new policy modules submission

Dominick Grift domg472 at gmail.com
Fri Apr 29 10:43:37 UTC 2011


On 04/29/2011 12:06 AM, Mr Dash Four wrote:

> See attached. I have enclosed 2 policy modules to start with and see how
> it goes. I also enclosed a readme file with some notes on these
> policies. Comments, suggestions are mostly welcome!

Hi,

I took a look at your policy modules. I would like to focus on the
transmission-daemon policy module.

I am not confident that any Skype policy has a good chance of getting
adopted, or any other GUI user app for that matter.

The user space is not yet confined in a way that supports GUI user
application policy optimally, and until it is I do not want to waste time
on getting any GUI user application policy accepted.

Confining transmission-daemon on the other hand seems like a good idea.

I have perused your policy and I rewrote it partly.

However, I have only tested starting and stopping transmission-daemon.

I have not actually used it and so policy is missing.

Could you please test my policy and provide feedback so that it can be
extended?

There are some things to be noted:

The policy supports a default setup. That is to say:

transmission-daemon-2.11-2.fc14.x86_64

No changes have been made. I just installed it and ran it.

Can you please do the same?

Here is my policy:

1. Add to corenetwork.te.in:

network_port(bittorrent_ctl, tcp,9091,s0)

I have not yet dealt with any other ports/connections. I would like to
see raw AVC denials of that if possible.

2. Add to init.te:

optional_policy(`
	bittorrent_read_daemon_config_files(initrc_t)
')

3. The bittorrent policy module:

-- a: bittorrent.te:

policy_module(bittorrent, 1.0.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow bittorrent servers to use cifs
##	used for public file transfer services.
##	</p>
## </desc>
gen_tunable(allow_bittorrentd_use_cifs, false)

## <desc>
##	<p>
##	Allow bittorrent servers to use nfs
##	used for public file transfer services.
##	</p>
## </desc>
gen_tunable(allow_bittorrentd_use_nfs, false)

type bittorrentd_t;
type bittorrentd_exec_t;
init_daemon_domain(bittorrentd_t, bittorrentd_exec_t)

type bittorrentd_initrc_exec_t;
init_script_file(bittorrentd_initrc_exec_t)

type bittorrentd_etc_t;
files_config_file(bittorrentd_etc_t)

type bittorrentd_var_lib_t;
files_type(bittorrentd_var_lib_t)

type bittorrentd_var_log_t;
logging_log_file(bittorrentd_var_log_t)

########################################
#
# Local policy
#

allow bittorrentd_t self:capability { setgid setuid };
dontaudit bittorrentd_t self:capability sys_tty_config;
allow bittorrentd_t self:process { getsched setsched };
allow bittorrentd_t self:fifo_file rw_fifo_file_perms;
allow bittorrentd_t self:tcp_socket { accept listen };
allow bittorrentd_t self:unix_stream_socket create_socket_perms;

manage_dirs_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)
manage_files_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)

allow bittorrentd_t bittorrentd_var_log_t:file { create_file_perms setattr_file_perms append_file_perms };
logging_log_filetrans(bittorrentd_t, bittorrentd_var_log_t, file)

kernel_read_network_state(bittorrentd_t)

corenet_all_recvfrom_unlabeled(bittorrentd_t)
corenet_all_recvfrom_netlabel(bittorrentd_t)
corenet_tcp_sendrecv_generic_if(bittorrentd_t)
corenet_udp_sendrecv_generic_if(bittorrentd_t)
corenet_tcp_sendrecv_generic_node(bittorrentd_t)
corenet_udp_sendrecv_generic_node(bittorrentd_t)
corenet_tcp_bind_generic_node(bittorrentd_t)
corenet_udp_bind_generic_node(bittorrentd_t)

corenet_tcp_bind_bittorrent_ctl_port(bittorrentd_t)
corenet_tcp_sendrecv_bittorrent_ctl_port(bittorrentd_t)
corenet_sendrecv_bittorrent_ctl_server_packets(bittorrentd_t)

dev_read_urand(bittorrentd_t)

domain_use_interactive_fds(bittorrentd_t)

files_search_var_lib(bittorrentd_t)
files_search_pids(bittorrentd_t)

fs_search_auto_mountpoints(bittorrentd_t)

auth_use_nsswitch(bittorrentd_t)

logging_send_syslog_msg(bittorrentd_t)

miscfiles_read_localization(bittorrentd_t)
miscfiles_read_public_files(bittorrentd_t)

tunable_policy(`allow_bittorrentd_use_cifs',`
	fs_read_cifs_files(bittorrentd_t)
')

tunable_policy(`allow_bittorrentd_use_nfs',`
	fs_read_nfs_files(bittorrentd_t)
')

optional_policy(`
	seutil_sigchld_newrole(bittorrentd_t)
')

-- b: bittorrent.if:

## <summary>Bittorrent peer-to-peer communications protocol for file sharing.</summary>

########################################
## <summary>
##	Read bittorrent daemon
##	configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bittorrent_read_daemon_config_files',`
	gen_require(`
		type bittorrentd_etc_t;
	')

	files_search_etc($1)
	allow $1 bittorrentd_etc_t:file read_file_perms;
')

-- c: bittorrent.fc:

/etc/rc\.d/init\.d/transmission-daemon	--	gen_context(system_u:object_r:bittorrentd_initrc_exec_t,s0)

/etc/sysconfig/transmission-daemon	--	gen_context(system_u:object_r:bittorrentd_etc_t,s0)

/usr/bin/transmission-daemon	--	gen_context(system_u:object_r:bittorrentd_exec_t,s0)

/var/lib/transmission(/.*)?	gen_context(system_u:object_r:bittorrentd_var_lib_t,s0)

/var/log/transmission-daemon\.log.*	--	gen_context(system_u:object_r:bittorrentd_var_log_t,s0)

Please compare what I have to what you have and ask questions about why
my implementation differs from yours.

Here are a few basic comments:

1. I named the policy module bittorrent instead of transmission. This is
because there are many bittorrent servers, I suspect. This class of
servers has similar properties and so it makes sense to group them all
in a single bittorrent domain.

2. I have labelled /etc/sysconfig/transmission-daemon: This is required
to make any bittorrent_admin functional. We want bittorrent_admin to be
able to define bittorrent server arguments (edit
/etc/sysconfig/transmission-daemon)

3. The transmission-daemon package installs only the following files:

/etc/rc.d/init.d/transmission-daemon
/etc/sysconfig/transmission-daemon
/usr/bin/transmission-daemon
/usr/share/man/man1/transmission-daemon.1.gz
/var/lib/transmission

The /etc/rc.d/init.d/transmission-daemon script defines
/var/log/name.log to be the default log file location. Yet there is no
log file location specified in the "server args". This seems to be a
bug, but it does not have to be if transmission-daemon logs to /var/log
by default without setting the log server arg.

I only started and stopped the server, and it did not create any log files.

4. The transmission-daemon lock and pid file are created by the init
script and not by transmission-daemon.

5. The default location for transmission-daemon content appears to be
/var/lib/transmission. The transmission-daemon created files and
directories below there (.config/transmission-daemon.*). It seems that
bittorrent_admin is expected to put the torrent content in the
applicable layers below that directory, as I understand it.

Please try out my version of the policy on a clean and unmodified Fedora
14+ transmission-daemon installation, and provide feedback. Raw AVC
denials are preferred.

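Added example, not part of the original message: a small Python script showing what the raw AVC denials requested above look like and how a tester could group them per target type and class before posting them. The log records, ports and pids are constructed, and the helper names (`summarize_denials`, `candidate_rules`) are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread); pids, ports and
# timestamps are invented. The SYSCALL record and the httpd_t denial are noise.
SAMPLE = """\
type=AVC msg=audit(1304073817.101:201): avc:  denied  { name_bind } for  pid=2301 comm="transmission-da" src=51413 scontext=system_u:system_r:bittorrentd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1304073817.102:202): avc:  denied  { name_bind } for  pid=2301 comm="transmission-da" src=51413 scontext=system_u:system_r:bittorrentd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1304073817.102:202): arch=c000003e syscall=49 success=no exit=-13 comm="transmission-da" subj=system_u:system_r:bittorrentd_t:s0
type=AVC msg=audit(1304073820.440:207): avc:  denied  { name_connect } for  pid=2301 comm="transmission-da" dest=6881 scontext=system_u:system_r:bittorrentd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1304073825.900:214): avc:  denied  { name_connect } for  pid=1999 comm="httpd" dest=9091 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text, domain="bittorrentd_t"):
    """Group AVC denials for one source domain by (target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "ports": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL record)
        fields = dict(FIELD_RE.findall(m.group("rest")))
        if selinux_type(fields["scontext"]) != domain:
            continue  # denial belongs to another domain
        key = (selinux_type(fields["tcontext"]), fields["tclass"])
        groups[key]["perms"].update(m.group("perms").split())
        for name in ("src", "dest"):  # port fields on socket denials
            if name in fields:
                groups[key]["ports"].add(int(fields[name]))
    return dict(groups)

def candidate_rules(groups, domain="bittorrentd_t"):
    """Render one allow rule per group, for review rather than loading as-is."""
    rules = []
    for (ttype, tclass), info in sorted(groups.items()):
        perms = " ".join(sorted(info["perms"]))
        rule = f"allow {domain} {ttype}:{tclass} {{ {perms} }};"
        if info["ports"]:
            rule += "  # ports: " + ", ".join(map(str, sorted(info["ports"])))
        rules.append(rule)
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize_denials(SAMPLE))))
```

Denials that land on the generic `port_t` are a cue to declare a dedicated port type, as the message does for 9091 with `network_port(bittorrent_ctl, ...)`, rather than to allow access to `port_t` itself.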