Selinux policy for beanstalkd

Miroslav Grepl mgrepl at redhat.com
Mon Jan 18 18:38:38 UTC 2010


On 01/18/2010 06:28 PM, Dominick Grift wrote:
> On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
>    
>> Hi list,
>>
>> I haven't written an selinux module before, so to start simple I
>> created one for beanstalkd, since we use this a lot.
>>
>> I'm running into one issue though:
>>
>> beanstalkd has the ability to create binary log files in
>> /var/lib/beanstalkd/binlog.
>> This directory doesn't exist by default, but it is created in the init script.
>>
>> Starting up beanstalkd creates an AVC denial:
>> type=AVC msg=audit(1263749015.682:199): avc:  denied  { create } for
>> pid=2163 comm="mkdir" name="beanstalkd"
>> scontext=unconfined_u:system_r:initrc_t:s0
>> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83
>> success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770
>> a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir"
>> exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
>>
>> How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
>>      
> Ask whoever packaged it to install the directory instead of letting the
> init script create it.
>
> Your beanstalk_admin could use a:
>
> files_search_var_lib($1)
> admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
>
> You will need to require the beanstalkd_var_lib_t type as well
>
> Other than that, looks good to me.
>
>    
>> Here's my policy:
>>
>> [root at ruben ~]# cat beanstalkd.fc
>> /usr/bin/beanstalkd             --
>> gen_context(system_u:object_r:beanstalkd_exec_t,s0)
>> /etc/rc\.d/init\.d/beanstalkd   --
>> gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
>> /var/lib/beanstalkd(/.*)?
>> gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
>>
>> [root at ruben ~]# cat beanstalkd.te
>> policy_module(beanstalkd,1.0.0)
>>
>> ########################################
>> #
>> # Declarations
>> #
>>
>> type beanstalkd_t;
>> type beanstalkd_exec_t;
>> init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)
>>
>> type beanstalkd_initrc_exec_t;
>> init_script_file(beanstalkd_initrc_exec_t)
>>
>> type beanstalkd_var_lib_t;
>> files_type(beanstalkd_var_lib_t)
>>
>> ########################################
>> #
>> # beanstalkd local policy
>> #
>>
>> allow beanstalkd_t self:capability { dac_override setgid setuid };
>> allow beanstalkd_t self:process { fork setrlimit };
>> allow beanstalkd_t self:tcp_socket create_stream_socket_perms;
>>
>> manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
>> files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, file)
>>
>> corenet_tcp_sendrecv_generic_if(beanstalkd_t)
>> corenet_tcp_sendrecv_generic_node(beanstalkd_t)
>> corenet_tcp_sendrecv_all_ports(beanstalkd_t)
>> corenet_tcp_bind_generic_node(beanstalkd_t)
>>
>> # FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
>> corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)
>>
>>
>> fs_dontaudit_getattr_all_fs(beanstalkd_t)
>>
>> domain_use_interactive_fds(beanstalkd_t)
>>
>> auth_use_nsswitch(beanstalkd_t)
>>
>> [root at ruben ~]# cat beanstalkd.if
>>
>> ##<summary>policy for beanstalkd</summary>
>>
>> ########################################
>> ##<summary>
>> ##	Execute a domain transition to run beanstalkd.
>> ##</summary>
>> ##<param name="domain">
>> ##<summary>
>> ##	Domain allowed to transition.
>> ##</summary>
>> ##</param>
>> #
>> interface(`beanstalkd_domtrans',`
>> 	gen_require(`
>> 		type beanstalkd_t, beanstalkd_exec_t;
>> 	')
>>
>> 	domtrans_pattern($1, beanstalkd_exec_t, beanstalkd_t)
>> ')
>>
>>
>> ########################################
>> ##<summary>
>> ##	Execute beanstalkd server in the beanstalkd domain.
>> ##</summary>
>> ##<param name="domain">
>> ##	<summary>
>> ##	The type of the process performing this action.
>> ##	</summary>
>> ##</param>
>> #
>> interface(`beanstalkd_initrc_domtrans',`
>> 	gen_require(`
>> 		type beanstalkd_initrc_exec_t;
>> 	')
>>
>> 	init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
>> ')
>>
>> ########################################
>> ##<summary>
>> ##	All of the rules required to administrate
>> ##	a beanstalkd environment
>> ##</summary>
>> ##<param name="domain">
>> ##	<summary>
>> ##	Domain allowed access.
>> ##	</summary>
>> ##</param>
>> ##<param name="role">
>> ##	<summary>
>> ##	Role allowed access.
>> ##	</summary>
>> ##</param>
>> ##<rolecap/>
>> #
>> interface(`beanstalkd_admin',`
>> 	gen_require(`
>> 		type beanstalkd_t;
>> 	')
>>
>> 	allow $1 beanstalkd_t:process { ptrace signal_perms getattr };
>> 	read_files_pattern($1, beanstalkd_t, beanstalkd_t)
>> 	
>>
>> 	gen_require(`
>> 		type beanstalkd_initrc_exec_t;
>> 	')
>>
>> 	beanstalkd_initrc_domtrans($1)
>> 	domain_system_change_exemption($1)
>> 	role_transition $2 beanstalkd_initrc_exec_t system_r;
>> 	allow $2 system_r;
>>
>> ')
>>
>> Kind regards,
>>
>> Ruben Kerkhof
>>      
# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)


Just for information, there is a workaround for this. You can add the
following statements to your beanstalkd local policy:

----

type beanstalkd_port_t;
corenet_port(beanstalkd_port_t)

allow beanstalkd_t beanstalkd_port_t:tcp_socket name_bind;

----

Then compile and load your policy module and execute:

# semanage port -a -t beanstalkd_port_t -p tcp 11300
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
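As an added example (mine, not code from any post in this thread): a small Python helper that reads an AVC record like the one Ruben quoted, extracts the source type, target type, class and permissions, and shows the raw rule audit2allow would propose for it. Its triage step makes Dominick's point explicit: the denied process ran as initrc_t (the init script's mkdir), not as beanstalkd_t, so the rule does not belong in the daemon's module. The sample record is the thread's AVC line re-joined onto one line; the function names are assumptions.

```python
import re

# Constructed sample: the AVC record quoted in the thread, re-joined onto the
# single line that ausearch/auditd emits (not a new capture).
SAMPLE_AVC = (
    'type=AVC msg=audit(1263749015.682:199): avc:  denied  { create } for '
    'pid=2163 comm="mkdir" name="beanstalkd" '
    'scontext=unconfined_u:system_r:initrc_t:s0 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Split one AVC record into its parts; None for non-AVC lines (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
    }


def allow_rule(avc):
    """The raw allow rule audit2allow would propose for this denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {avc["stype"]} {avc["ttype"]}:{avc["tclass"]} {perm_str};'


def triage(avc):
    """Say whether the proposed rule belongs in the daemon's module at all."""
    rule = allow_rule(avc)
    if avc["stype"] == "initrc_t":
        # The denied process runs in the shared init-script domain, not in
        # beanstalkd_t, so this rule would widen every init script on the box.
        return (f'{avc["comm"]} ran as initrc_t: "{rule}" is not a beanstalkd_t '
                f'rule; ship or pre-label the {avc["tclass"]} instead')
    return f'{avc["comm"]} ran as {avc["stype"]}: candidate rule "{rule}"'
```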
