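policy_module(amsn, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type user_t;
	type staff_t;
	# NOTE(review): port_t, http_port_t and msnp_port_t are only referenced by
	# the commented-out raw allow rules further down; the corenet_* interfaces
	# carry their own requirements. Kept for compatibility only -- drop them
	# together with those commented rules.
	type port_t;
	type http_port_t;
	type msnp_port_t;
')

# aMSN process domain and its executable entry point.
type amsn_t;
type amsn_exec_t;
application_domain(amsn_t, amsn_exec_t)

# Per-user aMSN data kept under the user's home directory.
type amsn_userdata_t;
userdom_user_home_content(amsn_userdata_t)

# Scratch files under /tmp.
type amsn_tmp_t;
files_tmp_file(amsn_tmp_t)

# tmpfs (shared memory) files used by the X client template below.
type amsn_tmpfs_t;
files_tmpfs_file(amsn_tmpfs_t)

# Roles are granted directly here rather than from the role/userdomain policy,
# so only user_r and staff_r may run aMSN in the amsn_t domain.
amsn_role(user_r, user_t)
amsn_role(staff_r, staff_t)

# SECURITY: while this statement is present amsn_t is a permissive domain --
# every denial is only logged as an AVC message and nothing is actually
# blocked, so this module provides no confinement at all. It is acceptable
# only while collecting denials during development; remove it before the
# module is shipped or enabled on a system where confinement matters.
permissive amsn_t;

########################################
#
# Local FS policy
#

# Full control over its own per-user data.
manage_dirs_pattern(amsn_t, amsn_userdata_t, amsn_userdata_t)
manage_files_pattern(amsn_t, amsn_userdata_t, amsn_userdata_t)

# Scratch files and directories in /tmp, created with the amsn_tmp_t label.
manage_dirs_pattern(amsn_t, amsn_tmp_t, amsn_tmp_t)
manage_files_pattern(amsn_t, amsn_tmp_t, amsn_tmp_t)
files_tmp_filetrans(amsn_t, amsn_tmp_t, { file dir })

# Read-only access to the rest of the user's home content
# (presumably to pick files to send -- confirm against audit logs).
userdom_read_user_home_content_files(amsn_t)

# Localization data and files under /usr.
miscfiles_read_localization(amsn_t)
files_read_usr_files(amsn_t)

# Runs helper programs from the bin directories, including a shell.
# NOTE(review): corecmd_exec_shell() lets a compromised client (for example
# via a malicious contact or plugin) run arbitrary shell pipelines as amsn_t.
# Identify from the AVC log which helper actually needs the shell and prefer
# a domain transition for it if one exists.
corecmd_list_bin(amsn_t)
corecmd_exec_bin(amsn_t)
corecmd_exec_shell(amsn_t)

# NOTE(review): reading the cracklib dictionary is unusual for an IM client;
# keep it only if it was driven by an actual denial, otherwise drop it.
usermanage_read_crack_db(amsn_t)

fs_dontaudit_getattr_xattr_fs(amsn_t)

optional_policy(`
	can_read_etc_gtk(amsn_t)
	# read_home_local(amsn_t)
')

########################################
#
# X server and related
#

xserver_user_x_domain_template(amsn, amsn_t, amsn_tmpfs_t)
miscfiles_read_fonts(amsn_t)

########################################
#
# Kernel and /proc
#

auth_use_nsswitch(amsn_t)

# Reads /proc/meminfo and kernel sysctls.
kernel_read_system_state(amsn_t)
kernel_read_kernel_sysctls(amsn_t)

########################################
#
# Network
#

sysnet_dns_name_resolve(amsn_t)

# Incoming peer connections: bind to any generic (unreserved) TCP port on any
# node and listen. NOTE(review): this is broad; if aMSN can be pinned to a
# fixed port range, declare a dedicated port type in corenetwork and bind to
# that instead of the generic port set.
corenet_tcp_bind_generic_node(amsn_t)
corenet_tcp_bind_generic_port(amsn_t)
allow amsn_t self:tcp_socket listen;
allow amsn_t self:fifo_file read;

# Outgoing connections to HTTP and MSNP servers.
corenet_tcp_connect_http_port(amsn_t)
corenet_tcp_sendrecv_http_port(amsn_t)
corenet_tcp_connect_msnp_port(amsn_t)
corenet_tcp_sendrecv_msnp_port(amsn_t)

# Outgoing client-to-client transfers go to whatever port the peer chose, so
# connecting to any generic port is required. Together with the generic bind
# above this makes amsn_t a fairly capable network pivot if it is compromised;
# keep that in mind when reviewing this domain's denials.
corenet_tcp_connect_generic_port(amsn_t)

# Temporary workaround for gconfd: bidirectional unix stream socket
# connections between the user's staff_t session and amsn_t.
# NOTE(review): the staff_t -> amsn_t direction lets any staff_t process
# connect to aMSN's sockets, and the reverse lets amsn_t reach every socket
# owned by staff_t, not just gconfd's. Replace these raw rules with the
# gnome/gconf interfaces once the actual denials are known, and note that
# user_t gets no equivalent rule.
allow staff_t amsn_t:unix_stream_socket connectto;
allow amsn_t staff_t:unix_stream_socket connectto;

## <desc>
## <p>
## Allow aMSN to launch mozilla when clicking on links
## </p>
## </desc>
gen_tunable(amsn_can_launch_mozilla, false)

tunable_policy(`amsn_can_launch_mozilla',`
	mozilla_domtrans(amsn_t)
	# Let the spawned browser search and read (but not modify) aMSN's
	# per-user data. mozilla_t is expected to be brought into scope by
	# mozilla_domtrans()'s own require; if that ever changes, add
	# `type mozilla_t;' to the require block at the top of this module.
	allow mozilla_t amsn_userdata_t:dir search;
	allow mozilla_t amsn_userdata_t:file { read getattr };
')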