From: domg472@gmail.com (Dominick Grift)
Date: Fri, 17 Jul 2009 12:21:32 +0200
Subject: [refpolicy] new policy: rtorrent
In-Reply-To: <20090717091335.GB1884@squirrel.roonstrasse.net>
References: <20090709095817.GA7703@squirrel.roonstrasse.net>
	<1247577749.31521.53.camel@gorn.columbia.tresys.com>
	<20090717091335.GB1884@squirrel.roonstrasse.net>
Message-ID: <1247826092.19628.23.camel@notebook2.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2009-07-17 at 11:13 +0200, Max Kellermann wrote:
> On 2009/07/14 15:22, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> > If there is some default or suggested location in rtorrent's docs, then
> > that would be the best choice.
> 
> Unfortunately, there is none.  rtorrent defaults to the current
> directory.
> 
> > > dontaudit rtorrent_t etc_t:file read_file_perms;
> > 
> > Referring to other module's types by name is not allowed.
> 
> During my work with the refpolicy, I've been confused many times, and
> with each release, new styles get adopted, new rules are set.  Where
> can I find documentation?  There is a lot of outdated
> selinux/refpolicy documentation on the net, but it's very hard to find
> something which is still valid today.

You could maybe solve this by patching a new interface to files.if

########################################
## <summary>
##	Do not audit attempts to read files
##	in /etc that are generic
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`files_dontaudit_read_etc_files',`
	gen_require(`
		type etc_t;
	')

	dontaudit $1 etc_t:file { getattr read };
')

And call that from your rtorrent.te file:

files_dontaudit_read_etc_files(rtorrent_t)

I have been considering writing some guidelines to refpolicy style
requirements, but i also still make mistakes...

Style issues can be learned by *carefully* studying refpolicy.

> Max
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090717/1f263b7a/attachment.bin