From: corentin.labbe@geomatys.fr (LABBE Corentin)
Date: Tue, 2 Mar 2010 14:08:08 +0100
Subject: [refpolicy] [PATCH 1/1] XChat IRC client policy
Message-ID: <1267535288-11792-1-git-send-email-corentin.labbe@geomatys.fr>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Signed-off-by: LABBE Corentin
---
 policy/modules/apps/xchat.fc | 6 +++
 policy/modules/apps/xchat.if | 94 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/xchat.te | 92 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 192 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/apps/xchat.fc
 create mode 100644 policy/modules/apps/xchat.if
 create mode 100644 policy/modules/apps/xchat.te
diff --git a/policy/modules/apps/xchat.fc b/policy/modules/apps/xchat.fc
new file mode 100644
index 0000000..f5092ad
--- /dev/null
+++ b/policy/modules/apps/xchat.fc
@@ -0,0 +1,6 @@
+#
+# XChat file contexts
+#
+HOME_DIR/.xchat2.* gen_context(system_u:object_r:xchat_userdata_t,s0)
+/usr/bin/xchat -- gen_context(system_u:object_r:xchat_exec_t,s0)
+
diff --git a/policy/modules/apps/xchat.if b/policy/modules/apps/xchat.if
new file mode 100644
index 0000000..e60b18c
--- /dev/null
+++ b/policy/modules/apps/xchat.if
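Review bot: The home-directory pattern on the `HOME_DIR/.xchat2.*` line is an unanchored regex: the leading `.` is not escaped and the trailing `.*` has no directory boundary, so any home entry whose name matches one arbitrary character followed by `xchat2` (for instance a file called `Xxchat2-notes`) would be labelled xchat_userdata_t and become manageable by the xchat domain and by every user domain given `xchat_role`. refpolicy file contexts escape the dot and scope the match to the subtree: `HOME_DIR/\.xchat2(/.*)?	gen_context(system_u:object_r:xchat_userdata_t,s0)`. The single spaces between path, file type and context on both lines may just be this mail rendering; the .fc convention is tab-separated columns, so worth checking before merge.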
@@ -0,0 +1,94 @@
+## Xchat IRC client
+
+########################################
+##
+## Role access for xchat
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`xchat_role',`
+ gen_require(`
+ type xchat_t, xchat_exec_t, xchat_userdata_t;
+ ')
+
+ role $1 types xchat_t;
+
+ domtrans_pattern($2, xchat_exec_t, xchat_t)
+
+ ps_process_pattern($2, xchat_t)
+ allow $2 xchat_t:process signal_perms;
+
+ manage_dirs_pattern($2, xchat_userdata_t, xchat_userdata_t)
+ manage_lnk_files_pattern($2, xchat_userdata_t, xchat_userdata_t)
+ manage_files_pattern($2, xchat_userdata_t, xchat_userdata_t)
+
+ relabel_dirs_pattern($2, xchat_userdata_t, xchat_userdata_t)
+ relabel_lnk_files_pattern($2, xchat_userdata_t, xchat_userdata_t)
+ relabel_files_pattern($2, xchat_userdata_t, xchat_userdata_t)
+
+ xchat_stream_connect($2)
+')
+
+########################################
+##
+## Stream connect to XChat
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xchat_stream_connect', `
+ gen_require(`
+ type xchat_t;
+ ')
+ allow $1 xchat_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Stream chat with XChat
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xchat_stream_chat', `
+ gen_require(`
+ type xchat_t;
+ ')
+
+ allow $1 xchat_t:unix_stream_socket connectto;
+ allow xchat_t $1:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Can read xchat user data
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xchat_read_content', `
+ gen_require(`
+ type xchat_userdata_t;
+ ')
+ search_dirs_pattern($1, xchat_userdata_t, xchat_userdata_t)
+ read_files_pattern($1, xchat_userdata_t, xchat_userdata_t)
+')
+
diff --git a/policy/modules/apps/xchat.te b/policy/modules/apps/xchat.te
new file mode 100644
index 0000000..292da5d
--- /dev/null
+++ b/policy/modules/apps/xchat.te
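Review bot: `xchat_read_content` grants search on xchat_userdata_t directories and read on its files, but not search on the user home directory the `.xchat2` tree lives in, so a caller that does not already hold `userdom_search_user_home_dirs` is denied at the home-dir lookup before it ever reaches the xchat data; refpolicy's home-content read interfaces add `userdom_search_user_home_dirs($1)` ahead of the pattern calls, and the same line belongs here. Separately, `xchat_stream_chat` is bidirectional — its second rule `allow xchat_t $1:unix_stream_socket connectto;` lets the xchat domain connect to the caller's sockets — and nothing in this series calls it (`xchat_role` uses `xchat_stream_connect`); either drop it or state in its summary which peer domain it is meant for, so the reverse grant is a deliberate choice rather than an unused wide rule. `xchat_role` also gives the user domain `manage_lnk_files_pattern` on xchat_userdata_t while xchat.te gives xchat_t itself only files and dirs; pick one set for both so the client and the user see the same view of the config tree. The summary and param tags of the interfaces appear stripped in this rendering, so their documentation is not reviewed here.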
@@ -0,0 +1,92 @@
+policy_module(xchat, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type xchat_t;
+type xchat_exec_t;
+application_domain(xchat_t, xchat_exec_t)
+ubac_constrained(xchat_t)
+
+type xchat_userdata_t;
+userdom_user_home_content(xchat_userdata_t)
+
+type xchat_tmpfs_t;
+files_tmpfs_file(xchat_tmpfs_t)
+ubac_constrained(xchat_tmpfs_t)
+
+type xchat_tmp_t;
+files_tmp_file(xchat_tmp_t)
+ubac_constrained(xchat_tmp_t)
+
+########################################
+#
+# Local FS policy
+#
+
+allow xchat_t self:fifo_file rw_fifo_file_perms;
+allow xchat_t self:process { sigkill getsched };
+
+kernel_read_system_state(xchat_t)
+
+auth_use_nsswitch(xchat_t)
+
+corecmd_exec_bin(xchat_t)
+
+dev_read_urand(xchat_t)
+
+files_read_usr_files(xchat_t)
+files_read_etc_files(xchat_t)
+
+files_tmp_filetrans(xchat_t, xchat_tmp_t, { dir file })
+
+fs_getattr_xattr_fs(xchat_t)
+fs_list_inotifyfs(xchat_t)
+fs_rw_tmpfs_files(xchat_t)
+
+manage_files_pattern(xchat_t, xchat_userdata_t, xchat_userdata_t)
+manage_dirs_pattern(xchat_t, xchat_userdata_t, xchat_userdata_t)
+manage_files_pattern(xchat_t, xchat_tmp_t, xchat_tmp_t)
+manage_dirs_pattern(xchat_t, xchat_tmp_t, xchat_tmp_t)
+manage_files_pattern(xchat_t, xchat_tmpfs_t, xchat_tmpfs_t)
+manage_dirs_pattern(xchat_t, xchat_tmpfs_t, xchat_tmpfs_t)
+
+miscfiles_read_fonts(xchat_t)
+miscfiles_read_localization(xchat_t)
+
+read_files_pattern(xchat_t, user_home_t, user_home_t)
+read_files_pattern(xchat_t, user_home_dir_t, user_home_dir_t)
+
+userdom_read_user_home_content_files(xchat_t)
+userdom_search_user_home_dirs(xchat_t)
+userdom_user_home_dir_filetrans(xchat_t, xchat_userdata_t, { dir file })
+userdom_user_home_content_filetrans(xchat_t, xchat_userdata_t, { dir file })
+
+optional_policy(`
+ xserver_user_x_domain_template(xchat, xchat_t, xchat_tmpfs_t)
+')
+
+########################################
+#
+# network
+#
+sysnet_dns_name_resolve(xchat_t)
+
+corenet_tcp_connect_ircd_port(xchat_t)
+corenet_tcp_sendrecv_ircd_port(xchat_t)
+
+optional_policy(`
+ dbus_system_bus_client(xchat_t)
+ dbus_session_bus_client(xchat_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(xchat_t)
+')
+
+optional_policy(`
+ mozilla_domtrans(xchat_t)
+')
+
--
1.6.4.4
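Review bot: The two lines `read_files_pattern(xchat_t, user_home_t, user_home_t)` and `read_files_pattern(xchat_t, user_home_dir_t, user_home_dir_t)` name userdom types directly in the .te without a `gen_require`, which bypasses the userdom module's interfaces and is expected to fail when xchat is built as a loadable module; they are also redundant with `userdom_read_user_home_content_files(xchat_t)` and `userdom_search_user_home_dirs(xchat_t)` immediately below, so both can be dropped. `fs_rw_tmpfs_files(xchat_t)` grants read/write on every tmpfs_t file on the system rather than only on the module's own xchat_tmpfs_t; if it was added for X shared memory, the `xserver_user_x_domain_template(xchat, xchat_t, xchat_tmpfs_t)` call presumably already covers that through xchat_tmpfs_t — confirm and remove the system-wide rule if so. The `# network` section has no blank line between its header and `sysnet_dns_name_resolve(xchat_t)`, unlike the other sections; minor, but worth aligning with the rest of the file.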