From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 01 May 2013 21:12:09 +0200
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
In-Reply-To: <20130501183845.GC25116@siphos.be>
References: <20130501183657.GA25116@siphos.be> <20130501183845.GC25116@siphos.be>
Message-ID: <1367435529.452.19.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Wed, 2013-05-01 at 20:38 +0200, Sven Vermeulen wrote:
> The minidlna policy allows the minidla server to listen on the ssdp and trivnet1
> ports (ssdp is for the discovery, trivnet1 for serving the files) and serve
> files marked as public_t.
>
> If minidlna_read_generic_user_content is set, the server can also be used to
> serve user content.
Some comments in-line
> Signed-off-by: Sven Vermeulen
> ---
> minidlna.fc | 11 +++++++
> minidlna.if | 64 +++++++++++++++++++++++++++++++++++++++
> minidlna.te | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 174 insertions(+)
> create mode 100644 minidlna.fc
> create mode 100644 minidlna.if
> create mode 100644 minidlna.te
>
> diff --git a/minidlna.fc b/minidlna.fc
> new file mode 100644
> index 0000000..05ad732
> --- /dev/null
> +++ b/minidlna.fc
> @@ -0,0 +1,11 @@
> +/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
> +
> +/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_etc_t,s0)
Can we use type minidlna_conf_t instead for consistency?
> +
> +/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
> +
> +/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
Can add support /var/cache/minidlna(/.*)? as well for Fedora? (Fedora installs the /var/cache/minidlna dir instead for this content
> +
> +/var/log/minidlna\.log -- gen_context(system_u:object_r:minidlna_log_t,s0)
This daemon runs as root on gentoo? Can we do /var/log/minidlna.log.* instead? (in case someone uses logrotate to maintain the log files) Also add support for /var/log/minidlna(/.*)? as well for Fedora? ( Fedora installs the /var/log/minidlna dir instead )
> +
> +/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
> diff --git a/minidlna.if b/minidlna.if
> new file mode 100644
> index 0000000..d27f634
> --- /dev/null
> +++ b/minidlna.if
> @@ -0,0 +1,64 @@
> +## MiniDLNA server
Gimme a break ;) Please use something a little more descriptive: MiniDLNA lightweight DLNA/UPnP media server.
> +
> +########################################
> +##
> +## All of the rules required to
> +## administrate an minidlna environment.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +#
> +interface(`minidlna_admin',`
> + gen_require(`
> + type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
> + type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
> + ')
> +
> + allow $1 minidlna_t:process { ptrace signal_perms };
> + ps_process_pattern($1, minidlna_t)
> +
> + minidlna_initrc_domtrans($1)
> + domain_system_change_exemption($1)
> + role_transition $2 minidlna_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + files_search_etc($1)
> + admin_pattern($1, minidlna_etc_t)
> +
> + logging_search_logs($1)
> + admin_pattern($1, minidlna_log_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, minidlna_db_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, minidlna_var_run_t)
> +')
> +
> +########################################
> +##
> +## Execute minidlna init scripts in
> +## the initrc domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`minidlna_initrc_domtrans',`
> + gen_require(`
> + type minidlna_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
> +')
> diff --git a/minidlna.te b/minidlna.te
> new file mode 100644
> index 0000000..06ab1c9
> --- /dev/null
> +++ b/minidlna.te
> @@ -0,0 +1,99 @@
> +policy_module(minidlna, 0.1)
> +
> +#############################################
> +#
> +# Declarations
> +#
> +
> +##
> +##
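Review bot: The summary of `minidlna_admin` reads "administrate an minidlna environment"; the article should be "a", so `## administrate a minidlna environment.` As rendered here, the `<summary>`, `<desc>` and `<param>` XML tags that refpolicy's interface documentation tooling keys on are not visible around the `##` lines; that is most likely the list archive stripping them, but it is worth confirming they survive in the committed file, since without them the generated documentation for both interfaces is empty. On least privilege, `allow $1 minidlna_t:process { ptrace signal_perms };` lets the admin domain attach to and read the daemon's memory, not only signal it; if that matches the convention the other admin interfaces in the tree follow it is fine as is, otherwise `signal_perms` alone covers start, stop and reload.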

> +## Allow minidlna to read generic user content
Determine whether Minidlna can read generic user content. (i am trying to be consistent)
> +##

> +##
> +gen_tunable(minidlna_read_generic_user_content, false)
> +
> +type minidlna_t;
> +type minidlna_exec_t;
> +init_daemon_domain(minidlna_t, minidlna_exec_t)
> +
> +type minidlna_initrc_exec_t;
> +init_script_file(minidlna_initrc_exec_t)
> +
> +type minidlna_etc_t;
> +files_config_file(minidlna_etc_t)
> +
> +type minidlna_log_t;
> +logging_log_file(minidlna_log_t)
> +
> +type minidlna_db_t;
> +files_type(minidlna_db_t)
> +
> +type minidlna_var_run_t;
> +files_pid_file(minidlna_var_run_t)
> +
> +###############################################
> +#
> +# Local policy
> +#
> +
> +allow minidlna_t self:process { setsched };
No need for brace expansion here (nothing to expand)
> +allow minidlna_t self:tcp_socket create_stream_socket_perms;
> +allow minidlna_t self:udp_socket { create_socket_perms node_bind };
Whats node_bind permission doing there?
> +allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
Are you sure it needs to write the routing table? (show me the avc denials)
> +allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
Need support for adding dir entries to minidlna_log_t dirs (fedora installs /var/log/minidlna dir)
> +allow minidlna_t minidlna_etc_t:file read_file_perms;
> +
> +manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
Are you saying that it does not actually install /var/lib/minidlna? This can probably be done cleaner (use permission sets where possible instead of patterns)
> +
> +manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> +rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
permission set is cleaner.
> +files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
> +
> +kernel_read_fs_sysctls(minidlna_t)
> +kernel_read_system_state(minidlna_t)
> +logging_log_filetrans(minidlna_t, minidlna_log_t, file)
This needs to go up (to where the other logging rules are
> +
> +corecmd_exec_bin(minidlna_t)
> +corecmd_exec_shell(minidlna_t)
> +
> +corenet_all_recvfrom_netlabel(minidlna_t)
> +corenet_all_recvfrom_unlabeled(minidlna_t)
> +
> +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> +
> +corenet_tcp_bind_generic_node(minidlna_t)
> +corenet_tcp_sendrecv_generic_if(minidlna_t)
> +corenet_tcp_sendrecv_generic_node(minidlna_t)
> +
> +corenet_udp_bind_generic_node(minidlna_t)
> +corenet_udp_bind_ssdp_port(minidlna_t)
> +
> +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> +corenet_tcp_bind_trivnet1_port(minidlna_t)
> +
> +files_read_etc_files(minidlna_t)
Which file is that? /etc/nsswitch.conf?
> +
> +miscfiles_read_localization(minidlna_t)
> +miscfiles_read_public_files(minidlna_t)
> +
> +tunable_policy(`minidlna_read_generic_user_content',`
> + userdom_list_user_tmp(minidlna_t)
> + userdom_read_user_home_content_files(minidlna_t)
> + userdom_read_user_home_content_symlinks(minidlna_t)
> + userdom_read_user_tmp_files(minidlna_t)
> + userdom_read_user_tmp_symlinks(minidlna_t)
> +',`
> + files_dontaudit_list_home(minidlna_t)
> + files_dontaudit_list_tmp(minidlna_t)
> +
> + userdom_dontaudit_list_user_home_dirs(minidlna_t)
> + userdom_dontaudit_list_user_tmp(minidlna_t)
> + userdom_dontaudit_read_user_home_content_files(minidlna_t)
> + userdom_dontaudit_read_user_tmp_files(minidlna_t)
> +')
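Review bot: `corecmd_exec_bin(minidlna_t)` and `corecmd_exec_shell(minidlna_t)` let a network-facing daemon execute any system binary and a shell, which is a large widening for a media server whose listeners carry no client authentication; unless a denial shows which helper minidlna actually execs, the two lines should be dropped or narrowed to that program, with a comment recording the reason, e.g. `# minidlna execs <helper> at startup; corecmd_exec_shell not observed` (placeholder, fill in from the denial). The UDP side binds a generic node and the ssdp port but, unlike the TCP side, has no `corenet_udp_sendrecv_generic_if(minidlna_t)` / `corenet_udp_sendrecv_generic_node(minidlna_t)` pair; if the targeted policy version still checks these, SSDP discovery traffic will be denied. The `<desc>` of `minidlna_read_generic_user_content` should spell out the consequence of enabling it, roughly: home-directory and tmp content readable by the daemon becomes reachable by any host that can talk to the ssdp and trivnet1 ports, since DLNA provides no client authentication. The `tunable_policy` block is the last line in view, so anything that follows it in the file is not reviewed here.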