Hi all, I wrote a module for the Network Audio System (NAS) in Fedora rawhide. At first I thought there was no policy for NAS, so I wrote one from scratch, but after finishing I found that there is already a soundserver module in the policy, so I ported my NAS policy into this module. I am not familiar with NAS, so I just ran some tests of the new soundserver policy, especially with some tools from the nas package, including: audemo, audial, auinfo, aupanel, auplay...... IMHO it seems to work well, and there were no errors about nas in the audit messages. -(:16:13:$)-> rpm -q nas nas-1.9-2.fc7.i386 -(yangshao@Nerazzurri:pts/2)--------------------------------------(~/workBench/selinux/soundserver)-(5/5)- -(:16:13:$)-> ps axZ|grep nas system_u:system_r:soundd_t 2322 ? S 0:00 nasd -b -local system_u:system_r:unconfined_t 4329 pts/2 S+ 0:00 egrep --color -r --exclude=*.svn* nas -(yangshao@Nerazzurri:pts/2)--------------------------------------(~/workBench/selinux/soundserver)-(5/5)- -(:16:13:$)-> rpm -q selinux-policy-targeted selinux-policy-targeted-3.0.4-1.fc8.noarch Please review this patch.
diff -Nur serefpolicy-3.0.4/policy/modules/services/soundserver.fc serefpolicy-3.0.4-new/policy/modules/services/soundserver.fc
--- serefpolicy-3.0.4/policy/modules/services/soundserver.fc 2007-07-25 23:10:05.000000000 +0800
+++ serefpolicy-3.0.4-new/policy/modules/services/soundserver.fc 2007-07-28 15:42:24.000000000 +0800
@@ -1,10 +1,28 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
 /etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-
-/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
 /usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
 /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
+
+
+#
+# Following is for nas
+
+#
+# /usr/bin
+#
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+
+#
+# /tmp
+#
+/tmp/\.sockets -d gen_context(system_u:object_r:soundd_tmp_t,s0)
+/tmp/\.sockets/.* -s <<none>>
+
+#
+# /etc
+#
+/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+
diff -Nur serefpolicy-3.0.4/policy/modules/services/soundserver.if serefpolicy-3.0.4-new/policy/modules/services/soundserver.if
--- serefpolicy-3.0.4/policy/modules/services/soundserver.if 2007-07-25 23:10:05.000000000 +0800
+++ serefpolicy-3.0.4-new/policy/modules/services/soundserver.if 2007-07-28 14:02:35.000000000 +0800
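Review bot: The new `/tmp/\.sockets -d gen_context(system_u:object_r:soundd_tmp_t,s0)` and `/tmp/\.sockets/.* -s <<none>>` entries put a fixed, well-known path under the world-writable /tmp into the file contexts, which is normally left to type transitions: the `files_tmp_filetrans` rule this patch adds to soundserver.te already gives the directory soundd_tmp_t when nasd creates it, and a file-context entry only comes into play when /tmp is relabelled. Because any local user can create a directory of that name before nasd does, a relabel would hand a user-owned directory the daemon's type; dropping both /tmp lines and relying on the transition avoids that. The hunk also moves the pre-existing `/etc/nas(/.*)?` and `/usr/bin/nasd` entries from their sorted positions to a new block at the bottom, which reads as churn; keep them where they were, in path order, and add only the genuinely new lines.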
@@ -13,3 +13,64 @@
 interface(`soundserver_tcp_connect',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+
+########################################
+## <summary>
+## Execute a domain transition to run soundserver.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`soundserver_domtrans',`
+gen_require(`
+type soundd_t, soundd_exec_t;
+')
+
+domain_auto_trans($1,soundd_exec_t,soundd_t)
+
+allow soundd_t $1:fd use;
+allow soundd_t $1:fifo_file rw_file_perms;
+allow soundd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## soundserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`soundserver_dontaudit_read_tmp_files',`
+gen_require(`
+type soundd_tmp_t;
+')
+
+dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read, soundserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`soundserver_read_tmp_files',`
+gen_require(`
+type soundd_tmp_t;
+')
+
+dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
diff -Nur serefpolicy-3.0.4/policy/modules/services/soundserver.te serefpolicy-3.0.4-new/policy/modules/services/soundserver.te
--- serefpolicy-3.0.4/policy/modules/services/soundserver.te 2007-07-25 23:10:05.000000000 +0800
+++ serefpolicy-3.0.4-new/policy/modules/services/soundserver.te 2007-07-28 15:43:41.000000000 +0800
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.3.0)
+policy_module(soundserver,1.2.1)
 ########################################
 #
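Review bot: `soundserver_read_tmp_files` is a copy of the dontaudit interface above it and still has `dontaudit $1 soundd_tmp_t:file r_file_perms;` as its body, so a caller asking for read access gets no access, only a silenced denial. Its body should be `allow $1 soundd_tmp_t:file r_file_perms;` together with `files_search_tmp($1)` so the caller can reach the files, and its parameter summary `Domain to not audit.` should read `Domain allowed access.`; the stray comma in `Do not audit attempts to read,` and in `Allow domain to read, soundserver tmp files` should go as well. In `soundserver_domtrans`, the `domain_auto_trans` call followed by the three `fd`/`fifo_file`/`sigchld` rules is exactly what `domtrans_pattern($1, soundd_exec_t, soundd_t)` expands to, so use the pattern like the other refpolicy modules. Both tmp interfaces require `soundd_tmp_t`, whose type declaration is not in this patch; I assume it is already declared in the unchanged part of soundserver.te.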
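Review bot: The module version goes backwards here, `policy_module(soundserver,1.3.0)` becoming `policy_module(soundserver,1.2.1)`, although the patch adds rules, types in the file contexts and three interfaces; the version is what maintainers use to tell which copy of a module is newer, so a regression is misleading. Bump it past the current one instead, e.g. `policy_module(soundserver,1.3.1)`. The remaining lines of this hunk are unchanged context, and the hunk appears cut off at the end of the visible text.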
@@ -8,10 +8,13 @@
 type soundd_t;
 type soundd_exec_t;
+domain_type(soundd_t)
+domain_entry_file(soundd_t,soundd_exec_t)
 init_daemon_domain(soundd_t,soundd_exec_t)
 type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
+#files_type(soundd_etc_t)
+files_config_file(soundd_etc_t)
 type soundd_state_t;
 files_type(soundd_state_t)
@@ -28,13 +31,32 @@
 ########################################
 #
-# Declarations
+# sound server local policy
 #
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
+
 allow soundd_t self:tcp_socket create_stream_socket_perms;
 allow soundd_t self:udp_socket create_socket_perms;
+
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir sock_file })
+
+
+# Remove /tmp/.sockets/audio$n
+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
+optional_policy(`
+alsa_domtrans(soundd_t)
+')
+
 # for yiff
 allow soundd_t self:shm create_shm_perms;
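Review bot: `domain_type(soundd_t)` and `domain_entry_file(soundd_t,soundd_exec_t)` duplicate what the existing `init_daemon_domain(soundd_t,soundd_exec_t)` on the following line already declares for the domain, so both added lines can be dropped. The commented-out `#files_type(soundd_etc_t)` should be deleted rather than left as dead text; the replacement `files_config_file(soundd_etc_t)` is the appropriate attribute for content under /etc and needs no reminder of what it replaced.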
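Review bot: `allow soundd_t self:capability { dac_override };` is added with no comment saying which access it satisfies, yet it is the broadest grant in the patch: dac_override lets nasd ignore file mode bits on every object the policy otherwise permits. If it came from an audit2allow pass over denials on `/tmp/.sockets/audio$n` objects owned by another user, the better fix is in how nasd creates and owns those files; if it really is needed, record the motivating denial above the rule, e.g. `# nasd needs dac_override for <PLACEHOLDER: access that was denied>`, and do the same for `fs_getattr_all_fs(soundd_t)`, which is equally unexplained. The `manage_sock_files_pattern`, `files_tmp_filetrans` and `delete_*_pattern` lines all use `soundd_tmp_t`, whose `type` declaration does not appear in this patch; confirm it is declared in the unchanged part of soundserver.te. The alsa call is correctly wrapped in `optional_policy`, and the header rename from `# Declarations` to `# sound server local policy` fixes a copy-paste label, though refpolicy spells it `# Local policy`.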