Selinux policy for beanstalkd

Ruben Kerkhof ruben at rubenkerkhof.com
Mon Jan 18 19:26:41 UTC 2010


On Jan 18, 2010, at 6:28 PM, Dominick Grift wrote:

> On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
>> Hi list,
>>
>> I haven't written an selinux module before, so to start simple I
>> created one for beanstalkd, since we use this a lot.
>>
>> I'm running into one issue though:
>>
>> beanstalkd has the ability to create binary log files in
>> /var/lib/beanstalkd/binlog.
>> This directory doesn't exist by default, but it is created in the init script.
>>
>> Starting up beanstalkd creates an AVC denial:
>> type=AVC msg=audit(1263749015.682:199): avc:  denied  { create } for
>> pid=2163 comm="mkdir" name="beanstalkd"
>> scontext=unconfined_u:system_r:initrc_t:s0
>> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83
>> success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770
>> a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0  
>> euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir"
>> exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
>>
>> How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
>
> Ask whoever packaged it to install the directory instead of letting the init script create it.

That certainly seems the easiest way, thanks. I'll file a bug.

> Your beanstalk_admin could use a:
>
> files_search_var_lib($1)
> admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)

I presume this means that someone in the 'admin' role has the rights to manage stuff in /var/lib/beanstalkd?
Do I have to setup roles to test this?

> You will need to require the beanstalkd_var_lib_t type as well
>
> Other than that, looks good to me.

Thanks for your help,

Ruben
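As an added example (not code from this thread or from the beanstalkd project), here is how the pieces discussed above fit together in a reference-policy style module: a file context entry so that a packaged /var/lib/beanstalkd is labelled beanstalkd_var_lib_t rather than inheriting var_lib_t, the type declarations the interface depends on, and a beanstalkd_admin interface with the gen_require block Dominick says is needed. The type names beanstalkd_t and beanstalkd_exec_t, the daemon rules, and the two-argument form of admin_pattern (current refpolicy) are assumptions; the thread only shows beanstalkd_var_lib_t.

```m4
## beanstalkd.fc  (constructed example)
## Label the state directory and everything under it, including binlog,
## so a directory installed by the package gets the right type.
/var/lib/beanstalkd(/.*)?	gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)

## beanstalkd.te  (constructed example)
policy_module(beanstalkd, 1.0.0)

# assumed daemon domain and entrypoint; not shown in the thread
type beanstalkd_t;
type beanstalkd_exec_t;
init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)

# the type the admin interface below requires; files_type() makes the
# generic file interfaces (files_search_var_lib etc.) applicable to it
type beanstalkd_var_lib_t;
files_type(beanstalkd_var_lib_t)

# the daemon itself creates and writes its binlog under the state directory
manage_dirs_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, dir)

## beanstalkd.if  (constructed example)
########################################
## <summary>
##	All of the rules required to administrate a beanstalkd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`beanstalkd_admin',`
	# every type used from another module must be required here,
	# otherwise the module fails to link
	gen_require(`
		type beanstalkd_t, beanstalkd_var_lib_t;
	')

	# see and signal the running daemon
	allow $1 beanstalkd_t:process { ptrace signal_perms };
	ps_process_pattern($1, beanstalkd_t)

	# reach /var/lib and fully manage /var/lib/beanstalkd and its contents
	# (assumes the two-argument admin_pattern of current refpolicy)
	files_search_var_lib($1)
	admin_pattern($1, beanstalkd_var_lib_t)
')
```

Nothing grants these rules until some other module calls beanstalkd_admin() for a domain, so loading this module on its own changes nothing for any role; the interface is a building block for whoever assembles the admin domain. The file context entry only takes effect on objects that are already on disk or are relabelled (restorecon -Rv /var/lib/beanstalkd); it does not change the mkdir denial in the original post, which is raised against the init script's initrc_t domain creating a var_lib_t directory, and that is exactly why installing the directory from the package is the cleaner fix than widening initrc_t.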
