On 01/18/2010 08:26 PM, Ruben Kerkhof wrote:
On Jan 18, 2010, at 6:28 PM, Dominick Grift wrote:
On 01/17/2010 06:25 PM, Ruben Kerkhof wrote:
Hi list,
I haven't written an SELinux module before, so to start simple I created one for beanstalkd, since we use this a lot.
I'm running into one issue though:
beanstalkd has the ability to create binary log files in /var/lib/beanstalkd/binlog. This directory doesn't exist by default, but it is created in the init script.
Starting up beanstalkd creates an AVC denial:

type=AVC msg=audit(1263749015.682:199): avc: denied { create } for pid=2163 comm="mkdir" name="beanstalkd" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1263749015.682:199): arch=c000003e syscall=83 success=no exit=-13 a0=7fff4e491f7b a1=1ed a2=7fff4e490770 a3=7fff4e4902c0 items=0 ppid=2156 pid=2163 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

How do I allow the init script to do mkdir -p /var/lib/beanstalkd/binlog?
Ask whoever packaged it to install the directory instead of letting the init script create it.
That certainly seems the easiest way, thanks. I'll file a bug.
Your beanstalk_admin could use a:

files_search_var_lib($1)
admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
I presume this means that someone in the 'admin' role has the rights to manage stuff in /var/lib/beanstalkd? Do I have to setup roles to test this?
The beanstalkd_admin() interface is for the beanstalkadm_r role, yes.
You can test it by creating a beanstalkadm module:
beanstalkadm.te:

policy_module(beanstalkadm, 1.0.0)

role beanstalkadm_r;

userdom_base_user_template(beanstalkadm)

beanstalk_admin(beanstalkadm_t, beanstalkadm_r)
beanstalkadm.if:

## <summary>beanstalk administrator role</summary>

########################################
## <summary>
##	Change to the beanstalk administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkadm_role_change',`
	gen_require(`
		role beanstalkadm_r;
	')

	allow $1 beanstalkadm_r;
')

########################################
## <summary>
##	Change from the beanstalk administrator role.
## </summary>
## <desc>
##	<p>
##	Change from the beanstalk administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkadm_role_change_to',`
	gen_require(`
		role beanstalkadm_r;
	')

	allow beanstalkadm_r $1;
')
customization to the staff domain:

mystaff.te:

policy_module(mystaff, 1.0.0)

require {
	role staff_r;
}

optional_policy(`
	beanstalkadm_role_change(staff_r)
')
Then edit staff_u selinux user mapping:
semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r unconfined_r beanstalkadm_r webadm_r" -P user staff_u
echo "testuser ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL" >> /etc/sudoers
useradd -Z staff_u testuser
passwd testuser
login:
sudo -t beanstalkadm_t -r beanstalkadm_r -s
or
sudo -t beanstalkadm_t -r beanstalkadm_r service beanstalkd restart
Your beanstalkadm module may need some more modifications though; have a look at the webadm module and reference its call to apache_admin to apache.if where it's defined.
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/webadm...
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/webadm...
http://oss.tresys.com/projects/refpolicy/browser/policy/modules/services/apa...
You will need to require the beanstalkd_var_lib_t type as well
Other than that, looks good to me.
Thanks for your help,
Ruben
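The thread refers to a beanstalkd_admin() interface and a beanstalkd_var_lib_t type but never shows the beanstalkd module side that declares them. The sketch below is an added example, not Ruben's actual module and not reference policy code; the names beanstalkd_t, beanstalkd_exec_t and the file context for /var/lib/beanstalkd are assumptions, beanstalkd_var_lib_t is the type named in the thread. It shows the three pieces that make the advice above fit together: the type declaration, the admin interface that requires that type and uses files_search_var_lib plus admin_pattern, and a file context so that a packaged /var/lib/beanstalkd gets the right label without any initrc_t rule.

```selinux
# beanstalkd.te  (added example; assumed names, not the real module)
policy_module(beanstalkd, 1.0.0)

########################################
#
# Declarations
#

type beanstalkd_t;
type beanstalkd_exec_t;
init_daemon_domain(beanstalkd_t, beanstalkd_exec_t)

# State directory /var/lib/beanstalkd and the binlog directory beneath it.
# This is the type the admin interface must gen_require.
type beanstalkd_var_lib_t;
files_type(beanstalkd_var_lib_t)

########################################
#
# Local policy
#

# The daemon itself creates and writes the binlog files.
manage_dirs_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
manage_files_pattern(beanstalkd_t, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
# Anything the daemon creates directly under /var/lib gets the private type
# rather than inheriting var_lib_t from the parent directory.
files_var_lib_filetrans(beanstalkd_t, beanstalkd_var_lib_t, { dir file })

# beanstalkd.if  (added example)
## <summary>beanstalkd work queue daemon</summary>

########################################
## <summary>
##	All of the rules required to administrate
##	a beanstalkd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`beanstalkd_admin',`
	gen_require(`
		# both the daemon domain and the var_lib type must be required here
		type beanstalkd_t, beanstalkd_var_lib_t;
	')

	allow $1 beanstalkd_t:process { ptrace signal_perms };
	ps_process_pattern($1, beanstalkd_t)

	# the admin domain must be able to traverse /var/lib before
	# admin_pattern on the private type is of any use
	files_search_var_lib($1)
	admin_pattern($1, beanstalkd_var_lib_t, beanstalkd_var_lib_t)
')

# beanstalkd.fc  (added example; path assumed)
# With the package shipping the directory, labelling it here removes the
# need for any initrc_t mkdir rule at all.
/var/lib/beanstalkd(/.*)?	gen_context(system_u:object_r:beanstalkd_var_lib_t,s0)
```

After loading the module, `restorecon -Rv /var/lib/beanstalkd` applies the context from the .fc entry, and `ausearch -m avc -c mkdir` (or `-c beanstalkd`) shows whether any denial like the one quoted at the top of the thread remains. The ptrace/signal and ps_process_pattern lines follow the shape of the apache_admin interface that Dominick points at; they are not required for the var_lib management itself.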
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux