On Mon, 2008-08-04 at 14:35 +0200, david@xxxxxxxxxxx wrote:
> plain text document attachment
> (policy_modules_services_soundserver.patch)
> This policy was written by Ken Yang and reviewed by Dan Walsh:
> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
> and here:
> https://bugzilla.redhat.com/show_bug.cgi?id=250453
>
> I updated the .fc changes to also work with Debian paths.
>
> Originally submitted Jul 19, refreshed to apply cleanly
Comments inline
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an soundd environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed to manage the soundd domain.
> +## </summary>
> +## </param>
> +## <param name="terminal">
> +## <summary>
> +## The type of the user terminal.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`soundserver_admin',`
> + gen_require(`
> + type soundd_t;
> + type soundd_script_exec_t;
> + type soundd_etc_t;
> + type soundd_tmp_t;
> + type soundd_var_run_t;
> + ')
> +
> + allow $1 soundd_t:process { ptrace signal_perms getattr };
> + read_files_pattern($1, soundd_t, soundd_t)
> +
> + # Allow soundd_t to restart the apache service
> + soundserver_script_domtrans($1)
> + domain_system_change_exemption($1)
> + role_transition $2 soundd_script_exec_t system_r;
> + allow $2 system_r;
> +
> + files_list_tmp($1)
> + manage_all_pattern($1,soundd_tmp_t)
> +
> + files_list_etc($1)
> + manage_all_pattern($1,soundd_etc_t)
> +
> + files_list_pids($1)
> + manage_all_pattern($1,soundd_var_run_t)
> +')
This interface need several fixes. The XML does not match. There are whitespace issues (there should be tabs, not 8 spaces). Also spaces after commas (other places in the patch too). Manage_all_pattern doesn't exist upstream, and I don't plan on ever adding it.
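Review bot: The comment `# Allow soundd_t to restart the apache service` above `soundserver_script_domtrans($1)` names the wrong subject and the wrong service: the rules beneath it let the `$1` domain run the soundd init script, so it should read `# Allow $1 to restart the soundd service`. The summary text `an soundd environment` should be `a soundd environment`. Since `allow $1 soundd_t:process { ptrace signal_perms getattr };` hands the admin domain ptrace over the daemon, a short comment stating that this is intended for debugging the running daemon would make the grant easier to audit later. The quoted block has no hunk header, so the surrounding interface file is not visible here.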
> Index: refpolicy/policy/modules/services/soundserver.te
> ===================================================================
> --- refpolicy.orig/policy/modules/services/soundserver.te 2008-08-03 16:47:00.000000000 +0200
> +++ refpolicy/policy/modules/services/soundserver.te 2008-08-03 17:11:27.000000000 +0200
> @@ -10,9 +10,6 @@
> type soundd_exec_t;
> init_daemon_domain(soundd_t, soundd_exec_t)
>
> -type soundd_etc_t alias etc_soundd_t;
> -files_type(soundd_etc_t)
> -
> type soundd_state_t;
> files_type(soundd_state_t)
>
> @@ -26,21 +23,30 @@
> type soundd_var_run_t;
> files_pid_file(soundd_var_run_t)
>
> +type soundd_etc_t;
> +files_config_file(soundd_etc_t)
This type declaration shouldn't be moved
> +type soundd_script_exec_t;
> +init_script_type(soundd_script_exec_t)
> +
> ########################################
> #
> -# Declarations
> +# sound server local policy
> #
>
> +allow soundd_t self:capability dac_override;
> dontaudit soundd_t self:capability sys_tty_config;
> allow soundd_t self:process { setpgid signal_perms };
> allow soundd_t self:tcp_socket create_stream_socket_perms;
> allow soundd_t self:udp_socket create_socket_perms;
> +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
> +
> +fs_getattr_all_fs(soundd_t)
> +
> # for yiff
> allow soundd_t self:shm create_shm_perms;
>
> -allow soundd_t soundd_etc_t:dir list_dir_perms;
> -allow soundd_t soundd_etc_t:file read_file_perms;
> -allow soundd_t soundd_etc_t:lnk_file { getattr read };
> +read_files_pattern(soundd_t,soundd_etc_t,soundd_etc_t)
>
> manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
> manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
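Review bot: `allow soundd_t self:capability dac_override;` is added without any note of which file access fails without it; dac_override lets the daemon bypass DAC permission checks on every file it can otherwise reach, so it should carry a why-comment in the style of the existing `# for yiff`, or be narrowed to `dac_read_search` if the denial being fixed is only on reading or searching. The same applies to `allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };` and `fs_getattr_all_fs(soundd_t)`, which are added with no indication of what triggers them. The new `type soundd_etc_t;` also drops the `alias etc_soundd_t` carried by the line removed in the first hunk, so any policy or file context still using the old name stops resolving.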
> @@ -55,8 +61,10 @@
> manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
> fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> +manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
> manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
> -files_pid_filetrans(soundd_t, soundd_var_run_t, file)
> +manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
> +files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })
>
> kernel_read_kernel_sysctls(soundd_t)
> kernel_list_proc(soundd_t)
> @@ -96,10 +104,13 @@
> sysnet_read_config(soundd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(soundd_t)
> -
> sysadm_dontaudit_search_home_dirs(soundd_t)
>
> optional_policy(`
> + alsa_domtrans(soundd_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(soundd_t)
> ')
>
>
-- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
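Review bot: `files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })` is widened to `dir` but not to `sock_file`, even though `manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)` is added right above it. If the daemon creates its socket directly in the pid directory rather than inside a soundd_var_run_t subdirectory (not visible from the hunk), that socket would keep the generic pid-directory label instead of soundd_var_run_t, and the new sock_file rules would never apply to it. Adding `sock_file` to the class list, as the tmpfs line two lines above already does, closes that gap.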
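Review bot: The new `optional_policy(` block with `alsa_domtrans(soundd_t)` has no comment saying which program soundd executes that needs the alsa domain, unlike the existing `# for yiff` note elsewhere in this file. Because the child then runs with the alsa domain's permissions rather than soundd_t's, a one-line comment above the block in the form `# for <program soundd execs>` (with the actual binary named) lets a reviewer judge whether a domain transition is the right fit.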