Selinux policy for beanstalkd

Dominick Grift domg472 at gmail.com
Mon Jan 18 17:28:46 UTC 2010


On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
> Hi list,
> 
> I haven't written an selinux module before, so to start simple I
> created one for beanstalkd, since we use this a lot.
> 
> I'm running into one issue though:
> 
> beanstalkd has the ability to create binary log files in
> /var/lib/beanstalkd/binlog.
> This directory doesn't exist by default, but it is created in the init script.
> 
> Starting up beanstalkd creates an AVC denial:
> type=AVC msg=audit(1263749015.682:199): avc:  denied  { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
> type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770 a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
> 
> How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?

Ask whoever packaged it to install the directory instead of letting the
init script create it.

Your beanstalkd_admin could use:

files_search_var_lib($1)
admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)

You will need to require the beanstalkd_var_lib_t type as well.

Other than that, looks good to me.

> Here's my policy:
> 
> [root at ruben ~]# cat beanstalkd.fc
> /usr/bin/beanstalkd             --      gen_context(system_u:object_r:beanstalkd_exec_t,s0)
> /etc/rc\.d/init\.d/beanstalkd   --      gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
> /var/lib/beanstalkd(/.*)?               gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
> 
> [root at ruben ~]# cat beanstalkd.te
> policy_module(beanstalkd,1.0.0)
> 
> ########################################
> #
> # Declarations
> #
> 
> type beanstalkd_t;
> type beanstalkd_exec_t;
> init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)
> 
> type beanstalkd_initrc_exec_t;
> init_script_file(beanstalkd_initrc_exec_t)
> 
> type beanstalkd_var_lib_t;
> files_type(beanstalkd_var_lib_t)
> 
> ########################################
> #
> # beanstalkd local policy
> #
> 
> allow beanstalkd_t self:capability { dac_override setgid setuid };
> allow beanstalkd_t self:process { fork setrlimit };
> allow beanstalkd_t self:tcp_socket create_stream_socket_perms;
> 
> manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
> files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, file)
> 
> corenet_tcp_sendrecv_generic_if(beanstalkd_t)
> corenet_tcp_sendrecv_generic_node(beanstalkd_t)
> corenet_tcp_sendrecv_all_ports(beanstalkd_t)
> corenet_tcp_bind_generic_node(beanstalkd_t)
> 
> # FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
> corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
> 
> 
> fs_dontaudit_getattr_all_fs(beanstalkd_t)
> 
> domain_use_interactive_fds(beanstalkd_t)
> 
> auth_use_nsswitch(beanstalkd_t)
> 
> [root at ruben ~]# cat beanstalkd.if
> 
> ## <summary>policy for beanstalkd</summary>
> 
> ########################################
> ## <summary>
> ##	Execute a domain transition to run beanstalkd.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ##	Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`beanstalkd_domtrans',`
> 	gen_require(`
> 		type beanstalkd_t, beanstalkd_exec_t;
> 	')
> 
> 	domtrans_pattern($1, beanstalkd_exec_t, beanstalkd_t)
> ')
> 
> 
> ########################################
> ## <summary>
> ##	Execute beanstalkd server in the beanstalkd domain.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	The type of the process performing this action.
> ##	</summary>
> ## </param>
> #
> interface(`beanstalkd_initrc_domtrans',`
> 	gen_require(`
> 		type beanstalkd_initrc_exec_t;
> 	')
> 
> 	init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
> ')
> 
> ########################################
> ## <summary>
> ##	All of the rules required to administrate
> ##	a beanstalkd environment
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> ## <param name="role">
> ##	<summary>
> ##	Role allowed access.
> ##	</summary>
> ## </param>
> ## <rolecap/>
> #
> interface(`beanstalkd_admin',`
> 	gen_require(`
> 		type beanstalkd_t, beanstalkd_initrc_exec_t;
> 	')
> 
> 	allow $1 beanstalkd_t:process { ptrace signal_perms getattr };
> 	read_files_pattern($1, beanstalkd_t, beanstalkd_t)
> 
> 	beanstalkd_initrc_domtrans($1)
> 	domain_system_change_exemption($1)
> 	role_transition $2 beanstalkd_initrc_exec_t system_r;
> 	allow $2 system_r;
> ')
> 
> Kind regards,
> 
> Ruben Kerkhof
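As an added example (not code from the thread or from the beanstalkd or refpolicy projects), the following Python script parses the AVC and SYSCALL records Ruben quoted, correlates them by audit event id, and reports which source domain was denied which permission on which target type. The sample records are the ones from the mail above, re-joined onto single lines; the `GENERIC_TYPES` list is an assumption of this example, used to flag the point Dominick makes: a denial against a generic container type such as `var_lib_t` means the object was never given its private label (here, because the init script creates the directory instead of the package shipping it), so the fix belongs in labelling or packaging rather than in a new allow rule.

```python
import re
from collections import defaultdict

# Sample input: the two audit records from the thread, re-joined onto single
# lines (the mail client wrapped them). Constructed for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1263749015.682:199): avc:  denied  { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770 a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
"""

# Assumption of this example: refpolicy container types that a daemon's
# private files should never carry. A denial against one of these usually
# means the object is missing its private label, not that policy is too tight.
GENERIC_TYPES = {"var_lib_t", "var_t", "var_run_t", "etc_t", "tmp_t", "var_log_t"}

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<rest>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$")
# key=value pairs; values may be quoted ("mkdir"), parenthesised ((null)) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        rtype, event, rest = m.group("type"), m.group("event"), m.group("rest")
        if rtype == "AVC":
            a = AVC_RE.match(rest)
            if not a:
                continue
            fields = parse_kv(a.group("rest"))
            fields["result"] = a.group("result")
            fields["perms"] = a.group("perms").split()
        else:
            fields = parse_kv(rest)
        events[event][rtype] = fields
    return dict(events)


def context_type(ctx):
    """Extract the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def summarize(event):
    """Reduce one correlated event to the fields a policy author needs."""
    avc = event["AVC"]
    syscall = event.get("SYSCALL", {})
    source, target = context_type(avc["scontext"]), context_type(avc["tcontext"])
    return {
        "source_type": source,
        "target_type": target,
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "comm": avc.get("comm"),
        "exe": syscall.get("exe"),
        # True when the denied object carries a container type rather than a
        # private one: a labelling/packaging problem, not a missing allow rule.
        "generic_target": target in GENERIC_TYPES,
    }


def analyse(text):
    """Parse audit text and summarize every event that carries an AVC record."""
    return {eid: summarize(ev) for eid, ev in parse_audit(text).items() if "AVC" in ev}


if __name__ == "__main__":
    for eid, s in analyse(SAMPLE_AUDIT).items():
        print(f"[{eid}] {s['source_type']} denied {{ {' '.join(s['perms'])} }} "
              f"on {s['tclass']} of type {s['target_type']} (exe={s['exe']})")
        if s["generic_target"]:
            print("  target has a generic type: label the object (file context or "
                  "filetrans) or ship it in the package instead of allowing the access")
```

Run against a copy of `/var/log/audit/audit.log` (or `ausearch -m avc` output) the script prints one line per denial; for the record above it reports that `initrc_t` was denied `create` on a `dir` of type `var_lib_t`, with the generic-type hint, which matches the advice in the reply to have the directory installed with its `beanstalkd_var_lib_t` label rather than created by the init script.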

