On 4/19/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Al Pacifico wrote:
> > I (a greenhorn with selinux) am writing a policy for a daemon that
> > streams music files over my home network to a music player client (a
> > Slimdevices Squeezebox). My OS is FC5.
> >
> > The main daemon (/usr/sbin/slimserver) is a perl script that serves
> > the music files and is started with an init script. My questions have
> > to do with a secondary program (/usr/sbin/slimserver-scanner, also a
> > perl script) that scans the music on the server, reading mp3 tags and
> > such, and generates a database of stored music that is stored in a
> > MySQL database. /usr/sbin/slimserver-scanner is invoked by the
> > /usr/sbin/slimserver daemon and might be invoked by the user (although
> > I can't recall ever doing so in several years of owning a Squeezebox).
> >
> > I've been following the example posted by Dan Walsh in a blog at
> > http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> > extremely helpful.
> >
> > My (2) questions:
> > 1. What is the appropriate file context for the scanner program?
> > system_u:object_r:sbin_t?
> > system_u:object_r:slimserver_t?
> > system_u:object_r:slimserver_exec_t?
> >
> That depends on your security goals.  If you want the slimserver-scanner
> to have the same privs as slimserver you would label it sbin_t and allow
> slimserver to corecmd_exec_sbin().  If you want to go with least privs,
> you would create a new policy for slimserver-scanner
> (slimserver_scanner_t with file context of slimserver_scanner_exec_t)
> and then add a rule to slimserver_t to domtrans
> slimserver_scanner_domtrans(slimserver_t)

After reviewing the source code to:
1) confirm that slimserver-scanner is intended to be run from the command line as well as by the slimserver daemon
2) see if it logs to the slimserver log
3) determine if it might want to use the network
(to which all three answers were 'yes')
...I tried to use policygentool to create a policy for slimserver-scanner. However, I was stymied by an error.

Here is what happened:
[root@joplin slimserver-scanner]# /usr/share/selinux/devel/policygentool slimserver-scanner /usr/sbin/slimserver-scanner


This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if).  Most of the policy rules
will be written in the te file.  Use the File Context file to associate file
paths with security context.  Use the interface rules to allow other protected
domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package.  Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -l myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages
will be generated.  You can use audit2allow to help translate the avc messages
into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:

If the module uses pidfiles, what is the pidfile called?

If the module uses logfiles, where are they stored?
/var/log/slimserver
If the module has var/lib files, where are they stored?

Does the module have a init script? [yN]
N
Does the module use the network? [yN]
y
[root@joplin slimserver-scanner]# ls
slimserver-scanner.fc  slimserver-scanner.if  slimserver-scanner.te
[root@joplin slimserver-scanner]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted slimserver-scanner module
/usr/bin/checkmodule:  loading policy configuration from tmp/slimserver-scanner.tmp
slimserver-scanner.te:1:ERROR 'syntax error' at token 'slimserver-scanner' on line 59006:
                module slimserver-scanner 1.0.0;
#line 1
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/slimserver-scanner.mod] Error 1

I thought I would display the line containing the error and associated context with the following:
[root@joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed -n '58990,59022p'
 50718  ##      Execute a domain transition to run slimserver-scanner.
 50719  ## </summary>
 50720  ## <param name="domain">
 50721  ## <summary>
 50722  ##      Domain allowed to transition.
 50723  ## </summary>
 50724  ## </param>
 50725  #
 50726
 50727  #line 124172

 50728  #line 1 "slimserver-scanner.te "

 50729  #line 1
 50730
 50731  #line 1
 50732                  module slimserver-scanner 1.0.0;
 50733  #line 1

 50734  #line 1
 50735                  require {
 50736  #line 1
 50737                          role system_r;
 50738  #line 1
 50739
 50740  #line 1
 50741          class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot };
 50742  #line 1
 50743          class process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate };
 50744  #line 1
 50745          class system { ipc_info syslog_read syslog_mod syslog_console };
 50746  #line 1
 50747          class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control };

which does show the line 'module slimserver-scanner 1.0.0;', although the line numbering is inconsistent.

At first, I thought maybe policygentool inspected the context for the /usr/sbin/slimserver-scanner binary and that was the problem. Cursory examination of the source code did not suggest this. Now, I wonder if policygentool is only to be used for daemons. This wasn't stated in any comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5 package.)

Are there any thoughts regarding the nature of the error or suggestions for alternative tools for generating the policy?
-al

--
Al Pacifico
Seattle, WA
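
Added example (not part of the original message or of the policy tools): the numbering mismatch noted in the message comes from `nl`, which by default leaves blank lines unnumbered, so its counter drifts below the physical line 59006 that checkmodule reports. The sketch below prints context with physical line numbers and maps a line back to its source through the preprocessor's `#line` markers; the function names `ctx`, `origin` and `sample` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# ctx FILE LINE [RADIUS]: print LINE +/- RADIUS with physical line numbers.
# awk's NR counts every line, blank ones included, so the numbers agree with
# the "on line N" that checkmodule reports. (Plain `nl` leaves blank lines
# unnumbered; `nl -ba` numbers them all.)
ctx() {
    awk -v n="$2" -v r="${3:-3}" '
        NR >= n - r && NR <= n + r {
            printf "%s%6d  %s\n", (NR == n ? ">" : " "), NR, $0
        }
        NR > n + r { exit }' "$1"
}

# origin FILE LINE: resolve physical LINE to "source:line" using the nearest
# preceding "#line N" or "#line N "file"" marker. A marker means "the next
# line is line N"; a marker without a file name keeps the previous file.
origin() {
    awk -v n="$2" '
        /^#line [0-9]+/ {
            base = $2; at = NR
            if (NF >= 3) { src = $3; gsub(/"/, "", src) }
        }
        NR == n {
            if (src == "") src = "?"
            print src ":" (base + NR - at - 1)
            exit
        }' "$1"
}

# Constructed sample shaped like the excerpt of tmp/slimserver-scanner.tmp.
sample() {
    printf '%s\n' '## </param>' '#' '' '#line 124172' '' \
        '#line 1 "slimserver-scanner.te"' '' '#line 1' '' '#line 1' \
        '                module slimserver-scanner 1.0.0;' '#line 1'
}

f=$(mktemp) && sample > "$f"
ctx "$f" 11 2      # context with real line numbers, error line marked ">"
origin "$f" 11     # slimserver-scanner.te:1
rm -f "$f"
```

Against the real build output the equivalent calls would be `ctx tmp/slimserver-scanner.tmp 59006` and `origin tmp/slimserver-scanner.tmp 59006`.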