From: max@duempel.org (Max Kellermann)
Date: Thu, 9 Jul 2009 11:58:17 +0200
Subject: [refpolicy] new policy: rtorrent
Message-ID: <20090709095817.GA7703@squirrel.roonstrasse.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hi,
I wrote a policy for rtorrent a while ago, and I thought it
might be a good idea to submit it to the refpolicy project. Here it
is.
The policy defines the rtorrent_data_t type, but does not declare a
fcontext for it. Users who want to use it have to manually tag the
data directory. Another idea might be to provide a "reasonable"
default... on my machine, that's declared in the host specific policy
.fc file.
Max
-------------- next part --------------
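policy_module(rtorrent,1.0.0)

########################################
#
# Declarations
#

# Process domain and entrypoint type for the rtorrent client.
# The domain is subject to user-based access control (UBAC) constraints.
type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
ubac_constrained(rtorrent_t)

# Per-user configuration file (labelled by the .fc file).
type rtorrent_conf_t;
files_config_file(rtorrent_conf_t)

# Download and session data. No file context is shipped for this type,
# so the data directory has to be labelled locally.
# NOTE(review): neither rtorrent_conf_t nor rtorrent_data_t is marked
# ubac_constrained, so UBAC would not separate the files of different
# SELinux users - confirm whether that is intended.
type rtorrent_data_t;
files_type(rtorrent_data_t)

########################################
#
# Local policy
#

# shared libraries
libs_use_ld_so(rtorrent_t)
libs_use_shared_libs(rtorrent_t)

# rtorrent is an interactive program
domain_use_interactive_fds(rtorrent_t)
userdom_use_user_terminals(rtorrent_t)

# grant locale + resolver read access
miscfiles_read_localization(rtorrent_t)
sysnet_read_config(rtorrent_t)
sysnet_dns_name_resolve(rtorrent_t)

optional_policy(`
	nscd_socket_use(rtorrent_t)
')

# read config files
# The home directory may be searched to reach the config file, but
# attempts to list it are denied without being logged.
userdom_search_user_home_dirs(rtorrent_t)
userdom_dontaudit_list_user_home_dirs(rtorrent_t)
read_files_pattern(rtorrent_t, rtorrent_conf_t, rtorrent_conf_t)

# manage data files
# Only directories and regular files are covered: symlinks, fifos and
# sockets labelled rtorrent_data_t stay inaccessible to the client.
allow rtorrent_t rtorrent_data_t:dir manage_dir_perms;
allow rtorrent_t rtorrent_data_t:file manage_file_perms;

# network access
# Peers and trackers live on arbitrary ports, so connect and send/receive
# stay open to all ports. Binding is limited to unreserved ports: a
# user-run client has no need to claim a reserved service port, and the
# all-ports bind interfaces are broader than the client needs.
# A site that really runs rtorrent on a reserved port can switch back to
# corenet_tcp_bind_all_ports and corenet_udp_bind_all_ports.
allow rtorrent_t self:tcp_socket create_stream_socket_perms;
allow rtorrent_t self:udp_socket create_socket_perms;
corenet_tcp_bind_all_unreserved_ports(rtorrent_t)
corenet_tcp_bind_all_nodes(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)
corenet_tcp_sendrecv_all_ports(rtorrent_t)
corenet_udp_bind_all_unreserved_ports(rtorrent_t)
corenet_udp_bind_all_nodes(rtorrent_t)
corenet_udp_sendrecv_all_ports(rtorrent_t)

# rtorrent wants to know how much disk space is available
fs_getattr_xattr_fs(rtorrent_t)
files_dontaudit_getattr_all_dirs(rtorrent_t)

# misc
allow rtorrent_t self:process signal;
dev_read_urand(rtorrent_t)

# some dontaudit rules
# dontaudit does not grant anything: the access is still denied, only
# the AVC message is suppressed. When debugging this module, rebuild the
# policy with dontaudit rules disabled (semodule -DB) to see them again.
# NOTE(review): refpolicy style normally reaches etc_t through an
# interface of the files module rather than a gen_require here.
gen_require(`
	type etc_t;
')
dontaudit rtorrent_t etc_t:file read_file_perms;
dontaudit rtorrent_t self:netlink_route_socket create_stream_socket_perms;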
-------------- next part --------------
## <summary>rtorrent client policy</summary>
########################################
## <summary>
##	Role access for rtorrent
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
# $1 is the role and $2 the user domain. The template lets the role run
# rtorrent_t, lets the user domain start, see and signal the client, and
# gives the user domain write access to the config and data types.
template(`rtorrent_role',`
gen_require(`
type rtorrent_t;
type rtorrent_exec_t;
type rtorrent_conf_t;
type rtorrent_data_t;
')
# Authorize the role for the rtorrent domain.
role $1 types rtorrent_t;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
# allow ps to show rtorrent
ps_process_pattern($2, rtorrent_t)
# Only the signal permission is granted here. sigkill and sigstop are
# separate permissions and are not part of this rule.
allow $2 rtorrent_t:process signal;
# user can manage config
# The client itself only gets read access to rtorrent_conf_t in the .te
# file, so a compromised client cannot rewrite its own configuration.
manage_files_pattern($2, rtorrent_conf_t, rtorrent_conf_t)
# Access the torrent data files.
# NOTE(review): no relabel permission on rtorrent_data_t is granted to
# $2 here, while the data directory has to be labelled by hand. Confirm
# which domain is expected to do that labelling.
allow $2 rtorrent_data_t:dir manage_dir_perms;
allow $2 rtorrent_data_t:file manage_file_perms;
')
-------------- next part --------------
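# File contexts are regular expressions, so literal dots are escaped.
# Both entries use -- to match regular files only, which is the only
# object class the policy grants on these types.
/usr/bin/rtorrent	--	gen_context(system_u:object_r:rtorrent_exec_t,s0)
HOME_DIR/\.rtorrent\.rc	--	gen_context(system_u:object_r:rtorrent_conf_t,s0)

# rtorrent_data_t has no default context. Label the download directory
# locally, for example (DATA_DIR is a placeholder for the real path):
#   semanage fcontext -a -t rtorrent_data_t "DATA_DIR(/.*)?"
#   restorecon -R DATA_DIR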