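;; Copyright (C) 2025 John Turner
;;
;; This program is free software: you can redistribute it and/or modify
;; it under the terms of the GNU General Public License as published by
;; the Free Software Foundation, either version 3 of the License, or
;; (at your option) any later version.
;;
;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;; GNU General Public License for more details.
;;
;; You should have received a copy of the GNU General Public License
;; along with this program. If not, see <https://www.gnu.org/licenses/>.

;; SELinux CIL policy module for weechat (IRC client).
;;
;; Layout:
;;   .agent.weechat.subj  - the process domain (from .subj.common.template)
;;   .agent.weechat.exec  - the executable's file type
;;   .agent.weechat.data  - config/cache/state files under the user's home
;;   .agent.weechat.run   - runtime files under /run/user/<uid>
;;
;; Everything the domain is allowed to do is listed as explicit `allow`
;; rules or `call`s into the project's permission macros; anything not
;; granted here is denied.
(in agent
    (block weechat
        (blockinherit .subj.common.template)
        (roletype .sys.role subj)

        ;; files carrying our own domain type (typically /proc/self/...)
        (allow subj self (file (setattr getattr)))

        ;; allow execing ourself and allow type transition
        ;; (.sys.subj -> .agent.weechat.subj on exec of the .exec.file type)
        (call exec.subj_type_transition (.sys.subj subj))
        (call exec.entrypoint_file_files (subj))
        (call exec.mapexecute_file_files (subj))
        (call exec.read_file_files (subj))

        ;; allow accessing our own data files
        (call data.search_file_dirs (subj))
        (call data.create_file_dirs (subj))
        (call data.create_file_files (subj))
        (call data.delete_file_files (subj))
        (call data.readwrite_file_files (subj))
        (call data.rename_file_files (subj))
        (call data.addname_file_dirs (subj))
        (call data.deletename_file_dirs (subj))
        (call data.rename_file_dirs (subj))

        ;; allow accessing our own runtime files
        (call run.search_file_dirs (subj))
        (call run.create_file_dirs (subj))
        (call run.create_file_files (subj))
        (call run.delete_file_files (subj))
        (call run.readwrite_file_files (subj))
        (call run.rename_file_files (subj))
        (call run.addname_file_dirs (subj))
        (call run.deletename_file_dirs (subj))
        (call run.rename_file_dirs (subj))

        ;; allow using unix sockets so long as they are the same type as ourself
        (allow subj self (unix_dgram_socket (create sendto read write)))

        ;; allow using the network but only irc ports specifically.
        ;; create_tcp_socket is a classpermissionset defined elsewhere in the
        ;; project; outbound connects are limited to the irc port type by the
        ;; nameconnect macro, and no other port type is granted here.
        (allow subj self create_tcp_socket)
        (call irc.nameconnect_port_tcp_sockets (subj))

        ;; use pipes
        (call .sys.readwriteinherited_subj_fifo_files (subj))

        ;; use ssl certs (read-only)
        (call .cert.search_file_dirs (subj))
        (call .cert.read_file_files (subj))

        ;; use terminal
        (call .sys.use_subj_fds (subj))
        (call .dev.readwriteinherited_file_chr_files (subj))
        (call .ptytermdev.readwriteinherited_all_chr_files (subj))

        ;; read /usr/share
        (call .data.search_file_dirs (subj))
        (call .data.read_file_files (subj))

        ;; traverse /home
        (call .home.search_file_dirs (subj))

        ;; traverse user home files
        (call .user.home.search_file_dirs (subj))

        ;; allow creating dirs in ~/.config
        ;; (only search/create/addname on the XDG dir types themselves; what
        ;; weechat creates there transitions to data.file, see the macro below)
        (call .xdg.config.user.home.search_file_dirs (subj))
        (call .xdg.config.user.home.create_file_dirs (subj))
        (call .xdg.config.user.home.addname_file_dirs (subj))

        ;; allow creating dirs in ~/.cache
        (call .xdg.cache.user.home.search_file_dirs (subj))
        (call .xdg.cache.user.home.create_file_dirs (subj))
        (call .xdg.cache.user.home.addname_file_dirs (subj))

        ;; allow creating dirs in ~/.local/share
        (call .xdg.share.user.home.search_file_dirs (subj))
        (call .xdg.share.user.home.create_file_dirs (subj))
        (call .xdg.share.user.home.addname_file_dirs (subj))

        ;; allow creating dirs in ~/.local/state
        (call .xdg.state.user.home.search_file_dirs (subj))
        (call .xdg.state.user.home.create_file_dirs (subj))
        (call .xdg.state.user.home.addname_file_dirs (subj))

        ;; allow creating files in the runtime directory
        (call .run.search_file_dirs (subj))
        (call .runuser.search_file_dirs (subj))
        (call .runuser.create_file_dirs (subj))
        (call .runuser.addname_file_dirs (subj))

        (block exec
            (blockinherit .file.exec.template)
            ;; Label the weechat executable itself.
            ;; This along with the exec.* macros called above causes executing
            ;; weechat to transition to the .agent.weechat.subj context.
            (filecon "/usr/bin/weechat" file file_context))

        (block data
            ;; This macro will be called at some point and is what makes the
            ;; files and directories weechat creates in ~/.config and such
            ;; transition to .agent.weechat.data.file from the XDG home types.
            ;; ARG1 = creating domain, ARG2 = object class, ARG3 = object name
            ;; (the bare `file` is this block's own file type, the target of
            ;; the transition).
            (macro xdg_file_type_transition_file ((type ARG1) (class ARG2) (name ARG3))
                (call .xdg.config.user.home.file_type_transition (ARG1 file ARG2 ARG3))
                (call .xdg.cache.user.home.file_type_transition (ARG1 file ARG2 ARG3))
                (call .xdg.share.user.home.file_type_transition (ARG1 file ARG2 ARG3))
                (call .xdg.state.user.home.file_type_transition (ARG1 file ARG2 ARG3)))

            (blockinherit .file.home.template)

            ;; The ".*" entries use `any` rather than `file`: the dir type
            ;; transition above labels sub-directories weechat creates as
            ;; data.file, so a restorecon must label them the same way or
            ;; the two would disagree after a relabel. This also matches the
            ;; run block below.
            (filecon "HOME_DIR/\.config/weechat" dir file_context)
            (filecon "HOME_DIR/\.config/weechat/.*" any file_context)
            (filecon "HOME_DIR/\.local/share/weechat" dir file_context)
            (filecon "HOME_DIR/\.local/share/weechat/.*" any file_context)
            (filecon "HOME_DIR/\.local/state/weechat" dir file_context)
            (filecon "HOME_DIR/\.local/state/weechat/.*" any file_context)
            (filecon "HOME_DIR/\.cache/weechat" dir file_context)
            (filecon "HOME_DIR/\.cache/weechat/.*" any file_context))

        (block run
            ;; This is similar to the file type transition macro above, but for
            ;; runtime files instead of config and state files.
            (macro file_type_transition_file ((type ARG1) (class ARG2) (name ARG3))
                (call .run.file_type_transition (ARG1 file ARG2 ARG3)))

            (blockinherit .file.run.template)

            (filecon "/run/user/%{USERID}/weechat" dir file_context)
            (filecon "/run/user/%{USERID}/weechat/.*" any file_context))))

;; Wire up the transitions: objects weechat creates in the XDG home dirs and
;; in its runtime dir get the weechat data/run file types. The name argument
;; is passed through to the project's file_type_transition macros; only the
;; runtime dir transition is restricted to the name "weechat".
(call .agent.weechat.data.xdg_file_type_transition_file (.agent.weechat.subj dir "*"))
(call .agent.weechat.data.xdg_file_type_transition_file (.agent.weechat.subj file "*"))
(call .agent.weechat.run.file_type_transition_file (.agent.weechat.subj dir "weechat"))
(call .agent.weechat.run.file_type_transition_file (.agent.weechat.subj file "*"))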