Sorry for the late modification; I just finished a business trip of over 10 days. I have modified the soundserver policy module based on Frank's bugfix: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453 The patch is based on selinux-policy-targeted-3.0.5-7.fc8.noarch
diff -Nur serefpolicy-3.0.5/policy/modules/services/soundserver.fc nas-serefpolicy-3.0.5/policy/modules/services/soundserver.fc
--- serefpolicy-3.0.5/policy/modules/services/soundserver.fc 2007-08-16 17:49:32.000000000 +0800
+++ nas-serefpolicy-3.0.5/policy/modules/services/soundserver.fc 2007-08-16 17:51:06.000000000 +0800
@@ -15,8 +15,8 @@
 #
-# /tmp
+# /var/run
 #
-/tmp/\.sockets -d gen_context(system_u:object_r:soundd_tmp_t,s0)
-/tmp/\.sockets/.* -s <<none>>
+/var/run/nasd -d gen_context(system_u:object_r:soundd_var_run_t,s0)
+/var/run/nasd/.* -s <<none>>
diff -Nur serefpolicy-3.0.5/policy/modules/services/soundserver.if nas-serefpolicy-3.0.5/policy/modules/services/soundserver.if
--- serefpolicy-3.0.5/policy/modules/services/soundserver.if 2007-08-16 17:49:32.000000000 +0800
+++ nas-serefpolicy-3.0.5/policy/modules/services/soundserver.if 2007-08-16 17:51:06.000000000 +0800
@@ -40,7 +40,7 @@
 ########################################
 ## <summary>
 ## Do not audit attempts to read,
-## soundserver tmp files
+## soundserver domain socket
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -48,17 +48,17 @@
 ## </summary>
 ## </param>
 #
-interface(`soundserver_dontaudit_read_tmp_files',`
+interface(`soundserver_dontaudit_read_socket_files',`
 gen_require(`
- type soundd_tmp_t;
+ type soundd_var_run_t;
 ')
- dontaudit $1 soundd_tmp_t:file r_file_perms;
+ dontaudit $1 soundd_var_run_t:file r_file_perms;
 ')
 ########################################
 ## <summary>
-## Allow domain to read, soundserver tmp files
+## Allow domain to read, soundserver domain socket
 ## </summary>
 ## <param name="domain">
 ## <summary>
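Review bot: Renaming `soundserver_dontaudit_read_tmp_files` to `soundserver_dontaudit_read_socket_files` (and `soundserver_read_tmp_files` in the next hunk) changes public interface names, and the patch shows no callers being updated, so any module that still calls the old names will presumably fail to build; either keep the old names as deprecated wrappers or update the callers in the same patch. The rule body also stays on the `file` class, `dontaudit $1 soundd_var_run_t:file r_file_perms;`, while the summary now says "domain socket"; if the objects meant are the sockets under /var/run/nasd, the class would likely be `sock_file`, which is worth confirming before the summary is changed. The same summary-versus-class mismatch applies to the -40 hunk above, whose only change is the summary text.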
@@ -66,11 +66,11 @@
 ## </summary>
 ## </param>
 #
-interface(`soundserver_read_tmp_files',`
+interface(`soundserver_read_socket_files',`
 gen_require(`
- type soundd_tmp_t;
+ type soundd_var_run_t;
 ')
- dontaudit $1 soundd_tmp_t:file r_file_perms;
+ dontaudit $1 soundd_var_run_t:file r_file_perms;
 ')
diff -Nur serefpolicy-3.0.5/policy/modules/services/soundserver.te nas-serefpolicy-3.0.5/policy/modules/services/soundserver.te
--- serefpolicy-3.0.5/policy/modules/services/soundserver.te 2007-08-16 17:49:32.000000000 +0800
+++ nas-serefpolicy-3.0.5/policy/modules/services/soundserver.te 2007-08-16 17:51:06.000000000 +0800
@@ -35,12 +35,12 @@
 allow soundd_t self:udp_socket create_socket_perms;
 allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
-files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir sock_file })
-# Remove /tmp/.sockets/audio$n
-delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
+files_pid_filetrans(soundd_t,soundd_var_run_t,dir)
+manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
+
 allow soundd_t self:capability { dac_override };
@@ -66,9 +66,6 @@
 manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
 fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
-files_pid_filetrans(soundd_t,soundd_var_run_t,file)
-
 kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
 kernel_read_proc_symlinks(soundd_t)
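Review bot: The `soundserver_read_socket_files` interface still has a `dontaudit` body although its summary says "Allow domain to read"; the rename and type change keep the rule as `dontaudit $1 soundd_var_run_t:file r_file_perms;`, so a caller gets no access, only a silenced denial. This was already wrong before the patch, but since the rule is being rewritten anyway it should become `allow $1 soundd_var_run_t:file r_file_perms;`. As with the dontaudit interface above, the summary names a domain socket while the rule is on the `file` class, which is worth reconciling at the same time.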
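Review bot: The new rules only transition directories, `files_pid_filetrans(soundd_t,soundd_var_run_t,dir)`, while the following hunk removes `manage_files_pattern` and the `file` transition on soundd_var_run_t; if nasd still writes a pid file directly under /var/run, that file would presumably no longer be labelled soundd_var_run_t and the write would be denied, so confirm against the daemon before dropping those two rules. The stray `+` blank line added before `allow soundd_t self:capability { dac_override };` can be dropped. The rest of the soundd_t rules continue outside the hunk.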