From: dominick.grift@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
Date: Wed, 01 May 2013 21:12:09 +0200
Message-ID: <1367435529.452.19.camel@d30>
In-Reply-To: <20130501183845.GC25116@siphos.be>

On Wed, 2013-05-01 at 20:38 +0200, Sven Vermeulen wrote:
> The minidlna policy allows the minidlna server to listen on the ssdp and trivnet1
> ports (ssdp is for the discovery, trivnet1 for serving the files) and serve
> files marked as public_t.
> 
> If minidlna_read_generic_user_content is set, the server can also be used to
> serve user content.

Some comments in-line

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  minidlna.fc | 11 +++++++
>  minidlna.if | 64 +++++++++++++++++++++++++++++++++++++++
>  minidlna.te | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 174 insertions(+)
>  create mode 100644 minidlna.fc
>  create mode 100644 minidlna.if
>  create mode 100644 minidlna.te
> 
> diff --git a/minidlna.fc b/minidlna.fc
> new file mode 100644
> index 0000000..05ad732
> --- /dev/null
> +++ b/minidlna.fc
> @@ -0,0 +1,11 @@
> +/etc/rc\.d/init\.d/minidlna	--	gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
> +
> +/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_etc_t,s0)

Can we use type minidlna_conf_t instead for consistency?

> +
> +/usr/sbin/minidlna	--	gen_context(system_u:object_r:minidlna_exec_t,s0)
> +
> +/var/lib/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_db_t,s0)

Can we add support for /var/cache/minidlna(/.*)? as well for Fedora? (Fedora
installs the /var/cache/minidlna dir instead for this content.)

> +
> +/var/log/minidlna\.log	--	gen_context(system_u:object_r:minidlna_log_t,s0)

This daemon runs as root on gentoo?

Can we do /var/log/minidlna.log.* instead? (in case someone uses
logrotate to maintain the log files)

Also add support for /var/log/minidlna(/.*)? as well for Fedora?
(Fedora installs the /var/log/minidlna dir instead.)

> +
> +/var/run/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_var_run_t,s0)
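Review bot: the `/var/run/minidlna(/.*)?` entry labels a directory under /var/run, but the .te hunk only carries `files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)`, so if the init script or the daemon creates `/var/run/minidlna` itself at boot (a tmpfs /var/run is empty after a reboot) the directory stays var_run_t and the pid file written into it inherits var_run_t instead of minidlna_var_run_t, which then fails or needs extra rules; either add a `dir` filetrans for the pid directory or state that the package ships it and relabels it. The same question applies to `/var/lib/minidlna(/.*)?`: the .fc labels the directory and the .te also has `files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)`, so one of the two is only needed if the daemon really creates that directory at runtime.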
> diff --git a/minidlna.if b/minidlna.if
> new file mode 100644
> index 0000000..d27f634
> --- /dev/null
> +++ b/minidlna.if
> @@ -0,0 +1,64 @@
> +## <summary>MiniDLNA server</summary>

Gimme a break ;)

Please use something a little more descriptive:

MiniDLNA lightweight DLNA/UPnP media server.

> +
> +########################################
> +## <summary>
> +##	All of the rules required to
> +##	administrate an minidlna environment.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`minidlna_admin',`
> +	gen_require(`
> +		type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
> +		type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
> +	')
> +
> +	allow $1 minidlna_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, minidlna_t)
> +
> +	minidlna_initrc_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 minidlna_initrc_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_search_etc($1)
> +	admin_pattern($1, minidlna_etc_t)
> +
> +	logging_search_logs($1)
> +	admin_pattern($1, minidlna_log_t)
> +
> +	files_search_var_lib($1)
> +	admin_pattern($1, minidlna_db_t)
> +
> +	files_search_pids($1)
> +	admin_pattern($1, minidlna_var_run_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute minidlna init scripts in
> +##	the initrc domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`minidlna_initrc_domtrans',`
> +	gen_require(`
> +		type minidlna_initrc_exec_t;
> +	')
> +
> +	init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
> +')
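Review bot: the `minidlna_admin` summary reads "administrate an minidlna environment"; "a minidlna environment" is the correct article, and the generated interface documentation should match the wording the other admin interfaces in the tree use. Otherwise the interface follows the usual admin template: the `gen_require` lists every type the `admin_pattern` calls touch, `minidlna_initrc_domtrans` is defined in the same file, and `<rolecap/>` is present for the role parameter.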
> diff --git a/minidlna.te b/minidlna.te
> new file mode 100644
> index 0000000..06ab1c9
> --- /dev/null
> +++ b/minidlna.te
> @@ -0,0 +1,99 @@
> +policy_module(minidlna, 0.1)
> +
> +#############################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +##	<p>
> +##	Allow minidlna to read generic user content

Determine whether Minidlna can read generic user content. (I am trying
to be consistent.)

> +##	</p>
> +## </desc>
> +gen_tunable(minidlna_read_generic_user_content, false)
> +
> +type minidlna_t;
> +type minidlna_exec_t;
> +init_daemon_domain(minidlna_t, minidlna_exec_t)
> +
> +type minidlna_initrc_exec_t;
> +init_script_file(minidlna_initrc_exec_t)
> +
> +type minidlna_etc_t;
> +files_config_file(minidlna_etc_t)
> +
> +type minidlna_log_t;
> +logging_log_file(minidlna_log_t)
> +
> +type minidlna_db_t;
> +files_type(minidlna_db_t)
> +
> +type minidlna_var_run_t;
> +files_pid_file(minidlna_var_run_t)
> +
> +###############################################
> +#
> +# Local policy
> +#
> +
> +allow minidlna_t self:process { setsched };

No need for brace expansion here (nothing to expand)

> +allow minidlna_t self:tcp_socket create_stream_socket_perms;
> +allow minidlna_t self:udp_socket { create_socket_perms node_bind };

What's the node_bind permission doing there?

> +allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;

Are you sure it needs to write the routing table? (show me the avc
denials)

> +allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };

Need support for adding dir entries to minidlna_log_t dirs (Fedora
installs the /var/log/minidlna dir).

> +allow minidlna_t minidlna_etc_t:file read_file_perms;
> +
> +manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)

Are you saying that it does not actually install /var/lib/minidlna?
This can probably be done cleaner (use permission sets where possible
instead of patterns)

> +
> +manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> +rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)

A permission set is cleaner.

> +files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
> +
> +kernel_read_fs_sysctls(minidlna_t)
> +kernel_read_system_state(minidlna_t)
> +logging_log_filetrans(minidlna_t, minidlna_log_t, file)

This needs to go up (to where the other logging rules are).

> +
> +corecmd_exec_bin(minidlna_t)
> +corecmd_exec_shell(minidlna_t)
> +
> +corenet_all_recvfrom_netlabel(minidlna_t)
> +corenet_all_recvfrom_unlabeled(minidlna_t)
> +
> +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> +
> +corenet_tcp_bind_generic_node(minidlna_t)
> +corenet_tcp_sendrecv_generic_if(minidlna_t)
> +corenet_tcp_sendrecv_generic_node(minidlna_t)
> +
> +corenet_udp_bind_generic_node(minidlna_t)
> +corenet_udp_bind_ssdp_port(minidlna_t)
> +
> +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> +corenet_tcp_bind_trivnet1_port(minidlna_t)
> +
> +files_read_etc_files(minidlna_t)

Which file is that? /etc/nsswitch.conf?

> +
> +miscfiles_read_localization(minidlna_t)
> +miscfiles_read_public_files(minidlna_t)
> +
> +tunable_policy(`minidlna_read_generic_user_content',`
> +	userdom_list_user_tmp(minidlna_t)
> +	userdom_read_user_home_content_files(minidlna_t)
> +	userdom_read_user_home_content_symlinks(minidlna_t)
> +	userdom_read_user_tmp_files(minidlna_t)
> +	userdom_read_user_tmp_symlinks(minidlna_t)
> +',`
> +	files_dontaudit_list_home(minidlna_t)
> +	files_dontaudit_list_tmp(minidlna_t)
> +
> +	userdom_dontaudit_list_user_home_dirs(minidlna_t)
> +	userdom_dontaudit_list_user_tmp(minidlna_t)
> +	userdom_dontaudit_read_user_home_content_files(minidlna_t)
> +	userdom_dontaudit_read_user_tmp_files(minidlna_t)
> +')
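Review bot: `corecmd_exec_bin(minidlna_t)` and `corecmd_exec_shell(minidlna_t)` let a network-facing media server that otherwise only needs to read media, write its database and listen on two ports execute any binary and a shell; that is a large grant for the threat model, so it should come with the AVC denials that motivated it (a transcoding or thumbnail helper, for example) or be dropped. A smaller consistency point in the same hunk: TCP gets `corenet_tcp_sendrecv_generic_if` and `corenet_tcp_sendrecv_generic_node`, but UDP only gets `corenet_udp_bind_generic_node` and `corenet_udp_bind_ssdp_port`, so the matching `corenet_udp_sendrecv_generic_if`/`corenet_udp_sendrecv_generic_node` calls are missing for the SSDP discovery traffic the commit message describes. The log rule `allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms }` is a good least-privilege choice (append-only, no rewrite of existing log content) and should keep that shape when the dir rules Dominick asked for are added.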


Thread overview: 18+ messages
2013-05-01 18:36 [refpolicy] [PATCH/RFC 0/2] Introduce minidlna policy Sven Vermeulen
2013-05-01 18:37 ` [refpolicy] [PATCH/RFC 1/2] Add trivnet1 port (8200) Sven Vermeulen
2013-05-01 18:38 ` [refpolicy] [PATCH/RFC 2/2] Add minidlna policy Sven Vermeulen
2013-05-01 19:12   ` Dominick Grift [this message]
2013-05-01 20:09     ` Sven Vermeulen
2013-05-01 20:14       ` Dominick Grift
2013-05-02 18:26         ` Christopher J. PeBenito
2013-05-02 10:59       ` Dominick Grift
2013-05-02 15:41   ` Dominick Grift
2013-05-02 19:23     ` Sven Vermeulen
2013-05-02 19:52       ` Dominick Grift
2013-05-03  7:08         ` Dominick Grift
2013-05-03 12:02           ` Sven Vermeulen
2013-05-03 12:19             ` Dominick Grift
2013-05-03 12:23             ` Dominick Grift
2013-05-03 13:47         ` Christopher J. PeBenito
2013-05-03 17:21           ` Sven Vermeulen
2013-05-03 17:38             ` Christopher J. PeBenito