Hi list,

I haven't written an SELinux module before, so to start simple I created one for beanstalkd, since we use this a lot.

I'm running into one issue though: beanstalkd has the ability to create binary log files in /var/lib/beanstalkd/binlog. This directory doesn't exist by default, but it is created in the init script. Starting up beanstalkd creates an AVC denial:

type=AVC msg=audit(1263749015.682:199): avc: denied { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770 a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?

Here's my policy:

[root@ruben ~]# cat beanstalkd.fc
/usr/bin/beanstalkd                  --  gen_context(system_u:object_r:beanstalkd_exec_t,s0)
/etc/rc\.d/init\.d/beanstalkd        --  gen_context(system_u:object_r:beanstalkd_initrc_exec_t,s0)
/var/lib/beanstalkd(/.*)?                gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)

[root@ruben ~]# cat beanstalkd.te
policy_module(beanstalkd,1.0.0)

########################################
#
# Declarations
#

type beanstalkd_t;
type beanstalkd_exec_t;
init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)

type beanstalkd_initrc_exec_t;
init_script_file(beanstalkd_initrc_exec_t)

type beanstalkd_var_lib_t;
files_type(beanstalkd_var_lib_t)

########################################
#
# beanstalkd local policy
#

allow beanstalkd_t self:capability { dac_override setgid setuid };
allow beanstalkd_t self:process { fork setrlimit };
allow beanstalkd_t self:tcp_socket create_stream_socket_perms;

manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, file)

corenet_tcp_sendrecv_generic_if(beanstalkd_t)
corenet_tcp_sendrecv_generic_node(beanstalkd_t)
corenet_tcp_sendrecv_all_ports(beanstalkd_t)
corenet_tcp_bind_generic_node(beanstalkd_t)
# FIXME: we need a beanstalkd_port (tcp, 11300) in core policy
corenet_tcp_bind_all_unreserved_ports(beanstalkd_t)

fs_dontaudit_getattr_all_fs(beanstalkd_t)

domain_use_interactive_fds(beanstalkd_t)

auth_use_nsswitch(beanstalkd_t)

[root@ruben ~]# cat beanstalkd.if
## <summary>policy for beanstalkd</summary>

########################################
## <summary>
##    Execute a domain transition to run beanstalkd.
## </summary>
## <param name="domain">
## <summary>
##    Domain allowed to transition.
## </summary>
## </param>
#
interface(`beanstalkd_domtrans',`
    gen_require(`
        type beanstalkd_t, beanstalkd_exec_t;
    ')

    domtrans_pattern($1, beanstalkd_exec_t, beanstalkd_t)
')

########################################
## <summary>
##    Execute beanstalkd server in the beanstalkd domain.
## </summary>
## <param name="domain">
## <summary>
##    The type of the process performing this action.
## </summary>
## </param>
#
interface(`beanstalkd_initrc_domtrans',`
    gen_require(`
        type beanstalkd_initrc_exec_t;
    ')

    init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
')

########################################
## <summary>
##    All of the rules required to administrate
##    a beanstalkd environment
## </summary>
## <param name="domain">
## <summary>
##    Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
##    Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`beanstalkd_admin',`
    gen_require(`
        type beanstalkd_t, beanstalkd_initrc_exec_t;
    ')

    allow $1 beanstalkd_t:process { ptrace signal_perms getattr };
    read_files_pattern($1, beanstalkd_t, beanstalkd_t)

    beanstalkd_initrc_domtrans($1)
    domain_system_change_exemption($1)
    role_transition $2 beanstalkd_initrc_exec_t system_r;
    allow $2 system_r;
')

Kind regards,

Ruben Kerkhof

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
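The denial quoted above is easiest to reason about once its fields are pulled apart: which domain (scontext type) was refused which permission on which object type and class. The parser below does that and derives the raw `allow` rule a tool like audit2allow would print for the record. It is an added example for this thread, not code from the original post, from beanstalkd or from the reference policy; the function names are this example's own, the first sample record is the AVC line from the post, and the second is a constructed multi-permission record used to exercise the brace syntax.

```python
"""Parse SELinux AVC denial records and derive the allow rule they ask for.

Added example, not part of the original post. Helper names are this
example's own. SAMPLE_AVC is the AVC record quoted in the post; the
SYSCALL record that follows it in the audit log is not needed here.
"""
import re
from typing import Dict, List

# The AVC record from the post (one record, wrapped here for readability).
SAMPLE_AVC = (
    'type=AVC msg=audit(1263749015.682:199): avc: denied { create } for pid=2163 '
    'comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 '
    'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir'
)

# Constructed record (not from the post) with two denied permissions.
CONSTRUCTED_MULTI = (
    'type=AVC msg=audit(1.000:2): avc: denied { read write } for pid=1 comm="x" '
    'scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:bar_t:s0 tclass=file'
)

# "avc: denied { perm1 perm2 }" -> verdict and the space-separated permission list
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
# key=value pairs; values are either "quoted" or a bare non-space token
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line: str) -> Dict[str, object]:
    """Extract verdict, permissions, source/target types and class from one AVC record."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields: Dict[str, str] = {}
    for key, raw, quoted in _KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError(f"AVC record missing {required}")
    return {
        'verdict': m.group(1),
        'perms': m.group(2).split(),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
    }


def derive_allow_rule(rec: Dict[str, object]) -> str:
    """Render the allow rule that would satisfy exactly this denial (audit2allow style)."""
    perms: List[str] = rec['perms']  # type: ignore[assignment]
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"


def explain(rec: Dict[str, object]) -> str:
    """One-line human reading of the record, for a triage note."""
    return (f"{rec['comm']} (pid {rec['pid']}) in domain {rec['stype']} was "
            f"{rec['verdict']} {' '.join(rec['perms'])} on {rec['tclass']} "
            f"{rec['name']!r} labeled {rec['ttype']}")


def rules_from_log(text: str) -> List[str]:
    """Collect unique allow rules from every AVC 'denied' record in an audit log excerpt."""
    rules: List[str] = []
    for line in text.splitlines():
        if 'avc:' not in line or 'denied' not in line:
            continue
        rule = derive_allow_rule(parse_avc(line))
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(explain(rec))
    print(derive_allow_rule(rec))
```

For the record in the post this yields `allow initrc_t var_lib_t:dir create;`. Two things are worth keeping in mind before pasting such a line into a module: it grants the permission to every process running in initrc_t, not just this init script, and a directory created by initrc_t under /var/lib gets the parent's type (var_lib_t) at creation time, not the beanstalkd_var_lib_t the .fc file assigns, until a type transition rule or restorecon relabels it.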