On 01/18/2010 06:28 PM, Dominick Grift wrote:
On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
> Hi list,
>
> I haven't written an selinux module before, so to start simple I
> created one for beanstalkd, since we use this a lot.
>
> I'm running into one issue though:
>
> beanstalkd has the ability to create binary log files in
> /var/lib/beanstalkd/binlog.
> This directory doesn't exist by default, but it is created in the init script.
>
> Starting up beanstalkd creates an AVC denial:
> type=AVC msg=audit(1263749015.682:199): avc: denied { create } for
> pid=2163 comm="mkdir" name="beanstalkd"
> scontext=unconfined_u:system_r:initrc_t:s0
> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
> type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83
> success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770
> a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir"
> exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
>
> How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
>
Ask whoever packaged it to install the directory instead of letting the
init script create it.
Your beanstalk_admin could use a:
files_search_var_lib($1)
admin_pattern($1, beanstalkd_var_lib_t, beanstalk_var_lib_t)
You will need to require the beanstalkd_var_lib_t type as well
Other then that, looks good to me.
> Here's my policy:
>
> [root@ruben ~]# cat beanstalkd.fc
> /usr/bin/beanstalkd --
> gen_context(system_u:object_r:beanstalkd_exec_t,s0)
> /etc/rc\.d/init\.d/beanstalkd --
> gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
> /var/lib/beanstalkd(/.*)?
> gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
>
> [root@ruben ~]# cat beanstalkd.te
> policy_module(beanstalkd,1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type beanstalkd_t;
> type beanstalkd_exec_t;
> init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)
>
> type beanstalkd_initrc_exec_t;
> init_script_file(beanstalkd_initrc_exec_t)
>
> type beanstalkd_var_lib_t;
> files_type(beanstalkd_var_lib_t)
>
> ########################################
> #
> # beanstalkd local policy
> #
>
> allow beanstalkd_t self:capability { dac_override setgid setuid };
> allow beanstalkd_t self:process { fork setrlimit };
> allow beanstalkd_t self:tcp_socket create_stream_socket_perms;
>
> manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
> files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, file)
>
> corenet_tcp_sendrecv_generic_if(beanstalkd_t)
> corenet_tcp_sendrecv_generic_node(beanstalkd_t)
> corenet_tcp_sendrecv_all_ports(beanstalkd_t)
> corenet_tcp_bind_generic_node(beanstalkd_t)
> corenet_tcp_bind_generic_node(beanstalkd_t)
>
> # FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
> corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
>
>
> fs_dontaudit_getattr_all_fs(beanstalkd_t)
>
> domain_use_interactive_fds(beanstalkd_t)
>
> auth_use_nsswitch(beanstalkd_t)
>
> [root@ruben ~]# cat beanstalkd.if
>
> ##<summary>policy for beanstalkd</summary>
>
> ########################################
> ##<summary>
> ## Execute a domain transition to run beanstalkd.
> ##</summary>
> ##<param name="domain">
> ##<summary>
> ## Domain allowed to transition.
> ##</summary>
> ##</param>
> #
> interface(`beanstalkd_domtrans',`
> gen_require(`
> type beanstalkd_t, beanstalkd_exec_t;
> ')
>
> domtrans_pattern($1, beanstalkd_exec_t, beanstalkd_t)
> ')
>
>
> ########################################
> ##<summary>
> ## Execute beanstalkd server in the beanstalkd domain.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> ## The type of the process performing this action.
> ## </summary>
> ##</param>
> #
> interface(`beanstalkd_initrc_domtrans',`
> gen_require(`
> type beanstalkd_initrc_exec_t;
> ')
>
> init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
> ')
>
> ########################################
> ##<summary>
> ## All of the rules required to administrate
> ## an beanstalkd environment
> ##</summary>
> ##<param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ##</param>
> ##<param name="role">
> ## <summary>
> ## Role allowed access.
> ## </summary>
> ##</param>
> ##<rolecap/>
> #
> interface(`beanstalkd_admin',`
> gen_require(`
> type beanstalkd_t;
> ')
>
> allow $1 beanstalkd_t:process { ptrace signal_perms getattr };
> read_files_pattern($1, beanstalkd_t, beanstalkd_t)
>
>
> gen_require(`
> type beanstalkd_initrc_exec_t;
> ')
>
> beanstalkd_initrc_domtrans($1)
> domain_system_change_exemption($1)
> role_transition $2 beanstalkd_initrc_exec_t system_r;
> allow $2 system_r;
>
> ')
>
> Kind regards,
>
> Ruben Kerkhof
>
# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
Just for information, there is a workaround for this. You can add the
following statements to your beanstalkd local policy :
----
type beanstalkd_port_t;
corenet_port(beanstalkd_port_t)
allow beanstalkd_t beanstalkd_port_t:tcp_socket name_bind;
---
Then compile and load your policy module and execute:
# semanage port -a -t beanstalkd_port_t -p tcp 11300
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux