d25433c6c5
- Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labeled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager (bsc#1203824) >>>>>>> ./selinux-policy.changes.new - Revamped rtorrent module OBS-URL: https://build.opensuse.org/request/show/1006965 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=147
# Type enforcement policy for the rtorrent BitTorrent client.
# Confines rtorrent in its own domain (rtorrent_t) and exposes three booleans
# that gate the broader permissions (mail, ruTorrent web UI, helper scripts).
# All of them default to off; switch on only what the deployment needs.
policy_module(rtorrent, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow rtorrent to send mails
## </p>
## </desc>
# Default off: turning this on also grants exec on user binaries and manage on
# generic tmp files (see the tunable_policy block below).
gen_tunable(rtorrent_send_mails, false)

## <desc>
## <p>
## Enable necessary permissions for rutorrent
## </p>
## </desc>
# Default off: turning this on grants rtorrent manage+exec on httpd system
# content, i.e. write access to web-served files.
gen_tunable(rtorrent_enable_rutorrent, false)

## <desc>
## <p>
## Allow rtorrent to execute helper scripts in home directories
## </p>
## </desc>
# Default off: no domain transition is declared for the scripts here, so they
# presumably run with rtorrent_t's own permissions — confirm against rtorrent.if.
gen_tunable(rtorrent_exec_scripts, false)

# Role attribute for every role allowed to enter rtorrent_t; system_r is added
# here, user roles are added via rtorrent_run() (defined outside this file).
attribute_role rtorrent_roles;
roleattribute system_r rtorrent_roles;

# rtorrent_t is the confined domain, rtorrent_exec_t its entry-point executable.
type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
role rtorrent_roles types rtorrent_t;

########################################
#
# rtorrent local policy
#

allow rtorrent_t self:process { fork signal_perms };

# Pipes and unix sockets to itself (e.g. for its own IPC); no cross-domain
# socket access is granted here.
allow rtorrent_t self:fifo_file manage_fifo_file_perms;
allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(rtorrent_t)

files_read_etc_files(rtorrent_t)

miscfiles_read_localization(rtorrent_t)

# DNS client access (tracker/peer name resolution).
sysnet_dns_name_resolve(rtorrent_t)

# Let the staff role run rtorrent in rtorrent_t; dropped if the staff module is
# not loaded. rtorrent_run() itself is expected in rtorrent.if (not visible here).
optional_policy(`
	gen_require(`
		type staff_t;
		role staff_r;
	')

	rtorrent_run(staff_t, staff_r)
')

# Listening port type. The port number is not assigned in this file
# (corenetwork / semanage port) — verify it is mapped on the target system.
type rtorrent_port_t;
corenet_port(rtorrent_port_t)
allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
# NOTE(review): name_bind alone is not enough to bind a TCP socket; node_bind on
# the node type (corenet_tcp_bind_generic_node) must be granted somewhere —
# not visible in this file, confirm.

# Download/session data lives under the user's home directory.
userdom_read_user_home_content_symlinks(rtorrent_t)
userdom_manage_user_home_content_files(rtorrent_t)
userdom_manage_user_home_content_dirs(rtorrent_t)

# Accept incoming peer connections on the bound port.
allow rtorrent_t self:tcp_socket { accept listen };

# Outbound TCP to any labelled port — presumably because peers and trackers use
# arbitrary ports. This also covers ports of local services, so a compromised
# rtorrent_t can reach them; keep in mind when reviewing denials/allows.
corenet_tcp_connect_all_ports(rtorrent_t)

fs_getattr_xattr_fs(rtorrent_t)

userdom_use_inherited_user_terminals(rtorrent_t)

# this might be too much — home_manager grants write over all user home content,
# not just rtorrent's own files; a narrower per-type rule would limit the blast
# radius of a compromised client.
userdom_home_manager(rtorrent_t)
userdom_filetrans_home_content(rtorrent_t)

# Mail notification support; wrapped in optional_policy because the mta module
# may not be present. Only active when the rtorrent_send_mails boolean is on.
optional_policy(`
	tunable_policy(`rtorrent_send_mails',`
		userdom_exec_user_bin_files(rtorrent_t)
		userdom_exec_user_home_content_files(rtorrent_t)
		files_manage_generic_tmp_files(rtorrent_t)
		mta_send_mail(rtorrent_t)
	')
')

# ruTorrent web front-end support; wrapped in optional_policy because the apache
# module may not be present. Only active when rtorrent_enable_rutorrent is on.
# Grants manage (write) on httpd system content: rtorrent can then alter
# web-served files, so enable only on hosts that actually run ruTorrent.
optional_policy(`
	tunable_policy(`rtorrent_enable_rutorrent',`
		apache_manage_sys_content(rtorrent_t)
		apache_exec_sys_content(rtorrent_t)
	')
')

# Helper-script support (rtorrent_exec_scripts): system binaries and user bin
# files become executable from rtorrent_t. No transition is declared here, so
# whatever the scripts do runs with rtorrent_t's permissions listed above.
tunable_policy(`rtorrent_exec_scripts',`
	# execute helper scripts
	corecmd_exec_bin(rtorrent_t)
	userdom_exec_user_bin_files(rtorrent_t)
')