From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 1 May 2013 22:09:01 +0200
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
In-Reply-To: <1367435529.452.19.camel@d30>
References: <20130501183657.GA25116@siphos.be> <20130501183845.GC25116@siphos.be> <1367435529.452.19.camel@d30>
Message-ID: <20130501200901.GA27004@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, May 01, 2013 at 09:12:09PM +0200, Dominick Grift wrote:
> > +/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_etc_t,s0)
> 
> Can we use type minidlna_conf_t instead for consistency?

Ok... but in the contrib/ folder, I find more _etc_t definitions than _conf_t ones:

$ grep '^type .*_conf_t' *.te | wc -l
36
$ grep '^type .*_etc_t' *.te | wc -l
89

> > +
> > +/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
> > +
> > +/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
> 
> Can add support /var/cache/minidlna(/.*)? as well for Fedora? (Fedora
> installs the /var/cache/minidlna dir instead for this content

Of course

> > +
> > +/var/log/minidlna\.log -- gen_context(system_u:object_r:minidlna_log_t,s0)
> 
> This daemon runs as root on gentoo?

No, but the package manager creates the log file with proper ownership already here.

> Can we do /var/log/minidlna.log.* instead? (in case someone uses
> logrotate to maintain the log files)
> 
> Also add support for /var/log/minidlna(/.*)? as well for Fedora?
> ( Fedora installs the /var/log/minidlna dir instead )

Ok

> > +## MiniDLNA server
> 
> Gimme a break ;)
> 
> Please use something a little more descriptive:
> 
> MiniDLNA lightweight DLNA/UPnP media server.

Have a kitkat ;-) Sorry about that.

> > +##
> > +##
> > +## Allow minidlna to read generic user content
> 
> Determine whether Minidlna can read generic user content. (I am trying
> to be consistent)

Ok.

> > +allow minidlna_t self:tcp_socket create_stream_socket_perms;
> > +allow minidlna_t self:udp_socket { create_socket_perms node_bind };
> 
> What's node_bind permission doing there?

Sorry about that, was from before I had the corenet_udp_bind_generic_node(minidlna_t) set.

> > +allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
> 
> Are you sure it needs to write the routing table? (show me the avc
> denials)

Ah yes, r_netlink_socket_perms is sufficient, my bad.

> > +allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
> 
> Need support for adding dir entries to minidlna_log_t dirs (fedora
> installs /var/log/minidlna dir)

Ok

> > +allow minidlna_t minidlna_etc_t:file read_file_perms;
> > +
> > +manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
> 
> Are you saying that it does not actually install /var/lib/minidlna?
> This can probably be done cleaner (use permission sets where possible
> instead of patterns)

I wasn't sure what to do here. Gentoo installs the /var/lib/minidlna directory already as part of the software installation. But I noticed that the majority of modules do have this set. I'll change it to a files_search_var_lib(minidlna_t).

> > +
> > +manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> > +rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> 
> permission set is cleaner.

Ok

> > +files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
> > +
> > +kernel_read_fs_sysctls(minidlna_t)
> > +kernel_read_system_state(minidlna_t)
> > +logging_log_filetrans(minidlna_t, minidlna_log_t, file)
> 
> This needs to go up (to where the other logging rules are

Ok

> > +
> > +corecmd_exec_bin(minidlna_t)
> > +corecmd_exec_shell(minidlna_t)
> > +
> > +corenet_all_recvfrom_netlabel(minidlna_t)
> > +corenet_all_recvfrom_unlabeled(minidlna_t)
> > +
> > +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> > +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> > +
> > +corenet_tcp_bind_generic_node(minidlna_t)
> > +corenet_tcp_sendrecv_generic_if(minidlna_t)
> > +corenet_tcp_sendrecv_generic_node(minidlna_t)
> > +
> > +corenet_udp_bind_generic_node(minidlna_t)
> > +corenet_udp_bind_ssdp_port(minidlna_t)
> > +
> > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > +
> > +files_read_etc_files(minidlna_t)
> 
> Which file is that? /etc/nsswitch.conf?

nsswitch.conf and passwd.

Wkr,
	Sven Vermeulen
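Review bot: the quoted .te hunk grants corecmd_exec_bin(minidlna_t) and corecmd_exec_shell(minidlna_t) without any discussion, while the netlink and node_bind rules in the same hunk are being trimmed back to what the AVC denials justify; a media server that can execute arbitrary binaries and a shell is a much wider domain than the rest of the policy suggests, so either show the denial that needs these two interfaces or drop them.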
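Added example, not part of the thread and not refpolicy's own code: a small Python matcher for file_contexts entries that makes the logrotate gap Dominick raises visible, by labelling a few constructed paths under the patch's /var/log/minidlna\.log entry and then under his proposed entries. It assumes refpolicy's generic /var/log(/.*)? entry as the fallback, the sample paths shown, and simplifies libselinux's matching to "the later, more specific entry wins".

```python
import re

# Constructed .fc fragments (not the project's files): the generic /var/log entry
# as fallback, the entry from the patch, and the reviewer's suggested entries.
FC_BASE = "/var/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)"
FC_PATCH = r"/var/log/minidlna\.log -- gen_context(system_u:object_r:minidlna_log_t,s0)"
FC_REVIEW = r"""
/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
"""

_FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dlpscb])\s+)?"
    r"gen_context\(\w+:\w+:(?P<type>\w+),[^)]*\)$"
)
# file_contexts type specifiers and the object class each one restricts the entry to.
FTYPE_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-p": "fifo_file",
               "-s": "sock_file", "-c": "chr_file", "-b": "blk_file"}


def parse_fc(text):
    """Parse fc lines into (anchored regex, required object class or None, type)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _FC_LINE.match(line)
        if m is None:
            raise ValueError("unparseable fc line: " + line)
        cls = FTYPE_CLASS[m.group("ftype")] if m.group("ftype") else None
        entries.append((re.compile("^" + m.group("regex") + "$"), cls, m.group("type")))
    return entries


def label_for(entries, path, cls):
    """Type a path of object class cls gets; simplification: later entries override earlier ones."""
    label = None
    for regex, want_cls, type_ in entries:
        if regex.match(path) and want_cls in (None, cls):
            label = type_
    return label


def coverage(fc_text):
    """Label each constructed sample path under FC_BASE plus the given fc fragment."""
    entries = parse_fc(FC_BASE + "\n" + fc_text)
    samples = [("/var/log/minidlna.log", "file"), ("/var/log/minidlna.log.1", "file"),
               ("/var/log/minidlna", "dir"), ("/var/log/minidlna/minidlna.log", "file")]
    return {path: label_for(entries, path, cls) for path, cls in samples}


if __name__ == "__main__":
    for name, fc in (("patch", FC_PATCH), ("review", FC_REVIEW)):
        print(name, coverage(fc))
```

Under the patch's entry a rotated minidlna.log.1 and Fedora's /var/log/minidlna directory fall back to var_log_t, so the daemon's append to a rotated file would be denied; the proposed entries label all four paths minidlna_log_t.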