Re: [refpolicy-patch 15/23] soundserver policy update


 



On Sat, 2008-07-19 at 22:50 +0200, david@xxxxxxxxxxx wrote:
> plain text document attachment (policy_modules_services_soundserver.patch)
> This policy was written by Ken Yang and reviewed by Dan Walsh:
> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
> and here:
> https://bugzilla.redhat.com/show_bug.cgi?id=250453
> 
> I updated the .fc changes to also work with Debian paths.

Does not apply cleanly.

> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.5.0/policy/modules/services/soundserver.fc
> --- nsaserefpolicy/policy/modules/services/soundserver.fc	2008-06-12 23:25:05.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/soundserver.fc	2008-07-15 14:05:13.000000000 -0400
> @@ -7,4 +7,8 @@
>  /usr/sbin/yiff		--	gen_context(system_u:object_r:soundd_exec_t,s0)
>  
>  /var/run/yiff-[0-9]+\.pid --	gen_context(system_u:object_r:soundd_var_run_t,s0)
> +/var/run/nasd(/.*)?  	gen_context(system_u:object_r:soundd_var_run_t,s0)
> +
>  /var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)
> +
> +/etc/(rc.d/)?init.d/nas(d)?	--	gen_context(system_u:object_r:soundd_script_exec_t,s0)
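Review bot: The new entries label the init script and /var/run/nasd, but nothing in this hunk labels the nasd daemon binary itself as soundd_exec_t, so unless an entry above line 7 of soundserver.fc (outside the hunk) already does, starting nasd from the labelled script will not hit the init_daemon_domain transition declared at L115 and the daemon would run in the init script's domain instead of soundd_t. Worth confirming against the rest of the file and, if missing, adding a `<path-to-nasd>	--	gen_context(system_u:object_r:soundd_exec_t,s0)` entry next to the yiff one. The `/var/run/nasd(/.*)?` line also mixes spaces and a tab before gen_context where the neighbouring entries use tabs only.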
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.5.0/policy/modules/services/soundserver.if
> --- nsaserefpolicy/policy/modules/services/soundserver.if	2008-06-12 23:25:05.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/soundserver.if	2008-07-15 14:05:13.000000000 -0400
> @@ -13,3 +13,74 @@
>  interface(`soundserver_tcp_connect',`
>  	refpolicywarn(`$0($*) has been deprecated.')
>  ')
> +
> +########################################
> +## <summary>
> +##	Execute soundd server in the soundd domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +#
> +interface(`soundserver_script_domtrans',`
> +	gen_require(`
> +		type soundd_script_exec_t;
> +	')
> +
> +	init_script_domtrans_spec($1,soundd_script_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate 
> +##	an soundd environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	The role to be allowed to manage the soundd domain.
> +##	</summary>
> +## </param>
> +## <param name="terminal">
> +##	<summary>
> +##	The type of the user terminal.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`soundserver_admin',`
> +	gen_require(`
> +		type soundd_t;
> +		type soundd_script_exec_t;
> +		type soundd_etc_t;
> +		type soundd_tmp_t;
> +		type soundd_var_run_t;
> +	')
> +
> +	allow $1 soundd_t:process { ptrace signal_perms getattr };
> +	read_files_pattern($1, soundd_t, soundd_t)
> +	        
> +	# Allow soundd_t to restart the apache service
> +	soundserver_script_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 soundd_script_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_list_tmp($1)
> +        manage_all_pattern($1,soundd_tmp_t)
> +
> +	files_list_etc($1)
> +        manage_all_pattern($1,soundd_etc_t)
> +
> +	files_list_pids($1)
> +        manage_all_pattern($1,soundd_var_run_t)
> +')
> +
> +
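Review bot: The comment `# Allow soundd_t to restart the apache service` in soundserver_admin is a copy-paste from the apache admin interface and is wrong on both counts (the subject is $1 and the service is soundd); it should read `# Allow $1 to restart the soundd service`. The gen_require block also omits soundd_state_t (declared at L120) and soundd_tmpfs_t (used at L159), so a domain granted this interface cannot manage /var/state/yiff or the tmpfs objects while it can manage everything else the daemon owns; if that asymmetry is unintended, add both types with matching manage lines. Lastly, the three manage_all_pattern lines use spaces where the rest of the interface is tab-indented, and L92 is trailing whitespace only.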
> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.5.0/policy/modules/services/soundserver.te
> --- nsaserefpolicy/policy/modules/services/soundserver.te	2008-07-10 11:38:46.000000000 -0400
> +++ serefpolicy-3.5.0/policy/modules/services/soundserver.te	2008-07-15 14:05:13.000000000 -0400
> @@ -10,9 +10,6 @@
>  type soundd_exec_t;
>  init_daemon_domain(soundd_t,soundd_exec_t)
>  
> -type soundd_etc_t alias etc_soundd_t;
> -files_type(soundd_etc_t)
> -
>  type soundd_state_t;
>  files_type(soundd_state_t)
>  
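Review bot: Removing `type soundd_etc_t alias etc_soundd_t;` here and re-declaring the type at L127 without the alias silently drops the etc_soundd_t compatibility alias, so any existing on-disk labels or other policy still referencing etc_soundd_t stop resolving; keep it as `type soundd_etc_t alias etc_soundd_t;` on the new declaration unless the removal is deliberate and called out in the description. Moving the declaration from the files_type block to after soundd_var_run_t is also unrelated churn, and may be part of why the patch does not apply cleanly; keeping the declaration in place and only switching files_type to files_config_file would be a smaller, more reviewable change.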
> @@ -26,21 +23,30 @@
>  type soundd_var_run_t;
>  files_pid_file(soundd_var_run_t)
>  
> +type soundd_etc_t;
> +files_config_file(soundd_etc_t)
> +
> +type soundd_script_exec_t;
> +init_script_type(soundd_script_exec_t)
> +
>  ########################################
>  #
> -# Declarations
> +# sound server local policy
>  #
>  
> +allow soundd_t self:capability dac_override;
>  dontaudit soundd_t self:capability sys_tty_config;
>  allow soundd_t self:process { setpgid signal_perms };
>  allow soundd_t self:tcp_socket create_stream_socket_perms;
>  allow soundd_t self:udp_socket create_socket_perms;
> +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
> +
> +fs_getattr_all_fs(soundd_t)
> +
>  # for yiff
>  allow soundd_t self:shm create_shm_perms;
>  
> -allow soundd_t soundd_etc_t:dir list_dir_perms;
> -allow soundd_t soundd_etc_t:file read_file_perms;
> -allow soundd_t soundd_etc_t:lnk_file { getattr read };
> +read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)
>  
>  manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
>  manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
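Review bot: The `read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)` at L154 narrows what it replaces: the removed rules granted list_dir_perms on the directory and `{ getattr read }` on lnk_file, whereas read_files_pattern grants only search on the directory and read on plain files, so symlinked configuration files under soundd_etc_t stop being readable by the daemon. Keep the original coverage by adding `list_dirs_pattern(soundd_t,soundd_etc_t,soundd_etc_t)` and `read_lnk_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)` alongside it. Separately, the new `allow soundd_t self:capability dac_override;` lets the daemon bypass discretionary permission checks on any file it can reach under SELinux rules and arrives with no comment saying which access needs it; if it was added only to quiet a denial, a dontaudit is the safer first step, otherwise a why-comment is warranted. The fs_getattr_all_fs and unix_stream_socket connectto additions would likewise benefit from a one-line justification.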
> @@ -55,8 +61,10 @@
>  manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
>  fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
>  
> +manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
>  manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
> -files_pid_filetrans(soundd_t,soundd_var_run_t,file)
> +manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
> +files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
>  
>  kernel_read_kernel_sysctls(soundd_t)
>  kernel_list_proc(soundd_t)
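Review bot: The `files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })` at L166 covers files and the /var/run/nasd directory but not sock_file, even though the hunk adds manage_sock_files_pattern for soundd_var_run_t one line earlier; a socket created directly under /var/run rather than inside /var/run/nasd would be left labelled var_run_t. If nasd does create its socket at the top level, extend the class list to `{ file dir sock_file }`; if the socket only ever lives under /var/run/nasd, the directory label already carries and this can be ignored.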
> @@ -96,10 +104,13 @@
>  sysnet_read_config(soundd_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(soundd_t)
> -
>  sysadm_dontaudit_search_home_dirs(soundd_t)
>  
>  optional_policy(`
> +	alsa_domtrans(soundd_t)
> +')
> +
> +optional_policy(`
>  	seutil_sigchld_newrole(soundd_t)
>  ')
>  
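Review bot: The new `alsa_domtrans(soundd_t)` block carries no comment explaining what the sound server executes in the alsa domain, unlike the `# for yiff` marker used earlier in this file; a one-line why-comment above the optional_policy would help the next reader judge whether the transition is still needed. The removal of the blank line at L174 is unrelated whitespace churn and can be dropped from the patch.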

-- 
Chris PeBenito
<pebenito@xxxxxxxxxx>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

Attachment: signature.asc
Description: This is a digitally signed message part

