[refpolicy] [PATCH/RFC 2/2] Add minidlna policy

Dominick Grift dominick.grift at gmail.com
Wed May 1 15:12:09 EDT 2013


On Wed, 2013-05-01 at 20:38 +0200, Sven Vermeulen wrote:
> The minidlna policy allows the minidlna server to listen on the ssdp and trivnet1
> ports (ssdp is for the discovery, trivnet1 for serving the files) and serve
> files marked as public_t.
> 
> If minidlna_read_generic_user_content is set, the server can also be used to
> serve user content.

Some comments in-line

> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  minidlna.fc | 11 +++++++
>  minidlna.if | 64 +++++++++++++++++++++++++++++++++++++++
>  minidlna.te | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 174 insertions(+)
>  create mode 100644 minidlna.fc
>  create mode 100644 minidlna.if
>  create mode 100644 minidlna.te
> 
> diff --git a/minidlna.fc b/minidlna.fc
> new file mode 100644
> index 0000000..05ad732
> --- /dev/null
> +++ b/minidlna.fc
> @@ -0,0 +1,11 @@
> +/etc/rc\.d/init\.d/minidlna	--	gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
> +
> +/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_etc_t,s0)

Can we use type minidlna_conf_t instead for consistency?

> +
> +/usr/sbin/minidlna	--	gen_context(system_u:object_r:minidlna_exec_t,s0)
> +
> +/var/lib/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_db_t,s0)

Can we add support for /var/cache/minidlna(/.*)? as well for Fedora? (Fedora
installs the /var/cache/minidlna dir instead for this content.)

> +
> +/var/log/minidlna\.log	--	gen_context(system_u:object_r:minidlna_log_t,s0)

This daemon runs as root on gentoo?

Can we do /var/log/minidlna.log.* instead? (in case someone uses
logrotate to maintain the log files)

Also add support for /var/log/minidlna(/.*)? as well for Fedora?
( Fedora installs the /var/log/minidlna dir instead )

> +
> +/var/run/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_var_run_t,s0)
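Review bot: the `/var/log/minidlna\.log` entry with `--` matches only that one regular file, so rotated copies (`minidlna.log.1`, `minidlna.log.*`) are not covered and a relabel would drop them back to the generic log type; a pattern such as `/var/log/minidlna\.log.*  --  gen_context(system_u:object_r:minidlna_log_t,s0)` keeps them under minidlna_log_t. The same applies to `/var/lib/minidlna(/.*)?`: minidlna.te transitions that directory into minidlna_db_t via files_var_lib_filetrans, so the .fc entry and the filetrans should agree on whether the package installs the directory or the daemon creates it.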
> diff --git a/minidlna.if b/minidlna.if
> new file mode 100644
> index 0000000..d27f634
> --- /dev/null
> +++ b/minidlna.if
> @@ -0,0 +1,64 @@
> +## <summary>MiniDLNA server</summary>

Gimme a break ;)

Please use something a little more descriptive:

MiniDLNA lightweight DLNA/UPnP media server.

> +
> +########################################
> +## <summary>
> +##	All of the rules required to
> +##	administrate an minidlna environment.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`minidlna_admin',`
> +	gen_require(`
> +		type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
> +		type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
> +	')
> +
> +	allow $1 minidlna_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, minidlna_t)
> +
> +	minidlna_initrc_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 minidlna_initrc_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_search_etc($1)
> +	admin_pattern($1, minidlna_etc_t)
> +
> +	logging_search_logs($1)
> +	admin_pattern($1, minidlna_log_t)
> +
> +	files_search_var_lib($1)
> +	admin_pattern($1, minidlna_db_t)
> +
> +	files_search_pids($1)
> +	admin_pattern($1, minidlna_var_run_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute minidlna init scripts in
> +##	the initrc domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`minidlna_initrc_domtrans',`
> +	gen_require(`
> +		type minidlna_initrc_exec_t;
> +	')
> +
> +	init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
> +')
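Review bot: the doc comment on minidlna_admin reads "administrate an minidlna environment"; it should be "a minidlna environment", and the interface summaries are what end up in the generated documentation, so they are worth getting right. The gen_require lists minidlna_initrc_exec_t although minidlna_admin never references it directly (the init-script transition goes through minidlna_initrc_domtrans, which requires it itself); the role_transition line does use it, so keep it, but minidlna_var_run_t and minidlna_db_t should stay as well since admin_pattern expands to rules on them.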
> diff --git a/minidlna.te b/minidlna.te
> new file mode 100644
> index 0000000..06ab1c9
> --- /dev/null
> +++ b/minidlna.te
> @@ -0,0 +1,99 @@
> +policy_module(minidlna, 0.1)
> +
> +#############################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +##	<p>
> +##	Allow minidlna to read generic user content

Determine whether Minidlna can read generic user content. (I am trying
to be consistent)

> +##	</p>
> +## </desc>
> +gen_tunable(minidlna_read_generic_user_content, false)
> +
> +type minidlna_t;
> +type minidlna_exec_t;
> +init_daemon_domain(minidlna_t, minidlna_exec_t)
> +
> +type minidlna_initrc_exec_t;
> +init_script_file(minidlna_initrc_exec_t)
> +
> +type minidlna_etc_t;
> +files_config_file(minidlna_etc_t)
> +
> +type minidlna_log_t;
> +logging_log_file(minidlna_log_t)
> +
> +type minidlna_db_t;
> +files_type(minidlna_db_t)
> +
> +type minidlna_var_run_t;
> +files_pid_file(minidlna_var_run_t)
> +
> +###############################################
> +#
> +# Local policy
> +#
> +
> +allow minidlna_t self:process { setsched };

No need for brace expansion here (nothing to expand)

> +allow minidlna_t self:tcp_socket create_stream_socket_perms;
> +allow minidlna_t self:udp_socket { create_socket_perms node_bind };

What's the node_bind permission doing there?

> +allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;

Are you sure it needs to write the routing table? (show me the avc
denials)

> +allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };

Need support for adding dir entries to minidlna_log_t dirs (Fedora
installs /var/log/minidlna dir)

> +allow minidlna_t minidlna_etc_t:file read_file_perms;
> +
> +manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)

Are you saying that it does not actually install /var/lib/minidlna?
This can probably be done cleaner (use permission sets where possible
instead of patterns)

> +
> +manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> +rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)

A permission set is cleaner.

> +files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
> +
> +kernel_read_fs_sysctls(minidlna_t)
> +kernel_read_system_state(minidlna_t)
> +logging_log_filetrans(minidlna_t, minidlna_log_t, file)

This needs to go up (to where the other logging rules are)

> +
> +corecmd_exec_bin(minidlna_t)
> +corecmd_exec_shell(minidlna_t)
> +
> +corenet_all_recvfrom_netlabel(minidlna_t)
> +corenet_all_recvfrom_unlabeled(minidlna_t)
> +
> +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> +
> +corenet_tcp_bind_generic_node(minidlna_t)
> +corenet_tcp_sendrecv_generic_if(minidlna_t)
> +corenet_tcp_sendrecv_generic_node(minidlna_t)
> +
> +corenet_udp_bind_generic_node(minidlna_t)
> +corenet_udp_bind_ssdp_port(minidlna_t)
> +
> +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> +corenet_tcp_bind_trivnet1_port(minidlna_t)
> +
> +files_read_etc_files(minidlna_t)

Which file is that? /etc/nsswitch.conf?

> +
> +miscfiles_read_localization(minidlna_t)
> +miscfiles_read_public_files(minidlna_t)
> +
> +tunable_policy(`minidlna_read_generic_user_content',`
> +	userdom_list_user_tmp(minidlna_t)
> +	userdom_read_user_home_content_files(minidlna_t)
> +	userdom_read_user_home_content_symlinks(minidlna_t)
> +	userdom_read_user_tmp_files(minidlna_t)
> +	userdom_read_user_tmp_symlinks(minidlna_t)
> +',`
> +	files_dontaudit_list_home(minidlna_t)
> +	files_dontaudit_list_tmp(minidlna_t)
> +
> +	userdom_dontaudit_list_user_home_dirs(minidlna_t)
> +	userdom_dontaudit_list_user_tmp(minidlna_t)
> +	userdom_dontaudit_read_user_home_content_files(minidlna_t)
> +	userdom_dontaudit_read_user_tmp_files(minidlna_t)
> +')
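Review bot: `files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)` only relabels a file created directly under /var/run, yet minidlna.fc labels the whole `/var/run/minidlna(/.*)?` tree; if the daemon (or its init script running as minidlna_t) creates /var/run/minidlna itself, the directory gets the generic pid type and the manage_files_pattern/rw_dirs_pattern rules on minidlna_var_run_t never apply. Either pass `{ dir file }` to the filetrans and grant dir creation on minidlna_var_run_t, or state in the commit message that the directory is shipped by the package. The same question applies to the minidlna_log_t rules, which cover only the file class while the .fc and the Fedora layout mentioned above imply a log directory.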