Re: how to transition a daemon to its own domain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



init_ranged_daemon_domain() was not working for me,  im  sure i have done something wrong,  but i have no idea what or where that is,    right now with the policy as it is, its running in   system_u:object_r:unlabeled_t:s0   meaning iv borked things big time.

here is the policy:

policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#
require {
#        type init_t;
         type initrc_t;
         type systemd_unit_file_t ;
         type urandom_device_t ;
         type etc_runtime_t ;
         type proc_t;
         type bin_t;
         type tmp_t;
         type user_home_dir_t;
         type user_home_t;
         type net_conf_t;
         type ldconfig_exec_t;
         type mongod_port_t;
         type unreserved_port_t;
         type http_cache_port_t;
         type http_port_t;
         type sandbox_file_t;
         type node_t ;
         type shell_exec_t ;
         type bin_t ;
         type security_t ;
         type setroubleshootd_t ;
         type unconfined_t ;
         type default_t ;
}

init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh);
type myapp_t;
domain_type(myapp_t);
type myapp_exec_t;

type myapp_unit_file_t;
systemd_unit_file(systemd_unit_file_t)

mcs_process_set_categories(myapp_t);

########################################
allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process signal;
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute};
allow myapp_t proc_t:file { read open};
allow myapp_t bin_t:dir write;
allow myapp_t bin_t:file { execute execute_no_trans };
allow myapp_t proc_t:file getattr;
allow myapp_t tmp_t:dir {write add_name};
allow myapp_t tmp_t:file {write open create};
allow myapp_t user_home_dir_t:dir { search getattr read open write add_name};
allow myapp_t user_home_t:file { read open  getattr ioctl create};
allow myapp_t user_home_t:dir { read open search getattr };
allow myapp_t ldconfig_exec_t:file {execute  read open  execute_no_trans};
allow myapp_t net_conf_t:file { read  open   getattr ioctl};
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t unreserved_port_t:tcp_socket {name_bind create setopt connect getattr getopt write  read bind append};
allow myapp_t node_t:tcp_socket {node_bind };
allow myapp_t http_cache_port_t:tcp_socket { name_connect create setopt connect getattr getopt write  read bind append };
allow myapp_t http_port_t:tcp_socket { name_connect };
allow myapp_t sandbox_file_t:dir { search getattr read open write add_name create  };
allow myapp_t sandbox_file_t:file { read open  getattr ioctl create write  relabelfrom relabelto  };
allow myapp_t sandbox_file_t:dir { relabelfrom relabelto };
allow myapp_t shell_exec_t:file { execute execute_no_trans };
allow myapp_t security_t:file write;


allow myapp_t self:tcp_socket { create setopt connect getattr getopt write  read bind append listen accept};
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append listen accept };

allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };


domain_use_interactive_fds(myapp_t)


allow myapp_t urandom_device_t:chr_file {read open};

allow myapp_t default_t:file { read getattr execute  open  execute_no_trans};
allow setroubleshootd_t myapp_exec_t:file getattr;
allow init_t myapp_exec_t:file execute;
allow init_t myapp_exec_t:file { read open execute  getattr entrypoint };



On Mon, Jan 20, 2014 at 12:19 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
On Mon, 2014-01-20 at 05:51 +0300, jiun bookworm wrote:
> Let me try the question again,  all  init daemons are started  with
> the context specified at
> [jiun@localhost ~]$ cat /etc/selinux/targeted/contexts/initrc_context
> system_u:system_r:initrc_t:s0
>
>
> is it possible to have my application specifically override this and
> start with the full mcs range? you mentioned that
> the init_t is able to do something like this because of some
> mcsconstraints, what constraints are these?
>
> iv tried these and they do not work:
>
> init_ranged_daemon_domain(myapp_t,myapp_exec_t,s0 - mcs_systemhigh)

In theory the above should work maybe theres a small error somewhere
You should probably look more into the source policy for examples

> mcs_process_set_categories(myapp_t);

Thats one of the available mcs interfaces. Theres more in the policy

seinfo -a | grep mcs

> range_transition initrc_t myapp_exec_t:process s0:c0.c1023;
>
oh right, it should probably be:

range_transition init_t myapp_exec_t:process s0:c0.c1023;

So maybe init_ranged_daemon_domain() needed to be updated to reflect
systems.

But the idea is that init_ranged_daemon_domain() should work

>
> On Mon, Jan 20, 2014 at 2:28 AM, Dominick Grift
> <dominick.grift@xxxxxxxxx> wrote:
>         On Mon, 2014-01-20 at 01:42 +0300, jiun bookworm wrote:
>
>         > Dominick,
>         > thanks but you may have misunderstood my question,  its not
>         the daemon
>         > that is confined to one category
>         > its the child processes that it spawns,   previously when in
>         init_t
>         > the app could spawn processes and assign
>         >
>         > them categories, now it  can not,  when running under
>         myapp_t,   what
>         > makes init_t or  other types able to
>         > support mcs and myapp_t can not?
>
>
>         There are two options:
>
>         1. you run the parent with the full mcs range
>         2. you override mcs constraints for the parent using the
>         applicable mcs
>         type attributes
>
>         the latter is why init is allowed to do it but i recommend the
>         former
>         for your parent process
>
>
>
>



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux