Daniel J Walsh wrote: > Ken YANG wrote: >> hi all, >> >> i write module for Network Audio System (NAS) in fedora >> rawhide. >> >> firstly, i think there is not policy for nas, so i write >> from scratch, but after finishing, i found there is a >> soundserver module in policy, so i ported my nas policy >> into this module. >> >> i am not familiar with nas, so i just make some tests for >> new soundserver policy, especially some tools in nas package, >> including: >> >> audemo, audial, auinfo, aupanel, auplay...... >> >> IMHO, it seems to work well, and there was not any errors >> about nas in audit messages. >> >> >> > First I removed soundd_etc_t and replaced it with etc_t. No reason to > create a type for config files, unless > you are writing to them, or they have data, that you are trying to > prevent other confined domains from > reading. Existing soundd policy has this so I am typealiasing in Rawhide. I had changed policy based on your advice, but i can not find the typealias to etc_t in policy 3.0.4-5, maybe it is still in your workbench and hasn't been exported yet. > > nasd is creating sockets in /tmp. This is a bad idea. It should be > moved to /var/run. This will not work with a polyinstantiated /tmp > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453 i added myself to the cc-list, so if there are some changes i will modify the policy. > > domain_type(soundd_t) > domain_entry_file(soundd_t,soundd_exec_t) > > Are provided already by > > init_daemon_domain(soundd_t,soundd_exec_t) > > > +manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t) > Includes > > +delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t) sorry for my ignorance. > > You did not give the application the ability to create sound_tmp_t > files, so this is not necessary. 
> +delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t) > > I think you need manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t) > > Because the /tmp/.socket does not exist before hand > And the only thing you are creating is a dir so your file trans should > look like the following. > +files_tmp_filetrans(soundd_t, soundd_tmp_t, dir) > > All these rules should change to var_run_t when nasd is fixed to use it. the attached file is the newest patch based on selinux-policy-3.0.4-5, please review it. > >
diff -Nur serefpolicy-3.0.4/policy/modules/services/soundserver.fc serefpolicy-3.0.4-soundserver/policy/modules/services/soundserver.fc
--- serefpolicy-3.0.4/policy/modules/services/soundserver.fc 2007-07-25 23:10:05.000000000 +0800
+++ serefpolicy-3.0.4-soundserver/policy/modules/services/soundserver.fc 2007-08-02 15:42:55.000000000 +0800
@@ -1,10 +1,25 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
 /etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-
-/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
 /usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
 /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
+
+
+#
+# Following is for nas
+
+#
+# /usr/bin
+#
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+
+#
+# /tmp
+#
+/tmp/\.sockets -d gen_context(system_u:object_r:soundd_tmp_t,s0)
+/tmp/\.sockets/.* -s <<none>>
+
+
+
diff -Nur serefpolicy-3.0.4/policy/modules/services/soundserver.if serefpolicy-3.0.4-soundserver/policy/modules/services/soundserver.if
--- serefpolicy-3.0.4/policy/modules/services/soundserver.if 2007-07-25 23:10:05.000000000 +0800
+++ serefpolicy-3.0.4-soundserver/policy/modules/services/soundserver.if 2007-08-02 15:42:55.000000000 +0800
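Review bot: `/tmp/\.sockets/.* -s <<none>>` leaves the sockets under the new directory with no file context, so relabeling tools will neither set nor restore a type on them; that is only correct while every socket there is created by soundd_t through its own tmp type transition, and the entry deserves a comment saying so, e.g. `# sockets are created by nasd with a type transition; never relabel them`. As the thread already notes, a daemon-owned directory under a world-writable, possibly polyinstantiated /tmp is the wrong place, and these two entries will have to move to /var/run together with the .te rules. Style: the `# Following is for nas` banner lacks the closing `#` line that the file's other banners use, and the hunk adds three empty lines at the end of the file.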
@@ -13,3 +13,64 @@
 interface(`soundserver_tcp_connect',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+
+########################################
+## <summary>
+## Execute a domain transition to run soundserver.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`soundserver_domtrans',`
+ gen_require(`
+ type soundd_t, soundd_exec_t;
+ ')
+
+ domain_auto_trans($1,soundd_exec_t,soundd_t)
+
+ allow soundd_t $1:fd use;
+ allow soundd_t $1:fifo_file rw_file_perms;
+ allow soundd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## soundserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`soundserver_dontaudit_read_tmp_files',`
+ gen_require(`
+ type soundd_tmp_t;
+ ')
+
+ dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read, soundserver tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`soundserver_read_tmp_files',`
+ gen_require(`
+ type soundd_tmp_t;
+ ')
+
+ dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
diff -Nur serefpolicy-3.0.4/policy/modules/services/soundserver.te serefpolicy-3.0.4-soundserver/policy/modules/services/soundserver.te
--- serefpolicy-3.0.4/policy/modules/services/soundserver.te 2007-07-25 23:10:05.000000000 +0800
+++ serefpolicy-3.0.4-soundserver/policy/modules/services/soundserver.te 2007-08-02 15:42:55.000000000 +0800
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.3.0)
+policy_module(soundserver,1.3.1)
 ########################################
 #
@@ -11,7 +11,7 @@
 init_daemon_domain(soundd_t,soundd_exec_t)
 type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
+files_config_file(soundd_etc_t)
 type soundd_state_t;
 files_type(soundd_state_t)
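Review bot: `soundserver_read_tmp_files` does not grant what its name and summary promise: its body is a copy of the dontaudit interface, so a caller gets a silenced denial instead of read access, and its parameter summary still says "Domain to not audit." The body should be `allow $1 soundd_tmp_t:file r_file_perms;` (callers will also need to reach the directory, typically via `files_search_tmp($1)`), and the param text should read "Domain allowed access." In `soundserver_domtrans`, if this policy generation provides `domtrans_pattern`, `domtrans_pattern($1, soundd_exec_t, soundd_t)` replaces the `domain_auto_trans` call plus the three fd/fifo_file/sigchld rules that follow it. Both tmp interfaces are only meaningful while the sockets live in /tmp; the thread already says this will move to /var/run, so the interface names will change with it.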
@@ -28,13 +28,28 @@
 ########################################
 #
-# Declarations
+# sound server local policy
 #
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
+
 allow soundd_t self:tcp_socket create_stream_socket_perms;
 allow soundd_t self:udp_socket create_socket_perms;
+
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)
+manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
 # for yiff
 allow soundd_t self:shm create_shm_perms;
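Review bot: `allow soundd_t self:capability { dac_override };` lets the daemon bypass every discretionary file permission check, and the hunk gives no indication of which denial required it; a capability this broad should carry the reason, e.g. `# dac_override: needed for <access> — TODO confirm against the audit log`, and if the trigger turns out to be ownership of the daemon's own /tmp/.sockets directory, the move to /var/run the thread asks for would remove the need for it. `fs_getattr_all_fs(soundd_t)` is similarly unexplained and deserves a one-line comment. The three tmp rules would read more naturally grouped as `manage_dirs_pattern`, `manage_sock_files_pattern`, then `files_tmp_filetrans`; they also presume `soundd_tmp_t` is declared with `files_tmp_file()` in the declarations section, which is outside this hunk, so please confirm. The two lone `+` lines before and after these rules look like trailing-whitespace lines rather than intentional blanks.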