Bug 250453 - nasd opens sockets from communications in /tmp
nasd opens sockets from communications in /tmp
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: nas (Show other bugs)
rawhide
All Linux
high Severity high
: ---
: ---
Assigned To: Frank Büttner
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-01 14:06 EDT by Daniel Walsh
Modified: 2007-11-30 17:12 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-11 13:34:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Still some problems. This is the policy I will go with (479 bytes, application/octet-stream)
2007-08-20 17:02 EDT, Daniel Walsh
no flags Details
Interface file (1.55 KB, application/octet-stream)
2007-08-20 17:03 EDT, Daniel Walsh
no flags Details
TE File (3.02 KB, application/octet-stream)
2007-08-20 17:03 EDT, Daniel Walsh
no flags Details

  None (edit)
Description Daniel Walsh 2007-08-01 14:06:40 EDT
Description of problem:

This is a bad idea.  It blows up stuff like polinstantiated /tmp directoryies. 
Also opens your system to potential security violations if multiple users can
share tmp, I could trick the program nasd server into doing something bad. 
Socket communications with userspace should be done through /var/run  The way
dbus does it.
Comment 1 Ken YANG 2007-08-02 02:26:50 EDT
nothing but add myself to cc list. 

btw, i agree what Daniel said
Comment 2 Frank Büttner 2007-08-02 13:23:19 EDT
I will look at the weekend for it.
Comment 3 Frank Büttner 2007-08-11 11:47:38 EDT
Do you mean /tmp/.sockets/audio10?
Comment 4 Frank Büttner 2007-08-11 13:34:17 EDT
So I build an patch and add it for the devel repo. Please verify it.
Comment 5 Ken YANG 2007-08-16 06:20:56 EDT
i have modified the selinux soundserver policy, based on frank's bugfix:

http://marc.info/?l=fedora-selinux-list&m=118725875506751&w=2

please review it
Comment 6 Frank Büttner 2007-08-16 13:09:11 EDT
it looks ok for my.
Comment 7 Daniel Walsh 2007-08-20 17:02:54 EDT
Created attachment 161919 [details]
Still some problems.  This is the policy I will go with
Comment 8 Daniel Walsh 2007-08-20 17:03:22 EDT
Created attachment 161920 [details]
Interface file
Comment 9 Daniel Walsh 2007-08-20 17:03:49 EDT
Created attachment 161921 [details]
TE File
Comment 10 Ken YANG 2007-08-20 23:02:25 EDT
hi wlash, 

i saw your modifications, and had four questions:

1 
why use soundd_socket_t, instead of soundd_var_run_t, there are not 
soundd_socket_t used in soundserver policy module.

2 
in soundserver_read_socket_files(), why change type requires, but in 
allow rules, still use soundd_var_run_t?

3
why add manage_files_pattern()? originally, audio$n is labeled in fc 
as socket file, and there are manage_socket_files_pattern()

4 
why add "file sock_file" in files_pid_filetrans()? i think "dir" is 
enough, the socket audio$n created in /var/run/nasd will labeled with 
the containing directory.
Comment 11 Daniel Walsh 2007-08-21 13:18:40 EDT
1,2 your right, I guess I should have gone home earlied,  To much selinux policy
work :^(
Should be soundd_var_run_t

3.  What about the actual pid file?

4, Ok  removed.

Comment 12 Ken YANG 2007-08-21 22:40:44 EDT
i know the merge work of policy is huge, so many details you must 
carry with. i hope i can help you. 

yes, you are right. 

maybe i have not understand completely what pidfile mean.

i search policy source, i found most pidfile(call files_pid_file()) 
are *_var_run_t(socket file), or real pid file(e.g. auditd.pid). 

so i guess what the term "pidfile" mean is: pidfile are all files 
which only belong to current process.

is my guess right?
Comment 13 Daniel Walsh 2007-08-22 08:52:22 EDT
Yes, I think it is poorly named.  This function is for all files/dir/sockets
created in var_run.  Usually this is only the pid file.

Note You need to log in before you can comment on or make changes to this bug.