As I manage a small VPS I wrote a simple daemon in Python to read the journal and email me any time a service fails. The source code is located at https://github.com/gkarakou/systemd-mailify.
As I currently have too many problems with SELinux enforcing on my desktop and I wouldn't make tests on the live system, I kindly request someone to review my SELinux policy module. All the app is doing is reading the systemd journal and name_connect to SMTP ports. It reads its configuration from a file in /etc (/etc/systemd-mailify.conf) and has a dedicated service file. The executable is located in /usr/bin and a pid file is written under /run. Here are the relevant parts.
systemd-mailify.te
#############################
policy_module(systemd_mailify, 1.0)

type systemd_mailify_t;
type systemd_mailify_exec_t;
type systemd_unit_file_t;
type systemd_mailify_conf_t;
type systemd_mailify_var_run_t;
class tcp_socket name_connect;

init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)

allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
allow systemd_mailify_t systemd_mailify_conf_t : lnk_file { getattr read };
manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t, systemd_mailify_var_run_t)

files_config_file(systemd_mailify_conf_t);
files_pid_file(systemd_mailify_var_run_t);
files_read_etc_files(systemd_mailify_conf_t);
files_search_etc(systemd_mailify_conf_t);
files_pid_filetrans(systemd_mailify_t,systemd_mailify_var_run_t, { file });

auth_use_nsswitch(systemd_mailify_t);
logging_send_syslog_msg(systemd_mailify_t);
miscfiles_read_localization(systemd_mailify_t);
sysnet_dns_name_resolve(systemd_mailify_t);
allow systemd_mailify_exec_t smtp_port_t:tcp_socket name_connect;

corenet_tcp_sendrecv_all_if(systemd_mailify_exec_t);
corenet_tcp_sendrecv_all_nodes(systemd_mailify_exec_t);
corenet_tcp_sendrecv_all_ports(systemd_mailify_exec_t);
corenet_all_recvfrom_unlabeled(systemd_mailify_exec_t);
domain_use_interactive_fds(systemd_mailify_exec_t);
#######################

systemd-mailify.fc
#######################
/usr/bin/systemd-mailify.py                        --  gen_context(system_u:object_r:systemd_mailify_exec_t,s0)
/etc/systemd-mailify.conf                              gen_context(system_u:object_r:systemd_mailify_conf_t,s0)
/usr/lib/systemd/system/systemd-mailify.service        gen_context(system_u:object_r:systemd_unit_file_t,s0)
/run/systemd-mailify.pid                               gen_context(system_u:object_r:systemd_mailify_var_run_t,s0)
On 05/29/2015 10:43 PM, George Karakougioumtzis wrote:
As I manage a small VPS I wrote a simple daemon in Python to read the journal and email me any time a service fails. The source code is located at https://github.com/gkarakou/systemd-mailify.
As I currently have too many problems with SELinux enforcing on my desktop and I wouldn't make tests on the live system, I kindly request someone to review my SELinux policy module. All the app is doing is reading the systemd journal and name_connect to SMTP ports. It reads its configuration from a file in /etc (/etc/systemd-mailify.conf) and has a dedicated service file. The executable is located in /usr/bin and a pid file is written under /run. Here are the relevant parts.
systemd-mailify.te
#############################
policy_module(systemd_mailify, 1.0)

type systemd_mailify_t;
type systemd_mailify_exec_t;
type systemd_unit_file_t;
type systemd_mailify_conf_t;
type systemd_mailify_var_run_t;
class tcp_socket name_connect;

init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)

allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
allow systemd_mailify_t systemd_mailify_conf_t : lnk_file { getattr read };
manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t, systemd_mailify_var_run_t)
files_config_file(systemd_mailify_conf_t);
files_pid_file(systemd_mailify_var_run_t);
files_read_etc_files(systemd_mailify_conf_t);
files_search_etc(systemd_mailify_conf_t);
systemd_mailify_conf_t is an object type, which does not access any objects. You want to allow domain types to access it (you already have the correct rules above).
files_pid_filetrans(systemd_mailify_t,systemd_mailify_var_run_t, { file });
auth_use_nsswitch(systemd_mailify_t);
logging_send_syslog_msg(systemd_mailify_t);
miscfiles_read_localization(systemd_mailify_t);
sysnet_dns_name_resolve(systemd_mailify_t);
allow systemd_mailify_exec_t smtp_port_t:tcp_socket name_connect;
systemd_mailify_exec_t is again an object type, for the executable. You want to have corenet_tcp_connect_smtp_port(systemd_mailify_t)
corenet_tcp_sendrecv_all_if(systemd_mailify_exec_t);
corenet_tcp_sendrecv_all_nodes(systemd_mailify_exec_t);
corenet_tcp_sendrecv_all_ports(systemd_mailify_exec_t);
corenet_all_recvfrom_unlabeled(systemd_mailify_exec_t);
domain_use_interactive_fds(systemd_mailify_exec_t);
The same here: you use an object type instead of a subject (domain) type.
#######################

systemd-mailify.fc
#######################
/usr/bin/systemd-mailify.py                        --  gen_context(system_u:object_r:systemd_mailify_exec_t,s0)
/etc/systemd-mailify.conf                              gen_context(system_u:object_r:systemd_mailify_conf_t,s0)
/usr/lib/systemd/system/systemd-mailify.service        gen_context(system_u:object_r:systemd_unit_file_t,s0)
/run/systemd-mailify.pid                               gen_context(system_u:object_r:systemd_mailify_var_run_t,s0)
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Miroslav, thanks for the answer. So if I understand correctly, the transition from systemd_mailify_t to systemd_mailify_exec_t happens only once and I don't have to allow systemd_mailify_exec_t access to anything, right? And since I want to allow systemd_mailify_t to open and read the systemd journal, I would allow it like that?
systemd_mailify_t var_log_t:file {read open};
And is my updated policy correct?
systemd-mailify.te
#############################
policy_module(systemd_mailify, 1.0)

type systemd_mailify_t;
type systemd_mailify_exec_t;
type systemd_unit_file_t;
type systemd_mailify_conf_t;
type systemd_mailify_var_run_t;
type var_log_t;
class tcp_socket name_connect;
class file {read open};

init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)

allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
allow systemd_mailify_t var_log_t:file {open read};
manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t,systemd_mailify_var_run_t)

files_config_file(systemd_mailify_conf_t);
files_pid_file(systemd_mailify_var_run_t);

files_pid_filetrans(systemd_mailify_t,systemd_mailify_var_run_t, { file });
auth_use_nsswitch(systemd_mailify_t);
logging_send_syslog_msg(systemd_mailify_t);
sysnet_dns_name_resolve(systemd_mailify_t);

corenet_tcp_connect_smtp_port(systemd_mailify_t)
corenet_tcp_sendrecv_all_if(systemd_mailify_t);
corenet_tcp_sendrecv_all_nodes(systemd_mailify_t);
corenet_all_recvfrom_unlabeled(systemd_mailify_t);
domain_use_interactive_fds(systemd_mailify_t);
On 06/01/2015 12:33 PM, Miroslav Grepl wrote:
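The mistake Miroslav points out (an object type such as systemd_mailify_exec_t or systemd_mailify_conf_t used as the subject of an allow rule or as the domain argument of an interface) and the two new problems in the updated module (`type var_log_t;` and `type systemd_unit_file_t;` redeclare types the base policy already owns, and `class ... ;` statements belong in a `require` block, not in a loadable module's body) can all be caught before the policy compiler runs. The script below is an added example written for this page; it is not part of systemd-mailify or of the SELinux toolchain. It takes the module as first posted (reflowed, as constructed input), reports the same lines Miroslav flagged, and carries a proposed corrected module that it passes clean. That corrected module is my suggestion, not the thread's: it assumes journal files carry var_log_t (as the updated policy does) and uses the logging_read_generic_logs() interface for them, assumes the daemon needs corecmd_exec_bin() because it is a Python script run through the interpreter, and drops the unit-file entry on the assumption that the base policy already labels /usr/lib/systemd/system as systemd_unit_file_t. Its interface tables are a deliberately small subset, so a clean result only means none of these three mistakes is present.

```python
"""Pre-flight linter for a refpolicy-style .te module (added example for this
thread, not code from systemd-mailify or the SELinux tools).  Flags object types
used where a domain type belongs, base-policy types redeclared with `type X;`
instead of `require { type X; }`, and `class` statements outside a require
block.  The real check remains: make -f /usr/share/selinux/devel/Makefile"""
import re

# Constructed, deliberately small tables for this example (not exhaustive).
BASE_POLICY_TYPES = {"var_log_t", "systemd_unit_file_t", "smtp_port_t", "bin_t"}
DOMAIN_DECLARING = {"init_daemon_domain", "init_system_domain", "domain_type"}
DOMAIN_FIRST_ARG = {  # interfaces whose first argument must be a domain type
    "auth_use_nsswitch", "corecmd_exec_bin", "corenet_all_recvfrom_unlabeled",
    "corenet_tcp_connect_smtp_port", "corenet_tcp_sendrecv_all_if",
    "corenet_tcp_sendrecv_all_nodes", "corenet_tcp_sendrecv_all_ports",
    "corenet_tcp_sendrecv_generic_if", "corenet_tcp_sendrecv_generic_node",
    "corenet_tcp_sendrecv_smtp_port", "domain_use_interactive_fds",
    "files_pid_filetrans", "files_read_etc_files", "files_search_etc",
    "logging_read_generic_logs", "logging_send_syslog_msg", "manage_files_pattern",
    "miscfiles_read_localization", "read_files_pattern", "sysnet_dns_name_resolve"}

# Unanchored so that several statements on one line (as posted) still parse.
REQUIRE = re.compile(r"(?:gen_)?require\s*(?:\{|\(`)(.*?)(?:\}|'\))", re.S)
TYPE_DECL = re.compile(r"\btype\s+(\w+)[^;]*;")
CLASS_DECL = re.compile(r"\bclass\s+\w+[^;]*;")
AV_RULE = re.compile(r"\b(?:allow|dontaudit|auditallow)\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+([^;]+);")
IFACE = re.compile(r"\b(\w+)\(([^)]*)\)")


def lint_te(text):
    """Return (kind, detail) findings for one .te body; [] means clean."""
    text = re.sub(r"#.*", "", text)
    required = {t for blk in REQUIRE.findall(text) for t in TYPE_DECL.findall(blk)}
    body = REQUIRE.sub("", text)              # the checks below apply outside require
    declared = set(TYPE_DECL.findall(body))
    calls = IFACE.findall(body)
    # Only a domain-declaring interface turns a type into a subject (domain).
    domains = {a.split(",")[0].strip() for n, a in calls if n in DOMAIN_DECLARING}
    out = [("redeclared_base_type", t) for t in sorted(declared & BASE_POLICY_TYPES)]
    out += [("class_outside_require", s.strip()) for s in CLASS_DECL.findall(body)]
    for src, tgt, cls, perms in AV_RULE.findall(body):
        if src not in domains:
            out.append(("object_type_as_subject", f"{src} (allow ... {tgt}:{cls})"))
        out += [("undeclared_type", t) for t in (src, tgt) if t not in declared | required]
        if cls == "tcp_socket" and "name_connect" in perms and tgt.endswith("_port_t"):
            out.append(("raw_name_connect", f"use a corenet_tcp_connect_*_port interface for {tgt}"))
    for name, args in calls:
        first = args.split(",")[0].strip()
        if name in DOMAIN_FIRST_ARG and first not in domains:
            out.append(("object_type_as_subject", f"{first} ({name})"))
    return out


def bad_subjects(findings):
    """Types wrongly used as subjects, as reported by lint_te."""
    return {d.split()[0] for k, d in findings if k == "object_type_as_subject"}


# Constructed input: the module as first posted in the thread, reflowed.
ORIGINAL_TE = """\
policy_module(systemd_mailify, 1.0)
type systemd_mailify_t; type systemd_mailify_exec_t; type systemd_unit_file_t;
type systemd_mailify_conf_t; type systemd_mailify_var_run_t; class tcp_socket name_connect;
init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)
allow systemd_mailify_t systemd_mailify_conf_t : file rw_file_perms;
allow systemd_mailify_t systemd_mailify_conf_t : lnk_file { getattr read };
manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t, systemd_mailify_var_run_t)
files_config_file(systemd_mailify_conf_t); files_pid_file(systemd_mailify_var_run_t);
files_read_etc_files(systemd_mailify_conf_t); files_search_etc(systemd_mailify_conf_t);
files_pid_filetrans(systemd_mailify_t,systemd_mailify_var_run_t, { file });
auth_use_nsswitch(systemd_mailify_t); logging_send_syslog_msg(systemd_mailify_t);
miscfiles_read_localization(systemd_mailify_t); sysnet_dns_name_resolve(systemd_mailify_t);
allow systemd_mailify_exec_t smtp_port_t:tcp_socket name_connect;
corenet_tcp_sendrecv_all_if(systemd_mailify_exec_t); corenet_tcp_sendrecv_all_nodes(systemd_mailify_exec_t);
corenet_tcp_sendrecv_all_ports(systemd_mailify_exec_t); corenet_all_recvfrom_unlabeled(systemd_mailify_exec_t);
domain_use_interactive_fds(systemd_mailify_exec_t);
"""

# Proposed corrected module (my suggestion, not from the thread; see the lead-in).
FIXED_TE = """\
policy_module(systemd_mailify, 1.0)
type systemd_mailify_t; type systemd_mailify_exec_t;
init_daemon_domain(systemd_mailify_t, systemd_mailify_exec_t)
type systemd_mailify_conf_t;
files_config_file(systemd_mailify_conf_t)
type systemd_mailify_var_run_t;
files_pid_file(systemd_mailify_var_run_t)
read_files_pattern(systemd_mailify_t, systemd_mailify_conf_t, systemd_mailify_conf_t)
files_search_etc(systemd_mailify_t)
manage_files_pattern(systemd_mailify_t, systemd_mailify_var_run_t, systemd_mailify_var_run_t)
files_pid_filetrans(systemd_mailify_t, systemd_mailify_var_run_t, file)
logging_read_generic_logs(systemd_mailify_t)   # journal files, assuming var_log_t
corecmd_exec_bin(systemd_mailify_t)            # python interpreter (assumption)
auth_use_nsswitch(systemd_mailify_t)
logging_send_syslog_msg(systemd_mailify_t)
miscfiles_read_localization(systemd_mailify_t)
sysnet_dns_name_resolve(systemd_mailify_t)
corenet_tcp_sendrecv_generic_if(systemd_mailify_t)
corenet_tcp_sendrecv_generic_node(systemd_mailify_t)
corenet_tcp_connect_smtp_port(systemd_mailify_t)
corenet_tcp_sendrecv_smtp_port(systemd_mailify_t)
"""

if __name__ == "__main__":
    for label, te in (("as posted", ORIGINAL_TE), ("proposed fix", FIXED_TE)):
        print(label, lint_te(te) or "clean")
```

Running it prints eight object_type_as_subject findings for the posted module (the exec_t and conf_t lines Miroslav quoted), plus the undeclared smtp_port_t, the redeclared systemd_unit_file_t and the top-level class statement, and "clean" for the proposed fix. The fix also needs the .fc entry for the service file removed and the .te built into a .pp with the refpolicy devel Makefile; after that, a run in permissive mode with audit2allow over the resulting AVC denials is what confirms the journal and interpreter assumptions on the real host.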