Bug 250453
| Field | Value |
|---|---|
| Summary | nasd opens sockets from communications in /tmp |
| Product | Fedora |
| Component | nas |
| Version | rawhide |
| Hardware / OS | All / Linux |
| Status | CLOSED NEXTRELEASE |
| Severity / Priority | high / high |
| Reporter | Daniel Walsh <dwalsh> |
| Assignee | Frank Büttner <bugzilla> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | nalin, rdieter, spng.yang |
| Doc Type | Bug Fix |
| Last Closed | 2007-08-11 17:34:17 UTC |
Description
Daniel Walsh
2007-08-01 18:06:40 UTC
Nothing but add myself to the CC list.

Btw, I agree with what Daniel said. I will look at it at the weekend.

Do you mean /tmp/.sockets/audio10?

So I built a patch and added it to the devel repo. Please verify it.

I have modified the SELinux soundserver policy, based on Frank's bugfix: http://marc.info/?l=fedora-selinux-list&m=118725875506751&w=2 Please review it.

It looks ok for me.

Created attachment 161919
Still some problems. This is the policy I will go with.

Created attachment 161920
Interface file

Created attachment 161921
TE file

Hi Walsh, I saw your modifications, and have four questions:

1. Why use soundd_socket_t instead of soundd_var_run_t? There is no soundd_socket_t used in the soundserver policy module.
2. In soundserver_read_socket_files(), why change the type in requires, but still use soundd_var_run_t in the allow rules?
3. Why add manage_files_pattern()? Originally, audio$n is labeled in the fc as a socket file, and there is manage_socket_files_pattern().
4. Why add "file sock_file" in files_pid_filetrans()? I think "dir" is enough; the socket audio$n created in /var/run/nasd will be labeled with the containing directory's type.

1, 2: You're right. I guess I should have gone home earlier; too much SELinux policy work :^( Should be soundd_var_run_t.
3: What about the actual pid file?
4: Ok, removed.

I know the merge work of policy is huge, so many details you must carry with. I hope I can help you.

Yes, you are right. Maybe I have not completely understood what pidfile means. I searched the policy source and found most pidfiles (calling files_pid_file()) are *_var_run_t (socket files) or real pid files (e.g. auditd.pid). So I guess what the term "pidfile" means is: pidfiles are all files which only belong to the current process. Is my guess right?

Yes, I think it is poorly named. This function is for all files/dirs/sockets created in var_run. Usually this is only the pid file.
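The arrangement the thread converges on, written out as an added example in SELinux reference-policy syntax; this is not one of the attachments on this bug and not the Fedora policy as shipped. It follows the four points discussed above: a single soundd_var_run_t type (no soundd_socket_t), manage_sock_files_pattern() for the audio$n sockets, manage_files_pattern() only for the pid file, and a files_pid_filetrans() on the "dir" class alone, because sockets created inside /var/run/nasd inherit the directory's label. The domain name soundd_t, the pid-file path /var/run/nasd/nasd.pid and the soundserver_stream_connect interface are assumptions made for the example; the interface name soundserver_read_socket_files and the path /var/run/nasd come from the thread.

```selinux
########################################
# soundserver.te (fragment)  -- added example, not the bug's attachment
# Assumption: the nasd daemon runs in the soundd_t domain.
policy_module(soundserver, 1.0.0)

type soundd_t;
type soundd_exec_t;
init_daemon_domain(soundd_t, soundd_exec_t)

# One type for everything nasd creates under /var/run: the directory,
# the pid file and the audio$n sockets.  files_pid_file() is the
# "poorly named" helper from the thread: it registers the type for any
# file/dir/socket that lives in /var/run, not just the pid file.
type soundd_var_run_t;
files_pid_file(soundd_var_run_t)

# The daemon needs the directory, the pid file and the sockets.
manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)      # nasd.pid (assumed path)
manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) # audio$n sockets

# If nasd creates /var/run/nasd itself, label the directory
# soundd_var_run_t.  "dir" is enough: objects created inside it
# take the directory's label, so no "file sock_file" classes here.
# (A pid file written directly into /var/run, outside the directory,
# would need a separate transition on the "file" class.)
files_pid_filetrans(soundd_t, soundd_var_run_t, dir)

########################################
# soundserver.if (fragment)
# Clients read the socket files; the gen_require and the allow rules
# now name the same type, which was question 2 in the thread.
interface(`soundserver_read_socket_files',`
	gen_require(`
		type soundd_var_run_t;
	')
	files_search_pids($1)
	read_sock_files_pattern($1, soundd_var_run_t, soundd_var_run_t)
')

# Assumed additional interface: a client that actually connects to the
# unix socket also needs write access to the sock_file plus connectto
# on the daemon's listening socket.
interface(`soundserver_stream_connect',`
	gen_require(`
		type soundd_t, soundd_var_run_t;
	')
	files_search_pids($1)
	write_sock_files_pattern($1, soundd_var_run_t, soundd_var_run_t)
	allow $1 soundd_t:unix_stream_socket connectto;
')

########################################
# soundserver.fc (fragment): persistent label for the relabel path,
# so a restorecon / relabel agrees with what the filetrans produces.
/var/run/nasd(/.*)?		gen_context(system_u:object_r:soundd_var_run_t,s0)
```

Moving the sockets out of /tmp into /var/run/nasd is what makes this policy possible: in /tmp the sockets would be tmp_t objects shared with every other process, whereas under a private, daemon-owned directory the label is specific to nasd and client access can be granted through the interface alone.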