On 01/18/2010 08:26 PM, Ruben Kerkhof wrote:
On Jan 18, 2010, at 6:28 PM, Dominick Grift wrote:
> On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
>> Hi list,
>>
>> I haven't written an selinux module before, so to start simple I
>> created one for beanstalkd, since we use this a lot.
>>
>> I'm running into one issue though:
>>
>> beanstalkd has the ability to create binary log files in
>> /var/lib/beanstalkd/binlog.
>> This directory doesn't exist by default, but it is created in the
>> init script.
>>
>> Starting up beanstalkd creates an AVC denial:
>> type=AVC msg=audit(1263749015.682:199): avc: denied { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770 a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
>>
>> How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
>
> Ask whoever packaged it to install the directory instead of letting the
> init script create it.
That certainly seems the easiest way, thanks. I'll file a bug.
> Your beanstalk_admin could use a:
>
> files_search_var_lib($1)
> admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
I presume this means that someone in the 'admin' role has the rights
to manage stuff in /var/lib/beanstalkd?
Do I have to setup roles to test this?
The beanstalkd_admin() interface is for the beanstalkadm_r role, yes.
You can test it by creating a beanstalkadm module:
beanstalkadm.te:

policy_module(beanstalkadm, 1.0.0)

role beanstalkadm_r;

userdom_base_user_template(beanstalkadm)
beanstalk_admin(beanstalkadm_t, beanstalkadm_r)
beanstalkadm.if:

## <summary>beanstalk administrator role</summary>

########################################
## <summary>
##	Change to the beanstalk administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkadm_role_change',`
	gen_require(`
		role beanstalkadm_r;
	')

	allow $1 beanstalkadm_r;
')

########################################
## <summary>
##	Change from the beanstalk administrator role.
## </summary>
## <desc>
##	<p>
##	Change from the beanstalk administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkadm_role_change_to',`
	gen_require(`
		role beanstalkadm_r;
	')

	allow beanstalkadm_r $1;
')
Customization to the staff domain:

mystaff.te:

policy_module(mystaff, 1.0.0)

require { role staff_r; }

optional_policy(`
	beanstalkadm_role_change(staff_r)
')
Then edit the staff_u SELinux user mapping:

semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r unconfined_r beanstalkadm_r webadm_r" -P user staff_u
echo "testuser ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL" >> /etc/sudoers
useradd -Z staff_u testuser
passwd testuser

login:

sudo -t beanstalkadm_t -r beanstalkadm_r -s

or

sudo -t beanstalkadm_t -r beanstalkadm_r service beanstalkd restart
Your beanstalkadm module may need some more modifications though; have a look
at the webadm module and reference its call to apache_admin against apache.if,
where it's defined.
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/web...
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/web...
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/services/...
> You will need to require the beanstalkd_var_lib_t type as well
>
> Other than that, looks good to me.
Thanks for your help,
Ruben
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
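Added example, not part of the thread or of either poster's code: a POSIX shell helper that turns an AVC denial record like the one quoted above into the allow rule it implies (the same derivation audit2allow performs), so the rule can be read before deciding whether adding it is the right fix. The sample input is the thread's own denial reassembled on one line; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): derive the allow rule an AVC denial
# implies, the way audit2allow does, so it can be read before deciding
# whether adding it is the right fix. Function names are this example's own.

# Constructed sample input: the denial quoted in the thread, on one line.
AVC_SAMPLE='type=AVC msg=audit(1263749015.682:199): avc: denied { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value in LINE, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT: print the type component of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: print the permissions listed between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_to_allow LINE: print "allow <source type> <target type>:<class> { perms };"
# Returns 1 and prints nothing when LINE is not an AVC denial record
# (the kernel writes "avc:  denied" with two spaces; extraction often collapses it).
avc_to_allow() {
    case $1 in
        *"avc:  denied"*|*"avc: denied"*) ;;
        *) return 1 ;;
    esac
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

avc_to_allow "$AVC_SAMPLE"
```

For the denial in the thread this prints `allow initrc_t var_lib_t:dir { create };`. That rule would let every init script create directories directly under /var/lib, not just beanstalkd's, which is why the answer above is to have the package install the directory rather than add the rule.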