Hi list,
I haven't written an SELinux module before, so to start simple I created one for beanstalkd, since we use this a lot.
I'm running into one issue though:
beanstalkd has the ability to create binary log files in /var/lib/beanstalkd/binlog. This directory doesn't exist by default, but it is created in the init script.
Starting up beanstalkd creates an AVC denial:

type=AVC msg=audit(1263749015.682:199): avc: denied { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770 a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
Here's my policy:
[root@ruben ~]# cat beanstalkd.fc
/usr/bin/beanstalkd		--	gen_context(system_u:object_r:beanstalkd_exec_t,s0)
/etc/rc.d/init.d/beanstalkd	--	gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
/var/lib/beanstalkd(/.*)?		gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
[root@ruben ~]# cat beanstalkd.te
policy_module(beanstalkd,1.0.0)

########################################
#
# Declarations
#

type beanstalkd_t;
type beanstalkd_exec_t;
init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)

type beanstalkd_initrc_exec_t;
init_script_file(beanstalkd_initrc_exec_t)

type beanstalkd_var_lib_t;
files_type(beanstalkd_var_lib_t)

########################################
#
# beanstalkd local policy
#

allow beanstalkd_t self:capability { dac_override setgid setuid };
allow beanstalkd_t self:process { fork setrlimit };
allow beanstalkd_t self:tcp_socket create_stream_socket_perms;

# binlog files under /var/lib/beanstalkd
manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, file)

corenet_tcp_sendrecv_generic_if(beanstalkd_t)
corenet_tcp_sendrecv_generic_node(beanstalkd_t)
corenet_tcp_sendrecv_all_ports(beanstalkd_t)
corenet_tcp_bind_generic_node(beanstalkd_t)
# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)

fs_dontaudit_getattr_all_fs(beanstalkd_t)

domain_use_interactive_fds(beanstalkd_t)

auth_use_nsswitch(beanstalkd_t)
[root@ruben ~]# cat beanstalkd.if
## <summary>policy for beanstalkd</summary>

########################################
## <summary>
##	Execute a domain transition to run beanstalkd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`beanstalkd_domtrans',`
	gen_require(`
		type beanstalkd_t, beanstalkd_exec_t;
	')

	domtrans_pattern($1, beanstalkd_exec_t, beanstalkd_t)
')

########################################
## <summary>
##	Execute beanstalkd server in the beanstalkd domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`beanstalkd_initrc_domtrans',`
	gen_require(`
		type beanstalkd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	a beanstalkd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkd_admin',`
	gen_require(`
		type beanstalkd_t, beanstalkd_initrc_exec_t;
	')

	allow $1 beanstalkd_t:process { ptrace signal_perms getattr };
	read_files_pattern($1, beanstalkd_t, beanstalkd_t)

	beanstalkd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 beanstalkd_initrc_exec_t system_r;
	allow $2 system_r;
')
Kind regards,
Ruben Kerkhof
On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
Ask whoever packaged it to install the directory instead of letting the init script create it.
Your beanstalkd_admin could use a:

	files_search_var_lib($1)
	admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
You will need to require the beanstalkd_var_lib_t type as well
Other than that, looks good to me.
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
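Dominick's point above is that the denial Ruben posted is not a missing allow rule but a labeling problem: for a create denial the tcontext is the label the new directory would get (var_lib_t, since nothing transitions what initrc_t creates in /var/lib), while beanstalkd.fc says /var/lib/beanstalkd should be beanstalkd_var_lib_t, so an allow rule would only produce a mislabeled directory. The following added example (mine, not code from the thread or from the beanstalkd project) makes that check mechanical: it parses the AVC record and the .fc from Ruben's mail, both pasted in as constructed input, and reports whether a denial calls for a rule or for fixing the labels. The parent directory is an input; /var/lib is an assumption taken from the init script's mkdir -p, because the AVC record itself carries only the name of the object. The spec-ordering rule (longest literal stem wins) is a simplification of libselinux's, adequate for one module's .fc.

```python
"""Triage an AVC denial against a module's .fc: missing rule, or mislabeling?

Added example, not code from the thread or from beanstalkd. The AVC record and
the .fc below are pasted from Ruben's mail as constructed input; the parent
directory (/var/lib) is assumed from the init script's mkdir -p, because the
AVC record itself carries only name= of the object.
"""
import re

# Constructed input: the AVC record from the thread, SYSCALL record dropped.
AVC_LINE = ('type=AVC msg=audit(1263749015.682:199): avc: denied { create } '
            'for pid=2163 comm="mkdir" name="beanstalkd" '
            'scontext=unconfined_u:system_r:initrc_t:s0 '
            'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir')

# Constructed input: beanstalkd.fc as posted in the thread.
BEANSTALKD_FC = """
/usr/bin/beanstalkd          --  gen_context(system_u:object_r:beanstalkd_exec_t,s0)
/etc/rc.d/init.d/beanstalkd  --  gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
/var/lib/beanstalkd(/.*)?        gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
                    r'\s+tclass=(?P<tclass>\w+)')
QUOTED_RE = re.compile(r'(\w+)="([^"]*)"')            # comm="mkdir" name="beanstalkd"
FC_RE = re.compile(r'^(?P<regex>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?'
                   r'gen_context\(\w+:object_r:(?P<type>\w+),[^)]*\)$')
# .fc file-type flag -> object class; a spec without a flag covers every class
FTYPE_CLASS = {'--': 'file', '-d': 'dir', '-l': 'lnk_file', '-s': 'sock_file',
               '-p': 'fifo_file', '-c': 'chr_file', '-b': 'blk_file'}


def parse_avc(line):
    """Split one AVC record into perms, contexts, class and the quoted fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial: %r' % line)
    rec = {'perms': m.group('perms').split(), 'scontext': m.group('scontext'),
           'tcontext': m.group('tcontext'), 'tclass': m.group('tclass')}
    rec.update(QUOTED_RE.findall(line))
    rec['stype'] = rec['scontext'].split(':')[2]     # user:role:type[:level]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """What audit2allow would print: valid syntax, not necessarily the right fix."""
    return 'allow %s %s:%s { %s };' % (rec['stype'], rec['ttype'],
                                       rec['tclass'], ' '.join(rec['perms']))


def parse_fc(text):
    """Turn .fc lines into anchored regexes plus class restriction and target type."""
    specs = []
    for order, line in enumerate(text.splitlines()):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = FC_RE.match(line)
        if m is None:
            raise ValueError('unparsed .fc line: %r' % line)
        regex = m.group('regex')
        stem = re.split(r'[.^$?*+|\[\](){}\\]', regex, 1)[0]   # literal prefix
        specs.append({'re': re.compile('^' + regex + '$'), 'stem': len(stem),
                      'order': order, 'tclass': FTYPE_CLASS.get(m.group('ftype')),
                      'type': m.group('type')})
    return specs


def expected_type(specs, path, tclass):
    """Type the .fc assigns to path: longest literal stem wins, later entry on a tie.
    A simplification of libselinux's spec ordering, adequate for one module's .fc."""
    best = None
    for s in specs:
        if s['tclass'] not in (None, tclass) or not s['re'].match(path):
            continue
        if best is None or (s['stem'], s['order']) > (best['stem'], best['order']):
            best = s
    return best['type'] if best else None


def triage(avc_line, fc_text, parent_dir):
    """Return (kind, path, expected_type, rule); kind is 'labeling' or 'missing-rule'.

    For create (and most other perms) the denied object is parent_dir/name and
    tcontext is its label, or the label it would get. For add_name/remove_name
    the denied object is the directory itself, so name= must not be appended."""
    rec = parse_avc(avc_line)
    path = parent_dir.rstrip('/')
    if rec.get('name') and not {'add_name', 'remove_name'} & set(rec['perms']):
        path += '/' + rec['name']
    want = expected_type(parse_fc(fc_text), path, rec['tclass'])
    kind = 'labeling' if want is not None and want != rec['ttype'] else 'missing-rule'
    return kind, path, want, allow_rule(rec)


if __name__ == '__main__':
    kind, path, want, rule = triage(AVC_LINE, BEANSTALKD_FC, '/var/lib')
    print('%s: %s labeled %s, .fc wants %s; audit2allow would suggest: %s'
          % (kind, path, parse_avc(AVC_LINE)['ttype'], want, rule))
```

For Ruben's record the verdict is "labeling", which matches Dominick's advice: have the package install /var/lib/beanstalkd so setfiles labels it from the .fc, rather than letting initrc_t create it in var_lib_t. When the verdict is "missing-rule" the printed allow line is only what audit2allow would give; in a refpolicy module the same access is expressed through the pattern macros (manage_dirs_pattern and friends), not a bare allow.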
On 01/18/2010 06:28 PM, Dominick Grift wrote:
On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
Just for information, there is a workaround for this. You can add the following statements to your beanstalkd local policy:
----
type beanstalkd_port_t;
corenet_port(beanstalkd_port_t)
allow beanstalkd_t beanstalkd_port_t:tcp_socket name_bind;
---
Then compile and load your policy module and execute:
# semanage port -a -t beanstalkd_port_t -p tcp 11300
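The workaround above (declare a local port type, load the module, then label tcp/11300 with semanage) has one stumbling block in practice: semanage port -a refuses a port that already has its own single-port definition ("already defined"), and the record then has to be changed with semanage port -m instead; a port that merely falls inside another type's range can still be added. The following added example (mine, not code from the thread or from beanstalkd) parses a semanage port -l listing and picks the right command. The listing is constructed for the example, and its types and port numbers say nothing about any real policy.

```python
"""Pick the semanage command that labels a port with a local port type.

Added example, not code from the thread. The listing below is constructed to
look like `semanage port -l` output; the types and numbers in it are made up
for the example and say nothing about any real policy.
"""
import re

# Constructed sample of `semanage port -l` output.
PORT_LISTING = """\
SELinux Port Type              Proto    Port Number

amqp_port_t                    tcp      5671-5672, 15672
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
memcache_port_t                tcp      11211
memcache_port_t                udp      11211
unreserved_port_t              tcp      1024-65535
"""

LINE_RE = re.compile(r'^(?P<type>\w+)\s+(?P<proto>tcp|udp)\s+(?P<ports>[\d,\s-]+)$')


def parse_port_listing(text):
    """Return (type, proto, low, high) records; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        for item in m.group('ports').split(','):
            low, _, high = item.strip().partition('-')
            records.append((m.group('type'), m.group('proto'), int(low), int(high or low)))
    return records


def port_definitions(records, proto, port):
    """Every record covering proto/port, as (type, exact) where exact means a
    single-port record rather than a range that happens to contain the port."""
    return [(t, low == high == port)
            for t, p, low, high in records if p == proto and low <= port <= high]


def semanage_port_cmd(listing, new_type, proto, port):
    """Command that makes proto/port carry new_type, or None if it already does.

    semanage port -a fails with "already defined" when a single-port record for
    this port exists; then the record has to be modified with -m. A port that is
    only inside another type's range (unreserved_port_t here) can be added."""
    defs = port_definitions(parse_port_listing(listing), proto, port)
    exact = [t for t, single in defs if single]
    if new_type in exact:
        return None
    flag = '-m' if exact else '-a'
    return 'semanage port %s -t %s -p %s %d' % (flag, new_type, proto, port)


if __name__ == '__main__':
    print(semanage_port_cmd(PORT_LISTING, 'beanstalkd_port_t', 'tcp', 11300))
```

Once the port carries beanstalkd_port_t and beanstalkd_t has name_bind on it, the corenet_tcp_bind_all_unreserved_ports(beanstalkd_t) line from the .te is no longer needed for the default port; dropping it is the least-privilege gain of the workaround.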
On Jan 18, 2010, at 7:38 PM, Miroslav Grepl wrote:
# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
Just for information, there is a workaround for this. You can add the following statements to your beanstalkd local policy:
type beanstalkd_port_t;
corenet_port(beanstalkd_port_t)
allow beanstalkd_t beanstalkd_port_t:tcp_socket name_bind;
Then compile and load your policy module and execute:
# semanage port -a -t beanstalkd_port_t -p tcp 11300
Thanks, I'll give it a try.
Once my module is finished, what's the best way to get this into selinux-policy? Provide a patch against refpolicy.git from Tresys, or against Fedora rawhide cvs?
Ruben
On Jan 18, 2010, at 6:28 PM, Dominick Grift wrote:
On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
Ask whoever packaged it to install the directory instead of letting the init script create it.
That certainly seems the easiest way, thanks. I'll file a bug.
Your beanstalkd_admin could use a:

	files_search_var_lib($1)
	admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
I presume this means that someone in the 'admin' role has the rights to manage stuff in /var/lib/beanstalkd? Do I have to setup roles to test this?
You will need to require the beanstalkd_var_lib_t type as well
Other then that, looks good to me.
Thanks for your help,
Ruben
On 01/18/2010 08:26 PM, Ruben Kerkhof wrote:
On Jan 18, 2010, at 6:28 PM, Dominick Grift wrote:
Your beanstalkd_admin could use a:

	files_search_var_lib($1)
	admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
I presume this means that someone in the 'admin' role has the rights to manage stuff in /var/lib/beanstalkd? Do I have to setup roles to test this?
The beanstalkd_admin() interface is for the beanstalkadm_r role, yes.
You can test it by creating a beanstalkadm module:
beanstalkadm.te:

policy_module(beanstalkadm, 1.0.0)

role beanstalkadm_r;

userdom_base_user_template(beanstalkadm)

beanstalkd_admin(beanstalkadm_t, beanstalkadm_r)

beanstalkadm.if:

## <summary>beanstalk administrator role</summary>

########################################
## <summary>
##	Change to the beanstalk administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkadm_role_change',`
	gen_require(`
		role beanstalkadm_r;
	')

	allow $1 beanstalkadm_r;
')

########################################
## <summary>
##	Change from the beanstalk administrator role.
## </summary>
## <desc>
##	<p>
##	Change from the beanstalk administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkadm_role_change_to',`
	gen_require(`
		role beanstalkadm_r;
	')

	allow beanstalkadm_r $1;
')
customization to the staff domain:

mystaff.te:

policy_module(mystaff, 1.0.0)

require {
	role staff_r;
}

optional_policy(`
	beanstalkadm_role_change(staff_r)
')
Then edit staff_u selinux user mapping:
semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r unconfined_r beanstalkadm_r webadm_r" -P user staff_u
echo "testuser ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL" >> /etc/sudoers
useradd -Z staff_u testuser
passwd testuser
login:
sudo -t beanstalkadm_t -r beanstalkadm_r -s
or
sudo -t beanstalkadm_t -r beanstalkadm_r service beanstalkd restart
Your beanstalkadm module may need some more modifications though; have a look at the webadm module and follow its call to apache_admin into apache.if, where it's defined.
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/webadm... http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/webadm... http://oss.tresys.com/projects/refpolicy/browser/policy/modules/services/apa...