* [PATCH RFC] soundserver policy modification
@ 2007-07-31 9:24 Ken YANG
From: Ken YANG @ 2007-07-31 9:24 UTC (permalink / raw)
To: SELinux List
[-- Attachment #1: Type: text/plain, Size: 632 bytes --]
hi all,
I added some policy for nas (Network Audio System);
the motivation for this modification is:
http://marc.info/?l=fedora-selinux-list&m=118493958413746&w=2
I posted the modification to fedora-selinux-list
last Saturday. Since the Fedora rawhide
policy is now the merged version (strict and targeted),
which is somewhat different from the upstream policy,
I posted to that list:
http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
but there has been no reply about this patch so far,
so I think I posted to the wrong place; I have therefore re-diffed it against
the upstream policy (2377).
Please review this patch.
Thanks in advance.
[-- Attachment #2: soundserver-2377.patch --]
[-- Type: text/x-patch, Size: 4766 bytes --]
diff -Nur svn/policy/modules/services/soundserver.fc svn-soundserver/policy/modules/services/soundserver.fc
--- svn/policy/modules/services/soundserver.fc 2007-04-16 14:55:31.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.fc 2007-07-28 15:42:24.000000000 +0800
@@ -1,10 +1,28 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-
-/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
+
+
+#
+# Following is for nas
+
+#
+# /usr/bin
+#
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+
+#
+# /tmp
+#
+/tmp/\.sockets -d gen_context(system_u:object_r:soundd_tmp_t,s0)
+/tmp/\.sockets/.* -s <<none>>
+
+#
+# /etc
+#
+/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+
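Review bot: The new `/tmp/\.sockets -d` entry applies the soundd_tmp_t label during a relabel to whatever directory exists at that path, regardless of which domain created it, so the file-context line does not by itself establish that the directory was created by the daemon; the runtime `files_tmp_filetrans` rule in soundserver.te is what should be relied on, and a one-line comment here (`# labelled for relabel only; created at runtime via files_tmp_filetrans`) would make that explicit. The `<<none>>` entry for the socket files is consistent with that, since the .te hunk creates them through the filetrans rule. As a point of style, the `/etc/nas` and `/usr/bin/nasd` entries are only moved under new `# /usr/bin` and `# /etc` headings that refpolicy .fc files do not otherwise use, and a trailing blank line is added at the end of the file; keeping both entries in their original sorted positions and adding only the two `/tmp` lines would reduce the diff to the actual change. The resent soundserver-2383.patch carries the same hunk.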
diff -Nur svn/policy/modules/services/soundserver.if svn-soundserver/policy/modules/services/soundserver.if
--- svn/policy/modules/services/soundserver.if 2007-04-16 14:55:35.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.if 2007-07-28 14:02:35.000000000 +0800
@@ -13,3 +13,64 @@
interface(`soundserver_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+
+########################################
+## <summary>
+## Execute a domain transition to run soundserver.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`soundserver_domtrans',`
+ gen_require(`
+ type soundd_t, soundd_exec_t;
+ ')
+
+ domain_auto_trans($1,soundd_exec_t,soundd_t)
+
+ allow soundd_t $1:fd use;
+ allow soundd_t $1:fifo_file rw_file_perms;
+ allow soundd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## soundserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`soundserver_dontaudit_read_tmp_files',`
+ gen_require(`
+ type soundd_tmp_t;
+ ')
+
+ dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read, soundserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`soundserver_read_tmp_files',`
+ gen_require(`
+ type soundd_tmp_t;
+ ')
+
+ dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
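Review bot: `soundserver_read_tmp_files` has the same body as `soundserver_dontaudit_read_tmp_files` — a `dontaudit` rule — so it grants nothing even though its summary says "Allow domain to read"; the body should be `read_files_pattern($1, soundd_tmp_t, soundd_tmp_t)` together with `files_search_tmp($1)` so the caller can reach /tmp, and its parameter summary should read "Domain allowed access." rather than "Domain to not audit.". In `soundserver_domtrans`, `domain_auto_trans` followed by the three manual `fd`/`fifo_file`/`sigchld` allows is the pre-pattern form; if this refpolicy revision provides the pattern macros (the .te hunk already uses `manage_sock_files_pattern`), the four lines collapse to `domtrans_pattern($1, soundd_exec_t, soundd_t)`. The same hunk appears unchanged in the resent soundserver-2383.patch.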
diff -Nur svn/policy/modules/services/soundserver.te svn-soundserver/policy/modules/services/soundserver.te
--- svn/policy/modules/services/soundserver.te 2007-07-03 15:26:28.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.te 2007-07-31 17:06:34.000000000 +0800
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.3.0)
+policy_module(soundserver,1.3.1)
########################################
#
@@ -8,10 +8,13 @@
type soundd_t;
type soundd_exec_t;
+domain_type(soundd_t)
+domain_entry_file(soundd_t,soundd_exec_t)
init_daemon_domain(soundd_t,soundd_exec_t)
type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
+#files_type(soundd_etc_t)
+files_config_file(soundd_etc_t)
type soundd_state_t;
files_type(soundd_state_t)
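Review bot: `domain_type(soundd_t)` and `domain_entry_file(soundd_t,soundd_exec_t)` are added directly before `init_daemon_domain(soundd_t,soundd_exec_t)`, which already declares the domain and its entry-point type through `init_domain`, so the two new lines are redundant and should be dropped. `files_config_file(soundd_etc_t)` already marks the type as a file type, so the old call should be deleted outright instead of being left as the commented-out `#files_type(soundd_etc_t)`. Nothing in this hunk declares `soundd_tmp_t`, which the local-policy hunk and the .fc file now depend on; if it is not already declared with `files_tmp_file` in the unchanged part of soundserver.te, the module will not build. The resent soundserver-2383.patch contains the identical hunk.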
@@ -28,13 +31,32 @@
########################################
#
-# Declarations
+# sound server local policy
#
dontaudit soundd_t self:capability sys_tty_config;
allow soundd_t self:process { setpgid signal_perms };
+
allow soundd_t self:tcp_socket create_stream_socket_perms;
allow soundd_t self:udp_socket create_socket_perms;
+
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir sock_file })
+
+
+# Remove /tmp/.sockets/audio$n
+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
# for yiff
allow soundd_t self:shm create_shm_perms;
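Review bot: `allow soundd_t self:capability { dac_override };` lets the daemon bypass discretionary permission checks on every file the rest of its policy already reaches, yet the hunk gives no reason for it; the only nearby hint is the `# Remove /tmp/.sockets/audio$n` comment, so if the capability is needed only to delete per-user socket files the rule should say so (`# dac_override: remove /tmp/.sockets/audio$n sockets owned by other users`), and the originating denial is worth re-checking to see whether `dac_read_search` or a `dontaudit` is sufficient. `fs_getattr_all_fs(soundd_t)` is likewise undocumented; if it only silences statfs noise, `fs_dontaudit_getattr_all_fs(soundd_t)` is the safer choice. The `connectto` permission on `self:unix_stream_socket` and `manage_sock_files_pattern` on soundd_tmp_t presumably exist so clients can reach the daemon's sockets, but the .if hunk offers no client-side counterpart (a `soundserver_stream_connect` interface), so client domains would still be denied. The resent soundserver-2383.patch carries the same hunk and, as the follow-up message explains, no longer removes the `targeted_policy` block.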
@@ -98,12 +120,6 @@
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(soundd_t)
- term_dontaudit_use_generic_ptys(soundd_t)
- files_dontaudit_read_root_files(soundd_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(soundd_t)
')
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [PATCH RFC] soundserver policy modification
@ 2007-08-01 1:59 ` Ken YANG
From: Ken YANG @ 2007-08-01 1:59 UTC (permalink / raw)
To: SELinux List
[-- Attachment #1: Type: text/plain, Size: 891 bytes --]
Ken YANG wrote:
> hi all,
>
> i add some policy for nas(network audio system),
> the drive of this modification is:
>
> http://marc.info/?l=fedora-selinux-list&m=118493958413746&w=2
>
> i post the modification to fedora-selinux-list
> at last Saturday. Considering that fedora rawhide
> policy now is merged version(strict and targeted),
> which is somewhat different from the upstream policy,
> so i post to that list:
>
> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
>
> but there wasnt reply about this patch until now,
> so i think i post to the wrong place, then i "diff" with
> the upstream policy(2377).
>
> please review this patch.
Sorry, in the last patch I forgot to add some targeted_policy
rules, which had been removed from the merged-version
policy (selinux-policy > 3.0).
Additionally, the new patch is based on version 2383.
>
>
> thanks in advance.
>
>
>
[-- Attachment #2: soundserver-2383.patch --]
[-- Type: text/x-patch, Size: 4415 bytes --]
diff -Nur svn/policy/modules/services/soundserver.fc svn-soundserver/policy/modules/services/soundserver.fc
--- svn/policy/modules/services/soundserver.fc 2007-04-16 14:55:31.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.fc 2007-08-01 09:50:22.000000000 +0800
@@ -1,10 +1,28 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-
-/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
+
+
+#
+# Following is for nas
+
+#
+# /usr/bin
+#
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+
+#
+# /tmp
+#
+/tmp/\.sockets -d gen_context(system_u:object_r:soundd_tmp_t,s0)
+/tmp/\.sockets/.* -s <<none>>
+
+#
+# /etc
+#
+/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+
diff -Nur svn/policy/modules/services/soundserver.if svn-soundserver/policy/modules/services/soundserver.if
--- svn/policy/modules/services/soundserver.if 2007-04-16 14:55:35.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.if 2007-08-01 09:50:22.000000000 +0800
@@ -13,3 +13,64 @@
interface(`soundserver_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+
+########################################
+## <summary>
+## Execute a domain transition to run soundserver.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`soundserver_domtrans',`
+ gen_require(`
+ type soundd_t, soundd_exec_t;
+ ')
+
+ domain_auto_trans($1,soundd_exec_t,soundd_t)
+
+ allow soundd_t $1:fd use;
+ allow soundd_t $1:fifo_file rw_file_perms;
+ allow soundd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## soundserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`soundserver_dontaudit_read_tmp_files',`
+ gen_require(`
+ type soundd_tmp_t;
+ ')
+
+ dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read, soundserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`soundserver_read_tmp_files',`
+ gen_require(`
+ type soundd_tmp_t;
+ ')
+
+ dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
diff -Nur svn/policy/modules/services/soundserver.te svn-soundserver/policy/modules/services/soundserver.te
--- svn/policy/modules/services/soundserver.te 2007-07-03 15:26:28.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.te 2007-08-01 09:51:59.000000000 +0800
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.3.0)
+policy_module(soundserver,1.3.1)
########################################
#
@@ -8,10 +8,13 @@
type soundd_t;
type soundd_exec_t;
+domain_type(soundd_t)
+domain_entry_file(soundd_t,soundd_exec_t)
init_daemon_domain(soundd_t,soundd_exec_t)
type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
+#files_type(soundd_etc_t)
+files_config_file(soundd_etc_t)
type soundd_state_t;
files_type(soundd_state_t)
@@ -28,13 +31,32 @@
########################################
#
-# Declarations
+# sound server local policy
#
dontaudit soundd_t self:capability sys_tty_config;
allow soundd_t self:process { setpgid signal_perms };
+
allow soundd_t self:tcp_socket create_stream_socket_perms;
allow soundd_t self:udp_socket create_socket_perms;
+
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir sock_file })
+
+
+# Remove /tmp/.sockets/audio$n
+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
# for yiff
allow soundd_t self:shm create_shm_perms;