_file }) # access files under /tmp manage_dirs_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) manage_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) manage_lnk_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) manage_fifo_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) manage_sock_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t) files_tmp_filetrans($1_irc_t, $1_irc_tmp_t, { file dir lnk_file sock_file fifo_file }) # Transition from the user domain to the derived domain. domtrans_pattern($2, irc_exec_t, $1_irc_t) allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms }; # allow ps to show irc ps_process_pattern($2, $1_irc_t) allow $2 $1_irc_t:process signal; kernel_read_proc_symlinks($1_irc_t) corenet_all_recvfrom_unlabeled($1_irc_t) corenet_all_recvfrom_netlabel($1_irc_t) corenet_tcp_sendrecv_generic_if($1_irc_t) corenet_udp_sendrecv_generic_if($1_irc_t) corenet_tcp_sendrecv_all_nodes($1_irc_t) corenet_udp_sendrecv_all_nodes($1_irc_t) corenet_tcp_sendrecv_all_ports($1_irc_t) corenet_udp_sendrecv_all_ports($1_irc_t) corenet_sendrecv_ircd_client_packets($1_irc_t) # cjp: this seems excessive: corenet_tcp_connect_all_ports($1_irc_t) corenet_sendrecv_all_client_packets($1_irc_t) domain_use_interactive_fds($1_irc_t) files_dontaudit_search_pids($1_irc_t) files_search_var($1_irc_t) files_read_etc_files($1_irc_t) files_read_usr_files($1_irc_t) fs_getattr_xattr_fs($1_irc_t) fs_search_auto_mountpoints($1_irc_t) term_use_controlling_term($1_irc_t) term_list_ptys($1_irc_t) # allow utmp access init_read_utmp($1_irc_t) init_dontaudit_lock_utmp($1_irc_t) miscfiles_read_localization($1_irc_t) # Inherit and use descriptors from newrole. seutil_use_newrole_fds($1_irc_t) sysnet_read_config($1_irc_t) # Write to the user domain tty. userdom_use_user_terminals($1, $1_irc_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_irc_t) fs_manage_nfs_files($1_irc_t) fs_manage_nfs_symlinks($1_irc_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs($1_irc_t) fs_manage_cifs_files($1_irc_t) fs_manage_cifs_symlinks($1_irc_t) ') optional_policy(` nis_use_ypbind($1_irc_t) ') ')