authorMiroslav Grepl <mgrepl@redhat.com>2010-08-30 18:22:52 +0200
committerMiroslav Grepl <mgrepl@redhat.com>2010-08-30 18:22:52 +0200
commit46bbafd82762f96e484a4176be4838392d8c2682 (patch)
treed4a586b50a210b8733e2dfeb3559f9307a9b19c7
parent0eeec8d3999e4696994ecb3ff74342d072ce89c3 (diff)
- Fixes for jabberd_router policy (router can use kerberos)
- Fixes for myjabberd.sh script
-rw-r--r--myjabberd.fc2
-rwxr-xr-xmyjabberd.sh3
-rw-r--r--myjabberd.te61
3 files changed, 60 insertions, 6 deletions
diff --git a/myjabberd.fc b/myjabberd.fc
index db5ad27..b718a09 100644
--- a/myjabberd.fc
+++ b/myjabberd.fc
@@ -3,4 +3,4 @@
/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
-
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
diff --git a/myjabberd.sh b/myjabberd.sh
index f8d8a76..835de8d 100755
--- a/myjabberd.sh
+++ b/myjabberd.sh
@@ -12,5 +12,6 @@ echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i myjabberd.pp
+/usr/sbin/semanage port -a -t jabber_router_port_t -p tcp 5347 2> /dev/null
-/sbin/restorecon -F -R -v /usr/bin/router /usr/bin/sm /usr/bin/c2s /usr/bin/s2s
+/sbin/restorecon -F -R -v /usr/bin/router /usr/bin/sm /usr/bin/c2s /usr/bin/s2s /var/lib/jabberd
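Review bot: The new `semanage port -a` line discards stderr entirely, so every failure is silent — not only the harmless "port already defined" case on a re-run, but also a missing semanage binary, a policy that failed to load, or tcp/5347 already being owned by another port type, which would leave the router unable to name_bind while the script reports nothing. Handle the re-run case explicitly instead of masking all errors: `/usr/sbin/semanage port -a -t jabber_router_port_t -p tcp 5347 2>/dev/null || /usr/sbin/semanage port -m -t jabber_router_port_t -p tcp 5347`. A one-line comment above it noting that the port mapping is required because 5347 has no default label and that it is not removed on `semodule -r` would help the next maintainer; the rest of the script is outside the hunk.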
diff --git a/myjabberd.te b/myjabberd.te
index 15dbe67..2d6fd5a 100644
--- a/myjabberd.te
+++ b/myjabberd.te
@@ -6,15 +6,68 @@ policy_module(myjabberd, 1.0)
# Declarations
#
-type jabberd_router_t;
-type jabberd_router_exec_t;
-init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
+attribute jabberd_domain;
require{
+ attribute port_type;
+ type jabberd_t;
type jabberd_exec_t;
+ type jabberd_var_lib_t;
}
+type jabberd_router_t, jabberd_domain;
+type jabberd_router_exec_t;
+init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
+
+type jabber_router_port_t, port_type;
+
########################################
#
-# Local policy
+# Local policy router
#
+
+#allow jabberd_router_t self:process setfscreate;
+
+allow jabberd_router_t self:process signal_perms;
+allow jabberd_router_t self:fifo_file read_fifo_file_perms;
+allow jabberd_router_t self:tcp_socket create_stream_socket_perms;
+allow jabberd_router_t self:udp_socket create_socket_perms;
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+kernel_read_system_state(jabberd_t)
+
+files_read_etc_files(jabberd_router_t)
+files_read_etc_runtime_files(jabberd_router_t)
+
+corenet_all_recvfrom_unlabeled(jabberd_router_t)
+corenet_all_recvfrom_netlabel(jabberd_router_t)
+corenet_tcp_sendrecv_generic_if(jabberd_router_t)
+corenet_udp_sendrecv_generic_if(jabberd_router_t)
+corenet_tcp_sendrecv_generic_node(jabberd_router_t)
+corenet_udp_sendrecv_generic_node(jabberd_router_t)
+corenet_tcp_sendrecv_all_ports(jabberd_router_t)
+corenet_udp_sendrecv_all_ports(jabberd_router_t)
+corenet_tcp_bind_generic_node(jabberd_router_t)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_interserver_server_packets(jabberd_router_t)
+
+allow jabberd_router_t jabber_router_port_t:tcp_socket name_bind;
+allow jabberd_t jabber_router_port_t:tcp_socket name_connect;
+
+dev_read_urand(jabberd_router_t)
+dev_read_urand(jabberd_t)
+
+logging_send_syslog_msg(jabberd_router_t)
+
+miscfiles_read_localization(jabberd_router_t)
+
+sysnet_read_config(jabberd_router_t)
+
+optional_policy(`
+ kerberos_use(jabberd_router_t)
+')