authorJohn Turner <jturner.usa@gmail.com>2025-08-28 02:47:39 -0400
committerJohn Turner <jturner.usa@gmail.com>2025-08-28 02:47:39 -0400
commit1d7157312ea2b853a8bda4f33042f2d8d40e7ad6 (patch)
tree80a9779ef5aee57c9eadd90375d289046dfe8619 /src/agent
parent9a91e4bcfa0cd55e338a8ede881f2529e7acfb47 (diff)
rewrite weechat.cil
Diffstat (limited to 'src/agent')
-rw-r--r--src/agent/weechat.cil144
1 files changed, 95 insertions, 49 deletions
diff --git a/src/agent/weechat.cil b/src/agent/weechat.cil
index 4fd8a64..bfb9f99 100644
--- a/src/agent/weechat.cil
+++ b/src/agent/weechat.cil
@@ -15,23 +15,49 @@
(in agent
(block weechat
-
(blockinherit .subj.common.template)
- (call subj.common.type (subj))
(roletype .sys.role subj)
+ (allow subj self (file (setattr getattr)))
+
+ ;; allow execing ourself and allow type transition
(call exec.subj_type_transition (.sys.subj subj))
(call exec.entrypoint_file_files (subj))
(call exec.mapexecute_file_files (subj))
(call exec.read_file_files (subj))
- ;; unix socket
+ ;; allow accessing our own data files
+ (call data.search_file_dirs (subj))
+ (call data.create_file_dirs (subj))
+ (call data.create_file_files (subj))
+ (call data.delete_file_files (subj))
+ (call data.readwrite_file_files (subj))
+ (call data.rename_file_files (subj))
+ (call data.addname_file_dirs (subj))
+ (call data.deletename_file_dirs (subj))
+ (call data.rename_file_dirs (subj))
+
+ ;; allow accessing our own runtime files
+ (call run.search_file_dirs (subj))
+ (call run.create_file_dirs (subj))
+ (call run.create_file_files (subj))
+ (call run.delete_file_files (subj))
+ (call run.readwrite_file_files (subj))
+ (call run.rename_file_files (subj))
+ (call run.addname_file_dirs (subj))
+ (call run.deletename_file_dirs (subj))
+ (call run.rename_file_dirs (subj))
+
+ ;; allow using unix sockets so long as they are the same type as ourself
(allow subj self (unix_dgram_socket (create sendto read write)))
- ;; network
+ ;; allowing using the network but only irc ports specifically
(allow subj self create_tcp_socket)
(call irc.nameconnect_port_tcp_sockets (subj))
+
+ ;; use pipes
+ (call .sys.readwriteinherited_subj_fifo_files (subj))
;; use ssl certs
(call .cert.search_file_dirs (subj))
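Review bot: The new `(allow subj self (file (setattr getattr)))` rule near the top of the hunk is the only rule in this block without a purpose comment, while every other new group of rules gets one. Files carrying the subject's own type are normally the process's own /proc/<pid> entries, but the rule does not say which access triggered it, so a comment such as `;; allow getattr/setattr on files labelled with our own type (e.g. /proc/self entries)` would let the next reader check whether setattr is really needed or only getattr. Separately, the comment `;; allowing using the network but only irc ports specifically` should read `;; allow using the network, but only irc ports specifically`. The enclosing `(block weechat` continues into the next hunk.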
@@ -40,66 +66,86 @@
;; use terminal
(call .sys.use_subj_fds (subj))
(call .dev.readwriteinherited_file_chr_files (subj))
- (call .ptytermdev.readwriteinherited_all_chr_files (subj))
-
- ;; use pipes
- (call .sys.readwriteinherited_subj_fifo_files (subj))
-
- ;; read root
- (call .root.search_file_dirs (subj))
+ (call .ptytermdev.readwriteinherited_all_chr_files (subj))
- ;; read /etc
- (call .conf.search_file_dirs (subj))
- (call .conf.read_file_files (subj))
- (call .conf.read_file_lnk_files (subj))
-
;; read /usr/share
(call .data.search_file_dirs (subj))
(call .data.read_file_files (subj))
-
- ;; access config stuff
+
+ ;; traverse /home
(call .home.search_file_dirs (subj))
+
+ ;; traverse user home files
(call .user.home.search_file_dirs (subj))
- (call .user.home.create_file_dirs (subj))
- (call .agent.weechat.home.search_file_dirs (subj))
- (call .agent.weechat.home.readwrite_file_files (subj))
- ;; access /run/user
- (call .run.search_file_dirs (subj))
- (call .runuser.search_file_dirs (subj))
- (call .user.run.search_file_dirs (subj))
- (call .user.run.create_file_dirs (subj))
- (call .user.run.addname_file_dirs (subj))
+ ;; allow creating dirs in ~/.config
+ (call .xdg.config.user.home.search_file_dirs (subj))
+ (call .xdg.config.user.home.create_file_dirs (subj))
+ (call .xdg.config.user.home.addname_file_dirs (subj))
+
+ ;; allow creating dirs in ~/.cache
+ (call .xdg.cache.user.home.search_file_dirs (subj))
+ (call .xdg.cache.user.home.create_file_dirs (subj))
+ (call .xdg.cache.user.home.addname_file_dirs (subj))
+
+ ;; allow creating dirs in ~/.local/share
+ (call .xdg.share.user.home.search_file_dirs (subj))
+ (call .xdg.share.user.home.create_file_dirs (subj))
+ (call .xdg.share.user.home.addname_file_dirs (subj))
- ;; access /run/user/${UID}/weechat
- (call .agent.weechat.run.search_file_dirs (subj))
- (call .agent.weechat.run.create_file_dirs (subj))
- (call .agent.weechat.run.write_file_dirs (subj))
- (call .agent.weechat.run.readwrite_file_files (subj))
+ ;; allow creating dirs in ~/.local/state
+ (call .xdg.state.user.home.search_file_dirs (subj))
+ (call .xdg.state.user.home.create_file_dirs (subj))
+ (call .xdg.state.user.home.addname_file_dirs (subj))
+ ;; allow creating files in the runtime directory
+ (call .run.search_file_dirs (subj))
+ (call .runuser.search_file_dirs (subj))
+ (call .runuser.create_file_dirs (subj))
+ (call .runuser.addname_file_dirs (subj))
+
(block exec
-
- (filecon "/usr/bin/weechat" file file_context)
-
- (blockinherit .file.exec.template))
-
- (block home
-
- (filecon "HOME_DIR/\.config/weechat(/.*)?" any file_context)
- (filecon "HOME_DIR/\.local/share/weechat(/.*)?" any file_context)
- (filecon "HOME_DIR/\.local/state/weechat(/.*)?" any file_context)
- (filecon "HOME_DIR/\.cache/weechat(/.*)?" any file_context)
-
- (blockinherit .file.home.user.template))
+ (blockinherit .file.exec.template)
+
+ ;; Label the weechat executable itself.
+ ;; This along with some macros we called earlier cause executing weechat to transition to
+ ;; the .weechat.subj context.
+ (filecon "/usr/bin/weechat" file file_context))
+
+ (block data
+ ;; This macro will be called at some point and is what makes the files and directories
+ ;; weechat creates in ~/.config and such transition to .weechat.data.file type from
+ ;; .user.home.file.
+ (macro xdg_file_type_transition_file ((type ARG1) (class ARG2) (name ARG3))
+ (call .xdg.config.user.home.file_type_transition (ARG1 file ARG2 ARG3))
+ (call .xdg.cache.user.home.file_type_transition (ARG1 file ARG2 ARG3))
+ (call .xdg.share.user.home.file_type_transition (ARG1 file ARG2 ARG3))
+ (call .xdg.state.user.home.file_type_transition (ARG1 file ARG2 ARG3)))
+
+ (blockinherit .file.home.template)
+
+ (filecon "HOME_DIR/\.config/weechat" dir file_context)
+ (filecon "HOME_DIR/\.config/weechat/.*" file file_context)
+ (filecon "HOME_DIR/\.local/share/weechat" dir file_context)
+ (filecon "HOME_DIR/\.local/share/weechat/.*" file file_context)
+ (filecon "HOME_DIR/\.local/state/weechat" dir file_context)
+ (filecon "HOME_DIR/\.local/state/weechat/.*?" file file_context)
+ (filecon "HOME_DIR/\.cache/weechat" dir file_context)
+ (filecon "HOME_DIR/\.cache/weechat/.*" file file_context))
(block run
+ ;; This is similar to the file type transition macro above, but for runtime files instead
+ ;; of config and state files.
(macro file_type_transition_file ((type ARG1) (class ARG2) (name ARG3))
- (call .user.run.file_type_transition (ARG1 file ARG2 ARG3)))
-
- (blockinherit .file.user.run.template)
-
+ (call .run.file_type_transition (ARG1 file ARG2 ARG3)))
+
+ (blockinherit .file.run.template)
+
(filecon "/run/user/%{USERID}/weechat" dir file_context)
(filecon "/run/user/%{USERID}/weechat/.*" any file_context))))
+(call .agent.weechat.data.xdg_file_type_transition_file (.agent.weechat.subj dir "*"))
+(call .agent.weechat.data.xdg_file_type_transition_file (.agent.weechat.subj file "*"))
+
(call .agent.weechat.run.file_type_transition_file (.agent.weechat.subj dir "weechat"))
(call .agent.weechat.run.file_type_transition_file (.agent.weechat.subj file "*"))
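Review bot: The four `HOME_DIR/…/weechat/.*` filecon entries in the new data block use the `file` class, so on a relabel (restorecon) any subdirectory under ~/.config/weechat, ~/.local/share/weechat, ~/.local/state/weechat or ~/.cache/weechat would presumably be labelled by the next-best generic home entry rather than the weechat data type; the run block's `(filecon "/run/user/%{USERID}/weechat/.*" any file_context)` and the removed home block both used `any`, and the data block already grants `create_file_dirs`, so `any` looks like the intent here too. The ~/.local/state entry also carries a stray `?` (`.*?`) that the other three do not; it should read `(filecon "HOME_DIR/\.local/state/weechat/.*" any file_context)`, with the same `file` → `any` change on the other three contents entries. The comment above `xdg_file_type_transition_file` says the macro "will be called at some point"; it is called at the end of this hunk with `dir "*"` and `file "*"`, and naming that call site (and `.agent.weechat.subj` rather than `.weechat.subj` in the exec block's comment) would make the comments checkable. Whether `"*"` as the object name is treated as a wildcard by `file_type_transition` is not visible here — confirm against that macro, since a literal name would only match an object actually called `*`.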