2009-07-09 09:58:17

by Max Kellermann

Subject: [refpolicy] new policy: rtorrent

Hi,

I have written a policy for rtorrent a while ago, and I thought it
might be a good idea to submit it to the refpolicy project. Here it
is.

The policy defines the rtorrent_data_t type, but does not declare a
fcontext for it. Users who want to use it have to manually tag the
data directory. Another idea might be to provide a "reasonable"
default... on my machine, that's declared in the host specific policy
.fc file.

Max
-------------- next part --------------
policy_module(rtorrent,1.0.0)

type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
ubac_constrained(rtorrent_t)

type rtorrent_conf_t;
files_config_file(rtorrent_conf_t)

type rtorrent_data_t;
files_type(rtorrent_data_t)

# shared libraries
libs_use_ld_so(rtorrent_t)
libs_use_shared_libs(rtorrent_t)

# rtorrent is an interactive program
domain_use_interactive_fds(rtorrent_t)
userdom_use_user_terminals(rtorrent_t)

# grant locale + resolver read access
miscfiles_read_localization(rtorrent_t)
sysnet_read_config(rtorrent_t)
sysnet_dns_name_resolve(rtorrent_t)
optional_policy(`
	nscd_socket_use(rtorrent_t)
')

# read config files
userdom_search_user_home_dirs(rtorrent_t)
userdom_dontaudit_list_user_home_dirs(rtorrent_t)
read_files_pattern(rtorrent_t, rtorrent_conf_t, rtorrent_conf_t)

# manage data files
allow rtorrent_t rtorrent_data_t:dir manage_dir_perms;
allow rtorrent_t rtorrent_data_t:file manage_file_perms;

# network access
allow rtorrent_t self:tcp_socket create_stream_socket_perms;
allow rtorrent_t self:udp_socket create_socket_perms;

corenet_tcp_bind_all_ports(rtorrent_t)
corenet_tcp_bind_all_nodes(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)
corenet_tcp_sendrecv_all_ports(rtorrent_t)

corenet_udp_bind_all_ports(rtorrent_t)
corenet_udp_bind_all_nodes(rtorrent_t)
corenet_udp_sendrecv_all_ports(rtorrent_t)

# rtorrent wants to know how much disk space is available
fs_getattr_xattr_fs(rtorrent_t)
files_dontaudit_getattr_all_dirs(rtorrent_t)

# misc
allow rtorrent_t self:process signal;
dev_read_urand(rtorrent_t)

# some dontaudit rules
gen_require(`
	type etc_t;
')

dontaudit rtorrent_t etc_t:file read_file_perms;
dontaudit rtorrent_t self:netlink_route_socket create_stream_socket_perms;
-------------- next part --------------
## <summary>rtorrent client policy</summary>

########################################
## <summary>
## Role access for rtorrent
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
template(`rtorrent_role',`
	gen_require(`
		type rtorrent_t;
		type rtorrent_exec_t;
		type rtorrent_conf_t;
		type rtorrent_data_t;
	')

	role $1 types rtorrent_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)

	# allow ps to show rtorrent
	ps_process_pattern($2, rtorrent_t)
	allow $2 rtorrent_t:process signal;

	# user can manage config
	manage_files_pattern($2, rtorrent_conf_t, rtorrent_conf_t)

	# Access the torrent data files.
	allow $2 rtorrent_data_t:dir manage_dir_perms;
	allow $2 rtorrent_data_t:file manage_file_perms;
')
-------------- next part --------------
/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)

HOME_DIR/\.rtorrent.rc gen_context(system_u:object_r:rtorrent_conf_t,s0)


2009-07-09 12:21:45

by domg472

Subject: [refpolicy] new policy: rtorrent

On Thu, 2009-07-09 at 11:58 +0200, Max Kellermann wrote:
> Hi,
>
> I have written a policy for rtorrent a while ago, and I thought it
> might be a good idea to submit it to the refpolicy project. Here it
> is.
>
> The policy defines the rtorrent_data_t type, but does not declare a
> fcontext for it. Users who want to use it have to manually tag the
> data directory. Another idea might be to provide a "reasonable"
> default... on my machine, that's declared in the host specific policy
> .fc file.

Here is my take on the policy:

http://82.197.205.60/~dgrift/stuff/modules/rtorrent.te
http://82.197.205.60/~dgrift/stuff/modules/rtorrent.if
http://82.197.205.60/~dgrift/stuff/modules/rtorrent.fc

Some notes:

These are deprecated, I believe:

libs_use_ld_so(rtorrent_t)
libs_use_shared_libs(rtorrent_t)

I would prefer this not to be the default behavior (could be tunable):

corenet_tcp_bind_all_nodes(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)

Added nfs/samba/nis home support
Added filetrans pattern for rtorrent_t rtorrent_data_t
Added relabel patterns for $2 rtorrent home content
Added signal child permission for rtorrent_t
Added signal permissions for $2 to rtorrent_t
Declared port for bittorrent
Added policy for rtorrent to bind/connect to bittorrent ports.
Added boolean for rtorrent unrestricted network access
I am aware that the bittorrent port declaration should be done in
corenetwork.te.in and that interfaces should be called for interaction
between rtorrent_t and bittorrent_port_t

and more...

But to be honest, I think user app policy might get adopted by refpolicy.
There are some complications, I believe.

> Max
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2009-07-09 12:31:29

by domg472

Subject: [refpolicy] new policy: rtorrent

On Thu, 2009-07-09 at 14:21 +0200, Dominick Grift wrote:
> On Thu, 2009-07-09 at 11:58 +0200, Max Kellermann wrote:
> > Hi,
> >
> > I have written a policy for rtorrent a while ago, and I thought it
> > might be a good idea to submit it to the refpolicy project. Here it
> > is.
> >
> > The policy defines the rtorrent_data_t type, but does not declare a
> > fcontext for it. Users who want to use it have to manually tag the
> > data directory. Another idea might be to provide a "reasonable"
> > default... on my machine, that's declared in the host specific policy
> > .fc file.
>
> Here is my take on the policy:
>
> http://82.197.205.60/~dgrift/stuff/modules/rtorrent.te
> http://82.197.205.60/~dgrift/stuff/modules/rtorrent.if
> http://82.197.205.60/~dgrift/stuff/modules/rtorrent.fc
>
> Some notes:
>
> These are deprecated, I believe:
>
> libs_use_ld_so(rtorrent_t)
> libs_use_shared_libs(rtorrent_t)
>
> I would prefer this not to be the default behavior (could be tunable):
>
> corenet_tcp_bind_all_nodes(rtorrent_t)
> corenet_tcp_connect_all_ports(rtorrent_t)
>
> Added nfs/samba/nis home support
> Added filetrans pattern for rtorrent_t rtorrent_data_t
> Added relabel patterns for $2 rtorrent home content
> Added signal child permission for rtorrent_t
> Added signal permissions for $2 to rtorrent_t
> Declared port for bittorrent
> Added policy for rtorrent to bind/connect to bittorrent ports.
> Added boolean for rtorrent unrestricted network access
> I am aware that the bittorrent port declaration should be done in
> corenetwork.te.in and that interfaces should be called for interaction
> between rtorrent_t and bittorrent_port_t
>
> and more...
>
> But to be honest, I think user app policy might get adopted by refpolicy.
> There are some complications, I believe.

Ignore my network policy... it is messed up. Obviously it does use UDP.
And it does not bind sockets to TCP ports...

> > Max

2009-07-14 13:22:29

by cpebenito

Subject: [refpolicy] new policy: rtorrent

On Thu, 2009-07-09 at 11:58 +0200, Max Kellermann wrote:
> Hi,
>
> I have written a policy for rtorrent a while ago, and I thought it
> might be a good idea to submit it to the refpolicy project. Here it
> is.
>
> The policy defines the rtorrent_data_t type, but does not declare a
> fcontext for it. Users who want to use it have to manually tag the
> data directory. Another idea might be to provide a "reasonable"
> default... on my machine, that's declared in the host specific policy
> .fc file.

If there is some default or suggested location in rtorrent's docs, then
that would be the best choice.

The style needs to be fixed before this could be added to refpolicy.
Look at other modules for guidance. In particular there needs to be
some headers (declarations, local policy, etc) and interface calls need
to be reorganized. More comments inline:

> [attachment: rtorrent.te]
>
> policy_module(rtorrent,1.0.0)
>
> type rtorrent_t;
> type rtorrent_exec_t;
> application_domain(rtorrent_t, rtorrent_exec_t)
> ubac_constrained(rtorrent_t)
> type rtorrent_conf_t;
> files_config_file(rtorrent_conf_t)
>
> type rtorrent_data_t;
> files_type(rtorrent_data_t)

These two need to be userdom_user_home_content().

> # shared libraries
> libs_use_ld_so(rtorrent_t)
> libs_use_shared_libs(rtorrent_t)

Redundant; all domains have these permissions.

> # rtorrent is an interactive program
> domain_use_interactive_fds(rtorrent_t)
> userdom_use_user_terminals(rtorrent_t)
>
> # grant locale + resolver read access
> miscfiles_read_localization(rtorrent_t)
> sysnet_read_config(rtorrent_t)
> sysnet_dns_name_resolve(rtorrent_t)
> optional_policy(`
> nscd_socket_use(rtorrent_t)
> ')
>
> # read config files
> userdom_search_user_home_dirs(rtorrent_t)
> userdom_dontaudit_list_user_home_dirs(rtorrent_t)
> read_files_pattern(rtorrent_t, rtorrent_conf_t, rtorrent_conf_t)
>
> # manage data files
> allow rtorrent_t rtorrent_data_t:dir manage_dir_perms;
> allow rtorrent_t rtorrent_data_t:file manage_file_perms;
>
> # network access
> allow rtorrent_t self:tcp_socket create_stream_socket_perms;
> allow rtorrent_t self:udp_socket create_socket_perms;
>
> corenet_tcp_bind_all_ports(rtorrent_t)
> corenet_tcp_bind_all_nodes(rtorrent_t)
> corenet_tcp_connect_all_ports(rtorrent_t)
> corenet_tcp_sendrecv_all_ports(rtorrent_t)
>
> corenet_udp_bind_all_ports(rtorrent_t)
> corenet_udp_bind_all_nodes(rtorrent_t)
> corenet_udp_sendrecv_all_ports(rtorrent_t)

This needs to be reduced. This is excessive network access. For
example, you wouldn't want this to bind to port 22. As for nodes, it
should only be using generic nodes.

> # rtorrent wants to know how much disk space is available
> fs_getattr_xattr_fs(rtorrent_t)
> files_dontaudit_getattr_all_dirs(rtorrent_t)
>
> # misc
> allow rtorrent_t self:process signal;
> dev_read_urand(rtorrent_t)
>
> # some dontaudit rules
> gen_require(`
> type etc_t;
> ')
>
> dontaudit rtorrent_t etc_t:file read_file_perms;

Referring to other modules' types by name is not allowed.

> dontaudit rtorrent_t self:netlink_route_socket create_stream_socket_perms;

This is allowed by the dns name resolve above.

> [attachment: rtorrent.if]
>
> ## <summary>rtorrent client policy</summary>
>
> ########################################
> ## <summary>
> ## Role access for rtorrent
> ## </summary>
> ## <param name="role">
> ## <summary>
> ## Role allowed access
> ## </summary>
> ## </param>
> ## <param name="domain">
> ## <summary>
> ## User domain for the role
> ## </summary>
> ## </param>
> #
> template(`rtorrent_role',`
> gen_require(`
> type rtorrent_t;
> type rtorrent_exec_t;
> type rtorrent_conf_t;
> type rtorrent_data_t;
> ')
>
> role $1 types rtorrent_t;
>
> # Transition from the user domain to the derived domain.
> domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
>
> # allow ps to show rtorrent
> ps_process_pattern($2, rtorrent_t)
> allow $2 rtorrent_t:process signal;
>
> # user can manage config
> manage_files_pattern($2, rtorrent_conf_t, rtorrent_conf_t)
>
> # Access the torrent data files.
> allow $2 rtorrent_data_t:dir manage_dir_perms;
> allow $2 rtorrent_data_t:file manage_file_perms;
> ')
>
> [attachment: rtorrent.fc]
>
> /usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
>
> HOME_DIR/\.rtorrent.rc gen_context(system_u:object_r:rtorrent_conf_t,s0)


--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
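A declarations and network section reorganized along the lines of Chris's review and Dominick's notes (refpolicy section headers, userdom_user_home_content() for the home-directory types, generic nodes only, and a boolean instead of unconditional all-ports access). This is an added example, not code from the thread or from refpolicy. It assumes a bittorrent port declared with network_port() in kernel/corenetwork.te.in, which is what generates the corenet_*_bittorrent_port interfaces used here; the boolean name rtorrent_use_all_ports is an assumed name. The remaining rules (terminal, locale, resolver, disk-space checks) stay as in Max's version.

```selinux
policy_module(rtorrent, 1.0.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow rtorrent to bind and connect to any network port
## instead of only the bittorrent ports.
## </p>
## </desc>
gen_tunable(rtorrent_use_all_ports, false)

type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
ubac_constrained(rtorrent_t)

# Both live under the user's home directory, so they are
# user home content rather than plain files_type().
type rtorrent_conf_t;
userdom_user_home_content(rtorrent_conf_t)

type rtorrent_data_t;
userdom_user_home_content(rtorrent_data_t)

########################################
#
# Local policy
#

allow rtorrent_t self:tcp_socket create_stream_socket_perms;
allow rtorrent_t self:udp_socket create_socket_perms;

# Generic interfaces and nodes only, and by default only the
# bittorrent ports. Assumption: bittorrent is declared with
# network_port() in corenetwork.te.in (generates these interfaces).
corenet_all_recvfrom_unlabeled(rtorrent_t)
corenet_tcp_sendrecv_generic_if(rtorrent_t)
corenet_udp_sendrecv_generic_if(rtorrent_t)
corenet_tcp_sendrecv_generic_node(rtorrent_t)
corenet_udp_sendrecv_generic_node(rtorrent_t)
corenet_tcp_bind_generic_node(rtorrent_t)
corenet_udp_bind_generic_node(rtorrent_t)
corenet_tcp_bind_bittorrent_port(rtorrent_t)
corenet_udp_bind_bittorrent_port(rtorrent_t)
corenet_tcp_connect_bittorrent_port(rtorrent_t)
corenet_tcp_sendrecv_bittorrent_port(rtorrent_t)
corenet_udp_sendrecv_bittorrent_port(rtorrent_t)

# Peers use arbitrary ports; the wide access is opt-in.
tunable_policy(`rtorrent_use_all_ports',`
	corenet_tcp_bind_all_ports(rtorrent_t)
	corenet_udp_bind_all_ports(rtorrent_t)
	corenet_tcp_connect_all_ports(rtorrent_t)
	corenet_tcp_sendrecv_all_ports(rtorrent_t)
	corenet_udp_sendrecv_all_ports(rtorrent_t)
')
```

With the boolean off, an attempt to bind to a port such as 22 is denied and shows up in the audit log as an AVC against the corresponding port type rather than being silently permitted.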

2009-07-17 09:09:25

by Max Kellermann

Subject: [refpolicy] new policy: rtorrent

On 2009/07/09 14:21, Dominick Grift <[email protected]> wrote:
> On Thu, 2009-07-09 at 11:58 +0200, Max Kellermann wrote:
> > Hi,
> >
> > I have written a policy for rtorrent a while ago, and I thought it
> > might be a good idea to submit it to the refpolicy project. Here it
> > is.
> >
> > The policy defines the rtorrent_data_t type, but does not declare a
> > fcontext for it. Users who want to use it have to manually tag the
> > data directory. Another idea might be to provide a "reasonable"
> > default... on my machine, that's declared in the host specific policy
> > .fc file.
>
> Here is my take on the policy:

> allow rtorrent_t self:netlink_route_socket create_stream_socket_perms;

Why this? I had a "dontaudit" there.

> # semanage port -a -t bittorrent_port_t 6881:6999
> # This type should be declared in kernel/corenetwork.te.in

Do we have to add 119 network_port() arguments there? That's what the
xserver line suggests. Are ranges allowed?

> files_read_etc_files(rtorrent_t)

Works without this line on my machines, although it fails to read
/etc/nsswitch.conf. I believe etc_t is too wide, because nearly every
application needs read access; etc_t should be split further.

You removed lots of explaining comments from my policy. Why?

Max

2009-07-17 09:13:35

by Max Kellermann

Subject: [refpolicy] new policy: rtorrent

On 2009/07/14 15:22, "Christopher J. PeBenito" <[email protected]> wrote:
> If there is some default or suggested location in rtorrent's docs, then
> that would be the best choice.

Unfortunately, there is none. rtorrent defaults to the current
directory.

> > dontaudit rtorrent_t etc_t:file read_file_perms;
>
> Referring to other module's types by name is not allowed.

During my work with the refpolicy, I've been confused many times, and
with each release, new styles get adopted, new rules are set. Where
can I find documentation? There is a lot of outdated
selinux/refpolicy documentation on the net, but it's very hard to find
something which is still valid today.

Max

2009-07-17 09:58:50

by domg472

Subject: [refpolicy] new policy: rtorrent

On Fri, 2009-07-17 at 11:09 +0200, Max Kellermann wrote:
> On 2009/07/09 14:21, Dominick Grift <[email protected]> wrote:
> > On Thu, 2009-07-09 at 11:58 +0200, Max Kellermann wrote:
> > > Hi,
> > >
> > > I have written a policy for rtorrent a while ago, and I thought it
> > > might be a good idea to submit it to the refpolicy project. Here it
> > > is.
> > >
> > > The policy defines the rtorrent_data_t type, but does not declare a
> > > fcontext for it. Users who want to use it have to manually tag the
> > > data directory. Another idea might be to provide a "reasonable"
> > > default... on my machine, that's declared in the host specific policy
> > > .fc file.
> >
> > Here is my take on the policy:
>
> > allow rtorrent_t self:netlink_route_socket create_stream_socket_perms;

I suspect that it requires this. I might be wrong.

> Why this? I had a "dontaudit" there.
>
> > # semanage port -a -t bittorrent_port_t 6881:6999
> > # This type should be declared in kernel/corenetwork.te.in
>
> Do we have to add 119 network_port() arguments there? That's what the
> xserver line suggests. Are ranges allowed?

Good point, maybe it supports ranges. But one or more of the ports in
the range 6881:6999 probably conflict with other services.

Bittorrent docs say it needs 6881 to 6999


> > files_read_etc_files(rtorrent_t)
>
> Works without this line on my machines, although it fails to read
> /etc/nsswitch.conf. I believe etc_t is too wide, because nearly every
> application needs read access; etc_t should be split further.

That is going to be major surgery, as many existing domains need access
to it. You would have to edit all those.

If you want to create policy that conforms to upstream, then keep it etc_t and
allow your domain access to it.

> You removed lots of explaining comments from my policy. Why?

Many of those comments were obvious to me. But also because I like to
keep policy as simple/clean as possible.

Not like this, for example:

# rtorrent log file
type rtorrent_log_t;
logging_log_file(rtorrent_log_t)

...

# rtorrent log file
create_files_pattern(rtorrent_t, rtorrent_log_t, rtorrent_log_t)
...

That's too obvious...

> Max

2009-07-17 10:21:32

by domg472

Subject: [refpolicy] new policy: rtorrent

On Fri, 2009-07-17 at 11:13 +0200, Max Kellermann wrote:
> On 2009/07/14 15:22, "Christopher J. PeBenito" <[email protected]> wrote:
> > If there is some default or suggested location in rtorrent's docs, then
> > that would be the best choice.
>
> Unfortunately, there is none. rtorrent defaults to the current
> directory.
>
> > > dontaudit rtorrent_t etc_t:file read_file_perms;
> >
> > Referring to other module's types by name is not allowed.
>
> During my work with the refpolicy, I've been confused many times, and
> with each release, new styles get adopted, new rules are set. Where
> can I find documentation? There is a lot of outdated
> selinux/refpolicy documentation on the net, but it's very hard to find
> something which is still valid today.

You could maybe solve this by patching a new interface into files.if:

########################################
## <summary>
## Do not audit attempts to read files
## in /etc that are generic
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`files_dontaudit_read_etc_files',`
	gen_require(`
		type etc_t;
	')

	dontaudit $1 etc_t:file { getattr read };
')

And call that from your rtorrent.te file:

files_dontaudit_read_etc_files(rtorrent_t)

I have been considering writing some guidelines to refpolicy style
requirements, but I also still make mistakes...

Style issues can be learned by *carefully* studying refpolicy.

> Max