Bug 428499
Summary: | add cyphesis policy | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Wart <wart> | ||||||
Component: | selinux-policy | Assignee: | Josef Kubin <jkubin> | ||||||
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
Severity: | low | Docs Contact: | |||||||
Priority: | low | ||||||||
Version: | rawhide | ||||||||
Target Milestone: | --- | ||||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2008-02-26 21:22:31 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Wart
2008-01-12 07:31:48 UTC
Created attachment 291453 [details]
Patch to add cyphesis policy
Created attachment 291618 [details]
Updated patch for Rawhide/Fedora 8
I have updated the patch with some internal "DAN" questions.
You should send this patch upstream for approval.
To respond to your questions: # DAN> What is cyphesis looking for in /bin? According to strace, it's looking for /usr/bin/python. cyphesis has an embedded python interpreter for plugin modules, but I would expect it only needs to load the python shared lib, not access the python binary itself. I'll follow up with upstream to clarify. # DAN > Does cyphesis really create a sock_file in /tmp? Why? It creates a socket in /var/tmp/cyphesis.sock. This is used by administrative tools to manipulate the game world interactively. If there's a better place to put such sockets, then I can work with upstream to change this. # DAN Do you really need this [communication with the metaserver]? It's certainly not required for normal operation to publish the server info to the metaserver, but we do want to leave the option open so that clients that use the metaserver can find our local server instance. I don't like any application that runs as root to use /tmp. This directory is under the full control of the user. In the past coding mistakes in root applications have led to root exploits via the use of the tmp directories. I prefer daemon apps that need to communicate with user apps, to use /var/run/APPNAME/ directories and then set the sock_file world writable. The other stuff looks fine. I am not sure you have enough allow rules to actually communicate with the metaserver. But pass this upstream to get it into the upstream policy. (In reply to comment #4) > I don't like any application that runs as root to use /tmp. This directory is > under the full control of the user. In the past coding mistakes in root > applications have led to root exploits via the use of the tmp directories. I > prefer daemon apps that need to communicate with user apps, to use > /var/run/APPNAME/ directories and then set the sock_file world writable. cyphesis runs as the 'cyphesis' user, not root. Nevertheless, I'll open a bug to move the socket to /var/run/cyphesis instead of using /var/tmp. > The other stuff looks fine. I am not sure you have enough allow rules to > actually communicate with the metaserver. It has worked in the past, but I'll double check it just to make sure. > But pass this upstream to get it into the upstream policy. In this case, Fedora is upstream for the selinux policy. The upstream cyphesis developers have not yet included any selinux policy files into the cyphesis source tarballs. Or do you mean pass it to the upstream at serefpolicy.sourceforge.net? Yes serefpolicy.sourceforge.net Added in selinux-policy-3.3.1-4.fc9 |