[RFC] policy about nas sound server

Daniel J Walsh dwalsh at redhat.com
Wed Aug 1 18:20:38 UTC 2007


Ken YANG wrote:
> Hi all,
>
> I wrote a module for Network Audio System (NAS) in Fedora
> rawhide.
>
> At first, I thought there was no policy for nas, so I wrote one
> from scratch, but after finishing, I found there is a
> soundserver module in policy, so I ported my nas policy
> into this module.
>
> I am not familiar with nas, so I just ran some tests for the
> new soundserver policy, especially some tools in the nas package,
> including:
>
> audemo, audial, auinfo, aupanel, auplay......
>
> IMHO, it seems to work well, and there were not any errors
> about nas in audit messages.
>
>
>   
First I removed soundd_etc_t and replaced it with etc_t.  No reason to create a type for config files, unless you are writing to them, or they have data that you are trying to prevent other confined domains from reading.  Existing soundd policy has this so I am typealiasing in Rawhide.

nasd is creating sockets in /tmp.  This is a bad idea.  It should be moved to /var/run.  This will not work with a polyinstantiated /tmp.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453

domain_type(soundd_t)
domain_entry_file(soundd_t,soundd_exec_t)

Are provided already by

init_daemon_domain(soundd_t,soundd_exec_t)


+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
Includes

+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

You did not give the application the ability to create sound_tmp_t files, so this is not necessary.
+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

I think you need 
manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

Because the /tmp/.socket does not exist beforehand.
And the only thing you are creating is a dir, so your file trans should look like the following.
+files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)

All these rules should change to var_run_t when nasd is fixed to use it.
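
The review comments above, collected into one policy fragment. This is an added example, not part of the original message or the committed policy; the type declarations, files_tmp_file() and the commented-out /var/run variant (including the name soundd_var_run_t and the assumption that nasd keeps the same directory-plus-socket layout) are assumptions. The etc_t alias is left out.

```selinux
# Added example: soundd tmp-socket rules after applying the review comments.

type soundd_t;
type soundd_exec_t;
# init_daemon_domain() already provides domain_type() and
# domain_entry_file(), so neither is declared separately.
init_daemon_domain(soundd_t,soundd_exec_t)

type soundd_tmp_t;
files_tmp_file(soundd_tmp_t)

# nasd first creates a directory under /tmp, so the domain needs to manage
# directories of its own tmp type, and the transition is on "dir" only.
manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)

# The socket is created inside that directory and inherits soundd_tmp_t.
# manage_* already covers delete, so no delete_sock_files_pattern() line
# and no delete_files_pattern() line (no regular files are created).
manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

# Assumed shape once nasd moves its socket to /var/run
# (soundd_var_run_t is an assumed type name):
#
# type soundd_var_run_t;
# files_pid_file(soundd_var_run_t)
# manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
# manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
# files_pid_filetrans(soundd_t, soundd_var_run_t, dir)
```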



