Helper program for a daemon

Daniel J Walsh dwalsh at redhat.com
Mon Apr 23 15:14:08 UTC 2007


Al Pacifico wrote:
>
>
> On 4/19/07, *Daniel J Walsh* <dwalsh at redhat.com 
> <mailto:dwalsh at redhat.com>> wrote:
>
>     Al Pacifico wrote:
>     > I (a greenhorn with selinux) am writing a policy for a daemon that
>     > streams music files over my home network to a music player client (a
>     > Slimdevices Squeezebox). My OS is FC5.
>     >
>     > The main daemon (/usr/sbin/slimserver) is a perl script that serves
>     > the music files and is started with an init script. My questions
>     have
>     > to do with a secondary program (/usr/sbin/slimserver-scanner,
>     also a
>     > perl script) that scans the music on the server, reading mp3
>     tags and
>     > such, and generates a database of stored music that is stored in a
>     > MySQL database. /usr/sbin/slimserver-scanner is invoked by the
>     > /usr/sbin/slimserver daemon and might be invoked by the user
>     (although
>     > I can't recall ever doing so in several years of owning a
>     Squeezebox).
>     >
>     > I've been following the example posted by Dan Walsh in a blog at
>     > http://danwalsh.livejournal.com/8707.html?thread=39171 which has
>     been
>     > extremely helpful.
>     >
>     > My (2) questions:
>     > 1. What is the appropriate file context for the scanner program?
>     > system_u:object_r:sbin_t?
>     > system_u:object_r:slimserver_t?
>     > system_u:object_r:slimserver_exec_t?
>     >
>     That depends on your security goals.  If you want the
>     slimserver-scanner
>     to have the same privs as slimserver you would label it sbin_t and
>     allow
>     slimserver to corecmd_exec_sbin().  If you want to go with least
>     privs,
>     you would create a new policy for slimserver-scanner
>     (slimserver_scanner_t with file context of slimserver_scanner_exec_t)
>     and then add a rule to slimserver_t to domtrans
>     slimserver_scanner_domtrans(slimserver_t)
>
>
> After reviewing the source code to:
> 1) confirm that slimserver-scanner is intended to be run from the 
> command line as well as by the slimserver daemon
> 2) see if it logs to the slimserver log
> 3) determine if it might want to use the network
> (to which all three answers were 'yes')
> ...I tried to use policygentool to create a policy for 
> slimserver-scanner. However, I was stymied by an error.
>
> Here is what happened:
> [root at joplin slimserver-scanner]# 
> /usr/share/selinux/devel/policygentool slimserver-scanner 
> /usr/sbin/slimserver-scanner
>
>
> This tool generate three files for policy development, A Type 
> Enforcement (te)
> file, a File Context (fc), and a Interface File(if).  Most of the 
> policy rules
> will be written in the te file.  Use the File Context file to 
> associate file
> paths with security context.  Use the interface rules to allow other 
> protected
> domains to interact with the newly defined domains.
>
> After generating these files use the /usr/share/selinux/devel/Makefile to
> compile your policy package.  Then use the semodule tool to load it.
>
> # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -l myapp.pp
> # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
>
> Now you can turn on permissive mode, start your application and avc 
> messages
> will be generated.  You can use audit2allow to help translate the avc 
> messages
> into policy.
>
> # setenforce 0
> # service myapp start
> # audit2allow -R -i /var/log/audit/audit.log
>
> Return to continue:
>
> If the module uses pidfiles, what is the pidfile called?
>
> If the module uses logfiles, where are they stored?
> /var/log/slimserver
> If the module has var/lib files, where are they stored?
>
> Does the module have a init script? [yN]
> N
> Does the module use the network? [yN]
> y
> [root at joplin slimserver-scanner]# ls
> slimserver-scanner.fc  slimserver-scanner.if  slimserver-scanner.te
> [root at joplin slimserver-scanner]# make -f 
> /usr/share/selinux/devel/Makefile
> Compiling targeted slimserver-scanner module
> /usr/bin/checkmodule:  loading policy configuration from 
> tmp/slimserver-scanner.tmp
> slimserver-scanner.te:1:ERROR 'syntax error' at token 
> 'slimserver-scanner' on line 59006:
>                 module slimserver-scanner 1.0.0;
> #line 1
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/slimserver-scanner.mod] Error 1
>
> I thought I would display the line containing the error and associated 
> context with the following:
> [root at joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed 
> -n '58990,59022p'
>  50718  ##      Execute a domain transition to run slimserver-scanner.
>  50719  ## </summary>
>  50720  ## <param name="domain">
>  50721  ## <summary>
>  50722  ##      Domain allowed to transition.
>  50723  ## </summary>
>  50724  ## </param>
>  50725  #
>  50726
>  50727  #line 124172
>
>  50728  #line 1 "slimserver-scanner.te "
>
>  50729  #line 1
>  50730
>  50731  #line 1
>  50732                  module slimserver-scanner 1.0.0;
>  50733  #line 1
>
>  50734  #line 1
>  50735                  require {
>  50736  #line 1
>  50737                          role system_r;
>  50738  #line 1
>  50739
>  50740  #line 1
>  50741          class security { compute_av compute_create 
> compute_member check_context load_policy compute_relabel compute_user 
> setenforce setbool setsecparam setcheckreqprot };
>  50742  #line 1
>  50743          class process { fork transition sigchld sigkill 
> sigstop signull signal ptrace getsched setsched getsession getpgid 
> setpgid getcap setcap share getattr setexec setfscreate noatsecure 
> siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack 
> execheap setkeycreate };
>  50744  #line 1
>  50745          class system { ipc_info syslog_read syslog_mod 
> syslog_console };
>  50746  #line 1
>  50747          class capability { chown dac_override dac_read_search 
> fowner fsetid kill setgid setuid setpcap linux_immutable 
> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner 
> sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin 
> sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease 
> audit_write audit_control };
>
> which does show the line 'module slimserver-scanner 1.0.0;', although 
> the line numbering is inconsistent.
>
> At first, I thought maybe policygentool inspected the context for the 
> /usr/sbin/slimserver-scanner binary and that was the problem. Cursory 
> examination of the source code did not suggest this. Now, I wonder if 
> policygentool is only to be used for daemons. This wasn't stated in 
> any comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5 
> package.)
>
> Are there any thoughts regarding the nature of the error or 
> suggestions for alternative tools for generating the policy?
> -al
>
Could it be that the compiler does not like the - in the policy name?  
Could you change it to slimserver_scanner?
> -- 
> Al Pacifico
> Seattle, WA
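The least-privilege arrangement Dan describes above (a separate slimserver_scanner_t domain that slimserver_t transitions into), written out as an added example; it is not from the thread, the slimserver project or policygentool. The three files are shown in one block separated by comments, the module name uses an underscore because the policy compiler does not accept a hyphen in an identifier (which is what the syntax error at 'slimserver-scanner' above is about), and slimserver_t and the reference-policy interfaces called here are assumed to exist in the installed policy.

```selinux
# --- slimserver_scanner.te --- (module name without the hyphen checkmodule rejects)
policy_module(slimserver_scanner, 1.0.0)

# Private domain for the scanner and the type of its entrypoint script
type slimserver_scanner_t;
type slimserver_scanner_exec_t;
domain_type(slimserver_scanner_t)
domain_entry_file(slimserver_scanner_t, slimserver_scanner_exec_t)
role system_r types slimserver_scanner_t;

# The entrypoint is a perl script: after the transition the domain execs
# /usr/bin/perl (bin_t) without changing domain, then loads libraries and
# reads /etc and locale data.
corecmd_exec_bin(slimserver_scanner_t)
libs_use_ld_so(slimserver_scanner_t)
libs_use_shared_libs(slimserver_scanner_t)
files_read_etc_files(slimserver_scanner_t)
miscfiles_read_localization(slimserver_scanner_t)

# Stores the scan results in the local MySQL server over its unix socket
mysql_stream_connect(slimserver_scanner_t)

# --- slimserver_scanner.if ---
## <summary>
##	Execute a domain transition to run slimserver-scanner.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
interface(`slimserver_scanner_domtrans',`
	gen_require(`
		type slimserver_scanner_t, slimserver_scanner_exec_t;
	')

	domain_auto_trans($1, slimserver_scanner_exec_t, slimserver_scanner_t)

	# let the child inherit the caller's descriptors and pipes, and
	# let it signal the caller when it exits
	allow slimserver_scanner_t $1:fd use;
	allow slimserver_scanner_t $1:fifo_file rw_file_perms;
	allow slimserver_scanner_t $1:process sigchld;
')

# --- slimserver_scanner.fc ---
/usr/sbin/slimserver-scanner	--	gen_context(system_u:object_r:slimserver_scanner_exec_t,s0)

# --- added to slimserver.te (the rule Dan names above) ---
slimserver_scanner_domtrans(slimserver_t)
```

Build with `make -f /usr/share/selinux/devel/Makefile`, load with `semodule -i slimserver_scanner.pp` and relabel the script with restorecon; the rules for writing under /var/log/slimserver and for network access, both confirmed in the thread, are best collected with audit2allow in permissive mode as the policygentool banner above describes.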