On 2007-04-18, Al Pacifico <adpacifico@xxxxxxxxxxxxxxxxxxxxx> wrote:

> I (a greenhorn with selinux) am writing a policy for a daemon that streams
> music files over my home network to a music player client (a Slimdevices
> Squeezebox). My OS is FC5.

Cool, I have a Squeezebox too, and slimserver running on Centos5.

> I've been following the example posted by Dan Walsh in a blog at
> http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> extremely helpful.

Have a look at my venture into selinux-land too :-) Chronologically:

http://tanso.net/selinux/
http://tanso.net/selinux/argus/
http://tanso.net/selinux/argus/argus-from-scratch/

> My (2) questions:
> 1. What is the appropriate file context for the scanner program?
> system_u:object_r:sbin_t?
> system_u:object_r:slimserver_t?
> system_u:object_r:slimserver_exec_t?

I believe the scanner is executed from the web-server process (there's a
scan-now link, or similar). So, my guess would be that you should make the
main slimserver script that's supposed to transition into slimserver_t
slimserver_exec_t, while the scanner should be slimserver_t.

If you make it sbin_t or bin_t, it will mean that you'll need to give the
main slimserver access to execute all files of type (s)bin_t.

It will probably be interesting to see how much it's possible to confine a
perl-script like the slimserver. Without looking, I'd assume it'd need to
exec lots of bin_t executables.

> 2. There is no reason to add the scanner program to slimserver.fc that
> was generated by policygentool, is there? The file itself just needs to
> be labeled appropriately, right?

I think you'll want to add the scanner to slimserver.fc to make sure the
labeling gets correct on the next re-label or slimserver upgrade.

-jf

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
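As an added illustration of the labeling and transition being discussed (not from the thread or from the slimserver project), here is a minimal reference-policy module in which the daemon script transitions into slimserver_t and the scanner, labeled with the same executable type, runs inside that domain without leaving it, so it stays bounded by the daemon's rules instead of needing bin_t/sbin_t execute access. The install paths, the slimserver_var_lib_t type and the perl helper rule are assumptions for the example.

```selinux
# ---- slimserver.fc (assumed paths; adjust to where the scripts really live) ----
# Both scripts get the executable type, so a relabel or package upgrade
# restores the intended contexts instead of leaving them as bin_t.
/usr/bin/slimserver\.pl        --  gen_context(system_u:object_r:slimserver_exec_t,s0)
/usr/bin/scanner\.pl           --  gen_context(system_u:object_r:slimserver_exec_t,s0)
/var/lib/slimserver(/.*)?          gen_context(system_u:object_r:slimserver_var_lib_t,s0)

# ---- slimserver.te ----
policy_module(slimserver, 0.1)

type slimserver_t;
type slimserver_exec_t;
# Daemon started from an init script: initrc_t executing a
# slimserver_exec_t file is transitioned into slimserver_t.
init_daemon_domain(slimserver_t, slimserver_exec_t)

type slimserver_var_lib_t;
files_type(slimserver_var_lib_t)

# Scanner launched from the running daemon: executing another
# slimserver_exec_t file keeps the process in slimserver_t (no transition),
# so the scanner cannot do anything the daemon itself is not allowed to do.
can_exec(slimserver_t, slimserver_exec_t)

# Music database and scan results live in one dedicated type, not var_lib_t.
allow slimserver_t slimserver_var_lib_t:dir  { create getattr search read write add_name remove_name };
allow slimserver_t slimserver_var_lib_t:file { create getattr read write append unlink rename };

# Assumption: the perl interpreter and helpers are bin_t. Grant this only
# after audit2allow shows the daemon actually needs it; if the list of
# bin_t helpers is small, consider labeling them individually instead.
corecmd_exec_bin(slimserver_t)

# ---- checks after 'make -f /usr/share/selinux/devel/Makefile && semodule -i slimserver.pp' ----
#   restorecon -v /usr/bin/slimserver.pl /usr/bin/scanner.pl /var/lib/slimserver
#   ls -Z /usr/bin/slimserver.pl /usr/bin/scanner.pl    # expect slimserver_exec_t
#   ps -eZ | grep slimserver                             # daemon and scanner in slimserver_t
#   ausearch -m avc -c scanner.pl                        # denials the scanner hits in that domain
```

If the scanner is given bin_t instead, the daemon would need corecmd_exec_bin for it anyway and the scanner would run unconfined-by-this-module under whatever domain exec of bin_t lands in, which is exactly the wider grant the reply warns about.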