Re: TS under SELinux policy

On 06/16/2011 10:58 AM, Igor Galić wrote:

----- Original Message -----
On 06/16/2011 06:04 AM, Jan-Frode Myklebust wrote:

On Wed, Jun 15, 2011 at 05:08:49PM -0430, Marcos Ortiz wrote:

Regards to all the list
I was wondering if any of you have deployed Traffic Server under
SELinux's policies?
If it's true, where can I find the work?

I don't know if it's been done, but I intend to build a policy
for it together with the fedora/EPEL package, and try to push it
upstream to the reference policy.


  -jf

Dominick Grift (domg472@xxxxxxxxx) and I want to
help with this development, precisely under Fedora. Can you
explain to us the basic workflow of TS?
Thanks a lot
I don't think it'll be that straightforward to create such a policy
for TS, because it's got quite a complex work-flow.

igalic@pheme ~ % ps -cafe | grep -i traffic[_]
root       311     1 TS   19 Jun06 ?        00:00:59 /usr/bin/traffic_cop
nobody     750   311 TS   19 Jun06 ?        00:10:17 /usr/bin/traffic_manager
nobody     961   750 TS   19 Jun06 ?        05:29:24 /usr/bin/traffic_server -M -A,7:X
igalic@pheme ~ % getpcaps 311 750 961
Capabilities for `311': =ep
Capabilities for `750': =p cap_net_bind_service,cap_net_admin,cap_ipc_lock+e
Capabilities for `961': = cap_net_bind_service,cap_net_admin,cap_ipc_lock+ep
igalic@pheme ~ %


* traffic_cop is started as root
* it creates /var/trafficserver/run/cop.lock and writes its PID inside
* it attempts to start traffic_manager

* traffic_manager is started as "nobody" but inherits the Capabilities from the parent
* it creates /var/trafficserver/run/manager.lock and writes its PID inside
* it binds to port 80 and 443, then drops privileges (see above).
* it creates /var/trafficserver/logs/manager.log and /var/trafficserver/logs/traffic.out
* it creates several sockets in /var/trafficserver/run/
* it attempts to start traffic_server

* traffic_server is started as "nobody"
* it opens /var/trafficserver/run/server.lock and writes its PID inside
* it opens /var/trafficserver/logs/{diags,error}.log and /var/trafficserver/logs/squid.blog
* it opens /var/trafficserver/cache/host.db
* depending on your storage.config it will then open the index, in my case these are
  - the disk devices /dev/vde and /dev/vdf

This is a simple startup of a single node. It should look the same in both
forward-proxy and reverse-proxy mode.

If you enable clustering, you'll also have to consider this in your firewall
configuration, allowing multi-cast on the local network.

I hope that gets you started.

--
Marcos Luís Ortíz Valmaseda
 Software Engineer (UCI) http://marcosluis2186.posterous.com
 http://twitter.com/marcosluis2186
So long,
i

Well, Dominick, I think that the first thing to do is to build
the .rpm package under correct packaging rules.
Init scripts under:
/usr/sbin
/etc/init.d/ (compatible with the chkconfig tool)
pids under:
/var/run

libraries under:
/usr/lib/trafficserver

docs under:
/usr/share/docs/trafficserver

log files under:
/var/log/trafficserver

and locks under:
/var/locks/trafficserver

Is this correct, Dominick?
Where can I find the spec file for TrafficServer?

Regards


-- 
Marcos Luís Ortíz Valmaseda
 Software Engineer (UCI)
 http://marcosluis2186.posterous.com
 http://twitter.com/marcosluis2186

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
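The startup workflow Igor describes above (cop as root, manager and server as "nobody" with three retained capabilities, lock files and sockets under run/, logs under logs/, host.db and raw disk devices for the cache) maps fairly directly onto a reference-policy module with one domain per process. The sketch below is an added example written for this thread, not the module that later shipped in Fedora/EPEL or anything from the Traffic Server project. Every type name (trafficserver_cop_t and friends) and the choice of interfaces are assumptions made for illustration; paths are the ones quoted in the thread.

```selinux
policy_module(trafficserver, 0.1)

# Added example, not the Fedora/EPEL or upstream policy. Type names and
# interface choices are assumptions sketched from the startup workflow
# posted in this thread.

########################################
#
# Declarations
#

# One domain per process in the cop -> manager -> server chain, so each
# can be confined to exactly what the workflow shows it doing.
type trafficserver_cop_t;
type trafficserver_cop_exec_t;
init_daemon_domain(trafficserver_cop_t, trafficserver_cop_exec_t)

type trafficserver_manager_t;
type trafficserver_manager_exec_t;
domain_type(trafficserver_manager_t)
domain_entry_file(trafficserver_manager_t, trafficserver_manager_exec_t)

type trafficserver_t;
type trafficserver_exec_t;
domain_type(trafficserver_t)
domain_entry_file(trafficserver_t, trafficserver_exec_t)

# /var/trafficserver/run: cop.lock, manager.lock, server.lock, sockets
type trafficserver_var_run_t;
files_pid_file(trafficserver_var_run_t)

# /var/trafficserver/logs: manager.log, traffic.out, diags.log, error.log, squid.blog
type trafficserver_log_t;
logging_log_file(trafficserver_log_t)

# /var/trafficserver/cache: host.db
type trafficserver_cache_t;
files_type(trafficserver_cache_t)

########################################
#
# traffic_cop: runs as root, writes cop.lock, starts traffic_manager
#

files_search_var(trafficserver_cop_t)
manage_files_pattern(trafficserver_cop_t, trafficserver_var_run_t, trafficserver_var_run_t)

# Assumption: cop switches to "nobody" before exec'ing the manager.
allow trafficserver_cop_t self:capability { setuid setgid };
domtrans_pattern(trafficserver_cop_t, trafficserver_manager_exec_t, trafficserver_manager_t)

########################################
#
# traffic_manager: "nobody", binds 80/443 with the inherited caps, writes
# manager.lock, its logs and the control sockets, then starts traffic_server
#

# Exactly the effective set getpcaps shows for PID 750, nothing wider.
allow trafficserver_manager_t self:capability { net_bind_service net_admin ipc_lock };
allow trafficserver_manager_t self:tcp_socket create_stream_socket_perms;
allow trafficserver_manager_t self:unix_stream_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(trafficserver_manager_t)
corenet_tcp_bind_http_port(trafficserver_manager_t)

files_search_var(trafficserver_manager_t)
manage_files_pattern(trafficserver_manager_t, trafficserver_var_run_t, trafficserver_var_run_t)
manage_sock_files_pattern(trafficserver_manager_t, trafficserver_var_run_t, trafficserver_var_run_t)
manage_files_pattern(trafficserver_manager_t, trafficserver_log_t, trafficserver_log_t)

domtrans_pattern(trafficserver_manager_t, trafficserver_exec_t, trafficserver_t)

########################################
#
# traffic_server: "nobody", server.lock, logs, host.db, raw cache disks
#

# getpcaps shows the same three caps effective+permitted for PID 961.
allow trafficserver_t self:capability { net_bind_service net_admin ipc_lock };

files_search_var(trafficserver_t)
manage_files_pattern(trafficserver_t, trafficserver_var_run_t, trafficserver_var_run_t)
manage_files_pattern(trafficserver_t, trafficserver_log_t, trafficserver_log_t)
manage_files_pattern(trafficserver_t, trafficserver_cache_t, trafficserver_cache_t)

# storage.config pointing at /dev/vde and /dev/vdf means the proxy needs
# raw read/write on fixed-disk device nodes. This is the one rule here
# that reaches well beyond the service's own files: a bug in
# traffic_server can then scribble over anything else on a disk with
# that label, so a tighter policy would give the cache disks their own
# device type instead of granting fixed_disk_device_t wholesale.
storage_raw_read_fixed_disk(trafficserver_t)
storage_raw_write_fixed_disk(trafficserver_t)

# trafficserver.fc (separate file in the same module):
# /usr/bin/traffic_cop       --  gen_context(system_u:object_r:trafficserver_cop_exec_t,s0)
# /usr/bin/traffic_manager   --  gen_context(system_u:object_r:trafficserver_manager_exec_t,s0)
# /usr/bin/traffic_server    --  gen_context(system_u:object_r:trafficserver_exec_t,s0)
# /var/trafficserver/run(/.*)?    gen_context(system_u:object_r:trafficserver_var_run_t,s0)
# /var/trafficserver/logs(/.*)?   gen_context(system_u:object_r:trafficserver_log_t,s0)
# /var/trafficserver/cache(/.*)?  gen_context(system_u:object_r:trafficserver_cache_t,s0)
```

Build and load it with the selinux-policy-devel Makefile (`make -f /usr/share/selinux/devel/Makefile trafficserver.pp && semodule -i trafficserver.pp`, then `restorecon -Rv /usr/bin/traffic_* /var/trafficserver`). The sketch only covers what the quoted workflow lists; real daemons also read /proc, sysfs and the like, so run the three domains permissive at first (`semanage permissive -a trafficserver_t`, and the same for the cop and manager domains), collect the remaining AVC denials and feed them to audit2allow before tightening. Clustering adds multicast on the local network, which means udp socket and node-bind rules on top of the firewall change Igor mentions.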
