Red Hat Bugzilla – Bug 428499
add cyphesis policy
Last modified: 2008-02-26 16:22:31 EST
Description of problem:
For the last couple of Fedora releases, the cyphesis game server has shipped
with its own selinux policy module in a 'cyphesis-selinux' subpackage. Since
the policy has not changed much lately, it should be stable enough to include in
the core selinux-policy package.
Attached is a patch to selinux-policy for adding the cyphesis policy. In
addition, selinux-policy should 'Obsoletes: cyphesis-selinux'.
This is my first attempt at creating a patch for the selinux base policy, so I
may have missed a few places that needed to be changed. Even so, this patch did
work on the one rawhide system I tested it on.
Created attachment 291453
Patch to add cyphesis policy
Created attachment 291618
Updated patch for Rawhide/Fedora 8
I have updated the patch with some internal "DAN" questions.
You should send this patch upstream for approval.
To respond to your questions:
# DAN> What is cyphesis looking for in /bin?
According to strace, it's looking for /usr/bin/python. cyphesis has an embedded
python interpreter for plugin modules, but I would expect it only needs to load
the python shared lib, not access the python binary itself. I'll follow up with
upstream to clarify.
# DAN > Does cyphesis really create a sock_file in /tmp? Why?
It creates a socket in /var/tmp/cyphesis.sock. This is used by administrative
tools to manipulate the game world interactively. If there's a better place to
put such sockets, then I can work with upstream to change this.
# DAN Do you really need this [communication with the metaserver]?
It's certainly not required for normal operation to publish the server info to
the metaserver, but we do want to leave the option open so that clients that use
the metaserver can find our local server instance.
I don't like any application that runs as root to use /tmp. This directory is
under the full control of the user. In the past, coding mistakes in root
applications have led to root exploits via the use of the tmp directories. I
prefer daemon apps that need to communicate with user apps to use
/var/run/APPNAME/ directories and then set the sock_file world writable.
The other stuff looks fine. I am not sure you have enough allow rules to
actually communicate with the metaserver.
But pass this upstream to get it into the upstream policy.
(In reply to comment #4)
> I don't like any application that runs as root to use /tmp. This directory is
> under the full control of the user. In the past, coding mistakes in root
> applications have led to root exploits via the use of the tmp directories. I
> prefer daemon apps that need to communicate with user apps to use
> /var/run/APPNAME/ directories and then set the sock_file world writable.
cyphesis runs as the 'cyphesis' user, not root. Nevertheless, I'll open a bug
to move the socket to /var/run/cyphesis instead of using /var/tmp.
> The other stuff looks fine. I am not sure you have enough allow rules to
> actually communicate with the metaserver.
It has worked in the past, but I'll double check it just to make sure.
> But pass this upstream to get it into the upstream policy.
In this case, Fedora is upstream for the selinux policy. The upstream cyphesis
developers have not yet included any selinux policy files into the cyphesis
source tarballs. Or do you mean pass it to the upstream at
Added in selinux-policy-3.3.1-4.fc9
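The socket placement recommended in comment #4 (a daemon-owned /var/run/APPNAME/ directory holding a world-writable sock_file), sketched as an added example; it is not code from cyphesis or from anyone in this thread. The function names are hypothetical, and the directory is assumed to be created by the package or init script and owned by the daemon's user.

```python
import os
import socket
import stat


def check_runtime_dir(path, owner_uid):
    """Refuse a socket directory that other users could tamper with."""
    st = os.lstat(path)  # lstat: a symlink planted at this path is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a real directory")
    if st.st_uid != owner_uid:
        raise PermissionError(f"{path}: not owned by uid {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: writable by group or others")


def bind_admin_socket(run_dir, name="cyphesis.sock"):
    """Bind a Unix socket in a daemon-owned directory, then open it to clients."""
    check_runtime_dir(run_dir, os.geteuid())
    sock_path = os.path.join(run_dir, name)
    try:
        # Remove only a stale socket left by a previous run; any other
        # file type at this path is unexpected and is treated as an error.
        if stat.S_ISSOCK(os.lstat(sock_path).st_mode):
            os.unlink(sock_path)
        else:
            raise PermissionError(f"{sock_path}: exists and is not a socket")
    except FileNotFoundError:
        pass
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    # Only the socket itself is world-writable; the directory stays
    # writable by the daemon alone, so clients cannot replace the socket.
    os.chmod(sock_path, 0o666)
    srv.listen(5)
    return srv, sock_path
```

Under SELinux the directory and socket would additionally need their own file contexts and allow rules in the policy; this sketch covers only the filesystem permissions.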