how to transition a daemon to its own domain
jiun bookworm
thebookworm101 at gmail.com
Mon Jan 20 11:24:01 UTC 2014
init_ranged_daemon_domain() was not working for me, im sure i have done
something wrong, but i have no idea what or where that is, right now
with the policy as it is, its running in
system_u:object_r:unlabeled_t:s0 meaning iv borked things big time.
here is the policy:
policy_module(myapp, 1.0.0)
########################################
#
# Declarations
#
require {
# type init_t;
type initrc_t;
type systemd_unit_file_t ;
type urandom_device_t ;
type etc_runtime_t ;
type proc_t;
type bin_t;
type tmp_t;
type user_home_dir_t;
type user_home_t;
type net_conf_t;
type ldconfig_exec_t;
type mongod_port_t;
type unreserved_port_t;
type http_cache_port_t;
type http_port_t;
type sandbox_file_t;
type node_t ;
type shell_exec_t ;
type bin_t ;
type security_t ;
type setroubleshootd_t ;
type unconfined_t ;
type default_t ;
}
init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
type myapp_t;
domain_type(myapp_t);
type myapp_exec_t;
type myapp_unit_file_t;
systemd_unit_file(systemd_unit_file_t)
mcs_process_set_categories(myapp_t);
########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process signal;
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir write;
allow myapp_t bin_t:file { execute execute_no_trans };
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t user_home_dir_t:dir { search getattr read open write
add_name};
allow myapp_t user_home_t:file { read open getattr ioctl create};
allow myapp_t user_home_t:dir { read open search getattr };
allow myapp_t ldconfig_exec_t:file {execute read open execute_no_trans};
allow myapp_t net_conf_t:file { read open getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect
getattr getopt write read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt
connect getattr getopt write read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name
create };
allow myapp_t sandbox_file_t:file { read open getattr ioctl create write
relabelfrom relabelto };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans };
allow myapp_t security_t:file write;
allow myapp_t self:tcp_socket { create setopt connect getattr getopt write
read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write
read bind append listen accept };
allow myapp_t self:netlink_route_socket { create bind getattr write
nlmsg_read nlmsg_write read setattr lock getopt setopt append };
domain_use_interactive_fds(myapp_t)
allow myapp_t urandom_device_t:chr_file {read open};
allow myapp_t default_t:file { read getattr execute open
execute_no_trans};
allow setroubleshootd_t myapp_exec_t:file getattr;
allow init_t myapp_exec_t:file execute;
allow init_t myapp_exec_t:file { read open execute getattr entrypoint };
On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift
<dominick.grift at gmail.com>wrote:
> On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:
> > Let me try the question again, all init daemons are started with
> > the context specified at
> > [jiun at localhost ~]$ cat /etc/selinux/targeted/contexts/initrc_context
> > system_u:system_r:initrc_t:s0
> >
> >
> > is it possible to have my application specifically override this and
> > start with the full mcs range? you mentioned that
> > the init_t is able to do something like this because of some
> > mcsconstraints, what constraints are these?
> >
> > iv tried these and they do not work:
> >
> > init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)
>
> In theory the above should work maybe theres a small error somewhere
> You should probably look more into the source policy for examples
>
> > mcs_process_set_categories(myapp_t);
>
> Thats one of the available mcs interfaces. Theres more in the policy
>
> seinfo -a | grep mcs
>
> > range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
> >
> oh right, it should probably be:
>
> range_transition init_t myapp_exec_t:process s0:c0.c1023;
>
> So maybe init_ranged_daemon_domain() needed to be updated to reflect
> systems.
>
> But the idea is that init_ranged_daemon_domain() should work
>
> >
> > On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift
> > <dominick.grift at gmail.com> wrote:
> > On Mon, 2014-01-20 at 01:42 +0300, jiun bookworm wrote:
> >
> > > Dominick,
> > > thanks but you may have misunderstood my question, its not
> > the daemon
> > > that is confined to one category
> > > its the child processes that it spawns, previously when in
> > init_t
> > > the app could spawn processes and assign
> > >
> > > them categories, now it can not, when running under
> > myapp_t, what
> > > makes init_t or other types able to
> > > support mcs and myapp_t can not?
> >
> >
> > There are two options:
> >
> > 1. you run the parent with the full mcs range
> > 2. you override mcs constraints for the parent using the
> > applicable mcs
> > type attributes
> >
> > the latter is why init is allowed to do it but i recommend the
> > former
> > for your parent process
> >
> >
> >
> >
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140120/84e071e7/attachment.html>
More information about the selinux
mailing list