Ken YANG wrote:
hi all,

I wrote a module for the Network Audio System (NAS) in Fedora rawhide.

Firstly, I thought there was no policy for nas, so I wrote one from scratch, but after finishing, I found there is a soundserver module in policy, so I ported my nas policy into this module.

I am not familiar with nas, so I just made some tests for the new soundserver policy, especially some tools in the nas package, including: audemo, audial, auinfo, aupanel, auplay......

IMHO, it seems to work well, and there were not any errors about nas in the audit messages.
First I removed soundd_etc_t and replaced it with etc_t. There is no reason to create a type for config files, unless you are writing to them, or they have data that you are trying to prevent other confined domains from reading. Existing soundd policy has this, so I am typealiasing it in Rawhide.
nasd is creating sockets in /tmp. This is a bad idea. It should be moved to /var/run. This will not work with a polyinstantiated /tmp:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453
domain_type(soundd_t)
domain_entry_file(soundd_t,soundd_exec_t)
Are provided already by
init_daemon_domain(soundd_t,soundd_exec_t)
+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
Includes
+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
You did not give the application the ability to create soundd_tmp_t files, so this is not necessary.
+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
I think you need
manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
because the /tmp/.socket directory does not exist beforehand.
And the only thing you are creating is a dir, so your file trans should look like the following.
+files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)
All these rules should change to var_run_t when nasd is fixed to use it.
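Pulling the review points above together, here is an added example of what the relevant part of a soundserver .te file would look like once the comments are applied. This is not Ken's posted policy and not the actual Rawhide soundserver module; the module name and version are hypothetical, and the placement of the typealias inside the module (rather than in base policy) is an assumption.

```selinux
# Added example, not the posted patch: a hypothetical soundserver
# module fragment reflecting the review comments in this thread.
policy_module(soundserver_example, 0.1)   # hypothetical module name/version

type soundd_t;
type soundd_exec_t;
# init_daemon_domain() already provides domain_type(soundd_t) and
# domain_entry_file(soundd_t, soundd_exec_t), so neither is repeated here.
init_daemon_domain(soundd_t, soundd_exec_t)

# Config files get no private type. The old name is kept as an alias of
# etc_t so existing file contexts and rules that mention it still resolve.
gen_require(`
	type etc_t;
')
typealias etc_t alias soundd_etc_t;

type soundd_tmp_t;
files_tmp_file(soundd_tmp_t)

# nasd creates a directory under /tmp and then its socket inside it, so the
# domain needs dir management plus sock_file management. manage_*_pattern
# already includes delete, so no separate delete_*_pattern rule is needed,
# and there is no delete_files_pattern because no plain files are created.
manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)
manage_sock_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t)

# The only object created directly in /tmp is a directory, so the type
# transition is restricted to dir objects.
files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)

# Once nasd is fixed to put its socket under /var/run, the three rules above
# should move to a soundd_var_run_t declared with files_pid_file() and the
# transition should use files_pid_filetrans() instead.
```

The same interfaces apply after the /var/run move; only the type and the filetrans interface change, which is why the reviewer asks for the rules to be rewritten rather than dropped.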
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list