<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html; charset=ISO-8859-1"
 http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
On 01/18/2010 06:28 PM, Dominick Grift wrote:
<blockquote cite="mid:4B549A4E.2090507@gmail.com" type="cite">
  <pre wrap="">On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
  </pre>
  <blockquote type="cite">
    <pre wrap="">Hi list,

I haven't written an selinux module before, so to start simple I
created one for beanstalkd, since we use this a lot.

I'm running into one issue though:

beanstalkd has the ability to create binary log files in
/var/lib/beanstalkd/binlog.
This directory doesn't exist by default, but it is created in the init script.

Starting up beanstalkd creates an AVC denial:
type=AVC msg=audit(1263749015.682:199): avc:  denied  { create } for
pid=2163 comm="mkdir" name="beanstalkd"
scontext=unconfined_u:system_r:initrc_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83
success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770
a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir"
exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
    </pre>
  </blockquote>
  <pre wrap="">
Ask whoever packaged it to install the directory instead of letting the
init script create it.

Your beanstalk_admin could use a:

files_search_var_lib($1)
admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)

You will need to require the beanstalkd_var_lib_t type as well

Other than that, looks good to me.

  </pre>
  <blockquote type="cite">
    <pre wrap="">Here's my policy:

[root@ruben ~]# cat beanstalkd.fc
/usr/bin/beanstalkd             --      gen_context(system_u:object_r:beanstalkd_exec_t,s0)
/etc/rc\.d/init\.d/beanstalkd   --      gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
/var/lib/beanstalkd(/.*)?               gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)

[root@ruben ~]# cat beanstalkd.te
policy_module(beanstalkd,1.0.0)

########################################
#
# Declarations
#

type beanstalkd_t;
type beanstalkd_exec_t;
init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)

type beanstalkd_initrc_exec_t;
init_script_file(beanstalkd_initrc_exec_t)

type beanstalkd_var_lib_t;
files_type(beanstalkd_var_lib_t)

########################################
#
# beanstalkd local policy
#

allow beanstalkd_t self:capability { dac_override setgid setuid };
allow beanstalkd_t self:process { fork setrlimit };
allow beanstalkd_t self:tcp_socket create_stream_socket_perms;

manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, file)

corenet_tcp_sendrecv_generic_if(beanstalkd_t)
corenet_tcp_sendrecv_generic_node(beanstalkd_t)
corenet_tcp_sendrecv_all_ports(beanstalkd_t)
corenet_tcp_bind_generic_node(beanstalkd_t)

# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)


fs_dontaudit_getattr_all_fs(beanstalkd_t)

domain_use_interactive_fds(beanstalkd_t)

auth_use_nsswitch(beanstalkd_t)

[root@ruben ~]# cat beanstalkd.if

## &lt;summary&gt;policy for beanstalkd&lt;/summary&gt;

########################################
## &lt;summary&gt;
##        Execute a domain transition to run beanstalkd.
## &lt;/summary&gt;
## &lt;param name="domain"&gt;
## &lt;summary&gt;
##        Domain allowed to transition.
## &lt;/summary&gt;
## &lt;/param&gt;
#
interface(`beanstalkd_domtrans',`
        gen_require(`
                type beanstalkd_t, beanstalkd_exec_t;
        ')

        domtrans_pattern($1, beanstalkd_exec_t, beanstalkd_t)
')


########################################
## &lt;summary&gt;
##        Execute beanstalkd server in the beanstalkd domain.
## &lt;/summary&gt;
## &lt;param name="domain"&gt;
##        &lt;summary&gt;
##        The type of the process performing this action.
##        &lt;/summary&gt;
## &lt;/param&gt;
#
interface(`beanstalkd_initrc_domtrans',`
        gen_require(`
                type beanstalkd_initrc_exec_t;
        ')

        init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
')

########################################
## &lt;summary&gt;
##        All of the rules required to administrate
##        a beanstalkd environment
## &lt;/summary&gt;
## &lt;param name="domain"&gt;
##        &lt;summary&gt;
##        Domain allowed access.
##        &lt;/summary&gt;
## &lt;/param&gt;
## &lt;param name="role"&gt;
##        &lt;summary&gt;
##        Role allowed access.
##        &lt;/summary&gt;
## &lt;/param&gt;
## &lt;rolecap/&gt;
#
interface(`beanstalkd_admin',`
        gen_require(`
                type beanstalkd_t, beanstalkd_initrc_exec_t;
        ')

        allow $1 beanstalkd_t:process { ptrace signal_perms getattr };
        read_files_pattern($1, beanstalkd_t, beanstalkd_t)

        beanstalkd_initrc_domtrans($1)
        domain_system_change_exemption($1)
        role_transition $2 beanstalkd_initrc_exec_t system_r;
        allow $2 system_r;
')

Kind regards,

Ruben Kerkhof
    </pre>
  </blockquote>
</blockquote>
<pre wrap=""># FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)</pre>
<br>
Just for information, there is a workaround for this. You can add the
following statements to your beanstalkd local policy:<br>
<br>
----<br>
<br>
type beanstalkd_port_t;<br>
corenet_port(beanstalkd_port_t)<br>
<br>
allow beanstalkd_t beanstalkd_port_t:tcp_socket name_bind;<br>
<br>
----<br>
<br>
Then compile and load your policy module and execute:<br>
<br>
# semanage port -a -t beanstalkd_port_t -p tcp 11300
<blockquote cite="mid:4B549A4E.2090507@gmail.com" type="cite">
  <blockquote type="cite">
    <pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a>
    </pre>
  </blockquote>
  <pre wrap="">

  </pre>
  <pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
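<p>As an added example (not code from the thread, from beanstalkd or from its packaging), the following Python script parses audit records in the format Ruben quoted above, pairs each AVC record with its SYSCALL record by audit serial, and prints the allow rule a tool like audit2allow would propose for it. The first two audit lines are Ruben's, rejoined onto one line each as auditd writes them; the third is a constructed denial standing in for the port-binding case discussed above (beanstalkd_t binding tcp/11300 with no dedicated port type), with an invented pid, timestamp and serial. Seeing the literal rule makes the point of the replies: the mechanical fix for the first denial is <code>allow initrc_t var_lib_t:dir { create };</code>, which is broader than either reply recommends, and for the port case it would be a bind on <code>unreserved_port_t</code> rather than a dedicated <code>beanstalkd_port_t</code>.</p>

```python
"""Parse SELinux AVC records and derive the allow rule each denial implies.

Added example; it is not code from the thread. The first two audit lines
are the AVC and SYSCALL records Ruben quoted, rejoined onto one line each
as auditd writes them. The third AVC line is constructed to stand for the
port-binding denial discussed later in the thread (beanstalkd on tcp/11300
with no dedicated port type); its pid, timestamp and serial are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1263749015.682:199): avc:  denied  { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770 a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1263749100.001:205): avc:  denied  { name_bind } for pid=2200 comm="beanstalkd" src=11300 scontext=system_u:system_r:beanstalkd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

# Every audit record starts with its type and an audit(timestamp:serial) id;
# records sharing a serial belong to the same event (here: one syscall).
RECORD_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)"
)
# The AVC body: verdict, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; a value is either a quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'pid=2163 comm="mkdir" ...' into a dict with the quotes stripped."""
    return {key: value.strip('"') for key, value in KV_RE.findall(text)}


@dataclass
class AvcEvent:
    serial: str
    verdict: str
    perms: List[str]
    fields: Dict[str, str]                    # pid, comm, scontext, tcontext, tclass, ...
    syscall: Dict[str, str] = field(default_factory=dict)  # matching SYSCALL record, if seen

    @property
    def source_type(self) -> str:
        # A context is user:role:type[:range]; the type is always the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    def allow_rule(self) -> str:
        """The literal rule that would silence this one denial."""
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"

    def describe(self) -> str:
        """One human-readable line, using the SYSCALL record's exe when available."""
        who = self.fields.get("comm", "?")
        exe = self.syscall.get("exe", "?")
        return (f"{self.source_type} {self.verdict} {{ {' '.join(self.perms)} }} on "
                f"{self.target_type}:{self.tclass} (comm={who}, exe={exe})")


def parse_audit_log(text: str) -> List[AvcEvent]:
    """Extract AVC events and attach each one's SYSCALL record by serial."""
    events: List[AvcEvent] = []
    avcs_by_serial: Dict[str, List[AvcEvent]] = {}
    syscalls_by_serial: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        rec = RECORD_RE.match(line.strip())
        if not rec:
            continue                                 # blank or non-audit line
        serial = rec["serial"]
        if rec["type"] == "AVC":
            avc = AVC_RE.match(rec["body"])
            if not avc:
                continue                             # AVC line without a denial body
            ev = AvcEvent(serial, avc["verdict"], avc["perms"].split(), parse_kv(avc["rest"]))
            ev.syscall = syscalls_by_serial.get(serial, {})   # in case SYSCALL came first
            events.append(ev)
            avcs_by_serial.setdefault(serial, []).append(ev)
        elif rec["type"] == "SYSCALL":
            syscalls_by_serial[serial] = parse_kv(rec["body"])
            for ev in avcs_by_serial.get(serial, []):  # SYSCALL normally follows the AVCs
                ev.syscall = syscalls_by_serial[serial]
    return events


def proposed_rules(events: List[AvcEvent]) -> List[str]:
    """Merge denials per (source, target, class) the way audit2allow does."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for ev in events:
        if ev.verdict == "denied":
            merged.setdefault((ev.source_type, ev.target_type, ev.tclass), set()).update(ev.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for ev in evs:
        print(ev.describe())
    print("\n".join(proposed_rules(evs)))
```

<p>Run it as-is to see the two proposed rules, or feed it the output of <code>ausearch -m avc</code> instead of the embedded sample. The rules it prints are what you would get from pasting the denials into audit2allow; the thread's replies are the reminder that such a rule is a starting point for deciding the right label or interface, not the fix itself.</p>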
</body>
</html>