Helper program for a daemon
Daniel J Walsh
dwalsh at redhat.com
Mon Apr 23 15:14:08 UTC 2007
Al Pacifico wrote:
>
>
> On 4/19/07, *Daniel J Walsh* <dwalsh at redhat.com
> <mailto:dwalsh at redhat.com>> wrote:
>
> Al Pacifico wrote:
> > I (a greenhorn with selinux) am writing a policy for a daemon that
> > streams music files over my home network to a music player client (a
> > Slimdevices Squeezebox). My OS is FC5.
> >
> > The main daemon (/usr/sbin/slimserver) is a perl script that serves
> > the music files and is started with an init script. My questions have
> > to do with a secondary program (/usr/sbin/slimserver-scanner, also a
> > perl script) that scans the music on the server, reading mp3 tags and
> > such, and generates a database of stored music that is stored in a
> > MySQL database. /usr/sbin/slimserver-scanner is invoked by the
> > /usr/sbin/slimserver daemon and might be invoked by the user (although
> > I can't recall ever doing so in several years of owning a Squeezebox).
> >
> > I've been following the example posted by Dan Walsh in a blog at
> > http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> > extremely helpful.
> >
> > My (2) questions:
> > 1. What is the appropriate file context for the scanner program?
> > system_u:object_r:sbin_t?
> > system_u:object_r:slimserver_t?
> > system_u:object_r:slimserver_exec_t?
> >
> That depends on your security goals. If you want the slimserver-scanner
> to have the same privs as slimserver you would label it sbin_t and allow
> slimserver to corecmd_exec_sbin(). If you want to go with least privs,
> you would create a new policy for slimserver-scanner
> (slimserver_scanner_t with file context of slimserver_scanner_exec_t)
> and then add a rule to slimserver_t to domtrans
> slimserver_scanner_domtrans(slimserver_t)
>
>
> After reviewing the source code to:
> 1) confirm that slimserver-scanner is intended to be run from the
> command line as well as by the slimserver daemon
> 2) see if it logs to the slimserver log
> 3) determine if it might want to use the network
> (to which all three answers were 'yes')
> ...I tried to use policygentool to create a policy for
> slimserver-scanner. However, I was stymied by an error.
>
> Here is what happened:
> [root at joplin slimserver-scanner]#
> /usr/share/selinux/devel/policygentool slimserver-scanner
> /usr/sbin/slimserver-scanner
>
>
> This tool generate three files for policy development, A Type Enforcement (te)
> file, a File Context (fc), and a Interface File(if). Most of the policy rules
> will be written in the te file. Use the File Context file to associate file
> paths with security context. Use the interface rules to allow other protected
> domains to interact with the newly defined domains.
>
> After generating these files use the /usr/share/selinux/devel/Makefile to
> compile your policy package. Then use the semodule tool to load it.
>
> # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -l myapp.pp
> # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
>
> Now you can turn on permissive mode, start your application and avc messages
> will be generated. You can use audit2allow to help translate the avc messages
> into policy.
>
> # setenforce 0
> # service myapp start
> # audit2allow -R -i /var/log/audit/audit.log
>
> Return to continue:
>
> If the module uses pidfiles, what is the pidfile called?
>
> If the module uses logfiles, where are they stored?
> /var/log/slimserver
> If the module has var/lib files, where are they stored?
>
> Does the module have a init script? [yN]
> N
> Does the module use the network? [yN]
> y
> [root at joplin slimserver-scanner]# ls
> slimserver-scanner.fc slimserver-scanner.if slimserver-scanner.te
> [root at joplin slimserver-scanner]# make -f
> /usr/share/selinux/devel/Makefile
> Compiling targeted slimserver-scanner module
> /usr/bin/checkmodule: loading policy configuration from
> tmp/slimserver-scanner.tmp
> slimserver-scanner.te:1:ERROR 'syntax error' at token
> 'slimserver-scanner' on line 59006:
> module slimserver-scanner 1.0.0;
> #line 1
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/slimserver-scanner.mod] Error 1
>
> I thought I would display the line containing the error and associated
> context with the following:
> [root at joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed
> -n '58990,59022p'
> 50718 ## Execute a domain transition to run slimserver-scanner.
> 50719 ## </summary>
> 50720 ## <param name="domain">
> 50721 ## <summary>
> 50722 ## Domain allowed to transition.
> 50723 ## </summary>
> 50724 ## </param>
> 50725 #
> 50726
> 50727 #line 124172
>
> 50728 #line 1 "slimserver-scanner.te "
>
> 50729 #line 1
> 50730
> 50731 #line 1
> 50732 module slimserver-scanner 1.0.0;
> 50733 #line 1
>
> 50734 #line 1
> 50735 require {
> 50736 #line 1
> 50737 role system_r;
> 50738 #line 1
> 50739
> 50740 #line 1
> 50741 class security { compute_av compute_create
> compute_member check_context load_policy compute_relabel compute_user
> setenforce setbool setsecparam setcheckreqprot };
> 50742 #line 1
> 50743 class process { fork transition sigchld sigkill
> sigstop signull signal ptrace getsched setsched getsession getpgid
> setpgid getcap setcap share getattr setexec setfscreate noatsecure
> siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack
> execheap setkeycreate };
> 50744 #line 1
> 50745 class system { ipc_info syslog_read syslog_mod
> syslog_console };
> 50746 #line 1
> 50747 class capability { chown dac_override dac_read_search
> fowner fsetid kill setgid setuid setpcap linux_immutable
> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
> sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
> sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
> audit_write audit_control };
>
> which does show the line 'module slimserver-scanner 1.0.0;', although
> the line numbering is inconsistent.
>
> At first, I thought maybe policygentool inspected the context for the
> /usr/sbin/slimserver-scanner binary and that was the problem. Cursory
> examination of the source code did not suggest this. Now, I wonder if
> policygentool is only to be used for daemons. This wasn't stated in
> any comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5
> package.)
>
> Are there any thoughts regarding the nature of the error or
> suggestions for alternative tools for generating the policy?
> -al
>
Could it be that the compiler does not like the - in the policy name?
Could you change it to slimserver_scanner?
> --
> Al Pacifico
> Seattle, WA
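As an added illustration of the least-privilege option from the first reply (a separate slimserver_scanner_t domain entered by domain transition from slimserver_t), with the module named with an underscore as the second reply suggests, here is a minimal refpolicy-style module. This is not code from the thread, from policygentool's output, or from the slimserver project. The names slimserver_t, slimserver_scanner_t, slimserver_scanner_exec_t, slimserver_scanner_domtrans and corecmd_exec_sbin come from the thread; domain_type, domain_entry_file, domain_auto_trans and gen_context are refpolicy macros assumed to be available in the selinux-policy-devel package of that era.

```selinux
## slimserver_scanner.te (added example)
## The module identifier uses an underscore; the hyphen survives only
## inside the filesystem path in the .fc file, where it is a plain string.
policy_module(slimserver_scanner, 1.0.0)

########################################
#
# Declarations
#
type slimserver_scanner_t;
type slimserver_scanner_exec_t;
domain_type(slimserver_scanner_t)
domain_entry_file(slimserver_scanner_t, slimserver_scanner_exec_t)
role system_r types slimserver_scanner_t;

########################################
#
# Local policy
#
# Rules for reading the music tree, writing the shared /var/log/slimserver
# log and reaching MySQL over the network are deliberately absent here:
# they are filled in from audit2allow output after running the scanner
# in permissive mode, as the policygentool banner describes.

## slimserver_scanner.if (added example)
## <summary>Scanner helper invoked by the slimserver daemon.</summary>

########################################
## <summary>
##	Execute a domain transition to run slimserver_scanner.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
#
interface(`slimserver_scanner_domtrans',`
	gen_require(`
		type slimserver_scanner_t, slimserver_scanner_exec_t;
	')

	# caller executing the entrypoint lands in slimserver_scanner_t
	domain_auto_trans($1, slimserver_scanner_exec_t, slimserver_scanner_t)

	# child may use inherited descriptors and pipes and signal its parent on exit
	allow slimserver_scanner_t $1:fd use;
	allow slimserver_scanner_t $1:fifo_file rw_file_perms;
	allow slimserver_scanner_t $1:process sigchld;
')

## slimserver_scanner.fc (added example)
/usr/sbin/slimserver-scanner	--	gen_context(system_u:object_r:slimserver_scanner_exec_t,s0)

## Addition to slimserver.te: let the daemon transition into the new domain.
slimserver_scanner_domtrans(slimserver_t)

## The other option from the first reply (scanner keeps slimserver's
## privileges, binary labelled sbin_t) would instead be the single line:
##   corecmd_exec_sbin(slimserver_t)
```

The .if interface is the part that makes the "least privs" choice enforceable: slimserver_t gets no direct rights over the scanner's files, only the right to execute the entrypoint, after which the scanner runs under its own, separately auditable, set of rules.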