From: domg472@gmail.com (Dominick Grift)
Date: Thu, 09 Jul 2009 14:31:29 +0200
Subject: [refpolicy] new policy: rtorrent
In-Reply-To: <1247142105.5300.12.camel@notebook2.grift.internal>
References: <20090709095817.GA7703@squirrel.roonstrasse.net> <1247142105.5300.12.camel@notebook2.grift.internal>
Message-ID: <1247142689.5300.14.camel@notebook2.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-07-09 at 14:21 +0200, Dominick Grift wrote:
> On Thu, 2009-07-09 at 11:58 +0200, Max Kellermann wrote:
> > Hi,
> >
> > I have written a policy for rtorrent a while ago, and I thought it
> > might be a good idea to submit it to the refpolicy project. Here it
> > is.
> >
> > The policy defines the rtorrent_data_t type, but does not declare a
> > fcontext for it. Users who want to use it have to manually tag the
> > data directory. Another idea might be to provide a "reasonable"
> > default... on my machine, that's declared in the host specific policy
> > .fc file.
>
> Here is my take on the policy:
>
> http://82.197.205.60/~dgrift/stuff/modules/rtorrent.te
> http://82.197.205.60/~dgrift/stuff/modules/rtorrent.if
> http://82.197.205.60/~dgrift/stuff/modules/rtorrent.fc
>
> Some notes:
>
> These are deprecated, I believe:
>
> libs_use_ld_so(rtorrent_t)
> libs_use_shared_libs(rtorrent_t)
>
> I would not prefer this to be default behavior (could be tunable):
>
> corenet_tcp_bind_all_nodes(rtorrent_t)
> corenet_tcp_connect_all_ports(rtorrent_t)
>
> Added nfs/samba/nis home support
> Added filetrans pattern for rtorrent_t rtorrent_data_t
> Added relabel patterns for $2 rtorrent home content
> Added signal child permission for rtorrent_t
> Added signal permissions for $2 to rtorrent_t
> Declared port for bittorrent
> Added policy for rtorrent to bind connect bittorrent ports.
> Added boolean for rtorrent unrestricted network access
> I am aware that the bittorrent port declaration should be done in
> corenetwork.te.in and that interfaces should be called for interaction
> between rtorrent_t and bittorrent_port_t
>
> and more...
>
> But to be honest I think user app policy might get adopted by refpolicy.
> There are some complications, I believe.

Ignore my network policy... it is messed up. Obviously it does use UDP.
And it does not bind sockets to tcp ports...

> > Max
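
A small check that applies two of the review notes above to policy source text: it flags the deprecated library interfaces, and it flags the broad network interfaces when they are called outside a tunable_policy() block. This is an added example, not part of the original message or of refpolicy; the sample policy and the boolean name rtorrent_unrestricted_network are constructed for illustration.

```python
import re

# Interface names taken from the review notes in the message above.
DEPRECATED = {"libs_use_ld_so", "libs_use_shared_libs"}
BROAD_NETWORK = {"corenet_tcp_bind_all_nodes", "corenet_tcp_connect_all_ports"}

CALL = re.compile(r"^\s*([A-Za-z_]\w*)\(")

# Constructed sample policy, not the rtorrent.te linked in the message.
# The boolean name is hypothetical.
SAMPLE_TE = """\
policy_module(rtorrent, 1.0.0)
type rtorrent_t;
libs_use_ld_so(rtorrent_t)
libs_use_shared_libs(rtorrent_t)
corenet_tcp_connect_all_ports(rtorrent_t)
gen_tunable(rtorrent_unrestricted_network, false)
tunable_policy(`rtorrent_unrestricted_network',`
    corenet_tcp_bind_all_nodes(rtorrent_t)
    corenet_tcp_connect_all_ports(rtorrent_t)
')
"""


def review_te(source):
    """Return (line_no, interface, finding) tuples for .te source text."""
    findings = []
    depth = 0          # m4 quote depth: ` opens, ' closes
    tunable_at = None  # quote depth at which a tunable_policy() block began
    for line_no, raw in enumerate(source.splitlines(), 1):
        line = raw.split("#", 1)[0]  # strip policy comments
        match = CALL.match(line)
        name = match.group(1) if match else None
        if name == "tunable_policy" and tunable_at is None:
            tunable_at = depth
        if name in DEPRECATED:
            findings.append((line_no, name, "deprecated"))
        elif name in BROAD_NETWORK and tunable_at is None:
            findings.append((line_no, name, "unconditional"))
        depth += line.count("`") - line.count("'")
        if tunable_at is not None and depth <= tunable_at:
            tunable_at = None  # the tunable_policy() block has closed
    return findings


if __name__ == "__main__":
    for finding in review_te(SAMPLE_TE):
        print(finding)
```

The check only recognises one interface call per line, at the start of the line, which matches the usual refpolicy layout.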