From: stefan@seekline.net (Stefan Schulze Frielinghaus)
Date: Mon, 21 Dec 2009 20:53:59 +0100
Subject: [refpolicy] [PATCH 1/1] New policy module for PyICQt.
Message-ID: <1261425239-4138-1-git-send-email-stefan@seekline.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Resending this policy.
Signed-off-by: Stefan Schulze Frielinghaus
---
policy/modules/services/pyicqt.fc | 7 ++++
policy/modules/services/pyicqt.if | 1 +
policy/modules/services/pyicqt.te | 63 +++++++++++++++++++++++++++++++++++++
3 files changed, 71 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/services/pyicqt.fc
create mode 100644 policy/modules/services/pyicqt.if
create mode 100644 policy/modules/services/pyicqt.te
diff --git a/policy/modules/services/pyicqt.fc b/policy/modules/services/pyicqt.fc
new file mode 100644
index 0000000..491fe8f
--- /dev/null
+++ b/policy/modules/services/pyicqt.fc
@@ -0,0 +1,7 @@
+/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
+
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
+
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
diff --git a/policy/modules/services/pyicqt.if b/policy/modules/services/pyicqt.if
new file mode 100644
index 0000000..9604b6a
--- /dev/null
+++ b/policy/modules/services/pyicqt.if
@@ -0,0 +1 @@
+## PyICQt is an ICQ transport for XMPP server.
diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te
new file mode 100644
index 0000000..df989a3
--- /dev/null
+++ b/policy/modules/services/pyicqt.te
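Review bot: The single line `+## PyICQt is an ICQ transport for XMPP server.` in pyicqt.if lacks the `<summary>` markup that refpolicy .if file headers use and that its documentation generator parses; I would write it as `## <summary>PyICQt is an ICQ transport for XMPP servers.</summary>`. The file declares no interfaces at all, so no other module (nor an admin role) can interact with the pyicqt types; that may be acceptable for a first version, but it is worth stating in the commit message so reviewers do not take it for an omission.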
@@ -0,0 +1,63 @@
+
+policy_module(pyicqt, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pyicqt_t;
+type pyicqt_exec_t;
+init_daemon_domain(pyicqt_t, pyicqt_exec_t)
+
+type pyicqt_conf_t;
+files_config_file(pyicqt_conf_t)
+
+type pyicqt_spool_t;
+files_type(pyicqt_spool_t)
+
+type pyicqt_var_run_t;
+files_pid_file(pyicqt_var_run_t)
+
+########################################
+#
+# PyICQt policy
+#
+
+allow pyicqt_t self:fifo_file rw_fifo_file_perms;
+allow pyicqt_t self:tcp_socket create_socket_perms;
+allow pyicqt_t self:udp_socket create_socket_perms;
+
+read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
+
+manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
+
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
+
+kernel_read_system_state(pyicqt_t)
+
+corecmd_exec_bin(pyicqt_t)
+
+corenet_all_recvfrom_unlabeled(pyicqt_t)
+corenet_all_recvfrom_netlabel(pyicqt_t)
+corenet_tcp_connect_generic_port(pyicqt_t)
+corenet_tcp_sendrecv_generic_if(pyicqt_t)
+corenet_tcp_sendrecv_generic_node(pyicqt_t)
+corenet_sendrecv_generic_client_packets(pyicqt_t)
+corenet_sendrecv_unlabeled_packets(pyicqt_t)
+
+dev_read_urand(pyicqt_t)
+
+files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
+files_read_etc_files(pyicqt_t)
+files_read_usr_files(pyicqt_t)
+files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file })
+
+libs_read_lib_files(pyicqt_t)
+libs_use_ld_so(pyicqt_t)
+libs_use_shared_libs(pyicqt_t)
+
+miscfiles_read_localization(pyicqt_t)
+
+sysnet_read_config(pyicqt_t)
--
1.6.5.2
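Review bot: The rule `allow pyicqt_t self:udp_socket create_socket_perms;` is inconsistent with the rest of the network section, which only grants `corenet_tcp_sendrecv_generic_if/node` and a TCP connect — any UDP traffic the daemon attempted would still be denied at the interface and node level, so either drop that line or add `corenet_udp_sendrecv_generic_if(pyicqt_t)` and `corenet_udp_sendrecv_generic_node(pyicqt_t)` next to the TCP ones. Separately, `corenet_tcp_connect_generic_port(pyicqt_t)` lets the domain connect to every port that has no specific port type, which is broader than an ICQ-to-XMPP transport needs; if this tree defines port types for the ICQ (5190) and XMPP component ports, the matching `corenet_tcp_connect_*_port` interfaces would confine it to those, and the choice deserves a comment either way. Also note that the .fc labels `/var/run/pyicq-t(/.*)?` as a directory tree, but the domain only gets `manage_files_pattern` on pyicqt_var_run_t and a `file`-only `files_pid_filetrans`, so the directory must already exist with the right label (presumably created by packaging or an init script) — worth a comment if that is intended.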