new policy modules submission

Dominick Grift domg472 at gmail.com
Fri Apr 29 12:45:29 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2011 02:27 PM, Mr Dash Four wrote:
> 
>> Could you add me to CC. I would like to see these policies too. Thanks.
> I've just seen Dominick's response. Would you still need me to enclose
> these policies, or are you happy with what he sent me?
> 

I have already made some additional changes to the bittorrent module:

bittorrent.te: transmission creates files and dirs in /var/lib/transmission.

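policy_module(bittorrent, 1.0.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow bittorrent servers to modify
##	public files used for public file
##	transfer services. Directories/Files
##	must be labeled public_content_rw_t.
##	</p>
## </desc>
# Declared under the same name that the tunable_policy() block below tests.
# The previous declaration used allow_httpd_anon_write, which is the apache
# module's tunable: this module's conditional rule would never have been
# controlled by it, and declaring it here would clash with apache's own.
gen_tunable(allow_bittorrent_anon_write, false)

## <desc>
##	<p>
##	Allow bittorrent servers to use cifs
##	used for public file transfer services.
##	</p>
## </desc>
gen_tunable(allow_bittorrentd_use_cifs, false)

## <desc>
##	<p>
##	Allow bittorrent servers to use nfs
##	used for public file transfer services.
##	</p>
## </desc>
gen_tunable(allow_bittorrentd_use_nfs, false)

# Daemon domain and the executable that transitions into it.
type bittorrentd_t;
type bittorrentd_exec_t;
init_daemon_domain(bittorrentd_t, bittorrentd_exec_t)

type bittorrentd_initrc_exec_t;
init_script_file(bittorrentd_initrc_exec_t)

# Configuration files. NOTE(review): this type is only granted to callers of
# bittorrent_read_daemon_config_files(); no rule below lets bittorrentd_t
# itself read it. Confirm whether the daemon reads config from /etc and, if
# so, add read_files_pattern(bittorrentd_t, bittorrentd_etc_t, bittorrentd_etc_t).
type bittorrentd_etc_t;
files_config_file(bittorrentd_etc_t)

# Persistent state (transmission creates files and dirs in /var/lib/transmission).
type bittorrentd_var_lib_t;
files_type(bittorrentd_var_lib_t)

type bittorrentd_var_log_t;
logging_log_file(bittorrentd_var_log_t)

########################################
#
# Local policy
#

# Self permissions: setgid/setuid (presumably to drop root privileges after
# start-up -- confirm), scheduling, and the sockets the daemon creates.
allow bittorrentd_t self:capability { setgid setuid };
dontaudit bittorrentd_t self:capability sys_tty_config;
allow bittorrentd_t self:process { getsched setsched };
allow bittorrentd_t self:fifo_file rw_fifo_file_perms;
allow bittorrentd_t self:tcp_socket { accept listen };
allow bittorrentd_t self:unix_stream_socket create_socket_perms;

# Full management of its own state directory and the files within it.
manage_dirs_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)
manage_files_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)

# Logs are create/append only: no read, overwrite or unlink of existing log
# content. Files created in the log directory are labeled bittorrentd_var_log_t.
allow bittorrentd_t bittorrentd_var_log_t:file { create_file_perms setattr_file_perms append_file_perms };
logging_log_filetrans(bittorrentd_t, bittorrentd_var_log_t, file)

kernel_read_network_state(bittorrentd_t)

# Generic TCP/UDP network access on any interface/node, plus the bittorrent
# control port for the daemon's listener.
corenet_all_recvfrom_unlabeled(bittorrentd_t)
corenet_all_recvfrom_netlabel(bittorrentd_t)
corenet_tcp_sendrecv_generic_if(bittorrentd_t)
corenet_udp_sendrecv_generic_if(bittorrentd_t)
corenet_tcp_sendrecv_generic_node(bittorrentd_t)
corenet_udp_sendrecv_generic_node(bittorrentd_t)
corenet_tcp_bind_generic_node(bittorrentd_t)
corenet_udp_bind_generic_node(bittorrentd_t)

corenet_tcp_bind_bittorrent_ctl_port(bittorrentd_t)
corenet_tcp_sendrecv_bittorrent_ctl_port(bittorrentd_t)
corenet_sendrecv_bittorrent_ctl_server_packets(bittorrentd_t)

dev_read_urand(bittorrentd_t)

domain_use_interactive_fds(bittorrentd_t)

files_search_var_lib(bittorrentd_t)
files_search_pids(bittorrentd_t)

fs_search_auto_mountpoints(bittorrentd_t)

auth_use_nsswitch(bittorrentd_t)

logging_send_syslog_msg(bittorrentd_t)

miscfiles_read_localization(bittorrentd_t)
# Read-only access to public content is unconditional; write access to
# public_content_rw_t and to CIFS/NFS shares is gated by the tunables above.
miscfiles_read_public_files(bittorrentd_t)

tunable_policy(`allow_bittorrent_anon_write',`
	miscfiles_manage_public_files(bittorrentd_t)
')

tunable_policy(`allow_bittorrentd_use_cifs',`
	fs_manage_cifs_dirs(bittorrentd_t)
	fs_manage_cifs_files(bittorrentd_t)
')

tunable_policy(`allow_bittorrentd_use_nfs',`
	fs_manage_nfs_dirs(bittorrentd_t)
	fs_manage_nfs_files(bittorrentd_t)
')

optional_policy(`
	seutil_sigchld_newrole(bittorrentd_t)
')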

bittorrent.if: create bittorrent_admin()

## <summary>Bittorrent peer-to-peer communications protocol for file sharing.</summary>

########################################
## <summary>
##	Read bittorrent daemon
##	configuration files (bittorrentd_etc_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bittorrent_read_daemon_config_files',`
	gen_require(`
		type bittorrentd_etc_t;
	')

	# Callers need to traverse /etc to reach the files; read-only, no
	# directory permissions on bittorrentd_etc_t itself are granted.
	files_search_etc($1)
	allow $1 bittorrentd_etc_t:file read_file_perms;
')

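########################################
## <summary>
##	All of the rules required to
##	administrate a bittorrent
##	environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`bittorrent_admin',`
	# Every required type on one comma-separated list per statement; the
	# earlier form "type bittorrentd_t; bittorrentd_initrc_exec_t;" left the
	# second name without a "type" keyword and is a syntax error.
	gen_require(`
		type bittorrentd_t, bittorrentd_initrc_exec_t;
		type bittorrentd_etc_t, bittorrentd_var_log_t;
		type bittorrentd_var_lib_t;
	')

	# Control the running daemon: signal, ptrace and inspect it in ps.
	allow $1 bittorrentd_t:process { ptrace signal_perms };
	ps_process_pattern($1, bittorrentd_t)

	# Run the init script in its own domain; the admin role is allowed to
	# transition to system_r for that script.
	init_labeled_script_domtrans($1, bittorrentd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 bittorrentd_initrc_exec_t system_r;
	allow $2 system_r;

	# The content served by the daemon lives in public content types
	# (see the allow_bittorrent_anon_write tunable in bittorrent.te).
	miscfiles_manage_public_files($1)

	# Full management of config, logs and state, plus listing of the parent
	# directories needed to reach them.
	files_list_etc($1)
	admin_pattern($1, bittorrentd_etc_t)

	logging_list_logs($1)
	admin_pattern($1, bittorrentd_var_log_t)

	files_list_var_lib($1)
	admin_pattern($1, bittorrentd_var_lib_t)
')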
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk26sukACgkQMlxVo39jgT/uHwCghqxyuCJALPKR/YpVyobmvYoW
e38AoLN0fAOuf+bEMA4xUsm8dTESboFb
=NUCj
-----END PGP SIGNATURE-----

