Re: how to transition a daemon to its own domain

Dominick:

Thanks, I had overlooked the advice on the unit file in your first email, but I went back to it and sure enough it helped,
but in the end I had to give the Python interpreter the exec_t label, since it's called by the unit file (the .py file does not use a shebang, so it's not called directly), viz. /path/to/python /path/to/app.py

Now I'm working on getting the new type to actually work; I'm dealing with strange socket connection errors that are not in the audit logs. Here is what I have so far:



policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#
require {
#        type init_t;
         type systemd_unit_file_t ;
         type urandom_device_t ;
         type etc_runtime_t ;
         type proc_t;
         type bin_t;
         type tmp_t;
         type user_home_dir_t;
         type user_home_t;
         type net_conf_t;
         type ldconfig_exec_t;
         type mongod_port_t;
}

type myapp_t;
type myapp_exec_t;
# init/systemd transitions to myapp_t when it executes a file labeled myapp_exec_t
init_daemon_domain(myapp_t, myapp_exec_t)

type myapp_unit_file_t;
# the interface has to be applied to this module's own unit file type,
# not to the base policy's systemd_unit_file_t
systemd_unit_file(myapp_unit_file_t)

########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process signal;
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir write;
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t user_home_dir_t:dir { search getattr read open write add_name};
allow myapp_t user_home_t:file { read open  getattr ioctl create};
allow myapp_t user_home_t:dir { read open search getattr };
allow myapp_t ldconfig_exec_t:file {execute  read open  execute_no_trans};
allow myapp_t net_conf_t:file { read  open   getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;

allow myapp_t self:tcp_socket { create setopt connect getattr getopt write  read bind append};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append};
allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };


domain_use_interactive_fds(myapp_t)

#files_read_etc_files(myapp_t)

#miscfiles_read_localization(myapp_t)

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow myapp_t urandom_device_t:chr_file {read open};


Here is the traceback that's clueing me in that there is something not yet allowed that's not being logged to audit:

Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: File "/appcl/penv/lib/python3.3/site-packages/motor/__init__.py", line 809, in open_sync
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: raise outcome['error']
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: File "/appcl/penv/lib/python3.3/site-packages/motor/__init__.py", line 725, in _connect
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: self.delegate = self.__delegate_class__(*args, **kwargs)
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: File "/appcl/penv/lib/python3.3/site-packages/pymongo/mongo_client.py", line 336, in __init__
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: raise ConnectionFailure(str(e))
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: pymongo.errors.ConnectionFailure: [Errno 13] Permission denied



Why does SELinux not log these types of denials? I had to guess some permissions that it needed, like these, to get past this point:

allow myapp_t self:tcp_socket { create setopt connect getattr getopt write  read bind append};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append};
allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };



regards



On Sun, Jan 19, 2014 at 6:56 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Sun, 2014-01-19 at 09:19 +0300, jiun bookworm wrote:
> Thanks for that,
>
> infortunately im still not there yet,
>
> now the application runs in  initrc_t  (it  was  remaining in init_t)
>
> this is how the policy looks like  (from your  and bigons advice):

Make sure that the "daemon entry file" is labeled myapp_exec_t

so for example if the unit file has execstart=/usr/sbin/bla (or
whatever)

then: chcon -t myapp_exec_t /usr/sbin/bla

The transition happens on the daemon entry file so that must be labeled
accordingly (myapp_exec_t)


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
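The permissions the post above had to guess are exactly what an AVC-to-rule step produces. The following is an added example, not code from the original post or from the SELinux project: a small offline Python stand-in for audit2allow that merges AVC denials per (source type, target type, class), diffs them against the allow rules a .te file already contains, and reports only the rules and require entries still missing. POLICY_TE is a constructed excerpt in the shape of the myapp policy above, and the AVC records in SAMPLE_AVCS are constructed, not taken from a real audit log.

```python
"""Turn AVC denials into the allow rules a policy module still lacks.

Added example for this thread (not from the original post, not part of the
SELinux toolchain): an offline stand-in for the audit2allow step that also
diffs against the rules already written. POLICY_TE and SAMPLE_AVCS below are
constructed for the demonstration.
"""
import re
from collections import defaultdict

# The AVC fields a rule needs: permissions, source/target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# `allow src tgt:cls perm;` and `allow src tgt:cls { p1 p2 };`
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>\S+?))\s*;",
    re.MULTILINE,
)

# `type foo_t;` whether declared by the module or listed in its require block.
TYPE_RE = re.compile(r"^\s*type\s+(?P<name>\w+)\s*;", re.MULTILINE)


def type_of(context):
    """'system_u:system_r:myapp_t:s0' -> 'myapp_t'."""
    return context.split(":")[2]


def parse_avcs(lines):
    """Denied permissions grouped by (source type, target type, class).

    A target in the same type as the source (sockets, pipes, the process
    itself) is recorded as 'self', which is how the rule must be written.
    Lines that are not AVC records (SYSCALL, CWD, ...) are skipped.
    """
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = type_of(m["scontext"]), type_of(m["tcontext"])
        if tgt == src:
            tgt = "self"
        denials[(src, tgt, m["tclass"])].update(m["perms"].split())
    return denials


def parse_allows(te_text):
    """Permissions the .te already grants, keyed like parse_avcs().

    Permission-set macros such as rw_fifo_file_perms are kept as opaque names,
    not expanded, so a denial they would cover is still reported: the tool
    errs towards showing too much rather than hiding a gap.
    """
    allowed = defaultdict(set)
    for m in ALLOW_RE.finditer(te_text):
        perms = m["set"].split() if m["set"] is not None else [m["one"]]
        allowed[(m["src"], m["tgt"], m["cls"])].update(perms)
    return allowed


def _still_denied(te_text, avc_lines):
    """(src, tgt, cls) -> sorted perms that were denied and are not yet allowed."""
    allowed = parse_allows(te_text)
    needed = {}
    for key, perms in parse_avcs(avc_lines).items():
        gap = sorted(perms - allowed.get(key, set()))
        if gap:
            needed[key] = gap
    return needed


def missing_rules(te_text, avc_lines):
    """Allow rules to add, one per (src, tgt, cls), in a stable order."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
        for (src, tgt, cls), perms in sorted(_still_denied(te_text, avc_lines).items())
    ]


def missing_requires(te_text, avc_lines):
    """Target types the new rules name that the .te neither declares nor requires."""
    declared = set(TYPE_RE.findall(te_text))
    return sorted({tgt for (_s, tgt, _c) in _still_denied(te_text, avc_lines)
                   if tgt != "self" and tgt not in declared})


# Constructed excerpt in the shape of the myapp policy posted above (not the full file).
POLICY_TE = """\
require {
         type etc_runtime_t ;
         type mongod_port_t;
}
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t self:tcp_socket { create setopt connect getattr getopt write  read bind append};
"""

# Constructed AVC records in the layout `ausearch -m avc` prints; pid, inodes and
# timestamps are made up. The trailing SYSCALL line shows non-AVC records being ignored.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1390030788.101:301): avc:  denied  { name_connect } for  pid=4242 comm="python3" dest=27017 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1390030788.102:302): avc:  denied  { write } for  pid=4242 comm="python3" name="myapp.pid" dev="tmpfs" ino=77 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'type=AVC msg=audit(1390030788.103:303): avc:  denied  { create } for  pid=4242 comm="python3" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1390030788.104:304): avc:  denied  { read } for  pid=4242 comm="python3" name="unix" dev="proc" ino=4026531956 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1390030788.104:305): avc:  denied  { open } for  pid=4242 comm="python3" path="/proc/net/unix" dev="proc" ino=4026531956 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1390030788.104:305): arch=c000003e syscall=2 success=no exit=-13 comm="python3"',
]

if __name__ == "__main__":
    for t in missing_requires(POLICY_TE, SAMPLE_AVCS):
        print("require: type %s;" % t)
    for rule in missing_rules(POLICY_TE, SAMPLE_AVCS):
        print(rule)
```

Two practical notes for using something like this against the situation in the thread. A "Permission denied" with no matching AVC record is the usual sign of a dontaudit rule in the loaded policy: `semodule -DB` rebuilds the policy with all dontaudit rules disabled so the denials reach the audit log, and `semodule -B` restores the defaults afterwards, so collect the log between those two commands. And the entry-file label set with chcon lasts only until the next relabel; `semanage fcontext -a -t myapp_exec_t '<path>'` followed by `restorecon -v '<path>'` (or a matching .fc file in the module) makes it persistent. The macro handling here is deliberately conservative, so a denial already covered by a permission-set macro such as rw_fifo_file_perms is still reported and should be checked by hand.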
