On Thu, 2008-08-07 at 11:09 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-08-04 at 14:35 +0200, david@xxxxxxxxxxx wrote:
> >> plain text document attachment
> >> (policy_modules_services_soundserver.patch)
> >> This policy was written by Ken Yang and reviewed by Dan Walsh:
> >> http://marc.info/?l=fedora-selinux-list&m=118561164825982&w=2
> >> and here:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=250453
> >>
> >> I updated the .fc changes to also work with Debian paths.
> >>
> >> Originally submitted Jul 19, refreshed to apply cleanly
> >
> > Comments inline
> >
> >> +########################################
> >> +## <summary>
> >> +## All of the rules required to administrate
> >> +## an soundd environment
> >> +## </summary>
> >> +## <param name="domain">
> >> +## <summary>
> >> +## Domain allowed access.
> >> +## </summary>
> >> +## </param>
> >> +## <param name="role">
> >> +## <summary>
> >> +## The role to be allowed to manage the soundd domain.
> >> +## </summary>
> >> +## </param>
> >> +## <param name="terminal">
> >> +## <summary>
> >> +## The type of the user terminal.
> >> +## </summary>
> >> +## </param>
> >> +## <rolecap/>
> >> +#
> >> +interface(`soundserver_admin',`
> >> + gen_require(`
> >> + type soundd_t;
> >> + type soundd_script_exec_t;
> >> + type soundd_etc_t;
> >> + type soundd_tmp_t;
> >> + type soundd_var_run_t;
> >> + ')
> >> +
> >> + allow $1 soundd_t:process { ptrace signal_perms getattr };
> >> + read_files_pattern($1, soundd_t, soundd_t)
> >> +
> >> + # Allow soundd_t to restart the apache service
> >> + soundserver_script_domtrans($1)
> >> + domain_system_change_exemption($1)
> >> + role_transition $2 soundd_script_exec_t system_r;
> >> + allow $2 system_r;
> >> +
> >> + files_list_tmp($1)
> >> + manage_all_pattern($1,soundd_tmp_t)
> >> +
> >> + files_list_etc($1)
> >> + manage_all_pattern($1,soundd_etc_t)
> >> +
> >> + files_list_pids($1)
> >> + manage_all_pattern($1,soundd_var_run_t)
> >> +')
> >
> > This interface needs several fixes. The XML does not match. There are
> > whitespace issues (there should be tabs, not 8 spaces). Also spaces
> > after commas (other places in the patch too). Manage_all_pattern
> > doesn't exist upstream, and I don't plan on ever adding it.
> >
> Why not? If I am an admin of a domain, I should be able to modify the
> labeling on all types that are in that domain, on the entire class of
> objects in that domain. Making me add all of the rules for each type is
> just prone to errors.
>
> Without this rule you need to add
> manage_dirs_pattern($1,$2,$2)
> manage_files_pattern($1,$2,$2)
> manage_lnk_files_pattern($1,$2,$2)
> manage_fifo_files_pattern($1,$2,$2)
> manage_sock_files_pattern($1,$2,$2)
>
> relabelto_dirs_pattern($1,$2,$2)
> relabelto_files_pattern($1,$2,$2)
> relabelto_lnk_files_pattern($1,$2,$2)
> relabelto_fifo_files_pattern($1,$2,$2)
> relabelto_sock_files_pattern($1,$2,$2)
>
> relabelfrom_dirs_pattern($1,$2,$2)
> relabelfrom_files_pattern($1,$2,$2)
> relabelfrom_lnk_files_pattern($1,$2,$2)
> relabelfrom_fifo_files_pattern($1,$2,$2)
> relabelfrom_sock_files_pattern($1,$2,$2)
>
> For every type, which is nuts.

It is nuts because I don't think all that access should be provided.
Neglecting that, "manage" in refpolicy does not imply any relabeling
permissions. Also the second and third blocks could be merged with
relabel_*_pattern().

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
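Review bot: the comment `# Allow soundd_t to restart the apache service` above `soundserver_script_domtrans($1)` in the quoted soundserver_admin() interface is wrong on both counts, since the rule lets `$1` (the admin domain), not soundd_t, run the init script, and the service is soundd, not apache; change it to `# Allow $1 to restart the soundd service`. The XML mismatch the review refers to is that `<param name="terminal">` declares a third argument while `$3` never appears in the body, so either drop that param or use it. The three `manage_all_pattern($1,soundd_*_t)` calls also take two arguments, whereas the `*_pattern($1,$2,$2)` calls they are meant to replace take three (directory type and file type), and since upstream has no manage_all_pattern at all the interface cannot build there as written.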
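The review points raised above (XML params that do not match the interface body, spaces where tabs belong, missing spaces after commas, and a pattern macro that upstream never defines) can be checked mechanically before a patch is posted. The following Python lint is an added illustration, not refpolicy's own tooling; it runs over a constructed excerpt of the quoted interface, and KNOWN_PATTERNS is a hand-picked subset standing in for the macros refpolicy actually defines (assumption: a real lint would read those definitions instead).

```python
import re

# Constructed excerpt of the quoted soundserver_admin() interface with the
# mail quote markers stripped; the body keeps the 8-space indent under review.
INTERFACE = '''\
## <param name="domain">
## <param name="role">
## <param name="terminal">
interface(`soundserver_admin',`
        gen_require(`
                type soundd_t;
                type soundd_tmp_t;
        ')

        allow $1 soundd_t:process { ptrace signal_perms getattr };
        read_files_pattern($1, soundd_t, soundd_t)
        role_transition $2 soundd_script_exec_t system_r;
        manage_all_pattern($1,soundd_tmp_t)
')
'''

# Hand-picked subset of pattern macros that refpolicy does define (assumption:
# a real lint would load refpolicy's own macro files instead of this list).
KNOWN_PATTERNS = {
    "read_files_pattern", "manage_dirs_pattern", "manage_files_pattern",
    "manage_lnk_files_pattern", "manage_fifo_files_pattern",
    "manage_sock_files_pattern", "relabel_dirs_pattern", "relabel_files_pattern",
}

def lint_interface(text, known=KNOWN_PATTERNS):
    """Return (line_no, message) findings; line 0 is used for whole-interface checks."""
    findings = []
    params = re.findall(r'<param name="([^"]+)">', text)
    used = {int(n) for n in re.findall(r'\$(\d+)', text)}
    for pos, name in enumerate(params, 1):      # every <param> must be some $N
        if pos not in used:
            findings.append((0, f'param "{name}" (${pos}) declared but unused'))
    for n in sorted(used - set(range(1, len(params) + 1))):
        findings.append((0, f'${n} used but only {len(params)} <param> declared'))
    for no, line in enumerate(text.splitlines(), 1):
        if re.match(r'\t* {2,}\S', line):        # leading spaces where tabs belong
            findings.append((no, 'indent with tabs, not spaces'))
        if re.search(r",[^\s`]", line):          # `name',` is fine; `$1,type` is not
            findings.append((no, 'missing space after comma'))
        m = re.match(r'\s*(\w+_pattern)\(', line)
        if m and m.group(1) not in known:        # e.g. manage_all_pattern
            findings.append((no, f'{m.group(1)} is not defined upstream'))
    return findings
```

Running `lint_interface(INTERFACE)` reports the unused `terminal` param, the eight space-indented lines, the missing space after the comma on the `manage_all_pattern` line, and that macro as undefined.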