Daniel J Walsh wrote:
Ken YANG wrote:
> hi all,
>
> i write module for Network Audio System (NAS) in fedora
> rawhide.
>
> firstly, i think there is not policy for nas, so i write
> from scratch, but after finishing, i found there is a
> soundserver module in policy, so i ported my nas policy
> into this module.
>
> i am not familiar with nas, so i just make some tests for
> new soundserver policy, especially some tools in nas package,
> including:
>
> audemo, audial, auinfo, aupanel, auplay......
>
> IMHO, it seems to work well, and there was not any errors
> about nas in audit messages.
>
>
>
First I removed soundd_etc_t and replaced it with etc_t. No reason to
create a type for config files, unless
you are writing to them, or they have data, that you are trying to
prevent other confined domains from
reading. Existing soundd policy has this so I am typealiasing in Rawhide.
I had changed policy based on your advice, but i can not
find typealiase about etc_t in policy 3.0.4-5, maybe is still in your
workbench, hadn't export.
nasd is creating sockets in /tmp. This is a bad idea. It should be
moved to /var/run. This will not work with a polyinstatiated /tmp
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453
i add myself to cc-list, so if there are some changes i will
modify the policy.
domain_type(soundd_t)
domain_entry_file(soundd_t,soundd_exec_t)
Are provided already by
init_daemon_domain(soundd_t,soundd_exec_t)
+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
Includes
+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
sorry for my ignorance.
You did not give the application the ability to create sound_tmp_t
files, so this is not necessary.
+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
I think you need manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
Because the /tmp/.socket does not exist before hand
And the only thing you are crearing is a dir so your file trans should
look like the following.
+files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)
All these rules should change to var_run_t when nasd is fixed to use it.
the attach file is the newest patch based on selinux-policy-3.0.4-5,
please review it.