Helper program for a daemon

Al Pacifico adpacifico at users.sourceforge.net
Thu Apr 19 23:22:11 UTC 2007


On 4/19/07, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> Al Pacifico wrote:
> > I (a greenhorn with selinux) am writing a policy for a daemon that
> > streams music files over my home network to a music player client (a
> > Slimdevices Squeezebox). My OS is FC5.
> >
> > The main daemon (/usr/sbin/slimserver) is a perl script that serves
> > the music files and is started with an init script. My questions have
> > to do with a secondary program (/usr/sbin/slimserver-scanner, also a
> > perl script) that scans the music on the server, reading mp3 tags and
> > such, and generates a database of stored music that is stored in a
> > MySQL database. /usr/sbin/slimserver-scanner is invoked by the
> > /usr/sbin/slimserver daemon and might be invoked by the user (although
> > I can't recall ever doing so in several years of owning a Squeezebox).
> >
> > I've been following the example posted by Dan Walsh in a blog at
> > http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> > extremely helpful.
> >
> > My (2) questions:
> > 1. What is the appropriate file context for the scanner program?
> > system_u:object_r:sbin_t?
> > system_u:object_r:slimserver_t?
> > system_u:object_r:slimserver_exec_t?
> >
> That depends on your security goals.  If you want the slimserver-scanner
> to have the same privs as slimserver you would label it sbin_t and allow
> slimserver to corecmd_exec_sbin().  If you want to go with least privs,
> you would create a new policy for slimserver-scanner
> (slimserver_scanner_t with file context of slimserver_scanner_exec_t)
> and then add a rule to slimserver_t to domtrans
> slimserver_scanner_domtrans(slimserver_t)


After reviewing the source code to:
1) confirm that slimserver-scanner is intended to be run from the command
line as well as by the slimserver daemon
2) see if it logs to the slimserver log
3) determine if it might want to use the network
(to which all three answers were 'yes')
...I tried to use policygentool to create a policy for slimserver-scanner.
However, I was stymied by an error.

Here is what happened:
[root at joplin slimserver-scanner]# /usr/share/selinux/devel/policygentool slimserver-scanner /usr/sbin/slimserver-scanner


This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if).  Most of the policy rules
will be written in the te file.  Use the File Context file to associate file
paths with security context.  Use the interface rules to allow other protected
domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package.  Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -l myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages
will be generated.  You can use audit2allow to help translate the avc messages
into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:

If the module uses pidfiles, what is the pidfile called?

If the module uses logfiles, where are they stored?
/var/log/slimserver
If the module has var/lib files, where are they stored?

Does the module have a init script? [yN]
N
Does the module use the network? [yN]
y
[root at joplin slimserver-scanner]# ls
slimserver-scanner.fc  slimserver-scanner.if  slimserver-scanner.te
[root at joplin slimserver-scanner]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted slimserver-scanner module
/usr/bin/checkmodule:  loading policy configuration from tmp/slimserver-scanner.tmp
slimserver-scanner.te:1:ERROR 'syntax error' at token 'slimserver-scanner' on line 59006:
                module slimserver-scanner 1.0.0;
#line 1
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/slimserver-scanner.mod] Error 1

I thought I would display the line containing the error and associated
context with the following:
[root at joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed -n '58990,59022p'
 50718  ##      Execute a domain transition to run slimserver-scanner.
 50719  ## </summary>
 50720  ## <param name="domain">
 50721  ## <summary>
 50722  ##      Domain allowed to transition.
 50723  ## </summary>
 50724  ## </param>
 50725  #
 50726
 50727  #line 124172

 50728  #line 1 "slimserver-scanner.te"

 50729  #line 1
 50730

 50731  #line 1
 50732                  module slimserver-scanner 1.0.0;
 50733  #line 1

 50734  #line 1
 50735                  require {
 50736  #line 1
 50737                          role system_r;
 50738  #line 1
 50739

 50740  #line 1
 50741          class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot };
 50742  #line 1
 50743          class process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate };
 50744  #line 1
 50745          class system { ipc_info syslog_read syslog_mod syslog_console };
 50746  #line 1
 50747          class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control };

which does show the line 'module slimserver-scanner 1.0.0;', although the
line numbering is inconsistent.

At first, I thought maybe policygentool inspected the context for the
/usr/sbin/slimserver-scanner binary and that was the problem. Cursory
examination of the source code did not suggest this. Now, I wonder if
policygentool is only to be used for daemons. This wasn't stated in any
comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5 package.)

Are there any thoughts regarding the nature of the error or suggestions for
alternative tools for generating the policy?
-al

-- 
Al Pacifico
Seattle, WA
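Added example, not from the post above and not part of the selinux-policy-devel package: a POSIX shell wrapper around the generate/build/load procedure that the policygentool banner describes, with the check that would have caught the failure in the post before checkmodule ran. SELinux policy identifiers (module, type, attribute and domain names) are a letter followed by letters, digits and underscores; a hyphen is not part of that set, so `module slimserver-scanner 1.0.0;` is exactly the line checkmodule cannot parse. The /usr/share/selinux/devel paths are the FC5 ones from the post; `build_and_load` only does anything useful on a host with that package installed, while the other functions are plain shell.

```shell
#!/bin/sh
# Added example: validate a policygentool module name, then run the
# generate/build/load steps from the policygentool banner. Assumes the
# FC5 selinux-policy-devel layout (/usr/share/selinux/devel) from the post.

# SELinux policy identifiers are a letter followed by letters, digits and
# underscores. Anything else (a hyphen, a leading digit, an empty name)
# makes the checkmodule lexer hand the parser a token it does not expect,
# and the module line fails with 'syntax error'.
validate_module_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*|[!A-Za-z]*) return 1 ;;
    esac
    return 0
}

# Derive a valid module name from an executable path:
# /usr/sbin/slimserver-scanner -> slimserver_scanner
suggest_module_name() {
    name=$(basename "$1" | sed 's/[^A-Za-z0-9_]/_/g')
    case "$name" in
        [A-Za-z]*) ;;
        *) name="mod_$name" ;;   # identifiers must start with a letter
    esac
    printf '%s\n' "$name"
}

# checkmodule reports line numbers of the preprocessed tmp/<name>.tmp file
# counting every line, but nl numbers only non-blank lines by default, so
# the two disagree. nl -ba numbers all lines and matches checkmodule.
show_tmp_context() {
    file=$1; line=$2; span=${3:-5}
    nl -ba "$file" | sed -n "$((line - span)),$((line + span))p"
}

# Generate, build and load the module, then relabel the binary so the
# new <name>_exec_t context from the generated .fc file takes effect.
build_and_load() {
    name=$1; exe=$2
    validate_module_name "$name" || {
        echo "invalid module name '$name'; try '$(suggest_module_name "$exe")'" >&2
        return 1
    }
    /usr/share/selinux/devel/policygentool "$name" "$exe" &&
    make -f /usr/share/selinux/devel/Makefile &&
    semodule -i "$name.pp" &&
    restorecon -R -v "$exe"
}
```

Two details of the banner text quoted in the post differ from what the script does: `semodule -l` lists the loaded modules, and it is `semodule -i` that installs a package, and `nl -ba` is what makes the `sed -n` window line up with the line number checkmodule printed (which is why the numbers in the post's listing start at 50718 rather than 58990). Once the module is named slimserver_scanner, the generated .if file already carries the domain-transition interface seen in the tmp listing, which is the `slimserver_scanner_domtrans(slimserver_t)` call Dan Walsh suggests adding to the slimserver policy.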