> > +## Allow minidlna to read generic user content
>
> Determine whether Minidlna can read generic user content. (I am trying
> to be consistent)

Ok.

> > +allow minidlna_t self:tcp_socket create_stream_socket_perms;
> > +allow minidlna_t self:udp_socket { create_socket_perms node_bind };
>
> What's node_bind permission doing there?

Sorry about that, was from before I had the
corenet_udp_bind_generic_node(minidlna_t) set.

> > +allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
>
> Are you sure it needs to write the routing table? (show me the avc
> denials)

Ah yes, r_netlink_socket_perms is sufficient, my bad.

> > +allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
>
> Need support for adding dir entries to minidlna_log_t dirs (Fedora
> installs /var/log/minidlna dir)

Ok

> > +allow minidlna_t minidlna_etc_t:file read_file_perms;
> > +
> > +manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
>
> Are you saying that it does not actually install /var/lib/minidlna?
> This can probably be done cleaner (use permission sets where possible
> instead of patterns)

I wasn't sure what to do here. Gentoo installs the /var/lib/minidlna
directory already as part of the software installation. But I noticed
that the majority of modules do have this set. I'll change it to a
files_search_var_lib(minidlna_t).

> > +
> > +manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> > +rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
>
> permission set is cleaner.

Ok

> > +files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
> > +
> > +kernel_read_fs_sysctls(minidlna_t)
> > +kernel_read_system_state(minidlna_t)
> > +logging_log_filetrans(minidlna_t, minidlna_log_t, file)
>
> This needs to go up (to where the other logging rules are)

Ok

> > +
> > +corecmd_exec_bin(minidlna_t)
> > +corecmd_exec_shell(minidlna_t)
> > +
> > +corenet_all_recvfrom_netlabel(minidlna_t)
> > +corenet_all_recvfrom_unlabeled(minidlna_t)
> > +
> > +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> > +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> > +
> > +corenet_tcp_bind_generic_node(minidlna_t)
> > +corenet_tcp_sendrecv_generic_if(minidlna_t)
> > +corenet_tcp_sendrecv_generic_node(minidlna_t)
> > +
> > +corenet_udp_bind_generic_node(minidlna_t)
> > +corenet_udp_bind_ssdp_port(minidlna_t)
> > +
> > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > +
> > +files_read_etc_files(minidlna_t)
>
> Which file is that? /etc/nsswitch.conf?

nsswitch.conf and passwd.

Wkr,
	Sven Vermeulen
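Review bot: corecmd_exec_shell(minidlna_t) next to corecmd_exec_bin(minidlna_t) is a broad grant for a media server daemon and is not discussed anywhere in the review; unless the avc denials show minidlna actually executing a shell, drop corecmd_exec_shell(minidlna_t) and keep only corecmd_exec_bin(minidlna_t), noting in the commit message which denial justifies it, since the rest of the module is being trimmed to what the denials require (the netlink and node_bind rules above).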