2010-03-02 13:08:08

by corentin.labbe

Subject: [refpolicy] [PATCH 1/1] XChat IRC client policy


Signed-off-by: LABBE Corentin <[email protected]>
---
policy/modules/apps/xchat.fc | 6 +++
policy/modules/apps/xchat.if | 94 ++++++++++++++++++++++++++++++++++++++++++
policy/modules/apps/xchat.te | 92 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 192 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/apps/xchat.fc
create mode 100644 policy/modules/apps/xchat.if
create mode 100644 policy/modules/apps/xchat.te

diff --git a/policy/modules/apps/xchat.fc b/policy/modules/apps/xchat.fc
new file mode 100644
index 0000000..f5092ad
--- /dev/null
+++ b/policy/modules/apps/xchat.fc
@@ -0,0 +1,6 @@
+#
+# XChat file contexts
+#
+HOME_DIR/.xchat2.* gen_context(system_u:object_r:xchat_userdata_t,s0)
+/usr/bin/xchat -- gen_context(system_u:object_r:xchat_exec_t,s0)
+
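Review bot: The file-context pattern on the `HOME_DIR` line is looser than intended: in an .fc file the path is a regular expression, so the unescaped `.` before `xchat2` matches any single character and the trailing `.*` also matches siblings such as `HOME_DIR/.xchat2foo` rather than only the directory and its contents. Refpolicy's convention is to escape the dot and anchor the subtree, `HOME_DIR/\.xchat2(/.*)?	gen_context(system_u:object_r:xchat_userdata_t,s0)`. The hunk also adds a trailing empty line at end of file (the same happens at the end of xchat.te), which is usually dropped before merge.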
diff --git a/policy/modules/apps/xchat.if b/policy/modules/apps/xchat.if
new file mode 100644
index 0000000..e60b18c
--- /dev/null
+++ b/policy/modules/apps/xchat.if
@@ -0,0 +1,94 @@
+## <summary>Xchat IRC client</summary>
+
+########################################
+## <summary>
+## Role access for xchat
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`xchat_role',`
+ gen_require(`
+ type xchat_t, xchat_exec_t, xchat_userdata_t;
+ ')
+
+ role $1 types xchat_t;
+
+ domtrans_pattern($2, xchat_exec_t, xchat_t)
+
+ ps_process_pattern($2, xchat_t)
+ allow $2 xchat_t:process signal_perms;
+
+ manage_dirs_pattern($2, xchat_userdata_t, xchat_userdata_t)
+ manage_lnk_files_pattern($2, xchat_userdata_t, xchat_userdata_t)
+ manage_files_pattern($2, xchat_userdata_t, xchat_userdata_t)
+
+ relabel_dirs_pattern($2, xchat_userdata_t, xchat_userdata_t)
+ relabel_lnk_files_pattern($2, xchat_userdata_t, xchat_userdata_t)
+ relabel_files_pattern($2, xchat_userdata_t, xchat_userdata_t)
+
+ xchat_stream_connect($2)
+')
+
+########################################
+## <summary>
+## Stream connect to XChat
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xchat_stream_connect', `
+ gen_require(`
+ type xchat_t;
+ ')
+ allow $1 xchat_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Stream chat with XChat
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xchat_stream_chat', `
+ gen_require(`
+ type xchat_t;
+ ')
+
+ allow $1 xchat_t:unix_stream_socket connectto;
+ allow xchat_t $1:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Can read xchat user data
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xchat_read_content', `
+ gen_require(`
+ type xchat_userdata_t;
+ ')
+ search_dirs_pattern($1, xchat_userdata_t, xchat_userdata_t)
+ read_files_pattern($1, xchat_userdata_t, xchat_userdata_t)
+')
+
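Review bot: The second rule of `xchat_stream_chat`, `allow xchat_t $1:unix_stream_socket connectto;`, lets the xchat domain connect to the caller domain's unix stream sockets, which is the reverse direction of every other interface here and is not reflected in the summary; nothing in this patch calls the interface either. Its first rule duplicates `xchat_stream_connect`, so the body could be reduced to `xchat_stream_connect($1)` followed by the reverse rule, and the summary should state the bidirectional grant, e.g. `## Connect to XChat over a unix stream socket and allow XChat to connect back to the caller's unix stream sockets.` If the reverse access is not needed by any caller, consider dropping the interface until a consumer exists.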
diff --git a/policy/modules/apps/xchat.te b/policy/modules/apps/xchat.te
new file mode 100644
index 0000000..292da5d
--- /dev/null
+++ b/policy/modules/apps/xchat.te
@@ -0,0 +1,92 @@
+policy_module(xchat, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type xchat_t;
+type xchat_exec_t;
+application_domain(xchat_t, xchat_exec_t)
+ubac_constrained(xchat_t)
+
+type xchat_userdata_t;
+userdom_user_home_content(xchat_userdata_t)
+
+type xchat_tmpfs_t;
+files_tmpfs_file(xchat_tmpfs_t)
+ubac_constrained(xchat_tmpfs_t)
+
+type xchat_tmp_t;
+files_tmp_file(xchat_tmp_t)
+ubac_constrained(xchat_tmp_t)
+
+########################################
+#
+# Local FS policy
+#
+
+allow xchat_t self:fifo_file rw_fifo_file_perms;
+allow xchat_t self:process { sigkill getsched };
+
+kernel_read_system_state(xchat_t)
+
+auth_use_nsswitch(xchat_t)
+
+corecmd_exec_bin(xchat_t)
+
+dev_read_urand(xchat_t)
+
+files_read_usr_files(xchat_t)
+files_read_etc_files(xchat_t)
+
+files_tmp_filetrans(xchat_t, xchat_tmp_t, { dir file })
+
+fs_getattr_xattr_fs(xchat_t)
+fs_list_inotifyfs(xchat_t)
+fs_rw_tmpfs_files(xchat_t)
+
+manage_files_pattern(xchat_t, xchat_userdata_t, xchat_userdata_t)
+manage_dirs_pattern(xchat_t, xchat_userdata_t, xchat_userdata_t)
+manage_files_pattern(xchat_t, xchat_tmp_t, xchat_tmp_t)
+manage_dirs_pattern(xchat_t, xchat_tmp_t, xchat_tmp_t)
+manage_files_pattern(xchat_t, xchat_tmpfs_t, xchat_tmpfs_t)
+manage_dirs_pattern(xchat_t, xchat_tmpfs_t, xchat_tmpfs_t)
+
+miscfiles_read_fonts(xchat_t)
+miscfiles_read_localization(xchat_t)
+
+read_files_pattern(xchat_t, user_home_t, user_home_t)
+read_files_pattern(xchat_t, user_home_dir_t, user_home_dir_t)
+
+userdom_read_user_home_content_files(xchat_t)
+userdom_search_user_home_dirs(xchat_t)
+userdom_user_home_dir_filetrans(xchat_t, xchat_userdata_t, { dir file })
+userdom_user_home_content_filetrans(xchat_t, xchat_userdata_t, { dir file })
+
+optional_policy(`
+ xserver_user_x_domain_template(xchat, xchat_t, xchat_tmpfs_t)
+')
+
+########################################
+#
+# network
+#
+sysnet_dns_name_resolve(xchat_t)
+
+corenet_tcp_connect_ircd_port(xchat_t)
+corenet_tcp_sendrecv_ircd_port(xchat_t)
+
+optional_policy(`
+ dbus_system_bus_client(xchat_t)
+ dbus_session_bus_client(xchat_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(xchat_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(xchat_t)
+')
+
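Review bot: The two `read_files_pattern` calls naming `user_home_t` and `user_home_dir_t` directly use types declared by the userdomain module without a `gen_require`, which breaks refpolicy's module layering (other modules' types are reached only through their interfaces) and would fail to build if userdomain is not in scope. The `userdom_read_user_home_content_files(xchat_t)` and `userdom_search_user_home_dirs(xchat_t)` calls that follow already grant the equivalent read and search access, so the two direct rules can simply be removed. Separately, `fs_rw_tmpfs_files(xchat_t)` grants read/write on every tmpfs_t file rather than only on xchat_tmpfs_t; if the intent is just xchat's own shared-memory files, the manage rules on xchat_tmpfs_t together with the xserver template may already be sufficient, which is worth confirming before keeping the broader grant.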
--
1.6.4.4


2010-03-02 13:56:23

by domg472

Subject: [refpolicy] [PATCH 1/1] XChat IRC client policy

On 03/02/2010 02:08 PM, LABBE Corentin wrote:
<snip>

Attached is a patch with the changes I would suggest to your patch.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Edit-XChat-policy.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20100302/98afbbfe/attachment.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100302/98afbbfe/attachment.bin

2010-03-02 14:15:49

by domg472

Subject: [refpolicy] [PATCH 1/1] XChat IRC client policy

On 03/02/2010 02:08 PM, LABBE Corentin wrote:
<snip>

Forgot to require xchat_tmp_t in xchat_stream_connect.
See attached patch.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Forgot-to-require-xchat_tmp_t-in-xchat_stream_connec.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20100302/252389e9/attachment-0001.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100302/252389e9/attachment-0001.bin