From: max@duempel.org (Max Kellermann)
Date: Thu, 9 Jul 2009 11:58:17 +0200
Subject: [refpolicy] new policy: rtorrent
Message-ID: <20090709095817.GA7703@squirrel.roonstrasse.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I have written a policy for rtorrent a while ago, and I thought it
might be a good idea to submit it to the refpolicy project.  Here it
is.

The policy defines the rtorrent_data_t type, but does not declare a
fcontext for it.  Users who want to use it have to manually tag the
data directory.  Another idea might be to provide a "reasonable"
default...  on my machine, that's declared in the host specific policy
.fc file.

Max
-------------- next part --------------
policy_module(rtorrent,1.0.0)

type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
ubac_constrained(rtorrent_t)

type rtorrent_conf_t;
files_config_file(rtorrent_conf_t)

type rtorrent_data_t;
files_type(rtorrent_data_t)

# shared libraries
libs_use_ld_so(rtorrent_t)
libs_use_shared_libs(rtorrent_t)

# rtorrent is an interactive program
domain_use_interactive_fds(rtorrent_t)
userdom_use_user_terminals(rtorrent_t)

# grant locale + resolver read access
miscfiles_read_localization(rtorrent_t)
sysnet_read_config(rtorrent_t)
sysnet_dns_name_resolve(rtorrent_t)
optional_policy(`
	nscd_socket_use(rtorrent_t)
')

# read config files
userdom_search_user_home_dirs(rtorrent_t)
userdom_dontaudit_list_user_home_dirs(rtorrent_t)
read_files_pattern(rtorrent_t, rtorrent_conf_t, rtorrent_conf_t)

# manage data files
allow rtorrent_t rtorrent_data_t:dir manage_dir_perms;
allow rtorrent_t rtorrent_data_t:file manage_file_perms;

# network access
allow rtorrent_t self:tcp_socket create_stream_socket_perms;
allow rtorrent_t self:udp_socket create_socket_perms;

corenet_tcp_bind_all_ports(rtorrent_t)
corenet_tcp_bind_all_nodes(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)
corenet_tcp_sendrecv_all_ports(rtorrent_t)

corenet_udp_bind_all_ports(rtorrent_t)
corenet_udp_bind_all_nodes(rtorrent_t)
corenet_udp_sendrecv_all_ports(rtorrent_t)

# rtorrent wants to know how much disk space is available
fs_getattr_xattr_fs(rtorrent_t)
files_dontaudit_getattr_all_dirs(rtorrent_t)

# misc
allow rtorrent_t self:process signal;
dev_read_urand(rtorrent_t)

# some dontaudit rules
gen_require(`
	type etc_t;
')

dontaudit rtorrent_t etc_t:file read_file_perms;
dontaudit rtorrent_t self:netlink_route_socket create_stream_socket_perms;
-------------- next part --------------
## <summary>rtorrent client policy</summary>

########################################
## <summary>
##	Role access for rtorrent
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
template(`rtorrent_role',`
	gen_require(`
		type rtorrent_t;
		type rtorrent_exec_t;
		type rtorrent_conf_t;
		type rtorrent_data_t;
	')

	role $1 types rtorrent_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)

	# allow ps to show rtorrent
	ps_process_pattern($2, rtorrent_t)
	allow $2 rtorrent_t:process signal;

        # user can manage config
        manage_files_pattern($2, rtorrent_conf_t, rtorrent_conf_t)

        # Access the torrent data files.
        allow $2 rtorrent_data_t:dir manage_dir_perms;
        allow $2 rtorrent_data_t:file manage_file_perms;
')
-------------- next part --------------
/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)

HOME_DIR/\.rtorrent.rc gen_context(system_u:object_r:rtorrent_conf_t,s0)