create policy for weechat

author: John Turner <jturner.usa@gmail.com> 2025-08-17 13:27:32 -0400
committer: John Turner <jturner.usa@gmail.com> 2025-08-17 20:07:11 -0400
commit: 3b53f1ccdf2fd177410369e0dc707979d0cb902b (patch)
tree: f64015f15cac922aa79e7624d6b79c4d545e9d26 /src/agent
parent: 7581d5c94345b76f709e6bc60af2db98f46de9c6 (diff)
download: selinux-policy-3b53f1ccdf2fd177410369e0dc707979d0cb902b.tar.gz
2 files changed, 66 insertions, 0 deletions
diff --git a/src/agent/meson.build b/src/agent/meson.build
new file mode 100644
index 0000000..6252199
--- /dev/null
+++ b/src/agent/meson.build
@@ -0,0 +1 @@
+modules += files('weechat.cil')
diff --git a/src/agent/weechat.cil b/src/agent/weechat.cil
new file mode 100644
index 0000000..ea5791b
--- /dev/null
+++ b/src/agent/weechat.cil
@@ -0,0 +1,65 @@
+(in agent
+    (block weechat
+
+        (blockinherit .subj.common.template)
+        (call subj.common.type (subj))
+
+        (roletype .sys.role subj)
+
+        (call exec.subj_type_transition (.sys.subj subj))
+        (call exec.entrypoint_file_files (subj))
+        (call exec.mapexecute_file_files (subj))
+        (call exec.read_file_files (subj))
+
+        ;; unix socket
+        (allow subj self (unix_dgram_socket (create sendto read write)))
+
+        ;; network
+        (allow subj self create_tcp_socket)
+        (call irc.nameconnect_port_tcp_sockets (subj))
+        
+        ;; use ssl certs
+        (call .cert.search_file_dirs (subj))
+        (call .cert.read_file_files (subj))
+
+        ;; use terminal
+        (call .sys.use_subj_fds (subj))
+        (call .dev.readwriteinherited_file_chr_files (subj))
+        (call .ptytermdev.readwriteinherited_all_chr_files (subj))
+
+        ;; use pipes
+        (call .sys.readwriteinherited_subj_fifo_files (subj))
+        
+        ;; read root
+        (call .root.search_file_dirs (subj))
+
+        ;; read /usr/share
+        (call data.search_file_dirs (subj))
+        (call data.read_file_files (subj))
+        
+        ;; access config stuff
+        (call .home.search_file_dirs (subj))
+        (call .user.home.search_file_dirs (subj))
+        (call .user.home.create_file_dirs (subj))
+        (call home.search_file_dirs (subj))
+        (call home.readwrite_file_files (subj))
+
+        ;; access /run/user
+        (call .run.search_file_dirs (subj))
+        (call .runuser.search_file_dirs (subj))
+        (call .runuser.create_file_dirs (subj))
+
+        (block exec
+            
+            (filecon "/usr/bin/weechat" file file_context)
+
+            (blockinherit .file.exec.template))
+
+        (block home
+
+            (filecon "HOME_DIR/\.config/weechat(/.*)?" any file_context)
+            (filecon "HOME_DIR/\.local/share/weechat(/.*)?" any file_context)
+            (filecon "HOME_DIR/\.local/state/weechat(/.*)?" any file_context)
+            (filecon "HOME_DIR/\.cache/weechat(/.*)?" any file_context)
+
+            (blockinherit .file.home.user.template))))
author	John Turner <jturner.usa@gmail.com>	2025-08-17 13:27:32 -0400
committer	John Turner <jturner.usa@gmail.com>	2025-08-17 20:07:11 -0400
commit	3b53f1ccdf2fd177410369e0dc707979d0cb902b (patch)
tree	f64015f15cac922aa79e7624d6b79c4d545e9d26 /src/agent
parent	7581d5c94345b76f709e6bc60af2db98f46de9c6 (diff)
download	selinux-policy-3b53f1ccdf2fd177410369e0dc707979d0cb902b.tar.gz