Description of problem: For the last couple of Fedora releases, the cyphesis game server has shipped with its own selinux policy module in a 'cyphesis-selinux' subpackage. Since the policy has not changed much lately, it should be stable enough to include in the core selinux-policy package. Attached is a patch to selinux-policy for adding the cyphesis policy. In addition, selinux-policy should 'Obsoletes: cyphesis-selinux'. This is my first attempt at creating a patch for the selinux base policy, so I may have missed a few places that needed to be changed. Even so, this patch did work on the one rawhide system I tested it on.
Created attachment 291453: Patch to add cyphesis policy
Created attachment 291618: Updated patch for Rawhide/Fedora 8

I have updated the patch with some internal "DAN" questions. You should send this patch upstream for approval.
To respond to your questions:

# DAN> What is cyphesis looking for in /bin?

According to strace, it's looking for /usr/bin/python. cyphesis has an embedded python interpreter for plugin modules, but I would expect it only needs to load the python shared lib, not access the python binary itself. I'll follow up with upstream to clarify.

# DAN> Does cyphesis really create a sock_file in /tmp? Why?

It creates a socket in /var/tmp/cyphesis.sock. This is used by administrative tools to manipulate the game world interactively. If there's a better place to put such sockets, then I can work with upstream to change this.

# DAN> Do you really need this [communication with the metaserver]?

It's certainly not required for normal operation to publish the server info to the metaserver, but we do want to leave the option open so that clients that use the metaserver can find our local server instance.
I don't like any application that runs as root to use /tmp. This directory is under the full control of the user. In the past, coding mistakes in root applications have led to root exploits via the use of the tmp directories. I prefer daemon apps that need to communicate with user apps to use /var/run/APPNAME/ directories and then set the sock_file world writable. The other stuff looks fine. I am not sure you have enough allow rules to actually communicate with the metaserver. But pass this upstream to get it into the upstream policy.
(In reply to comment #4)
> I don't like any application that runs as root to use /tmp. This directory is
> under the full control of the user. In the past coding mistakes in root
> applications have led to root exploits via the use of the tmp directories. I
> prefer daemon apps that need to communicate with user apps, to use
> /var/run/APPNAME/ directories and then set the sock_file world writable.

cyphesis runs as the 'cyphesis' user, not root. Nevertheless, I'll open a bug to move the socket to /var/run/cyphesis instead of using /var/tmp.

> The other stuff looks fine. I am not sure you have enough allow rules to
> actually communicate with the metaserver.

It has worked in the past, but I'll double check it just to make sure.

> But pass this upstream to get it into the upstream policy.

In this case, Fedora is upstream for the selinux policy. The upstream cyphesis developers have not yet included any selinux policy files into the cyphesis source tarballs. Or do you mean pass it to the upstream at serefpolicy.sourceforge.net?
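As an added illustration of the /var/run/APPNAME pattern recommended in comment #4 (this is not the attached patch and not the cyphesis project's own policy): reference-policy fragments that label /var/run/cyphesis, let the daemon create its socket there, and expose a single interface for the domain of an admin tool to connect. The type names cyphesis_t and cyphesis_var_run_t are assumed; the real patch may use different names.

```selinux
# --- cyphesis.fc: everything under /var/run/cyphesis gets the runtime label ---
/var/run/cyphesis(/.*)?		gen_context(system_u:object_r:cyphesis_var_run_t,s0)

# --- cyphesis.te: declarations and daemon-side rules ---
type cyphesis_t;               # assumed: the server's process domain
type cyphesis_var_run_t;       # assumed: label for /var/run/cyphesis and its socket
files_pid_file(cyphesis_var_run_t)

# The daemon may create/remove its runtime directory and socket file ...
manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
# ... and anything it creates directly under /var/run is labelled
# cyphesis_var_run_t automatically, so no restorecon is needed at start-up.
files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir sock_file })

# Note: there is no rule granting cyphesis_t anything on tmp_t here. The
# world-writable mode on the socket (DAC) is still set by the daemon; SELinux
# decides which domains may connect at all via the interface below.

# --- cyphesis.if: client-side interface for other modules (e.g. an admin tool) ---
interface(`cyphesis_stream_connect',`
	gen_require(`
		type cyphesis_t, cyphesis_var_run_t;
	')

	# traverse /var/run, write to the sock_file, connectto the daemon's socket
	files_search_pids($1)
	stream_connect_pattern($1, cyphesis_var_run_t, cyphesis_var_run_t, cyphesis_t)
')
```

With the socket under /var/run/cyphesis, a leftover file planted in /var/tmp by an unprivileged user is neither labelled cyphesis_var_run_t nor reachable through this interface, which is the exposure comment #4 is pointing at.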
Yes, serefpolicy.sourceforge.net
Added in selinux-policy-3.3.1-4.fc9