Diffstat (limited to 'myjabberd.te')
-rw-r--r-- | myjabberd.te | 61 |
1 files changed, 57 insertions, 4 deletions
diff --git a/myjabberd.te b/myjabberd.te
index 15dbe67..2d6fd5a 100644
--- a/myjabberd.te
+++ b/myjabberd.te
@@ -6,15 +6,68 @@ policy_module(myjabberd, 1.0)
 # Declarations
 #
-type jabberd_router_t;
-type jabberd_router_exec_t;
-init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
+attribute jabberd_domain;
 require{
+ attribute port_type;
+ type jabberd_t;
 type jabberd_exec_t;
+ type jabberd_var_lib_t;
 }
+type jabberd_router_t, jabberd_domain;
+type jabberd_router_exec_t;
+init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
+
+type jabber_router_port_t, port_type;
+
 ########################################
 #
-# Local policy
+# Local policy router
 #
+
+#allow jabberd_router_t self:process setfscreate;
+
+allow jabberd_router_t self:process signal_perms;
+allow jabberd_router_t self:fifo_file read_fifo_file_perms;
+allow jabberd_router_t self:tcp_socket create_stream_socket_perms;
+allow jabberd_router_t self:udp_socket create_socket_perms;
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
+
+kernel_read_system_state(jabberd_t)
+
+files_read_etc_files(jabberd_router_t)
+files_read_etc_runtime_files(jabberd_router_t)
+
+corenet_all_recvfrom_unlabeled(jabberd_router_t)
+corenet_all_recvfrom_netlabel(jabberd_router_t)
+corenet_tcp_sendrecv_generic_if(jabberd_router_t)
+corenet_udp_sendrecv_generic_if(jabberd_router_t)
+corenet_tcp_sendrecv_generic_node(jabberd_router_t)
+corenet_udp_sendrecv_generic_node(jabberd_router_t)
+corenet_tcp_sendrecv_all_ports(jabberd_router_t)
+corenet_udp_sendrecv_all_ports(jabberd_router_t)
+corenet_tcp_bind_generic_node(jabberd_router_t)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_interserver_port(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_interserver_server_packets(jabberd_router_t)
+
+allow jabberd_router_t jabber_router_port_t:tcp_socket name_bind;
+allow jabberd_t jabber_router_port_t:tcp_socket name_connect;
+
+dev_read_urand(jabberd_router_t)
+dev_read_urand(jabberd_t)
+
+logging_send_syslog_msg(jabberd_router_t)
+
+miscfiles_read_localization(jabberd_router_t)
+
+sysnet_read_config(jabberd_router_t)
+
+optional_policy(`
+ kerberos_use(jabberd_router_t)
+') |
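Review bot: `kernel_read_system_state(jabberd_t)` sits in the "Local policy router" block among rules that otherwise target jabberd_router_t, and because jabberd_t is only pulled in through `require`, that line widens a domain owned by another module rather than the router; if the router is what needs /proc access it should read `kernel_read_system_state(jabberd_router_t)`, and if jabberd_t genuinely needs it a short comment saying why belongs beside it (the same question applies to `dev_read_urand(jabberd_t)`, though that one reads as deliberate). `type jabber_router_port_t, port_type;` is declared and consumed by the name_bind/name_connect pair, but nothing in the hunk assigns that label to a port number, so the two rules are inert until an installer runs `semanage port -a -t jabber_router_port_t -p tcp <ROUTER_PORT>`; a comment to that effect above the type declaration would save the next person an audit2allow session. `manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)` also gives the router full write access to the same type jabberd_t uses, so if the router only needs its own state a dedicated type such as `jabberd_router_var_lib_t` would keep the two domains from writing each other's files. The commented-out `#allow jabberd_router_t self:process setfscreate;` should either be dropped or carry a note on why it is kept.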