2013-05-07 18:22:56

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/2] Introduce minidlna policy

Please find herein two patches (one for main repo to declare the trivnet1
port and one for the contrib submodule to provide the minidlna policy) to
support minidlna in refpolicy.

The first draft was sent out on May 1st [1]; I've incorporated the changes
that Dominick provided, hopefully it is ok now. The discussion sparked a bit
of side-information on networking which I ignored for now: the
corenet_{tcp,udp}_sendrecv_* calls are still in there, even though they
should not be needed anymore. I left them in for consistency with existing
policy, but if you prefer without I am more than happy to remove them.

[1] http://oss.tresys.com/pipermail/refpolicy/2013-May/006393.html

The patch for main repo (declaration of trivnet1) needs to go in before the
contrib change can (as it uses interfaces defined in the first patch).

Wkr,
Sven Vermeulen


2013-05-07 18:23:39

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 1/2] Add trivnet1 port (8200)

Create the proper port types for trivnet1 (port 8200)

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/corenetwork.te.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index e78ee3b..060c7fc 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -261,6 +261,7 @@ network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s
network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
+network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
network_port(ups, tcp,3493,s0)
network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
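Review bot: the added line's argument spacing differs from its neighbours; the surrounding `network_port` entries write each tuple without inner spaces (`network_port(trisoap, tcp,10200,s0, udp,10200,s0)`), so `network_port(trivnet1, tcp,8200,s0, udp,8200,s0)` would match the file's convention. Also worth a word in the commit message: both tcp and udp 8200 are declared here, while the minidlna policy in 2/2 only binds the tcp side; declaring both is fine for completeness, but the message only says "port 8200".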
--
1.8.1.5

2013-05-07 18:24:42

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/2] Add minidlna policy

The minidlna policy allows the minidlna server to listen on the ssdp and trivnet1
ports (ssdp is for the discovery, trivnet1 for serving the files) and serve
files marked as public_t.

If minidlna_read_generic_user_content is set, the server can also be used to
serve user content.

Changes since v1
- Use minidlna_conf_t instead of minidlna_etc_t
- Add in directories used in fedora
- More descriptive booleans and general module summary
- Remove explicit node_bind permission as it is provided through other interface
calls
- Allow creating minidlna_log_t entries
- Drop filetransitions for log file and /var/lib
- Use permission sets when combined pattern interfaces are not needed
- Introduce auth_use_nsswitch as minidlna interprets nsswitch.conf
- Drop *_client_packets interfaces (secmark), the domain does not act as a
client
---
minidlna.fc | 14 +++++++++
minidlna.if | 64 ++++++++++++++++++++++++++++++++++++++
minidlna.te | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 180 insertions(+)
create mode 100644 minidlna.fc
create mode 100644 minidlna.if
create mode 100644 minidlna.te

diff --git a/minidlna.fc b/minidlna.fc
new file mode 100644
index 0000000..9d4cd52
--- /dev/null
+++ b/minidlna.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
+
+/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
+
+/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+
+/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
+
+/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
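Review bot: the `/var/log/minidlna\.log.*` entry labels a regular file directly under /var/log, but the .te in this same patch carries no `logging_log_filetrans` (the changelog says it was dropped on purpose) and only grants creation of minidlna_log_t files inside a directory that is already minidlna_log_t, via `create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)`. A log file the daemon creates itself in /var/log would inherit var_log_t and the create would be denied, so this .fc entry only takes effect after a relabel. Either restore a `logging_log_filetrans(minidlna_t, minidlna_log_t, file)` (optionally with the file name) or state in the commit message that the log file is pre-created by packaging or the init script. The same question applies to `/var/run/minidlna(/.*)?` if the daemon creates that directory at startup.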
diff --git a/minidlna.if b/minidlna.if
new file mode 100644
index 0000000..358917a
--- /dev/null
+++ b/minidlna.if
@@ -0,0 +1,64 @@
+## <summary>MiniDLNA lightweight DLNA/UPnP media server</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an minidlna environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`minidlna_admin',`
+ gen_require(`
+ type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
+ type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
+ ')
+
+ allow $1 minidlna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, minidlna_t)
+
+ minidlna_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 minidlna_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, minidlna_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, minidlna_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, minidlna_db_t)
+
+ files_search_pids($1)
+ admin_pattern($1, minidlna_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute minidlna init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`minidlna_initrc_domtrans',`
+ gen_require(`
+ type minidlna_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
+')
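Review bot: the summary of `minidlna_admin` reads "administrate an minidlna environment"; "a minidlna environment" is the wording used by the other `*_admin` summaries in contrib. On the body, `admin_pattern($1, minidlna_db_t)` is preceded only by `files_search_var_lib($1)`, while the .fc in this patch also places minidlna_db_t under /var/cache, so an administrator reaching the cache copy would additionally need search on /var (for example `files_search_var($1)`); consider adding it next to the var_lib search.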
diff --git a/minidlna.te b/minidlna.te
new file mode 100644
index 0000000..7273853
--- /dev/null
+++ b/minidlna.te
@@ -0,0 +1,102 @@
+policy_module(minidlna, 0.1)
+
+#############################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether minidlna can read generic user content.
+## </p>
+## </desc>
+gen_tunable(minidlna_read_generic_user_content, false)
+
+type minidlna_t;
+type minidlna_exec_t;
+init_daemon_domain(minidlna_t, minidlna_exec_t)
+
+type minidlna_initrc_exec_t;
+init_script_file(minidlna_initrc_exec_t)
+
+type minidlna_conf_t;
+files_config_file(minidlna_conf_t)
+
+type minidlna_log_t;
+logging_log_file(minidlna_log_t)
+
+type minidlna_db_t;
+files_type(minidlna_db_t)
+
+type minidlna_var_run_t;
+files_pid_file(minidlna_var_run_t)
+
+###############################################
+#
+# Local policy
+#
+
+allow minidlna_t self:process setsched;
+allow minidlna_t self:tcp_socket create_stream_socket_perms;
+allow minidlna_t self:udp_socket create_socket_perms;
+allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;
+allow minidlna_t minidlna_conf_t:file read_file_perms;
+
+allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
+allow minidlna_t minidlna_db_t:file manage_file_perms;
+
+allow minidlna_t minidlna_log_t:file append_file_perms;
+create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+
+allow minidlna_t minidlna_var_run_t:file manage_file_perms;
+allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
+
+kernel_read_fs_sysctls(minidlna_t)
+kernel_read_system_state(minidlna_t)
+
+corecmd_exec_bin(minidlna_t)
+corecmd_exec_shell(minidlna_t)
+
+corenet_all_recvfrom_netlabel(minidlna_t)
+corenet_all_recvfrom_unlabeled(minidlna_t)
+
+corenet_sendrecv_ssdp_server_packets(minidlna_t)
+corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+
+corenet_tcp_bind_generic_node(minidlna_t)
+corenet_tcp_bind_trivnet1_port(minidlna_t)
+corenet_tcp_sendrecv_generic_if(minidlna_t)
+corenet_tcp_sendrecv_generic_node(minidlna_t)
+corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
+
+corenet_udp_bind_generic_node(minidlna_t)
+corenet_udp_bind_ssdp_port(minidlna_t)
+corenet_udp_sendrecv_generic_if(minidlna_t)
+corenet_udp_sendrecv_generic_node(minidlna_t)
+corenet_udp_sendrecv_ssdp_port(minidlna_t)
+
+files_search_var_lib(minidlna_t)
+
+auth_use_nsswitch(minidlna_t)
+
+logging_search_logs(minidlna_t)
+
+miscfiles_read_localization(minidlna_t)
+miscfiles_read_public_files(minidlna_t)
+
+tunable_policy(`minidlna_read_generic_user_content',`
+ userdom_list_user_tmp(minidlna_t)
+ userdom_read_user_home_content_files(minidlna_t)
+ userdom_read_user_home_content_symlinks(minidlna_t)
+ userdom_read_user_tmp_files(minidlna_t)
+ userdom_read_user_tmp_symlinks(minidlna_t)
+',`
+ files_dontaudit_list_home(minidlna_t)
+ files_dontaudit_list_tmp(minidlna_t)
+
+ userdom_dontaudit_list_user_home_dirs(minidlna_t)
+ userdom_dontaudit_list_user_tmp(minidlna_t)
+ userdom_dontaudit_read_user_home_content_files(minidlna_t)
+ userdom_dontaudit_read_user_tmp_files(minidlna_t)
+')
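Review bot: `files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)` only transitions files, yet `allow minidlna_t minidlna_var_run_t:dir rw_dir_perms` together with the `/var/run/minidlna(/.*)?` .fc entry points to a per-daemon pid directory. If minidlna creates that directory itself it will be labeled var_run_t and the rw rule never applies; in that case use `files_pid_filetrans(minidlna_t, minidlna_var_run_t, { dir file })` and note that `rw_dir_perms` lacks `create`, so `manage_dir_perms` (or adding `create_dir_perms`) would be needed as well. Separately, `corecmd_exec_bin(minidlna_t)` and `corecmd_exec_shell(minidlna_t)` noticeably widen what a compromised media server can run; the commit message should say which helper programs minidlna actually executes so a reviewer can judge whether both are needed.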
--
1.8.1.5

2013-05-09 13:23:10

by cpebenito

Subject: [refpolicy] [PATCH v2 0/2] Introduce minidlna policy

On 05/07/13 14:22, Sven Vermeulen wrote:
> Please find herein two patches (one for main repo to declare the trivnet1
> port and one for the contrib submodule to provide the minidlna policy) to
> support minidlna in refpolicy.

Merged.

> The first draft was sent out on May 1st [1]; I've incorporated the changes
> that Dominick provided, hopefully it is ok now. The discussion sparked a bit
> of side-information on networking which I ignored for now: the
> corenet_{tcp,udp}_sendrecv_* calls are still in there, even though they
> should not be needed anymore. I left them in for consistency with existing
> policy, but if you prefer without I am more than happy to remove them.

I'm keeping them for now, though I'll eventually circle back to clean up the compat_net rules across the entire policy.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com