Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2488)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -178,6 +178,9 @@
 network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
 network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)
+network_port(eggdrop, tcp,3333,s0)
+network_port(eggdropdcc, tcp,2010,s0, tcp,2011,s0, tcp,2012,s0, tcp,2013,s0, tcp,2014,s0, tcp,2015,s0, tcp,2016,s0, tcp,2017,s0, tcp,2018,s0, tcp,2019,s0, tcp,2020,s0)
+network_port(ircdcc, tcp,4990,s0, tcp,4991,s0, tcp,4992,s0, tcp,4993,s0, tcp,4994,s0, tcp,4995,s0, tcp,4996,s0, tcp,4997,s0, tcp,4998,s0, tcp,4999,s0, tcp,5000,s0)
 # Defaults for reserved ports. Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
Index: policy/modules/apps/irssi.fc
===================================================================
--- policy/modules/apps/irssi.fc (revision 0)
+++ policy/modules/apps/irssi.fc (revision 0)
@@ -0,0 +1,6 @@
+/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0)
+
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:ROLE_irssi_home_t,s0)
+
+/etc/irssi.conf -- gen_context(system_u:object_r:irssi_etc_t,s0)
+
Index: policy/modules/apps/eggdrop.if
===================================================================
--- policy/modules/apps/eggdrop.if (revision 0)
+++ policy/modules/apps/eggdrop.if (revision 0)
@@ -0,0 +1,318 @@
+## <summary>SELinux policy module</summary>
+## <desc>
+## <p>
+## SELinux policy module for Eggdrop
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Eggdrop module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Eggdrop.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`eggdrop_per_role_template',`
+ gen_require(`
+ type eggdrop_exec_t;
+ ')
+
+ ## <desc>
+ ## <p>
+ ## Confine Eggdrop for user groups
+ ## </p>
+ ## </desc>
+ gen_tunable(eggdrop_confine_$1,false)
+
+ ########################################
+ #
+ # Declarations
+ #
+ type $1_eggdrop_t;
+ application_domain($1_eggdrop_t,eggdrop_exec_t)
+ role $3 types $1_eggdrop_t;
+
+ type $1_eggdrop_home_t;
+ files_poly_member($1_eggdrop_home_t)
+ userdom_user_home_content($1,$1_eggdrop_home_t)
+
+ type $1_eggdrop_tmp_t;
+ files_poly_member_tmp($1_eggdrop_t,$1_eggdrop_tmp_t)
+ files_tmp_file($1_eggdrop_tmp_t)
+
+ ########################################
+ #
+ # Local Policy
+ #
+ allow $1_eggdrop_t self:fifo_file rw_fifo_file_perms;
+ allow $1_eggdrop_t self:process setpgid;
+ allow $1_eggdrop_t self:tcp_socket { setopt read bind create write getattr connect listen accept };
+ allow $1_eggdrop_t self:udp_socket { write bind create read setopt connect };
+
+ allow $1_eggdrop_t $2:process sigchld;
+
+ allow $2 $1_eggdrop_t:process { ptrace signal_perms };
+
+ manage_dirs_pattern($1_eggdrop_t,$1_eggdrop_home_t,$1_eggdrop_home_t)
+ manage_files_pattern($1_eggdrop_t,$1_eggdrop_home_t,$1_eggdrop_home_t)
+ manage_lnk_files_pattern($1_eggdrop_t,$1_eggdrop_home_t,$1_eggdrop_home_t)
+
+ userdom_user_home_dir_filetrans($1,$1_eggdrop_t,$1_eggdrop_home_t,{ dir file lnk_file })
+
+ userdom_search_user_home_dirs($1,$1_eggdrop_t)
+
+ manage_dirs_pattern($2,$1_eggdrop_home_t,$1_eggdrop_home_t)
+ manage_files_pattern($2,$1_eggdrop_home_t,$1_eggdrop_home_t)
+ manage_lnk_files_pattern($2,$1_eggdrop_home_t,$1_eggdrop_home_t)
+
+ relabel_dirs_pattern($2,$1_eggdrop_home_t,$1_eggdrop_home_t)
+ relabel_files_pattern($2,$1_eggdrop_home_t,$1_eggdrop_home_t)
+ relabel_lnk_files_pattern($2,$1_eggdrop_home_t,$1_eggdrop_home_t)
+
+ manage_dirs_pattern($1_eggdrop_t,$1_eggdrop_tmp_t,$1_eggdrop_tmp_t)
+ manage_files_pattern($1_eggdrop_t,$1_eggdrop_tmp_t,$1_eggdrop_tmp_t)
+ manage_sock_files_pattern($1_eggdrop_t,$1_eggdrop_tmp_t,$1_eggdrop_tmp_t)
+ manage_lnk_files_pattern($1_eggdrop_t,$1_eggdrop_tmp_t,$1_eggdrop_tmp_t)
+ manage_fifo_files_pattern($1_eggdrop_t,$1_eggdrop_tmp_t,$1_eggdrop_tmp_t) 
+
+ files_tmp_filetrans($1_eggdrop_t,$1_eggdrop_tmp_t,{ file dir lnk_file fifo_file sock_file })
+
+ ps_process_pattern($2,$1_eggdrop_t)
+
+ userdom_use_user_terminals($1,$1_eggdrop_t)
+
+ corenet_tcp_bind_eggdrop_port($1_eggdrop_t)
+ corenet_tcp_connect_eggdrop_port($1_eggdrop_t)
+ corenet_sendrecv_eggdrop_server_packets($1_eggdrop_t)
+ corenet_sendrecv_eggdrop_client_packets($1_eggdrop_t)
+
+ corenet_tcp_connect_ircd_port($1_eggdrop_t)
+ corenet_sendrecv_ircd_client_packets($1_eggdrop_t)
+
+ corenet_tcp_connect_auth_port($1_eggdrop_t)
+ corenet_sendrecv_auth_client_packets($1_eggdrop_t)
+
+ corenet_all_recvfrom_netlabel($1_eggdrop_t)
+ corenet_all_recvfrom_unlabeled($1_eggdrop_t)
+ corenet_tcp_sendrecv_all_if($1_eggdrop_t)
+ corenet_tcp_sendrecv_all_nodes($1_eggdrop_t)
+ corenet_tcp_bind_all_nodes($1_eggdrop_t)
+ corenet_udp_bind_all_nodes($1_eggdrop_t)
+
+ fs_search_auto_mountpoints($1_eggdrop_t)
+
+ sysnet_read_config($1_eggdrop_t)
+
+ libs_exec_lib_files($1_eggdrop_t)
+ libs_use_ld_so($1_eggdrop_t)
+
+ files_read_etc_files($1_eggdrop_t)
+
+ files_read_usr_files($1_eggdrop_t)
+
+ miscfiles_read_localization($1_eggdrop_t)
+
+ nscd_read_pid($1_eggdrop_t)
+
+ corecmd_search_bin($1_eggdrop_t)
+ corecmd_read_bin_symlinks($1_eggdrop_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_eggdrop_t)
+ ') 
+
+ tunable_policy(`eggdrop_confine_$1',`
+ domain_auto_trans($2,eggdrop_exec_t,$1_eggdrop_t)
+ ',`
+ can_exec($2,eggdrop_exec_t)
+ ')
+
+ # Server 2010-2020:tcp/ Client 4990-5000:tcp
+ tunable_policy(`eggdrop_can_dcc',`
+ corenet_tcp_bind_eggdropdcc_port($1_eggdrop_t)
+ corenet_tcp_connect_eggdropdcc_port($1_eggdrop_t)
+ corenet_sendrecv_eggdropdcc_client_packets($1_eggdrop_t) 
+ corenet_sendrecv_eggdropdcc_client_packets($1_eggdrop_t)
+
+ corenet_tcp_connect_ircdcc_port($1_eggdrop_t)
+ corenet_sendrecv_ircdcc_client_packets($1_eggdrop_t)
+ ')
+
+ tunable_policy(`eggdrop_can_unreserved_tcp_network',`
+ corenet_tcp_bind_all_unreserved_ports($1_eggdrop_t)
+ corenet_tcp_connect_all_ports($1_eggdrop_t)
+ corenet_sendrecv_all_server_packets($1_eggdrop_t)
+ corenet_sendrecv_all_client_packets($1_eggdrop_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_eggdrop_t)
+ fs_manage_nfs_files($1_eggdrop_t)
+ fs_manage_nfs_symlinks($1_eggdrop_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_eggdrop_t)
+ fs_manage_cifs_files($1_eggdrop_t)
+ fs_manage_cifs_symlinks($1_eggdrop_t)
+ ')
+')
+
+########################################
+## <summary>
+## Read Eggdrop per user homedir
+## </summary>
+## <desc>
+## <p>
+## Read Eggdrop per user homedir
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`eggdrop_read_user_home_files',`
+ gen_require(`
+ type $1_eggdrop_home_t;
+ ')
+
+ allow $2 $1_eggdrop_home_t:dir list_dir_perms;
+ allow $2 $1_eggdrop_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Write Eggdrop per user homedir
+## </summary>
+## <desc>
+## <p>
+## Write Eggdrop per user homedir
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`eggdrop_write_user_home_files',`
+ gen_require(`
+ type $1_eggdrop_home_t;
+ ')
+
+ allow $2 $1_eggdrop_home_t:dir list_dir_perms;
+ allow $2 $1_eggdrop_home_t:file write;
+')
+
+########################################
+## <summary>
+## Run Eggdrop in user Eggdrop domain.
+## </summary>
+## <desc>
+## <p>
+## Run Eggdrop in user Eggdrop domain.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`eggdrop_domtrans_user_eggdrop',`
+ gen_require(`
+ type $1_eggdrop_t,eggdrop_exec_t;
+ ')
+
+ domtrans_pattern($2,eggdrop_exec_t,$1_eggdrop_t)
+')
+
+########################################
+## <summary>
+## Read/write Eggdrop per user tcp_socket
+## </summary>
+## <desc>
+## <p>
+## Read/write Eggdrop per user tcp_socket
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`eggdrop_rw_user_tcp_sockets',`
+ gen_require(`
+ type $1_eggdrop_t;
+ ')
+
+ allow $2 $1_eggdrop_t:tcp_socket rw_socket_perms;
+')
Index: policy/modules/apps/eggdrop.fc
===================================================================
--- policy/modules/apps/eggdrop.fc (revision 0)
+++ policy/modules/apps/eggdrop.fc (revision 0)
@@ -0,0 +1,4 @@
+/usr/bin/eggdrop -- gen_context(system_u:object_r:eggdrop_exec_t,s0)
+
+HOME_DIR/\eggdrop(/.*)? gen_context(system_u:object_r:ROLE_eggdrop_home_t,s0)
+
Index: policy/modules/apps/irssi.te
===================================================================
--- policy/modules/apps/irssi.te (revision 0)
+++ policy/modules/apps/irssi.te (revision 0)
@@ -0,0 +1,28 @@
+policy_module(irssi,1.0.0) 
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Irssi unreserved TCP networking
+## </p>
+## </desc>
+gen_tunable(irssi_can_unreserved_tcp_network,false)
+
+## <desc>
+## <p>
+## Allow Irssi to send and receive server and client TCP packets on IRC DCC 
+## network port range 4990 to 5000 and allow Irssi to send and receive client TCP packets
+## on Eggdrop DCC network port range 2010 to 2020 plus the default Eggdrop network port 3333. 
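Review bot: The three new `network_port()` declarations are appended after `zope`, while the surrounding context (`xserver`, `zebra`, `zope`) shows the list is kept alphabetical; `eggdrop`, `eggdropdcc` and `ircdcc` belong at their alphabetical positions so later additions and merges stay clean. The ranges 2010-2020 and 4990-5000 are site-chosen DCC ranges rather than registered service ports, so a one-line comment above each, e.g. `# DCC port range used by the eggdrop/irssi modules; adjust to the local configuration`, would tell the next maintainer why these numbers were picked. The file's own comment style (`# Defaults for reserved ports.`) already allows this.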
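Review bot: In the `eggdrop_can_dcc` block, `corenet_sendrecv_eggdropdcc_client_packets($1_eggdrop_t)` appears twice, while the preceding `corenet_tcp_bind_eggdropdcc_port($1_eggdrop_t)` and the `# Server 2010-2020:tcp` comment say the domain listens on that range, so the first of the two lines is presumably meant to be `corenet_sendrecv_eggdropdcc_server_packets($1_eggdrop_t)`; as written, a DCC listener bound to that range has no server-packet rule when packet labelling is in effect. `eggdrop_write_user_home_files` grants a bare `file write`, unlike `eggdrop_read_user_home_files` which uses `read_file_perms`; `allow $2 $1_eggdrop_home_t:file write_file_perms;` is the conventional set, and the same applies to `irssi_write_user_home_files` in irssi.if. The confine branch uses `domain_auto_trans($2,eggdrop_exec_t,$1_eggdrop_t)` whereas `eggdrop_domtrans_user_eggdrop` further down uses `domtrans_pattern`; settling on `domtrans_pattern` in both places keeps the file on one idiom (likewise `irssi_per_role_template`).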
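Review bot: The home-directory entry `HOME_DIR/\eggdrop(/.*)?` places a backslash before a plain letter; `\e` is not a meaningful escape in the regular expressions used for file contexts, and the sibling entry in irssi.fc (`HOME_DIR/\.irssi(/.*)?`) shows that only the dot is meant to be escaped. If the directory is `~/eggdrop`, the line should read `HOME_DIR/eggdrop(/.*)? gen_context(system_u:object_r:ROLE_eggdrop_home_t,s0)`; if a hidden `~/.eggdrop` was intended, `HOME_DIR/\.eggdrop(/.*)?`. With the current pattern the entry may never match, leaving `userdom_user_home_dir_filetrans` in eggdrop.if as the only source of the `ROLE_eggdrop_home_t` label, so existing bot directories would not be relabelled by `restorecon`.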
+## </p>
+## </desc>
+gen_tunable(irssi_can_dcc,false)
+
+type irssi_exec_t;
+application_executable_file(irssi_exec_t)
+
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
Index: policy/modules/apps/irssi.if
===================================================================
--- policy/modules/apps/irssi.if (revision 0)
+++ policy/modules/apps/irssi.if (revision 0)
@@ -0,0 +1,307 @@
+## <summary>SELinux policy module</summary>
+## <desc>
+## <p>
+## SELinux policy module for Irssi
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Irssi module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Irssi.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`irssi_per_role_template',`
+ gen_require(`
+ type irssi_exec_t;
+ type irssi_etc_t;
+ ')
+
+ ## <desc>
+ ## <p>
+ ## Confine Irssi for user groups
+ ## </p>
+ ## </desc>
+ gen_tunable(irssi_confine_$1,false)
+
+ ########################################
+ #
+ # Declarations
+ #
+ type $1_irssi_t;
+ application_domain($1_irssi_t,irssi_exec_t)
+ role $3 types $1_irssi_t;
+
+ type $1_irssi_home_t;
+ files_poly_member($1_irssi_home_t)
+ userdom_user_home_content($1,$1_irssi_home_t)
+
+ ########################################
+ #
+ # Local Policy
+ #
+ allow $1_irssi_t self:fifo_file rw_fifo_file_perms;
+ allow $1_irssi_t self:process signal;
+ allow $1_irssi_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+ allow $1_irssi_t self:tcp_socket { write accept getattr bind listen setopt read getopt create connect };
+ allow $1_irssi_t self:udp_socket { write read create connect getattr };
+
+ allow $1_irssi_t $2:process sigchld;
+
+ allow $2 $1_irssi_t:process { ptrace signal_perms };
+
+ allow $1_irssi_t irssi_etc_t:file { getattr read };
+
+ manage_dirs_pattern($1_irssi_t,$1_irssi_home_t,$1_irssi_home_t)
+ manage_files_pattern($1_irssi_t,$1_irssi_home_t,$1_irssi_home_t)
+ manage_lnk_files_pattern($1_irssi_t,$1_irssi_home_t,$1_irssi_home_t)
+
+ userdom_user_home_dir_filetrans($1,$1_irssi_t,$1_irssi_home_t,{ dir file lnk_file })
+
+ userdom_search_user_home_dirs($1,$1_irssi_t)
+
+ manage_dirs_pattern($2,$1_irssi_home_t,$1_irssi_home_t)
+ manage_files_pattern($2,$1_irssi_home_t,$1_irssi_home_t)
+ manage_lnk_files_pattern($2,$1_irssi_home_t,$1_irssi_home_t)
+
+ relabel_dirs_pattern($2,$1_irssi_home_t,$1_irssi_home_t)
+ relabel_files_pattern($2,$1_irssi_home_t,$1_irssi_home_t)
+ relabel_lnk_files_pattern($2,$1_irssi_home_t,$1_irssi_home_t)
+
+ corenet_tcp_connect_ircd_port($1_irssi_t)
+ corenet_sendrecv_ircd_client_packets($1_irssi_t)
+
+ corenet_all_recvfrom_netlabel($1_irssi_t)
+ corenet_all_recvfrom_unlabeled($1_irssi_t)
+ corenet_tcp_sendrecv_all_if($1_irssi_t)
+ corenet_tcp_sendrecv_all_nodes($1_irssi_t)
+ corenet_tcp_bind_all_nodes($1_irssi_t)
+ corenet_udp_bind_all_nodes($1_irssi_t)
+
+ fs_search_auto_mountpoints($1_irssi_t)
+
+ ps_process_pattern($2,$1_irssi_t)
+
+ sysnet_read_config($1_irssi_t)
+
+ libs_exec_lib_files($1_irssi_t)
+ libs_use_ld_so($1_irssi_t)
+
+ files_read_etc_files($1_irssi_t)
+
+ files_read_usr_files($1_irssi_t)
+
+ miscfiles_read_localization($1_irssi_t)
+
+ nscd_read_pid($1_irssi_t)
+
+ corecmd_search_bin($1_irssi_t)
+ corecmd_read_bin_symlinks($1_irssi_t)
+
+ userdom_use_user_terminals($1,$1_irssi_t)
+
+ optional_policy(`
+ nis_use_ypbind($1_irssi_t)
+ ')
+
+ tunable_policy(`irssi_confine_$1',`
+ domain_auto_trans($2,irssi_exec_t,$1_irssi_t)
+ ',`
+ can_exec($2,irssi_exec_t)
+ ')
+
+ # Server 4990-5000:tcp/ Client 2010-2020:tcp, 3333:tcp
+ tunable_policy(`irssi_can_dcc',`
+ corenet_tcp_bind_ircdcc_port($1_irssi_t)
+ corenet_tcp_connect_ircdcc_port($1_irssi_t)
+ corenet_sendrecv_ircdcc_server_packets($1_irssi_t)
+ corenet_sendrecv_ircdcc_client_packets($1_irssi_t)
+
+ corenet_tcp_connect_eggdropdcc_port($1_irssi_t)
+ corenet_sendrecv_eggdropdcc_client_packets($1_irssi_t)
+
+ corenet_tcp_connect_eggdrop_port($1_irssi_t)
+ corenet_sendrecv_eggdrop_client_packets($1_irssi_t) 
+ ')
+
+ tunable_policy(`irssi_can_unreserved_tcp_network',`
+ corenet_tcp_bind_all_unreserved_ports($1_irssi_t)
+ corenet_tcp_connect_all_ports($1_irssi_t)
+ corenet_sendrecv_all_server_packets($1_irssi_t)
+ corenet_sendrecv_all_client_packets($1_irssi_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_irssi_t)
+ fs_manage_nfs_files($1_irssi_t)
+ fs_manage_nfs_symlinks($1_irssi_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs($1_irssi_t)
+ fs_manage_cifs_files($1_irssi_t)
+ fs_manage_cifs_symlinks($1_irssi_t)
+ ')
+')
+
+########################################
+## <summary>
+## Read Irssi per user homedir
+## </summary>
+## <desc>
+## <p>
+## Read Irssi per user homedir
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`irssi_read_user_home_files',`
+ gen_require(`
+ type $1_irssi_home_t;
+ ')
+
+ allow $2 $1_irssi_home_t:dir list_dir_perms;
+ allow $2 $1_irssi_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Write Irssi per user homedir
+## </summary>
+## <desc>
+## <p>
+## Write Irssi per user homedir
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`irssi_write_user_home_files',`
+ gen_require(`
+ type $1_irssi_home_t;
+ ')
+
+ allow $2 $1_irssi_home_t:dir list_dir_perms;
+ allow $2 $1_irssi_home_t:file write;
+')
+
+########################################
+## <summary>
+## Run Irssi in user Irssi domain.
+## </summary>
+## <desc>
+## <p>
+## Run Irssi in user Irssi domain.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`irssi_domtrans_user_irssi',`
+ gen_require(`
+ type $1_irssi_t,irssi_exec_t;
+ ')
+
+ domtrans_pattern($2,irssi_exec_t,$1_irssi_t)
+')
+
+########################################
+## <summary>
+## Read/write Irssi per user tcp_socket
+## </summary>
+## <desc>
+## <p>
+## Read/write Irssi per user tcp_socket
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`irssi_rw_user_tcp_sockets',`
+ gen_require(`
+ type $1_irssi_t;
+ ')
+
+ allow $2 $1_irssi_t:tcp_socket rw_socket_perms;
+')
+
Index: policy/modules/apps/eggdrop.te
===================================================================
--- policy/modules/apps/eggdrop.te (revision 0)
+++ policy/modules/apps/eggdrop.te (revision 0)
@@ -0,0 +1,25 @@
+policy_module(eggdrop,1.0.0) 
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Eggdrop unreserved TCP networking
+## </p>
+## </desc>
+gen_tunable(eggdrop_can_unreserved_tcp_network,false)
+
+## <desc>
+## <p>
+## Allow Eggdrop to send and receive server and client TCP packets on Eggdrop DCC 
+## network port range 2010 to 2020, and allow Eggdrop to send and receive client TCP packets
+## on IRC DCC network port range 4990 to 5000.
+## </p>
+## </desc>
+gen_tunable(eggdrop_can_dcc,false)
+
+type eggdrop_exec_t;
+application_executable_file(eggdrop_exec_t)
Index: man/man8/eggdrop_selinux.8
===================================================================
--- man/man8/eggdrop_selinux.8 (revision 0)
+++ man/man8/eggdrop_selinux.8 (revision 0)
@@ -0,0 +1,56 @@
+.TH "eggdrop_selinux" "8" "9 Nov 2007" "domg444@gmail.com" "Eggdrop Selinux Policy documentation"
+.SH "NAME"
+eggdrop_selinux \- Security Enhanced Linux Policy for the Eggdrop daemon
+.SH "DESCRIPTION"
+Security-Enhanced Linux secures the Eggdrop daemon via flexible mandatory access control. 
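Review bot: The `<desc>` of `irssi_can_unreserved_tcp_network` ("Allow Irssi unreserved TCP networking") understates what the boolean grants: the matching `tunable_policy` block in irssi.if calls `corenet_tcp_connect_all_ports($1_irssi_t)` and `corenet_sendrecv_all_client_packets($1_irssi_t)`, so outbound connections to every TCP port, reserved ones included, are permitted, with only the bind side limited to unreserved ports. Administrators decide from this text, so it should say so, e.g. `## Allow Irssi to bind all unreserved TCP ports and to connect to any TCP port`. The same applies to `eggdrop_can_unreserved_tcp_network` in eggdrop.te. Separately, the prose in man/man8/irssi_selinux.8 and man/man8/eggdrop_selinux.8 refers to this boolean as `irssi_can_tcp_unreserved_network` / `eggdrop_can_tcp_unreserved_network`, which matches neither these declarations nor the `setsebool` examples in the same pages.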
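Review bot: `irssi_per_role_template` spells out socket permissions by hand (`self:netlink_route_socket { write getattr read bind create nlmsg_read }` and `self:tcp_socket { write accept getattr bind listen setopt read getopt create connect }`) while the rest of the file uses permission-set macros such as `rw_fifo_file_perms`, `list_dir_perms` and `rw_socket_perms`; `r_netlink_socket_perms` and `create_stream_socket_perms` are the conventional sets here, but both are supersets of the hand-written lists (they add ioctl, setattr, append, shutdown and similar), so confirm that widening is acceptable before switching. `allow $1_irssi_t irssi_etc_t:file { getattr read };` can become `allow $1_irssi_t irssi_etc_t:file read_file_perms;`, matching `irssi_read_user_home_files` in the same file. The `irssi_can_dcc` block does agree with its `# Server 4990-5000:tcp/ Client 2010-2020:tcp, 3333:tcp` comment (bind plus server and client packets on ircdcc, client only on eggdropdcc and eggdrop), which is what the corresponding eggdrop block should look like as well.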
+If SELinux Eggdrop protection is enabled for a SELinux user group, SELinux Eggdrop policy defaults to least privilege access.
+Several Booleans, and file contexts are available to customize the way Eggdrop SELinux works.
+.SH BOOLEANS
+.br
+By default SELinux policy does not confine Eggdrop daemons for any SELinux user groups.
+You are required to first set the eggdrop_confine_$1 boolean.
+where $1 is the SELinux user group prefix of the SELinux user group that you want to enable SELinux Eggdrop protection for.
+.TP
+For example if you wish to confine the Eggdrop daemon for the user_u SELinux user group.
+.br
+
+setsebool -P eggdrop_confine_user 1
+.TP
+When SELinux Eggdrop is enabled for a SELinux user group, SELinux policy does not allow the Eggdrop daemon to share files via DCC by default.
+If you plan on using a single Eggdrop instance, if you are located behind a fire wall, or if you are using Network Address Translation, and you wish to enable SELinux Eggdrop DCC file sharing, you are required to set the eggdrop_can_dcc boolean.
+.TP
+This boolean will allow the Eggdrop daemon to send, and receive server, and client TCP packets on a default Eggdrop DCC port range of ports: 2010 to 2020.
+.TP
+This will also allow Eggdrop to send, and receive client TCP packets on a default IRC DCC port range of ports: 4990 to 5000.
+.br
+
+setsebool -P eggdrop_can_dcc 1
+.TP
+If you are hosting multiple Eggdrop daemons on a server, or if the server is located in a DeMilitarizedZone, and you want to allow any Eggdrop instance full tcp network access, than you are required to besides, set eggdrop_can_dcc, also set the eggdrop_can_tcp_unreserved_network boolean.
+.TP
+This will allow any secured Eggdrop instance to send, and receive TCP server packets on all unreserved ports of: 1024, and above.
+.TP
+This will also Eggdrop to send, and receive TCP client packets on all ports.
+.br
+
+setsebool -P eggdrop_can_unreserved_tcp_network 1
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type. 
+Policy governs the access daemons have to these files. 
+When sharing files with the Eggdrop daemon you have many options on how to label the files.
+You should label these files/directories as $1_eggdrop_home_t.
+where $1 is the SELinux user group prefix. 
+.TP
+For example if you are a user in the user_u SELinux user group, and you want to share a file /home/joe/picture.png via the Eggdrop daemon, you can label it with the chcon tool.
+.br
+
+chcon -t user_eggdrop_home_t /home/joe/picture.png
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR 
+This manual page was written by Dominick Grift <domg444@gmail.com>.
+
+.SH "SEE ALSO"
+selinux(8), chcon(1), setsebool(8)
+
+
Index: man/man8/irssi_selinux.8
===================================================================
--- man/man8/irssi_selinux.8 (revision 0)
+++ man/man8/irssi_selinux.8 (revision 0)
@@ -0,0 +1,57 @@
+.TH "irssi_selinux" "8" "9 Nov 2007" "domg444@gmail.com" "Irssi Selinux Policy documentation"
+.SH "NAME"
+irssi_selinux \- Security Enhanced Linux Policy for the Irssi daemon
+.SH "DESCRIPTION"
+Security-Enhanced Linux secures the Irssi daemon via flexible mandatory access control. 
+If SELinux Irssi protection is enabled for a SELinux user group, SELinux Irssi policy defaults to least privilege access.
+Several Booleans, and file contexts are available to customize the way Irssi SELinux works.
+.SH BOOLEANS
+.br
+By default SELinux policy does not confine Irssi daemons for any SELinux user groups.
+You are required to first set the irssi_confine_$1 boolean.
+where $1 is the SELinux user group prefix of the SELinux user group that you want to enable SELinux Irssi protection for.
+.TP
+For example if you wish to confine the Irssi daemon for the user_u SELinux user group.
+.br
+
+setsebool -P irssi_confine_user 1
+.TP
+When SELinux Irssi is enabled for a SELinux user group, SELinux policy does not allow the Irssi daemon to share files via DCC by default.
+.TP
+If you plan on using a single Irssi instance, if you are located behind a fire wall, or if you are using Network Address Translation, and you wish to enable SELinux Irssi DCC file sharing, you are required to set the irssi_can_dcc boolean.
+.TP
+This boolean will allow the Irssi daemon to send, and receive server, and client TCP packets on a default IRC DCC port range of ports: 4990 to 5000.
+.TP
+This will also allow Irssi to send, and receive client TCP packets on the Eggdrop main port: 3333, plus on a default Eggdrop DCC port range of ports: 2010 to 2020.
+.br
+
+setsebool -P irssi_can_dcc 1
+.TP
+If you are hosting multiple Irssi daemons on a server, or if the server is located in a DeMilitarizedZone, and you want to allow any Irssi instance full tcp network access, you are required to, besides set irssi_can_dcc, also set the irssi_can_tcp_unreserved_network boolean.
+.TP
+This will allow any secured Irssi instance to send, and receive TCP server packets on all unreserved ports of: 1024, and above.
+.TP
+This will also Irssi to send, and receive TCP client packets on all ports.
+.br
+
+setsebool -P irssi_can_unreserved_tcp_network 1
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type. 
+Policy governs the access daemons have to these files. 
+When sharing files with the Irssi daemon you have many options on how to label the files.
+You should label these files/directories as $1_irssi_home_t.
+where $1 is the SELinux user group prefix. 
+.TP
+For example if you are a user in the user_u SELinux user group, and you want to share a file /home/joe/picture.png via the Irssi daemon, you can label it with the chcon tool.
+.br
+
+chcon -t user_irssi_home_t /home/joe/picture.png
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR 
+This manual page was written by Dominick Grift <domg444@gmail.com>.
+
+.SH "SEE ALSO"
+selinux(8), chcon(1), setsebool(8)
+
+