Red Hat Bugzilla – Bug 250453
nasd opens sockets for communication in /tmp
Last modified: 2007-11-30 17:12:12 EST
Description of problem:
This is a bad idea. It blows up stuff like polyinstantiated /tmp directories.
It also opens your system to potential security violations: if multiple users can
share /tmp, I could trick the nasd server into doing something bad.
Socket communications with userspace should be done through /var/run, the way
dbus does it.

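The following is an added example, not code from the bug report or from nasd, showing the check a daemon can make before it binds a Unix socket: the directory holding the socket must be a real directory (not a symlink), owned by the daemon or root, and not writable by anyone else. A sticky, world-writable /tmp fails that check, which is the point of the report above; a private directory such as /var/run/nasd passes. The function names (`socket_dir_is_safe`, `bind_daemon_socket`, `self_check`) and the scratch-directory name used by the self check are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns 0 when dir can safely hold this process's sockets, -1 otherwise:
 * it must exist, be a real directory (lstat, so a symlink is rejected), be
 * owned by us or root, and not be writable by group or others.  /tmp (mode
 * 1777) fails the last test, which is why a daemon socket does not belong there. */
int socket_dir_is_safe(const char *dir)
{
    struct stat st;

    if (lstat(dir, &st) != 0)
        return -1;                      /* must already exist */
    if (!S_ISDIR(st.st_mode))
        return -1;                      /* symlink or file planted by someone else */
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return -1;                      /* somebody else controls the directory */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                      /* others could replace entries under us */
    return 0;
}

/* Bind a listening AF_UNIX socket at dir/name after vetting dir.
 * Returns the listening fd, or -1 with errno set (EPERM for a rejected dir,
 * EEXIST when something that is not our own socket already sits at the path). */
int bind_daemon_socket(const char *dir, const char *name)
{
    struct sockaddr_un sa;
    struct stat st;
    int fd;

    if (socket_dir_is_safe(dir) != 0) {
        errno = EPERM;
        return -1;
    }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name)
            >= (int)sizeof sa.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Remove a stale socket only if it really is a socket we own; never
     * unlink an arbitrary file or follow a symlink someone else left here. */
    if (lstat(sa.sun_path, &st) == 0) {
        if (!S_ISSOCK(st.st_mode) || st.st_uid != geteuid()) {
            errno = EEXIST;
            return -1;
        }
        unlink(sa.sun_path);
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Exercise both cases in a scratch directory under the current directory
 * (an assumption of this example): returns 0 when a private 0700 directory
 * is accepted and the same directory, once made 1777 like /tmp, is refused. */
int self_check(void)
{
    char dir[64], path[96];
    int fd, ok = -1;

    snprintf(dir, sizeof dir, "nasd-example-%ld", (long)getpid());
    snprintf(path, sizeof path, "%s/audio10", dir);
    if (mkdir(dir, 0700) != 0)
        return -1;
    fd = bind_daemon_socket(dir, "audio10");          /* 0700 and ours: accepted */
    if (fd >= 0) {
        close(fd);
        unlink(path);
        if (chmod(dir, 01777) == 0 &&                 /* now it looks like /tmp */
            bind_daemon_socket(dir, "audio10") == -1 && errno == EPERM)
            ok = 0;
    }
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("/tmp as socket dir: %s\n",
           socket_dir_is_safe("/tmp") == 0 ? "accepted" : "refused");
    printf("self check: %s\n", self_check() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The ownership and mode test is what a daemon gets for free from a root-owned, 0755 /var/run/nasd and can never get from /tmp, where any local user may create /tmp/.sockets first.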
Nothing but adding myself to the CC list.

BTW, I agree with what Daniel said.

I will look at it over the weekend.

Do you mean /tmp/.sockets/audio10?

So I built a patch and added it to the devel repo. Please verify it.

I have modified the SELinux soundserver policy, based on Frank's bugfix;
please review it.

It looks OK to me.

Created attachment 161919

Still some problems. This is the policy I will go with.

Created attachment 161920

Created attachment 161921

I saw your modifications and have four questions:
1. Why use soundd_socket_t instead of soundd_var_run_t? There is no
soundd_socket_t used in the soundserver policy module.
2. In soundserver_read_socket_files(), why change the type in the requires,
but still use soundd_var_run_t in the allow rules?
3. Why add manage_files_pattern()? Originally, audio$n is labeled in the fc
as a socket file, and there is manage_socket_files_pattern().
4. Why add "file sock_file" in files_pid_filetrans()? I think "dir" is
enough; the socket audio$n created in /var/run/nasd will be labeled like
the containing directory.

1, 2: you're right. I guess I should have gone home earlier; too much SELinux policy.
Should be soundd_var_run_t.
3. What about the actual pid file?
4. OK, removed.

I know the merge work on the policy is huge, with so many details you must
carry. I hope I can help you.

Yes, you are right.

Maybe I have not completely understood what "pidfile" means.
I searched the policy source, and I found most pidfiles (which call files_pid_file())
are *_var_run_t (socket files), or real pid files (e.g. auditd.pid).
So I guess what the term "pidfile" means is: pidfiles are all files
which belong only to the current process.
Is my guess right?

Yes, I think it is poorly named. This function is for all files/dirs/sockets
created in var_run. Usually this is only the pid file.