On 04/29/2011 12:06 AM, Mr Dash Four wrote:
> See attached. I have enclosed 2 policy modules to start with and see how
> it goes. I also enclosed a readme file with some notes on these
> policies. Comments, suggestions are mostly welcome!

Hi,

I took a look at your policy modules. I would like to focus on the transmission-daemon policy module.

I am not confident that any skype policy has a good chance of getting adopted, or any other gui user app for that matter. The user space is not confined in a way yet to support gui user application policy optimally, and until it is I do not want to waste time on getting any gui user application policy accepted.

Confining transmission-daemon on the other hand seems like a good idea. I have perused your policy and I rewrote it partly. However, I have only tested starting and stopping transmission-daemon. I have not actually used it and so policy is missing. Could you please test my policy and provide feedback so that it can be extended?

There are some things to be noted:

The policy supports a default setup. That is to say: transmission-daemon-2.11-2.fc14.x86_64. No changes have been made. I just installed it and ran it. Can you please do the same?

Here is my policy:

1. Add to corenetwork.te.in:

network_port(bittorrent_ctl, tcp,9091,s0)

I have not yet dealt with any other ports/connections. I would like to see raw AVC denials of that if possible.

2. Add to init.te:

optional_policy(`
	bittorrent_read_daemon_config_files(initrc_t)
')

3. The bittorrent policy module:

-- a: bittorrent.te:

policy_module(bittorrent, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow bittorrent servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_bittorrentd_use_cifs, false)

## <desc>
## <p>
## Allow bittorrent servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_bittorrentd_use_nfs, false)

type bittorrentd_t;
type bittorrentd_exec_t;
init_daemon_domain(bittorrentd_t, bittorrentd_exec_t)

type bittorrentd_initrc_exec_t;
init_script_file(bittorrentd_initrc_exec_t)

type bittorrentd_etc_t;
files_config_file(bittorrentd_etc_t)

type bittorrentd_var_lib_t;
files_type(bittorrentd_var_lib_t)

type bittorrentd_var_log_t;
logging_log_file(bittorrentd_var_log_t)

########################################
#
# Local policy
#

allow bittorrentd_t self:capability { setgid setuid };
dontaudit bittorrentd_t self:capability sys_tty_config;
allow bittorrentd_t self:process { getsched setsched };
allow bittorrentd_t self:fifo_file rw_fifo_file_perms;
allow bittorrentd_t self:tcp_socket { accept listen };
allow bittorrentd_t self:unix_stream_socket create_socket_perms;

# daemon state (torrents, .config/transmission-daemon.*) lives below /var/lib/transmission
manage_dirs_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)
manage_files_pattern(bittorrentd_t, bittorrentd_var_lib_t, bittorrentd_var_lib_t)

# log file: create/append only, no read or truncate
allow bittorrentd_t bittorrentd_var_log_t:file { create_file_perms setattr_file_perms append_file_perms };
logging_log_filetrans(bittorrentd_t, bittorrentd_var_log_t, file)

kernel_read_network_state(bittorrentd_t)

corenet_all_recvfrom_unlabeled(bittorrentd_t)
corenet_all_recvfrom_netlabel(bittorrentd_t)
corenet_tcp_sendrecv_generic_if(bittorrentd_t)
corenet_udp_sendrecv_generic_if(bittorrentd_t)
corenet_tcp_sendrecv_generic_node(bittorrentd_t)
corenet_udp_sendrecv_generic_node(bittorrentd_t)
corenet_tcp_bind_generic_node(bittorrentd_t)
corenet_udp_bind_generic_node(bittorrentd_t)

# RPC/web control interface on tcp/9091 (bittorrent_ctl_port_t)
corenet_tcp_bind_bittorrent_ctl_port(bittorrentd_t)
corenet_tcp_sendrecv_bittorrent_ctl_port(bittorrentd_t)
corenet_sendrecv_bittorrent_ctl_server_packets(bittorrentd_t)

dev_read_urand(bittorrentd_t)

domain_use_interactive_fds(bittorrentd_t)

files_search_var_lib(bittorrentd_t)
files_search_pids(bittorrentd_t)

fs_search_auto_mountpoints(bittorrentd_t)

auth_use_nsswitch(bittorrentd_t)

logging_send_syslog_msg(bittorrentd_t)

miscfiles_read_localization(bittorrentd_t)
miscfiles_read_public_files(bittorrentd_t)

tunable_policy(`allow_bittorrentd_use_cifs',`
	fs_read_cifs_files(bittorrentd_t)
')

tunable_policy(`allow_bittorrentd_use_nfs',`
	fs_read_nfs_files(bittorrentd_t)
')

optional_policy(`
	seutil_sigchld_newrole(bittorrentd_t)
')

-- b: bittorrent.if:

## <summary>Bittorrent peer-to-peer communications protocol for file sharing.</summary>

########################################
## <summary>
##	Read bittorrent daemon
##	configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bittorrent_read_daemon_config_files',`
	gen_require(`
		type bittorrentd_etc_t;
	')

	files_search_etc($1)
	allow $1 bittorrentd_etc_t:file read_file_perms;
')

-- c: bittorrent.fc:

/etc/rc\.d/init\.d/transmission-daemon	--	gen_context(system_u:object_r:bittorrentd_initrc_exec_t,s0)
/etc/sysconfig/transmission-daemon	--	gen_context(system_u:object_r:bittorrentd_etc_t,s0)

/usr/bin/transmission-daemon	--	gen_context(system_u:object_r:bittorrentd_exec_t,s0)

/var/lib/transmission(/.*)?	gen_context(system_u:object_r:bittorrentd_var_lib_t,s0)

/var/log/transmission-daemon\.log.*	--	gen_context(system_u:object_r:bittorrentd_var_log_t,s0)

Please compare what I have to what you have and ask questions about why my implementation differs from yours.

Here are a few basic comments:

1. I named the policy module bittorrent instead of transmission. This is because there are many bittorrent servers, I suspect. This class of servers has similar properties and so it makes sense to group them all in a single bittorrent domain.

2. I have labelled /etc/sysconfig/transmission-daemon: This is required to make any bittorrent_admin functional. We want bittorrent_admin to be able to define bittorrent server arguments (edit /etc/sysconfig/transmission-daemon).

3. The transmission-daemon package installs only the following files:

/etc/rc.d/init.d/transmission-daemon
/etc/sysconfig/transmission-daemon
/usr/bin/transmission-daemon
/usr/share/man/man1/transmission-daemon.1.gz
/var/lib/transmission

The /etc/rc.d/init.d/transmission-daemon script defines /var/log/name.log to be the default log file location. Yet there is no log file location specified in the "server args". This seems to be a bug, but it does not have to be if transmission-daemon logs to /var/log by default without setting the log server arg. I only started and stopped the server, and it did not create any log files.

4. The transmission-daemon lock and pid file are created by the init script and not by transmission-daemon.

5. The default location for transmission-daemon content appears to be /var/lib/transmission. The transmission-daemon created files and directories below there (.config/transmission-daemon.*). It seems that bittorrent_admin is expected to put the torrent content in the applicable layers below that directory, as I understand it.

Please try out my version of the policy on a clean and unmodified Fedora 14+ transmission-daemon installation, and provide feedback. Raw AVC denials are preferred.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
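As an added example (not part of the original message, and not refpolicy or audit2allow code), a small Python aggregator for the raw AVC denials the reply asks for: it groups denials for bittorrentd_t by target type and object class and renders them as candidate allow rules, flagging generic target types such as var_lib_t, which usually point at a labelling gap in bittorrent.fc rather than a missing rule. The audit lines are constructed samples.

```python
import re
from collections import defaultdict

# Fields of a raw AVC denial as written by auditd (or dmesg when auditd is off).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Generic target types: a denial against one of these usually means the object is
# mislabelled (needs an .fc entry / restorecon), not that the domain needs a new rule.
GENERIC_TYPES = {'var_lib_t', 'var_log_t', 'etc_t', 'var_t', 'usr_t'}

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]   # user:role:type[:level]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def summarize(lines, domain):
    """Collect denials for one source domain into {(target_type, tclass): perms}."""
    agg = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed and parsed[0] == domain:
            _, ttype, tclass, perms = parsed
            agg[(ttype, tclass)] |= perms
    return dict(agg)

def as_allow_rules(summary, domain):
    """Render each aggregate as a candidate rule; generic targets get a relabel note."""
    rules = []
    for (ttype, tclass), perms in sorted(summary.items()):
        rule = f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype in GENERIC_TYPES:
            rule += "  # generic target type: check file labels before allowing"
        rules.append(rule)
    return rules

# Constructed sample denials (not taken from a real system).
SAMPLE = """\
type=AVC msg=audit(1304038000.123:45): avc:  denied  { name_bind } for  pid=1234 comm="transmission-da" src=51413 scontext=system_u:system_r:bittorrentd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1304038000.124:46): avc:  denied  { read } for  pid=1234 comm="transmission-da" name="settings.json" dev=dm-0 ino=1234 scontext=system_u:system_r:bittorrentd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1304038000.125:47): avc:  denied  { write } for  pid=1234 comm="transmission-da" name="settings.json" dev=dm-0 ino=1234 scontext=system_u:system_r:bittorrentd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1304038000.126:48): avc:  denied  { name_bind } for  pid=999 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
""".splitlines()
```

Feed it `ausearch -m avc -ts recent` output (or the raw dmesg lines) and review the rendered rules by hand; denials from other domains, like the httpd_t sample, are filtered out.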