On 2007-04-18, Al Pacifico <adpacifico(a)users.sourceforge.net> wrote:
> I (a greenhorn with selinux) am writing a policy for a daemon that
> streams music files over my home network to a music player client
> (a Slimdevices Squeezebox). My OS is FC5.
Cool, I have a Squeezebox too, and slimserver running on Centos5.
> I've been following the example posted by Dan Walsh in a blog at
> http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> extremely helpful.
Have a look at my venture into selinux-land too :-)
Chronologically:
http://tanso.net/selinux/
http://tanso.net/selinux/argus/
http://tanso.net/selinux/argus/argus-from-scratch/
> My (2) questions:
> 1. What is the appropriate file context for the scanner program?
> system_u:object_r:sbin_t?
> system_u:object_r:slimserver_t?
> system_u:object_r:slimserver_exec_t?
I believe the scanner is executed from the web-server process (there's a
scan-now link, or similar). So, my guess would be that you should make
the main slimserver script that's supposed to transition into slimserver_t
slimserver_exec_t, while the scanner should be slimserver_t.
If you make it sbin_t or bin_t, it will mean that you'll need to
give the main slimserver access to execute all files of type (s)bin_t.
It will probably be interesting to see how much it's possible to
confine a perl-script like the slimserver. Without looking, I'd
assume it'd need to exec lots of bin_t executables..
> 2. There is no reason for the scanner program to be added to
> slimserver.fc that was generated by policygentool, is there? The file
> itself just needs to be labeled appropriately, right?
I think you'll want to add the scanner to slimserver.fc to make sure
the labeling is correct on the next re-label or slimserver upgrade.
-jf
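As an added illustration of the two points in the reply above (the main script gets slimserver_exec_t so init transitions into slimserver_t, and the scanner is listed in slimserver.fc so its label survives a relabel), here is a minimal module fragment in the reference-policy style policygentool emits. This is example policy, not the poster's module and not anything from the slimserver project; the install paths /usr/bin/slimserver.pl and /usr/bin/scanner.pl are assumptions, since the thread never names them. It differs from the reply in one respect: rather than labeling the scanner with the domain type slimserver_t, it reuses slimserver_exec_t and grants can_exec(), which is the refpolicy idiom for "the daemon may run this helper and stay in its own domain".

```selinux
# slimserver.fc -- file contexts (paths are assumed for this example)
# The daemon's entry point: init execs it and transitions into slimserver_t.
/usr/bin/slimserver\.pl	--	gen_context(system_u:object_r:slimserver_exec_t,s0)
# The scanner: same label, executed by slimserver_t without a transition.
# Listed here so restorecon / a relabel / a package upgrade keep it correct.
/usr/bin/scanner\.pl	--	gen_context(system_u:object_r:slimserver_exec_t,s0)

# slimserver.te -- type enforcement
policy_module(slimserver, 1.0.0)

type slimserver_t;
type slimserver_exec_t;
# Declares slimserver_t as a domain, makes slimserver_exec_t its entrypoint,
# and adds the init_t -> slimserver_t transition on exec of that type.
init_daemon_domain(slimserver_t, slimserver_exec_t)

# Let the running daemon exec files labeled slimserver_exec_t (the scanner)
# in place: execute_no_trans, so the scanner inherits the slimserver_t domain.
can_exec(slimserver_t, slimserver_exec_t)

# A perl daemon needs the interpreter and, typically, assorted shell tools;
# this is the "lots of bin_t executables" the reply expects.
corecmd_exec_bin(slimserver_t)
corecmd_exec_shell(slimserver_t)
```

After building and loading the module (semodule -i slimserver.pp), run restorecon -v on both paths and confirm with ls -Z that the scanner carries slimserver_exec_t; while the daemon is running, ps -eZ should show both the server and a running scan in slimserver_t. Anything the scanner still needs beyond this will surface as AVC denials in /var/log/audit/audit.log, which is where the rest of the module's rules come from.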