From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
Date: Wed, 1 May 2013 22:09:01 +0200
Message-ID: <20130501200901.GA27004@siphos.be>
In-Reply-To: <1367435529.452.19.camel@d30>
On Wed, May 01, 2013 at 09:12:09PM +0200, Dominick Grift wrote:
> > +/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_etc_t,s0)
>
> Can we use type minidlna_conf_t instead for consistency?
Ok... but in the contrib/ folder, I find more _etc_t definitions than
_conf_t ones:
$ grep '^type .*_conf_t' *.te | wc -l
36
$ grep '^type .*_etc_t' *.te | wc -l
89
> > +
> > +/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
> > +
> > +/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
>
> Can we add support for /var/cache/minidlna(/.*)? as well for Fedora? (Fedora
> installs the /var/cache/minidlna dir instead for this content)
Of course
> > +
> > +/var/log/minidlna\.log -- gen_context(system_u:object_r:minidlna_log_t,s0)
>
> This daemon runs as root on gentoo?
No, but the package manager creates the log file with proper ownership
already here.
> Can we do /var/log/minidlna.log.* instead? (in case someone uses
> logrotate to maintain the log files)
>
> Also add support for /var/log/minidlna(/.*)? as well for Fedora?
> ( Fedora installs the /var/log/minidlna dir instead )
Ok
> > +## <summary>MiniDLNA server</summary>
>
> Gimme a break ;)
>
> Please use something a little more descriptive:
>
> MiniDLNA lightweight DLNA/UPnP media server.
Have a kitkat ;-)
Sorry about that.
> > +## <desc>
> > +## <p>
> > +## Allow minidlna to read generic user content
>
> Determine whether Minidlna can read generic user content. (I am trying
> to be consistent)
Ok.
> > +allow minidlna_t self:tcp_socket create_stream_socket_perms;
> > +allow minidlna_t self:udp_socket { create_socket_perms node_bind };
>
> What's the node_bind permission doing there?
Sorry about that, that was from before I had the
corenet_udp_bind_generic_node(minidlna_t) set.
> > +allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
>
> Are you sure it needs to write the routing table? (show me the avc
> denials)
Ah yes, r_netlink_socket_perms is sufficient, my bad.
> > +allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
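Review bot: the minidlna_log_t rule grants { create_file_perms append_file_perms } on files only, with no dir permissions on minidlna_log_t, so it relies entirely on the logging_log_filetrans rule later in the patch to reach /var/log; when dir support for a minidlna_log_t directory is added, keep the file side append-only rather than widening it to rw, because a daemon that can only append cannot truncate or rewrite its own log.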
>
> Need support for adding dir entries to minidlna_log_t dirs (Fedora
> installs the /var/log/minidlna dir)
Ok
> > +allow minidlna_t minidlna_etc_t:file read_file_perms;
> > +
> > +manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
>
> Are you saying that it does not actually install /var/lib/minidlna?
> This can probably be done cleaner (use permission sets where possible
> instead of patterns)
I wasn't sure what to do here. Gentoo installs the /var/lib/minidlna
directory already as part of the software installation. But I noticed that
the majority of modules do have this set.
I'll change it to a files_search_var_lib(minidlna_t).
> > +
> > +manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> > +rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
>
> A permission set is cleaner.
Ok
> > +files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
> > +
> > +kernel_read_fs_sysctls(minidlna_t)
> > +kernel_read_system_state(minidlna_t)
> > +logging_log_filetrans(minidlna_t, minidlna_log_t, file)
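Review bot: files_pid_filetrans and logging_log_filetrans both name only the file class, so anything the daemon creates as a directory under /var/run or /var/log would keep the parent's var_run_t or var_log_t label rather than the minidlna_* type; confirm the daemon only ever creates plain files there, and if it creates a directory (the /var/log/minidlna case raised above) add dir to the class list of the filetrans call.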
>
> This needs to go up (to where the other logging rules are)
Ok
> > +
> > +corecmd_exec_bin(minidlna_t)
> > +corecmd_exec_shell(minidlna_t)
> > +
> > +corenet_all_recvfrom_netlabel(minidlna_t)
> > +corenet_all_recvfrom_unlabeled(minidlna_t)
> > +
> > +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> > +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> > +
> > +corenet_tcp_bind_generic_node(minidlna_t)
> > +corenet_tcp_sendrecv_generic_if(minidlna_t)
> > +corenet_tcp_sendrecv_generic_node(minidlna_t)
> > +
> > +corenet_udp_bind_generic_node(minidlna_t)
> > +corenet_udp_bind_ssdp_port(minidlna_t)
> > +
> > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > +
> > +files_read_etc_files(minidlna_t)
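Review bot: corecmd_exec_bin and corecmd_exec_shell let the daemon run any bin_t binary or shell, which is a broad grant for a media server; the avc denials that motivate them should be cited in the patch description, and if the daemon only spawns a specific helper a narrower rule would be preferable. In the same hunk the UDP side is asymmetric with TCP: the daemon binds the SSDP port via corenet_udp_bind_ssdp_port, but only corenet_tcp_sendrecv_generic_if and corenet_tcp_sendrecv_generic_node are present; check on the test system whether the UDP counterparts (corenet_udp_sendrecv_generic_if and corenet_udp_sendrecv_generic_node) are needed for the SSDP traffic.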
>
> Which file is that? /etc/nsswitch.conf?
nsswitch.conf and passwd.
Wkr,
Sven Vermeulen