package review?

Paul Howarth paul at city-fan.org
Fri Jul 21 15:46:28 UTC 2006


Michael Thomas wrote:
> A few packages (game server daemons) that I maintain in Fedora Extras
> would benefit from having a selinux security policy available.  But
> since I'm new to writing selinux policies, I was hoping that someone
> from f-s-l could take a peek at what I did and let me know if I've done
> things correctly and in the 'recommended' way.
> 
> I've already tested the policy on FC5 to make sure that it works and
> produces no 'avc denied' messages:
> 
> http://www.kobold.org/~wart/fedora/crossfire-1.9.1-2.src.rpm
> 
> I wasn't sure exactly which networking rules I would need.  Most of the
> ones there were generated by policygentool.  I also couldn't figure out
> why some of the rules at the end of crossfire.te were necessary.

I don't see any domain transition to crossfire_t in your policy; how 
does it get into that domain?

Your policy file includes a comment about wanting to patch out use of 
temp files; another option would be to use your own domain for temp 
files, as you've done for the log files.

Did you follow the guide on Packaging/SELinux on the wiki for actually 
building the module in your package? I've changed what I do for package 
building since I last updated that page (and I can't update it any more) 
and you'll find it won't build on rawhide as there is an 
selinux-policy-devel package you need as a buildreq there.

An example of the way I'm currently doing SELinux module packaging can 
be found here:

http://www.city-fan.org/~paul/extras/mod_fcgid/mod_fcgid.spec

Paul.
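
The two points raised in the reply above (an entry point that moves the daemon into crossfire_t, and a private type for its temp files), shown as an added example that is not from the original thread or from the crossfire package. It assumes the macros of the current reference policy; crossfire_exec_t, crossfire_tmp_t and the binary path in the comment are hypothetical names.

```selinux
policy_module(crossfire, 1.0.0)

# Domain for the running daemon and the type of its executable.
# crossfire_exec_t is a hypothetical name for this example.
type crossfire_t;
type crossfire_exec_t;

# Marks crossfire_exec_t as the entry point of crossfire_t and adds the
# type_transition that moves a process started from an init script
# into crossfire_t when it executes a file labelled crossfire_exec_t.
init_daemon_domain(crossfire_t, crossfire_exec_t)

# Private type for temp files, so the daemon needs no access to the
# generic tmp_t files of other programs. Hypothetical name.
type crossfire_tmp_t;
files_tmp_file(crossfire_tmp_t)

# Let the daemon manage its own temp files and directories.
manage_dirs_pattern(crossfire_t, crossfire_tmp_t, crossfire_tmp_t)
manage_files_pattern(crossfire_t, crossfire_tmp_t, crossfire_tmp_t)

# Files and directories that crossfire_t creates in /tmp are labelled
# crossfire_tmp_t automatically instead of inheriting tmp_t.
files_tmp_filetrans(crossfire_t, crossfire_tmp_t, { file dir })

# The transition only fires if the binary carries the entry point label.
# That label is assigned in the matching crossfire.fc file, for example
# with a placeholder path:
#   /usr/bin/crossfire-server  --  gen_context(system_u:object_r:crossfire_exec_t,s0)
```

After loading the module and relabelling the binary, `ps -eZ` shows whether the running daemon actually ended up in crossfire_t.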