I want to convert the selinux commands that I have created for a custom install of apache into an selinux policy such that it could be applied to multiple machines using puppet.
As a snapshot of the selinux config, I have something like:
semanage fcontext -a -t httpd_exec_t "/opt/custom/apache(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/var/custom/webcontent(/.*)?"
etc ...

restorecon -R -v /opt/custom/apache
restorecon -R -v /var/custom/webcontent
etc ... (to actually apply it)

# allow apache to initiate connections (proxying/ajp)
setsebool httpd_can_network_connect on
setsebool httpd_can_network_relay on
etc ...

semanage port -a -t http_port_t -p tcp 9xxx-91xx
etc ...
Now I've tried to create a policy for the types above by using chcon to set the type on the various directories and then running up audit2allow in the hope that it would produce a policy based on the fcontext settings, but it doesn't seem to produce anything. Also, I assume it will only log when an attempt is made for access that is then denied rather than give the commands to proactively all various options, like enabling builtin scripting.
I've not seen a way of handling the Booleans so far and the port commands I have used allow httpd_t port_t:tcp_socket name_bind;
So far the apache.te policy file looks like this:
module apache 1.0;

require {
	type httpd_t;
	type httpd_exec_t;
	type httpd_var_run_t;
	type port_t;
	class lnk_file read;
	class dir search;
	class tcp_socket name_bind;
}

#============= httpd_t ==============
allow httpd_t httpd_exec_t:dir search;
allow httpd_t httpd_var_run_t:lnk_file read;
allow httpd_t port_t:tcp_socket name_bind;
I'd be very grateful for any help on this as I'd really like to be able to tie up all the commands into a policy file which can be applied as part of the apache install process.
Will.
________________________________ The information contained in this email is strictly confidential and for the use of the addressee only, unless otherwise indicated. If you are not the intended recipient, please do not read, copy, use or disclose to others this message or any attachment. Please also notify the sender by replying to this email or by telephone (+44(020 7896 0011) and then delete the email and any copies of it. Opinions, conclusion (etc) that do not relate to the official business of this company shall be understood as neither given nor endorsed by it. IG is a trading name of IG Markets Limited (a company registered in England and Wales, company number 04008957) and IG Index Limited (a company registered in England and Wales, company number 01190902). Registered address at Cannon Bridge House, 25 Dowgate Hill, London EC4R 2YA. Both IG Markets Limited (register number 195355) and IG Index Limited (register number 114059) are authorised and regulated by the Financial Conduct Authority.
On 01/21/2014 09:21 AM, William Hargrove wrote:
You can not do boolean settings within a policy module, they have to be done with the setsebool type commands. Puppet has some SELinux bindings that allow you to set booleans and run semanage commands, so not sure why you want to package this up in a policy module, which would also need to be installed within puppet.
On Tue, 2014-01-21 at 14:21 +0000, William Hargrove wrote:
I want to convert the selinux commands that I have created for a custom install of apache into an selinux policy such that it could be applied to multiple machines using puppet.
It's (next to) possible, but it will be rather ugly.
You can make the booleans unconditional by just adding the conditional rules unconditionally
The workaround you did for the httpd_port_t addition is ugly but it works
The file context specs can be done as shown below.
My example below may have typos and errors (I haven't tested it) and this pos e-mail client messes with the format.
It's a compromise for sure, but compromises can be made.
The below would be it for Fedora 20:
# Quote the heredoc delimiter: the m4 backquote in gen_require(` would
# otherwise be taken by the shell as the start of a command substitution.
# Use '>' rather than '>>' so re-running does not append a second copy.
cat > mytest.te <<'EOF'
policy_module(mytest, 1.0.0)

gen_require(`
	type httpd_sys_script_t, httpd_suexec_t;
	attribute client_packet_type, port_type;
	type node_t, netif_t, port_t;
	type httpd_exec_t, httpd_sys_content_t, httpd_t, httpd_var_run_t;
	type http_cache_port_t, http_port_t, gopher_client_packet_t;
	attribute ephemeral_port_type;
	type http_cache_client_packet_t;
	type ftp_port_t, memcache_port_t, ftp_client_packet_t;
	type http_client_packet_t, squid_port_t, gopher_port_t;
	type squid_client_packet_t;
')

# Rules the httpd_can_network_* booleans would make conditional,
# added here unconditionally (a module cannot set booleans itself).
allow httpd_t http_cache_port_t : tcp_socket name_connect ;
allow httpd_t http_port_t : tcp_socket name_connect ;
allow httpd_t gopher_client_packet_t : packet { send recv } ;
allow httpd_t ephemeral_port_type : tcp_socket name_connect ;
allow httpd_t http_cache_client_packet_t : packet { send recv } ;
allow httpd_t ftp_port_t : tcp_socket name_connect ;
allow httpd_t memcache_port_t : tcp_socket name_connect ;
allow httpd_t ftp_client_packet_t : packet { send recv } ;
allow httpd_t http_client_packet_t : packet { send recv } ;
allow httpd_t squid_port_t : tcp_socket name_connect ;
allow httpd_t gopher_port_t : tcp_socket name_connect ;
allow httpd_t squid_client_packet_t : packet { send recv } ;

# The rules from the original apache.te
allow httpd_t httpd_exec_t:dir search;
allow httpd_t httpd_var_run_t:lnk_file read;
allow httpd_t port_t:tcp_socket name_bind;

allow httpd_sys_script_t client_packet_type : packet { send recv } ;
allow httpd_suexec_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow httpd_suexec_t port_type : udp_socket { recv_msg send_msg } ;
allow httpd_sys_script_t httpd_sys_script_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow httpd_sys_script_t httpd_sys_script_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow httpd_suexec_t client_packet_type : packet { send recv } ;
allow httpd_sys_script_t node_t : tcp_socket node_bind ;
allow httpd_sys_script_t node_t : udp_socket node_bind ;
allow httpd_sys_script_t node_t : node { tcp_recv tcp_send udp_recv udp_send recvfrom sendto } ;
allow httpd_t port_type : tcp_socket name_connect ;
allow httpd_suexec_t node_t : node { tcp_recv tcp_send udp_recv udp_send recvfrom sendto } ;
allow httpd_sys_script_t netif_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress } ;
allow httpd_suexec_t httpd_suexec_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow httpd_suexec_t httpd_suexec_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow httpd_suexec_t netif_t : netif { tcp_recv tcp_send udp_recv udp_send ingress egress } ;
allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ;
allow httpd_sys_script_t port_type : udp_socket { recv_msg send_msg } ;
EOF

cat > mytest.fc <<'EOF'
/opt/custom/apache(/.*)?	gen_context(system_u:object_r:httpd_exec_t,s0)
/var/custom/webcontent(/.*)?	gen_context(system_u:object_r:httpd_sys_content_t,s0)
EOF

make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
# relabel both trees named in the .fc (webcontent lives under /var/custom, not /opt/custom)
restorecon -R -v -F /opt/custom/apache /var/custom/webcontent
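As an added example (not code from Will, Dan or Dominick), the script below does mechanically what the thread works out by hand: it takes a snapshot of semanage/setsebool commands like Will's and splits it into the part a policy module can carry (the file context specs, rendered as a mytest.te/mytest.fc pair in the form Dominick shows) and the part that, as Dan points out, has no module equivalent and must stay as runtime commands (booleans and port labels). The snapshot text is constructed from the original post; the module name mytest is borrowed from Dominick's example; the httpd_log_t line with -f d is a constructed extra to exercise the file-type field; and the port range 9000-9100 is a made-up placeholder because the post elides the real one.

```shell
#!/bin/sh
# Added example for this thread (not code from the posters): split a snapshot
# of semanage/setsebool commands into what a policy module can carry
# (file context specs -> mytest.te / mytest.fc) and what must remain runtime
# commands (booleans, port labels), e.g. driven from puppet.

# Constructed sample input, modelled on the original post. The post elides the
# real port range ("9xxx-91xx"); 9000-9100 is a placeholder. The httpd_log_t
# line is a constructed extra that exercises the "-f" file-type mapping.
SNAPSHOT='semanage fcontext -a -t httpd_exec_t "/opt/custom/apache(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/var/custom/webcontent(/.*)?"
semanage fcontext -a -t httpd_log_t -f d "/var/custom/log(/.*)?"
setsebool httpd_can_network_connect on
setsebool httpd_can_network_relay on
semanage port -a -t http_port_t -p tcp 9000-9100'

# .fc: one line per fcontext rule. semanage's "-f X" maps onto the optional
# object-class field of the .fc format (f -> --, d -> -d, c -> -c, ...).
render_fc() {
  printf '%s\n' "$1" | awk '
    BEGIN { cls["f"] = "--"; cls["d"] = "-d"; cls["c"] = "-c"; cls["b"] = "-b"
            cls["s"] = "-s"; cls["l"] = "-l"; cls["p"] = "-p" }
    $1 == "semanage" && $2 == "fcontext" {
      type = ""; ftype = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-t") type = $(i + 1)
        if ($i == "-f") ftype = $(i + 1)
      }
      if (type == "") next
      path = $NF; gsub(/"/, "", path)          # drop the shell quotes
      spec = path
      if (ftype in cls) spec = spec " " cls[ftype]
      printf "%s\tgen_context(system_u:object_r:%s,s0)\n", spec, type
    }'
}

# .te: module header plus a gen_require() for every type the .fc references,
# since those types are defined by the base httpd policy, not by this module.
render_te() {
  printf 'policy_module(%s, 1.0.0)\n\n' "$1"
  printf '%s\n' "$2" | awk -v q="'" '
    $1 == "semanage" && $2 == "fcontext" {
      for (i = 3; i < NF; i++)
        if ($i == "-t" && !seen[$(i + 1)]++)
          types = (types == "" ? "" : types ", ") $(i + 1)
    }
    END { if (types != "") printf("gen_require(`\n\ttype %s;\n" q ")\n", types) }'
}

# Runtime script: booleans and port labels cannot be expressed in a module,
# so they are emitted as commands to run after semodule -i.
render_runtime() {
  printf '#!/bin/sh\n# Settings that cannot live in a policy module.\nset -e\n'
  printf '%s\n' "$1" | awk '
    $1 == "setsebool" {
      n = ($2 == "-P") ? 3 : 2
      # -P persists the value across reboots; the snapshot left it off
      printf "setsebool -P %s %s\n", $n, $(n + 1)
    }
    $1 == "semanage" && $2 == "port" && $3 == "-a" {
      args = ""
      for (i = 4; i <= NF; i++) args = args " " $i
      # -a fails once the range is defined; -m then converges it to the wanted type
      printf "semanage port -a%s || semanage port -m%s\n", args, args
    }'
}

# Stand-alone run: print the three generated artifacts.
MODULE=mytest
echo "### ${MODULE}.te";     render_te "$MODULE" "$SNAPSHOT"
echo "### ${MODULE}.fc";     render_fc "$SNAPSHOT"
echo "### apply-runtime.sh"; render_runtime "$SNAPSHOT"
```

To use it, redirect each function into its file (render_te mytest "$SNAPSHOT" > mytest.te, render_fc "$SNAPSHOT" > mytest.fc, render_runtime "$SNAPSHOT" > apply-runtime.sh), build with make -f /usr/share/selinux/devel/Makefile mytest.pp, install with semodule -i mytest.pp, relabel the listed trees with restorecon -R -F, then run apply-runtime.sh. Afterwards matchpathcon on a path under /opt/custom/apache should report httpd_exec_t and getsebool httpd_can_network_connect should report on; if either does not, the module or the runtime step did not take effect on that host.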
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux