Selinux policy for beanstalkd
Miroslav Grepl
mgrepl at redhat.com
Mon Jan 18 18:38:38 UTC 2010
On 01/18/2010 06:28 PM, Dominick Grift wrote:
> On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
>
>> Hi list,
>>
>> I haven't written an selinux module before, so to start simple I
>> created one for beanstalkd, since we use this a lot.
>>
>> I'm running into one issue though:
>>
>> beanstalkd has the ability to create binary log files in
>> /var/lib/beanstalkd/binlog.
>> This directory doesn't exist by default, but it is created in the init script.
>>
>> Starting up beanstalkd creates an AVC denial:
>> type=AVC msg=audit(1263749015.682:199): avc: denied { create } for
>> pid=2163 comm="mkdir" name="beanstalkd"
>> scontext=unconfined_u:system_r:initrc_t:s0
>> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83
>> success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770
>> a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir"
>> exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
>>
>> How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
>>
> Ask whoever packaged it to install the directory instead of letting the
> init script create it.
>
> Your beanstalk_admin could use a:
>
> files_search_var_lib($1)
> admin_pattern($1, beanstalkd_var_lib_t, beanstalk_var_lib_t)
>
> You will need to require the beanstalkd_var_lib_t type as well
>
> Other then that, looks good to me.
>
>
>> Here's my policy:
>>
>> [root at ruben ~]# cat beanstalkd.fc
>> /usr/bin/beanstalkd --
>> gen_context(system_u:object_r:beanstalkd_exec_t,s0)
>> /etc/rc\.d/init\.d/beanstalkd --
>> gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
>> /var/lib/beanstalkd(/.*)?
>> gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
>>
>> [root at ruben ~]# cat beanstalkd.te
>> policy_module(beanstalkd,1.0.0)
>>
>> ########################################
>> #
>> # Declarations
>> #
>>
>> type beanstalkd_t;
>> type beanstalkd_exec_t;
>> init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)
>>
>> type beanstalkd_initrc_exec_t;
>> init_script_file(beanstalkd_initrc_exec_t)
>>
>> type beanstalkd_var_lib_t;
>> files_type(beanstalkd_var_lib_t)
>>
>> ########################################
>> #
>> # beanstalkd local policy
>> #
>>
>> allow beanstalkd_t self:capability { dac_override setgid setuid };
>> allow beanstalkd_t self:process { fork setrlimit };
>> allow beanstalkd_t self:tcp_socket create_stream_socket_perms;
>>
>> manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
>> files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, file)
>>
>> corenet_tcp_sendrecv_generic_if(beanstalkd_t)
>> corenet_tcp_sendrecv_generic_node(beanstalkd_t)
>> corenet_tcp_sendrecv_all_ports(beanstalkd_t)
>> corenet_tcp_bind_generic_node(beanstalkd_t)
>> corenet_tcp_bind_generic_node(beanstalkd_t)
>>
>> # FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
>> corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
>>
>>
>> fs_dontaudit_getattr_all_fs(beanstalkd_t)
>>
>> domain_use_interactive_fds(beanstalkd_t)
>>
>> auth_use_nsswitch(beanstalkd_t)
>>
>> [root at ruben ~]# cat beanstalkd.if
>>
>> ##<summary>policy for beanstalkd</summary>
>>
>> ########################################
>> ##<summary>
>> ## Execute a domain transition to run beanstalkd.
>> ##</summary>
>> ##<param name="domain">
>> ##<summary>
>> ## Domain allowed to transition.
>> ##</summary>
>> ##</param>
>> #
>> interface(`beanstalkd_domtrans',`
>> gen_require(`
>> type beanstalkd_t, beanstalkd_exec_t;
>> ')
>>
>> domtrans_pattern($1, beanstalkd_exec_t, beanstalkd_t)
>> ')
>>
>>
>> ########################################
>> ##<summary>
>> ## Execute beanstalkd server in the beanstalkd domain.
>> ##</summary>
>> ##<param name="domain">
>> ## <summary>
>> ## The type of the process performing this action.
>> ## </summary>
>> ##</param>
>> #
>> interface(`beanstalkd_initrc_domtrans',`
>> gen_require(`
>> type beanstalkd_initrc_exec_t;
>> ')
>>
>> init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
>> ')
>>
>> ########################################
>> ##<summary>
>> ## All of the rules required to administrate
>> ## an beanstalkd environment
>> ##</summary>
>> ##<param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ##</param>
>> ##<param name="role">
>> ## <summary>
>> ## Role allowed access.
>> ## </summary>
>> ##</param>
>> ##<rolecap/>
>> #
>> interface(`beanstalkd_admin',`
>> gen_require(`
>> type beanstalkd_t;
>> ')
>>
>> allow $1 beanstalkd_t:process { ptrace signal_perms getattr };
>> read_files_pattern($1, beanstalkd_t, beanstalkd_t)
>>
>>
>> gen_require(`
>> type beanstalkd_initrc_exec_t;
>> ')
>>
>> beanstalkd_initrc_domtrans($1)
>> domain_system_change_exemption($1)
>> role_transition $2 beanstalkd_initrc_exec_t system_r;
>> allow $2 system_r;
>>
>> ')
>>
>> Kind regards,
>>
>> Ruben Kerkhof
>>
# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
Just for information, there is a workaround for this. You can add the
following statements to your beanstalkd local policy :
----
type beanstalkd_port_t;
corenet_port(beanstalkd_port_t)
allow beanstalkd_t beanstalkd_port_t:tcp_socket name_bind;
---
Then compile and load your policy module and execute:
# semanage port -a -t beanstalkd_port_t -p tcp 11300
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/selinux/attachments/20100118/1a2e7f40/attachment.html
More information about the selinux
mailing list