new policy modules submission
Dominick Grift
domg472 at gmail.com
Fri Apr 29 12:45:29 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/29/2011 02:27 PM, Mr Dash Four wrote:
>
>> Could you add me to CC. I would like to see these policies too. Thanks.
> I've just seen Dominick's response. Would you still need me to enclose
> these policies or are you happy with what he send me?
>
I have already made some additional changes to the bittorrent module:
bittorrent.te: transmission creates files and dirs in /var/lib/transmission.
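policy_module(bittorrent, 1.0.0)

########################################
#
# Declarations
#

# The name declared here must be the one tested by tunable_policy() in
# the local policy section (allow_bittorrent_anon_write). The earlier
# declaration used the apache tunable name allow_httpd_anon_write, so the
# boolean this module actually consults was never declared by it.
## <desc>
## <p>
##	Allow bittorrent servers to modify
##	public files used for public file
##	transfer services. Directories/Files
##	must be labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_bittorrent_anon_write, false)

## <desc>
## <p>
##	Allow bittorrent servers to use cifs
##	used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_bittorrentd_use_cifs, false)

## <desc>
## <p>
##	Allow bittorrent servers to use nfs
##	used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_bittorrentd_use_nfs, false)

# Daemon domain and the entry-point executable that transitions into it.
type bittorrentd_t;
type bittorrentd_exec_t;
init_daemon_domain(bittorrentd_t, bittorrentd_exec_t)

# Init script label; bittorrent_admin() uses it to let administrators
# start and stop the service through init.
type bittorrentd_initrc_exec_t;
init_script_file(bittorrentd_initrc_exec_t)

# Configuration files. Which paths receive this label is decided by the
# .fc file, which is not part of this listing.
type bittorrentd_etc_t;
files_config_file(bittorrentd_etc_t)

# Persistent state; per the cover note, transmission creates files and
# directories under /var/lib/transmission.
type bittorrentd_var_lib_t;
files_type(bittorrentd_var_lib_t)

# Log files, so that the generic logging rules treat them as logs.
type bittorrentd_var_log_t;
logging_log_file(bittorrentd_var_log_t)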
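########################################
#
# Local policy
#

# setuid/setgid are presumably for switching to a service account after
# start-up — confirm against the daemon's behaviour.
allow bittorrentd_t self:capability { setgid setuid };
dontaudit bittorrentd_t self:capability sys_tty_config;
allow bittorrentd_t self:process { getsched setsched };
allow bittorrentd_t self:fifo_file rw_fifo_file_perms;
# Socket creation/bind perms come from the corenet_* interfaces below;
# only listen/accept need to be granted explicitly on the self socket.
allow bittorrentd_t self:tcp_socket { accept listen };
allow bittorrentd_t self:unix_stream_socket create_socket_perms;

# The daemon reads its own configuration. bittorrentd_etc_t is declared
# by this module, but previously no rule allowed bittorrentd_t to read it;
# this mirrors the bittorrent_read_daemon_config_files() interface.
read_files_pattern(bittorrentd_t, bittorrentd_etc_t, bittorrentd_etc_t)

# Persistent state under /var/lib (transmission creates files and dirs there).
manage_dirs_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)
manage_files_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)

# Logs: create, setattr and append only — no plain read or write of
# existing log content. New files in the log directory get the log type.
allow bittorrentd_t bittorrentd_var_log_t:file { create_file_perms setattr_file_perms append_file_perms };
logging_log_filetrans(bittorrentd_t, bittorrentd_var_log_t, file)

kernel_read_network_state(bittorrentd_t)

corenet_all_recvfrom_unlabeled(bittorrentd_t)
corenet_all_recvfrom_netlabel(bittorrentd_t)
corenet_tcp_sendrecv_generic_if(bittorrentd_t)
corenet_udp_sendrecv_generic_if(bittorrentd_t)
corenet_tcp_sendrecv_generic_node(bittorrentd_t)
corenet_udp_sendrecv_generic_node(bittorrentd_t)
corenet_tcp_bind_generic_node(bittorrentd_t)
corenet_udp_bind_generic_node(bittorrentd_t)
# The control (RPC/web UI) port is the only named port the daemon may bind.
corenet_tcp_bind_bittorrent_ctl_port(bittorrentd_t)
corenet_tcp_sendrecv_bittorrent_ctl_port(bittorrentd_t)
corenet_sendrecv_bittorrent_ctl_server_packets(bittorrentd_t)

dev_read_urand(bittorrentd_t)

domain_use_interactive_fds(bittorrentd_t)

# Search on /etc is needed to reach the config files granted above.
files_search_etc(bittorrentd_t)
files_search_var_lib(bittorrentd_t)
files_search_pids(bittorrentd_t)

fs_search_auto_mountpoints(bittorrentd_t)

auth_use_nsswitch(bittorrentd_t)

logging_send_syslog_msg(bittorrentd_t)

miscfiles_read_localization(bittorrentd_t)
miscfiles_read_public_files(bittorrentd_t)

# NOTE(review): the tunable tested here must carry the same name as the
# gen_tunable() declaration in the Declarations section.
tunable_policy(`allow_bittorrent_anon_write',`
	miscfiles_manage_public_files(bittorrentd_t)
')

tunable_policy(`allow_bittorrentd_use_cifs',`
	fs_manage_cifs_dirs(bittorrentd_t)
	fs_manage_cifs_files(bittorrentd_t)
')

tunable_policy(`allow_bittorrentd_use_nfs',`
	fs_manage_nfs_dirs(bittorrentd_t)
	fs_manage_nfs_files(bittorrentd_t)
')

optional_policy(`
	seutil_sigchld_newrole(bittorrentd_t)
')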
bittorrent.if: create bittorrent_admin()
## <summary>Bittorrent peer-to-peer communications protocol for file sharing.</summary>
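########################################
## <summary>
##	Read bittorrent daemon
##	configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bittorrent_read_daemon_config_files',`
	gen_require(`
		type bittorrentd_etc_t;
	')

	files_search_etc($1)
	# read_files_pattern also grants search on directories labeled
	# bittorrentd_etc_t, which the bare file read_file_perms rule did not;
	# needed if the configuration lives in its own labeled directory.
	read_files_pattern($1, bittorrentd_etc_t, bittorrentd_etc_t)
')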
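########################################
## <summary>
##	All of the rules required to
##	administrate a bittorrent
##	environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`bittorrent_admin',`
	gen_require(`
		# Comma-separated list: the previous form
		# "type bittorrentd_t; bittorrentd_initrc_exec_t;" was a syntax
		# error, leaving the init script type unrequired.
		type bittorrentd_t, bittorrentd_initrc_exec_t;
		type bittorrentd_etc_t, bittorrentd_var_log_t;
		type bittorrentd_var_lib_t;
	')

	# Process control over the running daemon.
	allow $1 bittorrentd_t:process { ptrace signal_perms };
	ps_process_pattern($1, bittorrentd_t)

	# Start/stop through the labeled init script, with the role allowed
	# to transition into system_r for that script.
	init_labeled_script_domtrans($1, bittorrentd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 bittorrentd_initrc_exec_t system_r;
	allow $2 system_r;

	# Administrators may also manage the public content the daemon serves.
	miscfiles_manage_public_files($1)

	files_list_etc($1)
	admin_pattern($1, bittorrentd_etc_t)

	logging_list_logs($1)
	admin_pattern($1, bittorrentd_var_log_t)

	files_list_var_lib($1)
	admin_pattern($1, bittorrentd_var_lib_t)
')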
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk26sukACgkQMlxVo39jgT/uHwCghqxyuCJALPKR/YpVyobmvYoW
e38AoLN0fAOuf+bEMA4xUsm8dTESboFb
=NUCj
-----END PGP SIGNATURE-----