From: Ken YANG <spng.yang@gmail.com>
To: SELinux List <selinux@tycho.nsa.gov>
Subject: [PATCH RFC] soundserver policy modification
Date: Tue, 31 Jul 2007 17:24:15 +0800	[thread overview]
Message-ID: <46AEFFBF.2030008@gmail.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 632 bytes --]


hi all,

i add some policy for nas(network audio system),
the drive of this modification is:

http://marc.info/?l=fedora-selinux-list&m=118493958413746&w=2

i post the modification to fedora-selinux-list
at last Saturday. Considering that fedora rawhide
policy now is merged version(strict and targeted),
which is somewhat different from the upstream policy,
so i post to that list:

http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2

but there wasn't any reply about this patch until now,
so i think i posted to the wrong place; i then "diff"ed against
the upstream policy (2377).

please review this patch.


thanks in advance.



[-- Attachment #2: soundserver-2377.patch --]
[-- Type: text/x-patch, Size: 4766 bytes --]

diff -Nur svn/policy/modules/services/soundserver.fc svn-soundserver/policy/modules/services/soundserver.fc
--- svn/policy/modules/services/soundserver.fc	2007-04-16 14:55:31.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.fc	2007-07-28 15:42:24.000000000 +0800
@@ -1,10 +1,28 @@
-/etc/nas(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
 /etc/yiff(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
-
-/usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
 /usr/bin/gpe-soundserver --	gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /usr/sbin/yiff		--	gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /var/run/yiff-[0-9]+\.pid --	gen_context(system_u:object_r:soundd_var_run_t,s0)
 /var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)
+
+
+#
+# Following is for nas
+
+#
+# /usr/bin
+#
+
+/usr/bin/nasd		--	gen_context(system_u:object_r:soundd_exec_t,s0)
+
+
+# 
+# /tmp
+#
+/tmp/\.sockets		-d	gen_context(system_u:object_r:soundd_tmp_t,s0)
+/tmp/\.sockets/.*	-s	<<none>>
+
+#
+# /etc
+#
+/etc/nas(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
+
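Review bot: The nasd and /etc/nas entries are removed at the top of the hunk and re-added verbatim under new section comments, so most of this hunk is churn that hides the two genuinely new lines (`/tmp/\.sockets` and its `<<none>>` child); keeping the existing entries where they are and adding only the /tmp lines would make the change reviewable. The `# ` comment line carries a trailing space and the hunk ends by adding an empty line at end of file, both of which refpolicy style would reject. Since the sockets are expected to receive soundd_tmp_t at creation through the files_tmp_filetrans rule in the .te change rather than from this file, a one-line comment such as `# sockets are labeled at creation by files_tmp_filetrans; <<none>> keeps restorecon from relabeling them` would make the intent of the `<<none>>` entry explicit.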
diff -Nur svn/policy/modules/services/soundserver.if svn-soundserver/policy/modules/services/soundserver.if
--- svn/policy/modules/services/soundserver.if	2007-04-16 14:55:35.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.if	2007-07-28 14:02:35.000000000 +0800
@@ -13,3 +13,64 @@
 interface(`soundserver_tcp_connect',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run soundserver.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`soundserver_domtrans',`
+	gen_require(`
+		type soundd_t, soundd_exec_t;
+	')
+
+	domain_auto_trans($1,soundd_exec_t,soundd_t)
+
+	allow soundd_t $1:fd use;
+	allow soundd_t $1:fifo_file rw_file_perms;
+	allow soundd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read, 
+##	soundserver tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`soundserver_dontaudit_read_tmp_files',`
+	gen_require(`
+		type soundd_tmp_t;
+	')
+
+	dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to read, soundserver tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`soundserver_read_tmp_files',`
+	gen_require(`
+		type soundd_tmp_t;
+	')
+
+	dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
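Review bot: soundserver_read_tmp_files, the last interface in the hunk, grants nothing: its body is a copy of the dontaudit interface above it, `dontaudit $1 soundd_tmp_t:file r_file_perms;`, and its param summary still reads "Domain to not audit." The rule should be `allow $1 soundd_tmp_t:file r_file_perms;` (or `read_files_pattern($1, soundd_tmp_t, soundd_tmp_t)`, which also covers the directory search), with the summary changed to "Domain allowed access." In soundserver_domtrans the `domain_auto_trans` call plus the three fd/fifo_file/sigchld allow rules are what `domtrans_pattern($1, soundd_exec_t, soundd_t)` already expands to; using the pattern keeps the interface consistent with the rest of refpolicy and uses rw_fifo_file_perms instead of rw_file_perms on the fifo. The `read, ` summary line of the dontaudit interface has a stray comma and trailing space.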
diff -Nur svn/policy/modules/services/soundserver.te svn-soundserver/policy/modules/services/soundserver.te
--- svn/policy/modules/services/soundserver.te	2007-07-03 15:26:28.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.te	2007-07-31 17:06:34.000000000 +0800
@@ -1,5 +1,5 @@
 
-policy_module(soundserver,1.3.0)
+policy_module(soundserver,1.3.1)
 
 ########################################
 #
@@ -8,10 +8,13 @@
 
 type soundd_t;
 type soundd_exec_t;
+domain_type(soundd_t)
+domain_entry_file(soundd_t,soundd_exec_t)
 init_daemon_domain(soundd_t,soundd_exec_t)
 
 type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
+#files_type(soundd_etc_t)
+files_config_file(soundd_etc_t)
 
 type soundd_state_t;
 files_type(soundd_state_t)
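Review bot: The added `domain_type(soundd_t)` and `domain_entry_file(soundd_t,soundd_exec_t)` look redundant with the `init_daemon_domain(soundd_t,soundd_exec_t)` call that follows, which in refpolicy already makes the type a domain and registers its entry file; worth confirming against the init module at revision 2377, and if so drop the two lines. The old `files_type(soundd_etc_t)` line is commented out rather than removed; since `files_config_file(soundd_etc_t)` replaces it, the dead line should be deleted instead of left as `#files_type(soundd_etc_t)`.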
@@ -28,13 +31,32 @@
 
 ########################################
 #
-# Declarations
+# sound server local policy
 #
 
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
+
 allow soundd_t self:tcp_socket create_stream_socket_perms;
 allow soundd_t self:udp_socket create_socket_perms;
+
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir sock_file })
+
+
+# Remove /tmp/.sockets/audio$n
+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
+optional_policy(`
+	alsa_domtrans(soundd_t)
+')
+
 # for yiff
 allow soundd_t self:shm create_shm_perms;
 
@@ -98,12 +120,6 @@
 userdom_dontaudit_use_unpriv_user_fds(soundd_t)
 userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
 
-ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(soundd_t)
-	term_dontaudit_use_generic_ptys(soundd_t)
-	files_dontaudit_read_root_files(soundd_t)
-')
-
 optional_policy(`
 	seutil_sigchld_newrole(soundd_t)
 ')
