On 01/18/2010 08:26 PM, Ruben Kerkhof wrote:
>
> On Jan 18, 2010, at 6:28 PM, Dominick Grift wrote:
>
>> On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
>>> Hi list,
>>>
>>> I haven't written an selinux module before, so to start simple I
>>> created one for beanstalkd, since we use this a lot.
>>>
>>> I'm running into one issue though:
>>>
>>> beanstalkd has the ability to create binary log files in
>>> /var/lib/beanstalkd/binlog. This directory doesn't exist by default,
>>> but it is created in the init script.
>>>
>>> Starting up beanstalkd creates an AVC denial:
>>>
>>> type=AVC msg=audit(1263749015.682:199): avc: denied { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
>>> type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770 a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
>>>
>>> How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
>>
>> Ask whoever packaged it to install the directory instead of letting
>> the init script create it.
>
> That certainly seems the easiest way, thanks. I'll file a bug.
>
>> Your beanstalk_admin could use a:
>>
>> files_search_var_lib($1)
>> admin_pattern($1, beanstalkd_var_lib_t, beanstalk_var_lib_t)
>
> I presume this means that someone in the 'admin' role has the rights
> to manage stuff in /var/lib/beanstalkd?
> Do I have to setup roles to test this?
The beanstalkd_admin() interface is for the beanstalkadm_r role, yes.

You can test it by creating a beanstalkadm module:

beanstalkadm.te:

policy_module(beanstalkadm, 1.0.0)

role beanstalkadm_r;

userdom_base_user_template(beanstalkadm)

beanstalk_admin(beanstalkadm_t, beanstalkadm_r)

beanstalkadm.if:

## <summary>beanstalk administrator role</summary>

########################################
## <summary>
##	Change to the beanstalk administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkadm_role_change',`
	gen_require(`
		role beanstalkadm_r;
	')

	allow $1 beanstalkadm_r;
')

########################################
## <summary>
##	Change from the beanstalk administrator role.
## </summary>
## <desc>
##	<p>
##	Change from the beanstalk administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkadm_role_change_to',`
	gen_require(`
		role beanstalkadm_r;
	')

	allow beanstalkadm_r $1;
')

customization to the staff domain:

mystaff.te:

policy_module(mystaff, 1.0.0)

require {
	role staff_r;
}

optional_policy(`
	beanstalkadm_role_change(staff_r)
')

Then edit the staff_u selinux user mapping:

semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r unconfined_r beanstalkadm_r webadm_r" -P user staff_u
echo "testuser ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL" >> /etc/sudoers
useradd -Z staff_u testuser
passwd testuser

login:

sudo -t beanstalkadm_t -r beanstalkadm_r -s

or

sudo -t beanstalkadm_t -r beanstalkadm_r service beanstalkd restart

Your beanstalkadm module may need some more modifications though. Have a look at the webadm module, and reference its call to apache_admin to apache.if, where it's defined.
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/webadm.te
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/webadm.if
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/services/apache.if

>
>> You will need to require the beanstalkd_var_lib_t type as well
>>
>> Other than that, looks good to me.
>
> Thanks for your help,
>
> Ruben
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
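As an added example (not code from this thread and not Ruben's module), here is what a complete beanstalkd_admin() interface in beanstalkd.if can look like when it follows the same refpolicy admin-interface pattern as apache_admin() in services/apache.if, together with the beanstalkd.fc entry that labels the package-installed /var/lib/beanstalkd directory. The types beanstalkd_t (daemon domain) and beanstalkd_initrc_exec_t (init script label) are assumed names; only beanstalkd_var_lib_t is named in the thread.

```m4
# beanstalkd.if (added example, not from the thread): an admin interface in
# the refpolicy style used by apache_admin() in services/apache.if.
# Assumed types: beanstalkd_t (daemon domain) and beanstalkd_initrc_exec_t
# (init script label). beanstalkd_var_lib_t is the type named in the thread.

########################################
## <summary>
##	All of the rules required to administrate
##	a beanstalkd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkd_admin',`
	# every type used below must be declared in the calling module's scope;
	# this is the "require the beanstalkd_var_lib_t type" step from the thread
	gen_require(`
		type beanstalkd_t, beanstalkd_initrc_exec_t;
		type beanstalkd_var_lib_t;
	')

	# let the admin domain see and signal the daemon process
	allow $1 beanstalkd_t:process { ptrace signal_perms };
	ps_process_pattern($1, beanstalkd_t)

	# let the admin run the init script; the role transitions to system_r
	# so the script executes as initrc_t rather than in the admin domain
	init_labeled_script_domtrans($1, beanstalkd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 beanstalkd_initrc_exec_t system_r;
	allow $2 system_r;

	# full management of /var/lib/beanstalkd, including the binlog subdirectory
	files_search_var_lib($1)
	admin_pattern($1, beanstalkd_var_lib_t)
')

# beanstalkd.fc (added example): label the directory the package installs,
# so neither the init script nor the admin has to create it under the
# generic var_lib_t type that produced the AVC denial in the thread.
/var/lib/beanstalkd(/.*)?	gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
```

With the directory shipped by the package and labeled by the .fc entry, the init script's mkdir -p becomes a no-op and the initrc_t create denial on var_lib_t does not occur; the admin role's access to the binlog files comes entirely from admin_pattern() on beanstalkd_var_lib_t, which is why the type has to be listed in gen_require.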