;; SELinux CIL policy for the WeeChat IRC client.
;; Declares block `weechat` inside the `agent` namespace, with two nested
;; blocks: `exec` (label for the program file) and `home` (label for per-user
;; WeeChat directories). Names with a leading dot are resolved from the global
;; namespace; names without one (exec, home, irc, data) are resolved relative
;; to this block and its enclosing namespaces.
;; NOTE(review): the macros called below are defined outside this file, so the
;; exact permissions each one grants must be confirmed against its definition.
(in agent

    (block weechat

        ;; Inherit the common subject template; presumably this is what
        ;; declares the `subj` type used throughout this block (confirm).
        (blockinherit .subj.common.template)

        (call subj.common.type (subj))

        ;; Authorize role .sys.role for the weechat subject type.
        (roletype .sys.role subj)

        ;; Domain entry: by its name this sets up the transition from
        ;; .sys.subj into subj when the file labelled by the nested `exec`
        ;; block is executed, with that file as the only entrypoint (confirm
        ;; against the macro definitions).
        (call exec.subj_type_transition (.sys.subj subj))

        (call exec.entrypoint_file_files (subj))
        (call exec.mapexecute_file_files (subj))
        (call exec.read_file_files (subj))

        ;; unix socket: datagram socket on self only; no stream socket and no
        ;; access to sockets of other domains is granted here.
        (allow subj self (unix_dgram_socket (create sendto read write)))

        ;; network: TCP socket on self, plus outbound connections limited to
        ;; whatever port type the `irc` block labels (presumably name_connect
        ;; only, going by the macro name).
        ;; NOTE(review): no listening (name_bind), UDP or non-IRC port access
        ;; is visible in this block; keep it that way unless a feature that
        ;; needs it is deliberately enabled.
        (allow subj self create_tcp_socket)
        (call irc.nameconnect_port_tcp_sockets (subj))

        ;; use ssl certs: search and read only, so the confined client cannot
        ;; alter the trust store.
        (call .cert.search_file_dirs (subj))
        (call .cert.read_file_files (subj))

        ;; use terminal: inherited file descriptors and inherited character
        ;; devices / pty-terminal devices; the macro names indicate no open
        ;; of new terminal devices is granted (confirm).
        (call .sys.use_subj_fds (subj))
        (call .dev.readwriteinherited_file_chr_files (subj))
        (call .ptytermdev.readwriteinherited_all_chr_files (subj))

        ;; use pipes: inherited fifo files from .sys subjects
        (call .sys.readwriteinherited_subj_fifo_files (subj))

        ;; read root: directory search only
        (call .root.search_file_dirs (subj))

        ;; read /etc: search, read files and read symlinks; no write access
        (call .conf.search_file_dirs (subj))
        (call .conf.read_file_files (subj))
        (call .conf.read_file_lnk_files (subj))

        ;; read /usr/share: search and read only
        (call data.search_file_dirs (subj))
        (call data.read_file_files (subj))

        ;; access config stuff: traverse the home directory hierarchy, create
        ;; directories in the generic user home type, and read/write files
        ;; carrying the private `home` type declared below.
        ;; NOTE(review): no type transition for newly created files or
        ;; directories is visible in this block. Confirm that what WeeChat
        ;; creates under the paths listed in `home` ends up with the private
        ;; type (via an inherited template or relabeling) and not the generic
        ;; user home type, since these paths can hold credentials and logs.
        (call .home.search_file_dirs (subj))
        (call .user.home.search_file_dirs (subj))
        (call .user.home.create_file_dirs (subj))
        (call home.search_file_dirs (subj))
        (call home.readwrite_file_files (subj))

        ;; access /run/user: search, and create directories under the
        ;; per-user runtime directory type
        (call .run.search_file_dirs (subj))
        (call .runuser.search_file_dirs (subj))
        (call .runuser.create_file_dirs (subj))

        ;; Label for the WeeChat program file. The rule matches regular files
        ;; only (`file`) at exactly this path.
        ;; NOTE(review): a binary installed under another path will not match
        ;; this rule and so will not receive this label.
        (block exec

            (filecon "/usr/bin/weechat" file file_context)

            (blockinherit .file.exec.template))

        ;; Private label for per-user WeeChat directories (config, data,
        ;; state and cache) and everything below them, for any file class
        ;; (`any`). HOME_DIR is the placeholder that is expanded per user
        ;; when home directory file contexts are generated.
        (block home

            (filecon "HOME_DIR/\.config/weechat(/.*)?" any file_context)
            (filecon "HOME_DIR/\.local/share/weechat(/.*)?" any file_context)
            (filecon "HOME_DIR/\.local/state/weechat(/.*)?" any file_context)
            (filecon "HOME_DIR/\.cache/weechat(/.*)?" any file_context)

            (blockinherit .file.home.user.template))))