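policy_module(xchat, 1.0.0)

########################################
#
# Declarations
#

require {
	# User domains that may run xchat (see the xchat_role() calls below).
	type user_t, staff_t;
	# The roles are listed as well so the module builds even if
	# xchat_role() does not gen_require() them itself.
	role user_r;
	role staff_r;
	# Home-directory types named by the raw allow rules in the
	# "Local FS policy" section.
	type user_home_t, user_home_dir_t;
}

# The xchat process domain and the type of its executable.
type xchat_t;
type xchat_exec_t;
application_domain(xchat_t, xchat_exec_t)

# xchat's own data in the user's home directory.
# No file transition is declared for this type, so the label has to
# come from the file contexts.
type xchat_userdata_t;
userdom_user_home_content(xchat_userdata_t)

# tmpfs (shared memory) files; handed to the X server template below.
type xchat_tmpfs_t;
files_tmpfs_file(xchat_tmpfs_t)

# Private /tmp content.
type xchat_tmp_t;
files_tmp_file(xchat_tmp_t)

# Make xchat_t reachable from both unprivileged roles.
# xchat_role() is expected to be defined in this module's .if file.
xchat_role(user_r, user_t)
xchat_role(staff_r, staff_t)

## <desc>
## <p>
## Allow xchat to launch mozilla when clicking on links.
## Note that what is actually granted is the right to execute a shell
## inside xchat_t; nothing transitions to a browser domain.
## </p>
## </desc>
gen_tunable(xchat_can_launch_mozilla, false)

########################################
#
# Local FS policy
#

# Full access to its own data files.
manage_files_pattern(xchat_t, xchat_userdata_t, xchat_userdata_t)

miscfiles_read_localization(xchat_t)

# Read /usr/share and run helpers from bin directories.
# corecmd_exec_bin() has no domain transition: anything xchat starts
# keeps running as xchat_t.
files_read_usr_files(xchat_t)
corecmd_list_bin(xchat_t)
corecmd_exec_bin(xchat_t)

fs_list_inotifyfs(xchat_t)

# Read-only access to the rest of the user's home.
userdom_search_user_home_dirs(xchat_t)
userdom_read_user_home_content_files(xchat_t)
# Kept as raw rules because none of the interface calls in this file
# grants them.  NOTE(review): if a userdom_* interface covers these,
# prefer it over the raw rules.
allow xchat_t user_home_t:dir read;
allow xchat_t user_home_dir_t:file { read getattr };

fs_rw_tmpfs_files(xchat_t)

# Private /tmp files and directories, labeled on creation.
manage_files_pattern(xchat_t, xchat_tmp_t, xchat_tmp_t)
manage_dirs_pattern(xchat_t, xchat_tmp_t, xchat_tmp_t)
files_tmp_filetrans(xchat_t, xchat_tmp_t, { file dir })

# xchat getattr()s the root filesystem for reasons that are not
# understood; the access is silenced rather than allowed.
fs_dontaudit_getattr_xattr_fs(xchat_t)

########################################
#
# X server and co
#

xserver_user_x_domain_template(xchat, xchat_t, xchat_tmpfs_t)
miscfiles_read_fonts(xchat_t)
# NOTE(review): can_read_etc_gtk() is not a reference-policy interface;
# it must be provided by a local .if file.
can_read_etc_gtk(xchat_t)

########################################
#
# process, kernel and /proc, /sys
#

auth_use_nsswitch(xchat_t)

allow xchat_t self:fifo_file { read write getattr };
# Signalling itself and reading its own scheduling parameters.
allow xchat_t self:process { getsched sigkill };

# /proc/meminfo and friends.
kernel_read_system_state(xchat_t)

########################################
#
# network
#

sysnet_dns_name_resolve(xchat_t)
corenet_tcp_connect_ircd_port(xchat_t)
corenet_tcp_sendrecv_ircd_port(xchat_t)

optional_policy(`
	dbus_system_bus_client(xchat_t)
	dbus_session_bus_client(xchat_t)
')

# Temporary, for gconfd: a two-way raw unix stream connect between
# staff_t and xchat_t.  This bypasses the interface layer and gives
# user_t nothing equivalent, so xchat behaves differently under the two
# roles.  NOTE(review): replace with the interface of the domain gconfd
# really runs in once that is known.
allow staff_t xchat_t:unix_stream_socket connectto;
allow xchat_t staff_t:unix_stream_socket connectto;

########################################
#
# Tunable policy
#

tunable_policy(`xchat_can_launch_mozilla',`
	# Shell execution inside xchat_t; see the tunable's description
	# for why this is wider than "launch mozilla".
	corecmd_exec_shell(xchat_t)
')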