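From: max@duempel.org (Max Kellermann)
Date: Thu, 9 Jul 2009 11:58:17 +0200
Subject: [refpolicy] new policy: rtorrent
Message-ID: <20090709095817.GA7703@squirrel.roonstrasse.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I have written a policy for rtorrent a while ago, and I thought it
might be a good idea to submit it to the refpolicy project. Here it
is.

The policy defines the rtorrent_data_t type, but does not declare a
fcontext for it. Users who want to use it have to manually tag the
data directory. Another idea might be to provide a "reasonable"
default... on my machine, that's declared in the host specific policy
.fc file.

Max

-------------- next part --------------
policy_module(rtorrent,1.0.0)

########################################
#
# Declarations
#

# Confined domain for the rtorrent process and the label of its executable.
type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
ubac_constrained(rtorrent_t)

# Label for the per-user configuration file.
type rtorrent_conf_t;
files_config_file(rtorrent_conf_t)

# Label for download and session data. No file context entry is shipped for
# this type, so the data directory has to be labelled by the administrator;
# the rules below grant write access to nothing else.
type rtorrent_data_t;
files_type(rtorrent_data_t)

########################################
#
# Local policy
#

# shared libraries
libs_use_ld_so(rtorrent_t)
libs_use_shared_libs(rtorrent_t)

# rtorrent is an interactive program
domain_use_interactive_fds(rtorrent_t)
userdom_use_user_terminals(rtorrent_t)

# grant locale + resolver read access
miscfiles_read_localization(rtorrent_t)
sysnet_read_config(rtorrent_t)
sysnet_dns_name_resolve(rtorrent_t)

optional_policy(`
	nscd_socket_use(rtorrent_t)
')

# read config files
# The domain may search the home directory and read rtorrent_conf_t files.
# Listing the home directory is denied and the denial is not audited.
userdom_search_user_home_dirs(rtorrent_t)
userdom_dontaudit_list_user_home_dirs(rtorrent_t)
read_files_pattern(rtorrent_t, rtorrent_conf_t, rtorrent_conf_t)

# manage data files
# Only directories and regular files are covered; symlinks and other object
# classes labelled rtorrent_data_t are not granted here.
allow rtorrent_t rtorrent_data_t:dir manage_dir_perms;
allow rtorrent_t rtorrent_data_t:file manage_file_perms;

# network access
# NOTE(review): the domain may bind every TCP and UDP port and connect to
# every TCP port. That is broad for a confined network client; if the target
# refpolicy release offers narrower port interfaces, prefer them so that a
# compromised client cannot impersonate or reach arbitrary local services.
allow rtorrent_t self:tcp_socket create_stream_socket_perms;
allow rtorrent_t self:udp_socket create_socket_perms;
corenet_tcp_bind_all_ports(rtorrent_t)
corenet_tcp_bind_all_nodes(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)
corenet_tcp_sendrecv_all_ports(rtorrent_t)
corenet_udp_bind_all_ports(rtorrent_t)
corenet_udp_bind_all_nodes(rtorrent_t)
corenet_udp_sendrecv_all_ports(rtorrent_t)

# rtorrent wants to know how much disk space is available
fs_getattr_xattr_fs(rtorrent_t)
files_dontaudit_getattr_all_dirs(rtorrent_t)

# misc
# Signals within the rtorrent domain, and a source of random numbers.
allow rtorrent_t self:process signal;
dev_read_urand(rtorrent_t)

# some dontaudit rules
# These accesses stay denied; dontaudit only keeps them out of the audit log.
# When investigating unexpected behaviour, rebuild the policy with dontaudit
# rules disabled (semodule -DB) so the hidden denials become visible again.
gen_require(`
	type etc_t;
')
dontaudit rtorrent_t etc_t:file read_file_perms;
dontaudit rtorrent_t self:netlink_route_socket create_stream_socket_perms;

-------------- next part --------------
## <summary>rtorrent client policy</summary>

########################################
## <summary>
##	Role access for rtorrent
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
template(`rtorrent_role',`
	gen_require(`
		type rtorrent_t;
		type rtorrent_exec_t;
		type rtorrent_conf_t;
		type rtorrent_data_t;
	')

	# The role has to be authorized for the domain before any transition
	# into it can succeed.
	role $1 types rtorrent_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)

	# allow ps to show rtorrent
	ps_process_pattern($2, rtorrent_t)
	allow $2 rtorrent_t:process signal;

	# user can manage config
	# NOTE(review): no type transition is declared here, so a configuration
	# file newly created in the home directory presumably keeps the default
	# home label until it is relabelled. Confirm against the user domain policy.
	manage_files_pattern($2, rtorrent_conf_t, rtorrent_conf_t)

	# Access the torrent data files.
	allow $2 rtorrent_data_t:dir manage_dir_perms;
	allow $2 rtorrent_data_t:file manage_file_perms;
')

-------------- next part --------------
# Both entries are limited to regular files. Every literal dot in the path
# regex is escaped so that only the exact file name receives the label.
/usr/bin/rtorrent	--	gen_context(system_u:object_r:rtorrent_exec_t,s0)
HOME_DIR/\.rtorrent\.rc	--	gen_context(system_u:object_r:rtorrent_conf_t,s0)

# There is deliberately no entry for rtorrent_data_t. Label the data directory
# locally, for example (placeholder path, adjust to the real location):
#   semanage fcontext -a -t rtorrent_data_t "<DATA_DIR>(/.*)?"
#   restorecon -R <DATA_DIR>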