From 3b53f1ccdf2fd177410369e0dc707979d0cb902b Mon Sep 17 00:00:00 2001
From: John Turner
Date: Sun, 17 Aug 2025 13:27:32 -0400
Subject: create policy for weechat
---
 src/agent/meson.build | 1 +
 src/agent/weechat.cil | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 src/agent/meson.build
 create mode 100644 src/agent/weechat.cil
(limited to 'src/agent')
diff --git a/src/agent/meson.build b/src/agent/meson.build
new file mode 100644
index 0000000..6252199
--- /dev/null
+++ b/src/agent/meson.build
@@ -0,0 +1 @@
+modules += files('weechat.cil')
diff --git a/src/agent/weechat.cil b/src/agent/weechat.cil
new file mode 100644
index 0000000..ea5791b
--- /dev/null
+++ b/src/agent/weechat.cil
@@ -0,0 +1,65 @@
+(in agent
+ (block weechat
+
+ (blockinherit .subj.common.template)
+ (call subj.common.type (subj))
+
+ (roletype .sys.role subj)
+
+ (call exec.subj_type_transition (.sys.subj subj))
+ (call exec.entrypoint_file_files (subj))
+ (call exec.mapexecute_file_files (subj))
+ (call exec.read_file_files (subj))
+
+ ;; unix socket
+ (allow subj self (unix_dgram_socket (create sendto read write)))
+
+ ;; network
+ (allow subj self create_tcp_socket)
+ (call irc.nameconnect_port_tcp_sockets (subj))
+
+ ;; use ssl certs
+ (call .cert.search_file_dirs (subj))
+ (call .cert.read_file_files (subj))
+
+ ;; use terminal
+ (call .sys.use_subj_fds (subj))
+ (call .dev.readwriteinherited_file_chr_files (subj))
+ (call .ptytermdev.readwriteinherited_all_chr_files (subj))
+
+ ;; use pipes
+ (call .sys.readwriteinherited_subj_fifo_files (subj))
+
+ ;; read root
+ (call .root.search_file_dirs (subj))
+
+ ;; read /usr/share
+ (call data.search_file_dirs (subj))
+ (call data.read_file_files (subj))
+
+ ;; access config stuff
+ (call .home.search_file_dirs (subj))
+ (call .user.home.search_file_dirs (subj))
+ (call .user.home.create_file_dirs (subj))
+ (call home.search_file_dirs (subj))
+ (call home.readwrite_file_files (subj))
+
+ ;; access /run/user
+ (call .run.search_file_dirs (subj))
+ (call .runuser.search_file_dirs (subj))
+ (call .runuser.create_file_dirs (subj))
+
+ (block exec
+
+ (filecon "/usr/bin/weechat" file file_context)
+
+ (blockinherit .file.exec.template))
+
+ (block home
+
+ (filecon "HOME_DIR/\.config/weechat(/.*)?" any file_context)
+ (filecon "HOME_DIR/\.local/share/weechat(/.*)?" any file_context)
+ (filecon "HOME_DIR/\.local/state/weechat(/.*)?" any file_context)
+ (filecon "HOME_DIR/\.cache/weechat(/.*)?" any file_context)
+
+ (blockinherit .file.home.user.template))))
-- cgit v1.2.3
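Review bot: The four `filecon` rules in the `home` block only take effect at relabel time, while `.user.home.create_file_dirs` and `.runuser.create_file_dirs` (under `;; access config stuff` and `;; access /run/user`) let the subject create directories that keep the generic user-home and runtime-dir labels, so on a first run a freshly created `~/.config/weechat` would not match the `home.readwrite_file_files` grant unless an inherited block (presumably `.file.home.user.template`) supplies a type transition into the weechat `home` type. That transition is not visible in this hunk; it is worth confirming the template provides it or adding an explicit `typetransition` for the `weechat` directory name. Separately, the `exec` and `home` blocks and the network lines carry no comment, and `;; access config stuff` says little about scope; in the file's `;;` style, `;; per-user config/state/cache; labels defined by the filecons in block home` above `(call home.search_file_dirs (subj))` and `;; outbound IRC connections only (see irc.nameconnect_port_tcp_sockets)` above `(allow subj self create_tcp_socket)` would make the intended permissions explicit to the next reader.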