From: domg472@gmail.com (Dominick Grift)
Date: Thu, 09 Jul 2009 14:21:45 +0200
Subject: [refpolicy] new policy: rtorrent
In-Reply-To: <20090709095817.GA7703@squirrel.roonstrasse.net>
References: <20090709095817.GA7703@squirrel.roonstrasse.net>
Message-ID: <1247142105.5300.12.camel@notebook2.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-07-09 at 11:58 +0200, Max Kellermann wrote:
> Hi,
> 
> I have written a policy for rtorrent a while ago, and I thought it
> might be a good idea to submit it to the refpolicy project.  Here it
> is.
> 
> The policy defines the rtorrent_data_t type, but does not declare a
> fcontext for it.  Users who want to use it have to manually tag the
> data directory.  Another idea might be to provide a "reasonable"
> default...  on my machine, that's declared in the host specific policy
> .fc file.

Here is my take on the policy:

http://82.197.205.60/~dgrift/stuff/modules/rtorrent.te
http://82.197.205.60/~dgrift/stuff/modules/rtorrent.if
http://82.197.205.60/~dgrift/stuff/modules/rtorrent.fc

Some notes:

These are deprecated i believe:

libs_use_ld_so(rtorrent_t)
libs_use_shared_libs(rtorrent_t)

I would not prefer this to be default behavior ( could be tunable ):

corenet_tcp_bind_all_nodes(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)

Added nfs/samba/nis home support
Added filetrans pattern for rtorrent_t rtorrent_data_t
Added relabel patterns for $2 rtorrent home content
Added signal child permission for rtorrent_t
Added signal permissions for $2 to rtorrent_t
Declared port for bittorrent
Added policy for rtorrent to bind connect bittorrent ports.
Added boolean for rtorrent unrestricted network access
I am aware that the bittorrent port declaration should be done in
corenetwork.te.in and that interfaces should be called for interaction
between rtorrent_t and bittorrent_port_t

and more...

But to be honest i think user app policy might get adopted by refpolicy.
There are some complications i believe.

> Max
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090709/146ac0cc/attachment.bin