Helper program for a daemon

Al Pacifico adpacifico at users.sourceforge.net
Wed Apr 18 20:56:44 UTC 2007


I (a greenhorn with selinux) am writing a policy for a daemon that streams
music files over my home network to a music player client (a Slimdevices
Squeezebox). My OS is FC5.

The main daemon (/usr/sbin/slimserver) is a perl script that serves the
music files and is started with an init script. My questions have to do with
a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that
scans the music on the server, reading mp3 tags and such, and generates a
database of stored music that is stored in a MySQL database.
/usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon
and might be invoked by the user (although I can't recall ever doing so in
several years of owning a Squeezebox).

I've been following the example posted by Dan Walsh in a blog at
http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
extremely helpful.

My (2) questions:
1. What is the appropriate file context for the scanner program?
system_u:object_r:sbin_t?
system_u:object_r:slimserver_t?
system_u:object_r:slimserver_exec_t?

The generated slimserver.fc file contains:
# slimserver executable will have:
# label: system_u:object_r:slimserver_exec_t
# MLS sensitivity: s0
# MCS categories: <none>

/usr/sbin/slimserver            --      gen_context(system_u:object_r:slimserver_exec_t,s0)
/var/run/slimserver.pid                 gen_context(system_u:object_r:slimserver_var_run_t,s0)
/var/log/slimserver                     gen_context(system_u:object_r:slimserver_var_log_t,s0)

and the slimserver.if file contains:
interface(`slimserver_domtrans',`
        gen_require(`
                type slimserver_t, slimserver_exec_t;
        ')

        domain_auto_trans($1,slimserver_exec_t,slimserver_t)

        allow $1 slimserver_t:fd use;
        allow slimserver_t $1:fd use;
        allow slimserver_t $1:fifo_file rw_file_perms;
        allow slimserver_t $1:process sigchld;
')

2. There is no reason for the scanner program to be added to the
slimserver.fc that was generated by policygentool, is there? The file
itself just needs to be labeled appropriately, right? Or does that file
play some role in policy compilation in a step that I did not explicitly
execute when I invoked 'make -f /usr/share/selinux/devel/Makefile'?

Thanks in advance.
-al
-- 
Al Pacifico
Seattle, WA