Al Pacifico wrote:
On 4/19/07, *Daniel J Walsh* <dwalsh@xxxxxxxxxx
<mailto:dwalsh@xxxxxxxxxx>> wrote:
Al Pacifico wrote:
> I (a greenhorn with selinux) am writing a policy for a daemon that
> streams music files over my home network to a music player client (a
> Slimdevices Squeezebox). My OS is FC5.
>
> The main daemon (/usr/sbin/slimserver) is a perl script that serves
> the music files and is started with an init script. My questions have
> to do with a secondary program (/usr/sbin/slimserver-scanner, also a
> perl script) that scans the music on the server, reading mp3 tags and
> such, and generates a database of stored music that is stored in a
> MySQL database. /usr/sbin/slimserver-scanner is invoked by the
> /usr/sbin/slimserver daemon and might be invoked by the user (although
> I can't recall ever doing so in several years of owning a Squeezebox).
>
> I've been following the example posted by Dan Walsh in a blog at
> http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> extremely helpful.
>
> My (2) questions:
> 1. What is the appropriate file context for the scanner program?
> system_u:object_r:sbin_t?
> system_u:object_r:slimserver_t?
> system_u:object_r:slimserver_exec_t?
>
That depends on your security goals. If you want the slimserver-scanner
to have the same privs as slimserver you would label it sbin_t and allow
slimserver to corecmd_exec_sbin(). If you want to go with least privs,
you would create a new policy for slimserver-scanner
(slimserver_scanner_t with file context of slimserver_scanner_exec_t)
and then add a rule to slimserver_t to domtrans:
slimserver_scanner_domtrans(slimserver_t)
After reviewing the source code to:
1) confirm that slimserver-scanner is intended to be run from the
command line as well as by the slimserver daemon
2) see if it logs to the slimserver log
3) determine if it might want to use the network
(to which all three answers were 'yes')
...I tried to use policygentool to create a policy for
slimserver-scanner. However, I was stymied by an error.
Here is what happened:
[root@joplin slimserver-scanner]# /usr/share/selinux/devel/policygentool slimserver-scanner /usr/sbin/slimserver-scanner
This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if). Most of the policy rules
will be written in the te file. Use the File Context file to associate file
paths with security context. Use the interface rules to allow other protected
domains to interact with the newly defined domains.
After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package. Then use the semodule tool to load it.
# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -l myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
Now you can turn on permissive mode, start your application and avc messages
will be generated. You can use audit2allow to help translate the avc messages
into policy.
# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log
Return to continue:
If the module uses pidfiles, what is the pidfile called?
If the module uses logfiles, where are they stored?
/var/log/slimserver
If the module has var/lib files, where are they stored?
Does the module have a init script? [yN]
N
Does the module use the network? [yN]
y
[root@joplin slimserver-scanner]# ls
slimserver-scanner.fc slimserver-scanner.if slimserver-scanner.te
[root@joplin slimserver-scanner]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted slimserver-scanner module
/usr/bin/checkmodule: loading policy configuration from tmp/slimserver-scanner.tmp
slimserver-scanner.te:1:ERROR 'syntax error' at token 'slimserver-scanner' on line 59006:
module slimserver-scanner 1.0.0;
#line 1
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/slimserver-scanner.mod] Error 1
I thought I would display the line containing the error and associated
context with the following:
[root@joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed -n '58990,59022p'
50718 ## Execute a domain transition to run slimserver-scanner.
50719 ## </summary>
50720 ## <param name="domain">
50721 ## <summary>
50722 ## Domain allowed to transition.
50723 ## </summary>
50724 ## </param>
50725 #
50726
50727 #line 124172
50728 #line 1 "slimserver-scanner.te "
50729 #line 1
50730
50731 #line 1
50732 module slimserver-scanner 1.0.0;
50733 #line 1
50734 #line 1
50735 require {
50736 #line 1
50737 role system_r;
50738 #line 1
50739
50740 #line 1
50741 class security { compute_av compute_create
compute_member check_context load_policy compute_relabel compute_user
setenforce setbool setsecparam setcheckreqprot };
50742 #line 1
50743 class process { fork transition sigchld sigkill
sigstop signull signal ptrace getsched setsched getsession getpgid
setpgid getcap setcap share getattr setexec setfscreate noatsecure
siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack
execheap setkeycreate };
50744 #line 1
50745 class system { ipc_info syslog_read syslog_mod syslog_console };
50746 #line 1
50747 class capability { chown dac_override dac_read_search
fowner fsetid kill setgid setuid setpcap linux_immutable
net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control };
which does show the line 'module slimserver-scanner 1.0.0;', although
the line numbering is inconsistent.
At first, I thought maybe policygentool inspected the context for the
/usr/sbin/slimserver-scanner binary and that was the problem. Cursory
examination of the source code did not suggest this. Now, I wonder if
policygentool is only to be used for daemons. This wasn't stated in
any comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5
package.)
Are there any thoughts regarding the nature of the error or
suggestions for alternative tools for generating the policy?
-al
Could it be that the compiler does not like the - in the policy name?
Could you change it to slimserver_scanner?
--
Al Pacifico
Seattle, WA
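As an added example (not code from the thread, from policygentool's output or from the SlimServer project), here is the least-privilege layout Dan describes, written with the underscore name the end of the thread suggests, since the policy language parses a '-' in "module slimserver-scanner" as a minus sign. The interface names are the standard reference-policy ones of that era; the separate scanner log type and the MySQL/DNS rules are assumptions to be confirmed from the avc messages in permissive mode, as the policygentool banner describes.

```text
# slimserver_scanner.te -- the module name must be a plain identifier:
# a '-' is tokenised as a minus sign, which is the syntax error shown above.
policy_module(slimserver_scanner, 1.0.0)

type slimserver_scanner_t;
type slimserver_scanner_exec_t;
domain_type(slimserver_scanner_t)
domain_entry_file(slimserver_scanner_t, slimserver_scanner_exec_t)
role system_r types slimserver_scanner_t;

# /var/log/slimserver, as answered to policygentool (assumed separate type;
# if the daemon writes the same file, share one log type via an interface)
type slimserver_scanner_log_t;
logging_log_file(slimserver_scanner_log_t)
allow slimserver_scanner_t slimserver_scanner_log_t:file { create append getattr setattr };
logging_log_filetrans(slimserver_scanner_t, slimserver_scanner_log_t, file)

# network and MySQL: the two 'yes' answers from the source review (assumed)
sysnet_dns_name_resolve(slimserver_scanner_t)
mysql_stream_connect(slimserver_scanner_t)

# slimserver_scanner.if -- the interface slimserver_t calls to transition
interface(`slimserver_scanner_domtrans',`
	gen_require(`
		type slimserver_scanner_t, slimserver_scanner_exec_t;
	')
	corecmd_search_bin($1)
	domain_auto_trans($1, slimserver_scanner_exec_t, slimserver_scanner_t)
	allow $1 slimserver_scanner_t:fd use;
	allow slimserver_scanner_t $1:fd use;
	allow slimserver_scanner_t $1:fifo_file rw_file_perms;
	allow slimserver_scanner_t $1:process sigchld;
')

# slimserver_scanner.fc -- labels applied by restorecon
/usr/sbin/slimserver-scanner  --  gen_context(system_u:object_r:slimserver_scanner_exec_t,s0)
/var/log/slimserver(/.*)?         gen_context(system_u:object_r:slimserver_scanner_log_t,s0)

# in slimserver.te: let the daemon run the scanner in its own domain
slimserver_scanner_domtrans(slimserver_t)
```

The scanner keeps only the permissions listed here rather than everything slimserver_t has, which is the difference between this layout and labelling the script sbin_t.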
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list