Bug 428499 - add cyphesis policy
add cyphesis policy
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Josef Kubin
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-12 02:31 EST by Wart
Modified: 2008-02-26 16:22 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-26 16:22:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to add cyphesis policy (6.40 KB, patch)
2008-01-12 02:31 EST, Wart
no flags Details | Diff
Updated patch for Rawhide/Fedora 8 (4.55 KB, application/octet-stream)
2008-01-14 14:43 EST, Daniel Walsh
no flags Details

  None (edit)
Description Wart 2008-01-12 02:31:48 EST
Description of problem:
For the last couple of Fedora releases, the cyphesis game server has shipped
with its own selinux policy module in a 'cyphesis-selinux' subpackage.  Since
the policy has not changed much lately, it should be stable enough to include in
the core selinux-policy package.

Attached is a patch to selinux-policy for adding the cyphesis policy.  In
addition, selinux-policy should 'Obsoletes: cyphesis-selinux'.

This is my first attempt at creating a patch for the selinux base policy, so I
may have missed a few places that needed to be changed.  Even so, this patch did
work on the one rawhide system I tested it on.
Comment 1 Wart 2008-01-12 02:31:48 EST
Created attachment 291453 [details]
Patch to add cyphesis policy
Comment 2 Daniel Walsh 2008-01-14 14:43:55 EST
Created attachment 291618 [details]
Updated patch for Rawhide/Fedora 8

I have updated the patch with some internal "DAN" questions.  

You should send this patch upstream for approval.
Comment 3 Wart 2008-01-15 08:33:43 EST
To respond to your questions:

# DAN> What is cyphesis looking for in /bin?

According to strace, it's looking for /usr/bin/python.  cyphesis has an embedded
python interpreter for plugin modules, but I would expect it only needs to load
the python shared lib, not access the python binary itself.  I'll follow up with
upstream to clarify.

# DAN > Does cyphesis really create a sock_file in /tmp?  Why?

It creates a socket in /var/tmp/cyphesis.sock.  This is used by administrative
tools to manipulate the game world interactively.  If there's a better place to
put such sockets, then I can work with upstream to change this.

# DAN  Do you really need this [communication with the metaserver]?

It's certainly not required for normal operation to publish the server info to
the metaserver, but we do want to leave the option open so that clients that use
the metaserver can find our local server instance.
Comment 4 Daniel Walsh 2008-01-15 10:06:31 EST
I don't like any application that runs as root to use /tmp.  This directory is
under the full control of the user.  In the past coding mistakes in root
applications have led to root exploits via the use of the tmp directories.  I
prefer daemon apps that need to communicate with user apps, to use
/var/run/APPNAME/ directories and then set the sock_file world writable.

The other stuff looks fine.  I am not sure you have enough allow rules to
actually communicate with the metaserver.

But pass this upstream to get it into the upstream policy.
Comment 5 Wart 2008-01-15 21:44:42 EST
(In reply to comment #4)
> I don't like any application that runs as root to use /tmp.  This directory is
> under the full control of the user.  In the past coding mistakes in root
> applications have led to root exploits via the use of the tmp directories.  I
> prefer daemon apps that need to communicate with user apps, to use
> /var/run/APPNAME/ directories and then set the sock_file world writable.

cyphesis runs as the 'cyphesis' user, not root.  Nevertheless, I'll open a bug
to move the socket to /var/run/cyphesis instead of using /var/tmp.

> The other stuff looks fine.  I am not sure you have enough allow rules to
> actually communicate with the metaserver.

It has worked in the past, but I'll double check it just to make sure.

> But pass this upstream to get it into the upstream policy.

In this case, Fedora is upstream for the selinux policy.  The upstream cyphesis
developers have not yet included any selinux policy files into the cyphesis
source tarballs.  Or do you mean pass it to the upstream at
serefpolicy.sourceforge.net?
Comment 6 Daniel Walsh 2008-01-16 16:01:06 EST
Yes serefpolicy.sourceforge.net
Comment 7 Daniel Walsh 2008-02-26 16:22:31 EST
Added in selinux-policy-3.3.1-4.fc9

Note You need to log in before you can comment on or make changes to this bug.