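policy_module(rtorrent, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow rtorrent to use send mails
## </p>
## </desc>
gen_tunable(rtorrent_send_mails, false)

## <desc>
## <p>
## Enable necessary permissions for rutorrent
## </p>
## </desc>
gen_tunable(rtorrent_enable_rutorrent, false)

## <desc>
## <p>
## Allow rtorrent to execute helper scripts in home directories
## </p>
## </desc>
gen_tunable(rtorrent_exec_scripts, false)

attribute_role rtorrent_roles;
roleattribute system_r rtorrent_roles;

type rtorrent_t;
type rtorrent_exec_t;
application_domain(rtorrent_t, rtorrent_exec_t)
role rtorrent_roles types rtorrent_t;

# Labeled type for the listening port. The port number itself is not
# assigned here; it has to be mapped to rtorrent_port_t elsewhere
# (portcon / semanage port) before name_bind below has any effect.
type rtorrent_port_t;
corenet_port(rtorrent_port_t)

########################################
#
# rtorrent local policy
#

allow rtorrent_t self:process { fork signal_perms };
allow rtorrent_t self:fifo_file manage_fifo_file_perms;
allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;
allow rtorrent_t self:tcp_socket { accept listen };

# Incoming peer listener. name_bind covers the labeled port, but bind()
# is additionally checked against the node the socket is bound to, so
# node_bind on generic nodes is needed for the listener to come up.
allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
corenet_tcp_bind_generic_node(rtorrent_t)

# Outbound peer connections: this grants name_connect to every port
# type, i.e. outbound TCP to any port. Keep in mind when auditing
# egress from this domain.
corenet_tcp_connect_all_ports(rtorrent_t)
sysnet_dns_name_resolve(rtorrent_t)

domain_use_interactive_fds(rtorrent_t)
files_read_etc_files(rtorrent_t)
fs_getattr_xattr_fs(rtorrent_t)
miscfiles_read_localization(rtorrent_t)
userdom_use_inherited_user_terminals(rtorrent_t)

# Downloads and session data live under the user's home.
userdom_read_user_home_content_symlinks(rtorrent_t)
userdom_manage_user_home_content_files(rtorrent_t)
userdom_manage_user_home_content_dirs(rtorrent_t)
# Original remark: "this might be to much". userdom_home_manager goes
# beyond the per-content rules above and hands the domain broad
# management of the home directory tree; review whether the three
# userdom_* rules above are already sufficient.
userdom_home_manager(rtorrent_t)
userdom_filetrans_home_content(rtorrent_t)

########################################
#
# Tunable policy
#

tunable_policy(`rtorrent_exec_scripts',`
	# execute helper scripts
	# NOTE: the tunable description speaks of home directories, but
	# corecmd_exec_bin also permits executing system bin directories.
	corecmd_exec_bin(rtorrent_t)
	userdom_exec_user_bin_files(rtorrent_t)
')

optional_policy(`
	tunable_policy(`rtorrent_send_mails',`
		# The mail helper is run from the user's bin / home content
		# and needs generic tmp files. Note this allows executing any
		# user home content file, not only the mail helper.
		userdom_exec_user_bin_files(rtorrent_t)
		userdom_exec_user_home_content_files(rtorrent_t)
		files_manage_generic_tmp_files(rtorrent_t)
		mta_send_mail(rtorrent_t)
	')
')

optional_policy(`
	tunable_policy(`rtorrent_enable_rutorrent',`
		# rutorrent web front-end shares state via apache sys content.
		apache_manage_sys_content(rtorrent_t)
		apache_exec_sys_content(rtorrent_t)
	')
')

optional_policy(`
	gen_require(`
		type staff_t;
		role staff_r;
	')

	# Let the staff user start rtorrent in its own domain; rtorrent_run
	# is defined in the module's interface file.
	rtorrent_run(staff_t, staff_r)
')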