[RFC] policy about nas sound server
Ken YANG
spng.yang at gmail.com
Thu Aug 2 07:58:08 UTC 2007
Daniel J Walsh wrote:
> Ken YANG wrote:
>> hi all,
>>
>> i write module for Network Audio System (NAS) in fedora
>> rawhide.
>>
>> firstly, i think there is not policy for nas, so i write
>> from scratch, but after finishing, i found there is a
>> soundserver module in policy, so i ported my nas policy
>> into this module.
>>
>> i am not familiar with nas, so i just make some tests for
>> new soundserver policy, especially some tools in nas package,
>> including:
>>
>> audemo, audial, auinfo, aupanel, auplay......
>>
>> IMHO, it seems to work well, and there was not any errors
>> about nas in audit messages.
>>
>>
>>
> First I removed soundd_etc_t and replaced it with etc_t. No reason to
> create a type for config files, unless
> you are writing to them, or they have data, that you are trying to
> prevent other confined domains from
> reading. Existing soundd policy has this so I am typealiasing in Rawhide.
I had changed policy based on your advice, but i can not
find typealiase about etc_t in policy 3.0.4-5, maybe is still in your
workbench, hadn't export.
>
> nasd is creating sockets in /tmp. This is a bad idea. It should be
> moved to /var/run. This will not work with a polyinstatiated /tmp
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453
i add myself to cc-list, so if there are some changes i will
modify the policy.
>
> domain_type(soundd_t)
> domain_entry_file(soundd_t,soundd_exec_t)
>
> Are provided already by
>
> init_daemon_domain(soundd_t,soundd_exec_t)
>
>
> +manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
> Includes
>
> +delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
sorry for my ignorance.
>
> You did not give the application the ability to create sound_tmp_t
> files, so this is not necessary.
> +delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
>
> I think you need manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
>
> Because the /tmp/.socket does not exist before hand
> And the only thing you are crearing is a dir so your file trans should
> look like the following.
> +files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)
>
> All these rules should change to var_run_t when nasd is fixed to use it.
the attach file is the newest patch based on selinux-policy-3.0.4-5,
please review it.
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: soundserver-3.0.4-5.patch
Type: text/x-patch
Size: 4255 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20070802/4366db5e/attachment.bin
More information about the selinux
mailing list