<br><br><div><span class="gmail_quote">On 4/19/07, <b class="gmail_sendername">Daniel J Walsh</b> &lt;<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Al Pacifico wrote:<br>&gt; I (a greenhorn with selinux) am writing a policy for a daemon that<br>&gt; streams music files over my home network to a music player client (a<br>&gt; Slimdevices Squeezebox). My OS is FC5.<br>
&gt;<br>&gt; The main daemon (/usr/sbin/slimserver) is a perl script that serves<br>&gt; the music files and is started with an init script. My questions have<br>&gt; to do with a secondary program (/usr/sbin/slimserver-scanner, also a
<br>&gt; perl script) that scans the music on the server, reading mp3 tags and<br>&gt; such, and generates a database of stored music that is stored in a<br>&gt; MySQL database. /usr/sbin/slimserver-scanner is invoked by the
<br>&gt; /usr/sbin/slimserver daemon and might be invoked by the user (although<br>&gt; I can&#39;t recall ever doing so in several years of owning a Squeezebox).<br>&gt;<br>&gt; I&#39;ve been following the example posted by Dan Walsh in a blog at
<br>&gt; <a href="http://danwalsh.livejournal.com/8707.html?thread=39171">http://danwalsh.livejournal.com/8707.html?thread=39171</a> which has been<br>&gt; extremely helpful.<br>&gt;<br>&gt; My (2) questions:<br>&gt; 1. What is the appropriate file context for the scanner program?
<br>&gt; system_u:object_r:sbin_t?<br>&gt; system_u:object_r:slimserver_t?<br>&gt; system_u:object_r:slimserver_exec_t?<br>&gt;<br>That depends on your security goals.&nbsp;&nbsp;If you want the slimserver-scanner<br>to have the same privs as slimserver you would label it sbin_t and allow
<br>slimserver to corecmd_exec_sbin().&nbsp;&nbsp;If you want to go with least privs,<br>you would create a new policy for slimserver-scanner<br>(slimserver_scanner_t with file context of slimserver_scanner_exec_t)<br>and then add a rule to slimserver_t to domtrans
<br>slimserver_scanner_domtrans(slimserver_t)</blockquote><div><br>I&#39;m a little confused about this. I want to limit privileges of slimserver and slimserver-scanner to accessing only certain files. If I label slimserver-scanner as &#39;sbin_t&#39;, when a user executes slimserver-scanner, won&#39;t he/she have more privileges than slimserver then?
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">&gt; The generated slimserver.fc file contains:<br>&gt; # slimserver executable will have:
<br>&gt; # label: system_u:object_r:slimserver_exec_t<br>&gt; # MLS sensitivity: s0<br>&gt; # MCS categories: &lt;none&gt;<br>&gt;<br>&gt; /usr/sbin/slimserver&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--<br>&gt; gen_context(system_u:object_r:slimserver_exec_t,s0)
<br>&gt; /var/run/slimserver.pid<br>&gt; gen_context(system_u:object_r:slimserver_var_run_t,s0)<br>&gt; /var/log/slimserver<br>&gt; gen_context(system_u:object_r:slimserver_var_log_t,s0)<br>&gt;<br>&gt; and the slimserver.if
 file contains:<br>&gt; interface(`slimserver_domtrans&#39;,`<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; gen_require(`<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type slimserver_t, slimserver_exec_t;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#39;)<br>&gt;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; domain_auto_trans($1,slimserver_exec_t,slimserver_t)
<br>&gt;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; allow $1 slimserver_t:fd use;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; allow slimserver_t $1:fd use;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; allow slimserver_t $1:fifo_file rw_file_perms;<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; allow slimserver_t $1:process sigchld;<br>
&gt; &#39;)<br>&gt;<br>&gt; 2. There is no reason to add the scanner program be added to<br>&gt; slimserver.fc that was generated by policygentool, is there?<br>Only if you are creating a context for slimserver_scanner_exec_t,
<br>otherwise just let it be labeled sbin_t.<br>&gt; The file itself just needs to be labeled appropriately, right? Or does<br>&gt; that file play some role in policy compilation in a step that I did<br>&gt; not explicitly executed when I invoked &#39;make -f
<br>&gt; /usr/share/selinux/devel/Makefile&#39;?<br>&gt;<br>&gt; Thanks in advance.<br>&gt; -al<br>&gt; --<br>&gt; Al Pacifico<br>&gt; Seattle, WA<br>&gt; ------------------------------------------------------------------------
<br>&gt;<br>&gt; --<br>&gt; fedora-selinux-list mailing list<br>&gt; <a href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a><br>&gt; <a href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">
https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a><br><br></blockquote></div><br><br clear="all"><br>-- <br>Al Pacifico<br>Seattle, WA