Helper program for a daemon
Jan-Frode Myklebust
janfrode at tanso.net
Wed Apr 18 22:25:07 UTC 2007
On 2007-04-18, Al Pacifico <adpacifico at users.sourceforge.net> wrote:
> I (a greenhorn with selinux) am writing a policy for a daemon that streams
> music files over my home network to a music player client (a Slimdevices
> Squeezebox). My OS is FC5.
Cool, I have a Squeezebox too, and slimserver running on Centos5.
>
> I've been following the example posted by Dan Walsh in a blog at
> http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> extremely helpful.
Have a look at my venture into selinux-land too :-)
Chronologically:
http://tanso.net/selinux/
http://tanso.net/selinux/argus/
http://tanso.net/selinux/argus/argus-from-scratch/
> My (2) questions:
> 1. What is the appropriate file context for the scanner program?
> system_u:object_r:sbin_t?
> system_u:object_r:slimserver_t?
> system_u:object_r:slimserver_exec_t?
I believe the scanner is executed from the web-server process (there's a
scan-now link, or similar). So, my guess would be that you should make
the main slimserver script that's supposed to transition into slimserver_t
slimserver_exec_t, while the scanner should be slimserver_t.
If you make it sbin_t or bin_t, it will mean that you'll need to
give the main slimserver access to execute all files of type (s)bin_t.
It will probably be interesting to see how much it's possible to
confine a perl-script like the slimserver. Without looking, I'd
assume it'd need to exec lots of bin_t executables..
>
> 2. There is no reason to add the scanner program to slimserver.fc that
> was generated by policygentool, is there? The file itself just needs to
> be labeled appropriately, right?
I think you'll want to add the scanner to slimserver.fc to make sure
the labeling gets correct on the next re-label or slimserver upgrade.
-jf