I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.
The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).
I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
My (2) questions:
1. What is the appropriate file context for the scanner program?
   system_u:object_r:sbin_t?
   system_u:object_r:slimserver_t?
   system_u:object_r:slimserver_exec_t?

The generated slimserver.fc file contains:

    # slimserver executable will have:
    # label: system_u:object_r:slimserver_exec_t
    # MLS sensitivity: s0
    # MCS categories: <none>

    /usr/sbin/slimserver -- gen_context(system_u:object_r:slimserver_exec_t,s0)
    /var/run/slimserver.pid gen_context(system_u:object_r:slimserver_var_run_t,s0)
    /var/log/slimserver gen_context(system_u:object_r:slimserver_var_log_t,s0)

and the slimserver.if file contains:

    interface(`slimserver_domtrans',`
        gen_require(`
            type slimserver_t, slimserver_exec_t;
        ')

        domain_auto_trans($1,slimserver_exec_t,slimserver_t)

        allow $1 slimserver_t:fd use;
        allow slimserver_t $1:fd use;
        allow slimserver_t $1:fifo_file rw_file_perms;
        allow slimserver_t $1:process sigchld;
    ')
2. There is no reason to add the scanner program to the slimserver.fc that was generated by policygentool, is there? The file itself just needs to be labeled appropriately, right? Or does that file play some role in policy compilation in a step that I did not explicitly execute when I invoked 'make -f /usr/share/selinux/devel/Makefile'?
Thanks in advance. -al
On 2007-04-18, Al Pacifico adpacifico@users.sourceforge.net wrote:
I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.
Cool, I have a Squeezebox too, and slimserver running on Centos5.
I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
Have a look at my venture into selinux-land too :-)
Chronologically:
http://tanso.net/selinux/
http://tanso.net/selinux/argus/
http://tanso.net/selinux/argus/argus-from-scratch/
My (2) questions:
- What is the appropriate file context for the scanner program?
system_u:object_r:sbin_t? system_u:object_r:slimserver_t? system_u:object_r:slimserver_exec_t?
I believe the scanner is executed from the web-server process (there's a scan-now link, or similar). So, my guess would be that you should make the main slimserver script that's supposed to transition into slimserver_t slimserver_exec_t, while the scanner should be slimserver_t.
If you make it sbin_t or bin_t, it will mean that you'll need to give the main slimserver access to execute all files of type (s)bin_t. It will probably be interesting to see how much it's possible to confine a perl-script like the slimserver. Without looking, I'd assume it'd need to exec lots of bin_t executables..
- There is no reason to add the scanner program to the slimserver.fc that was generated by policygentool, is there? The file itself just needs to be labeled appropriately, right?
I think you'll want to add the scanner to slimserver.fc to make sure the labeling gets correct on the next re-label or slimserver upgrade.
-jf
Al Pacifico wrote:
I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.
The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).
I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
My (2) questions:
- What is the appropriate file context for the scanner program?
system_u:object_r:sbin_t? system_u:object_r:slimserver_t? system_u:object_r:slimserver_exec_t?
That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)
The generated slimserver.fc file contains:

    # slimserver executable will have:
    # label: system_u:object_r:slimserver_exec_t
    # MLS sensitivity: s0
    # MCS categories: <none>

    /usr/sbin/slimserver -- gen_context(system_u:object_r:slimserver_exec_t,s0)
    /var/run/slimserver.pid gen_context(system_u:object_r:slimserver_var_run_t,s0)
    /var/log/slimserver gen_context(system_u:object_r:slimserver_var_log_t,s0)

and the slimserver.if file contains:

    interface(`slimserver_domtrans',`
        gen_require(`
            type slimserver_t, slimserver_exec_t;
        ')

        domain_auto_trans($1,slimserver_exec_t,slimserver_t)

        allow $1 slimserver_t:fd use;
        allow slimserver_t $1:fd use;
        allow slimserver_t $1:fifo_file rw_file_perms;
        allow slimserver_t $1:process sigchld;
    ')
- There is no reason to add the scanner program to the slimserver.fc that was generated by policygentool, is there?
Only if you are creating a context for slimserver_scanner_exec_t, otherwise just let it be labeled sbin_t.
The file itself just needs to be labeled appropriately, right? Or does that file play some role in policy compilation in a step that I did not explicitly execute when I invoked 'make -f /usr/share/selinux/devel/Makefile'?
Thanks in advance.
-al
Al Pacifico Seattle, WA
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On 4/19/07, Daniel J Walsh dwalsh@redhat.com wrote:
Al Pacifico wrote:
I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.
The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).
I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
My (2) questions:
- What is the appropriate file context for the scanner program?
system_u:object_r:sbin_t? system_u:object_r:slimserver_t? system_u:object_r:slimserver_exec_t?
That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)
After reviewing the source code to:
1) confirm that slimserver-scanner is intended to be run from the command line as well as by the slimserver daemon
2) see if it logs to the slimserver log
3) determine if it might want to use the network
(to which all three answers were 'yes') ...I tried to use policygentool to create a policy for slimserver-scanner. However, I was stymied by an error.
Here is what happened:

    [root@joplin slimserver-scanner]# /usr/share/selinux/devel/policygentool slimserver-scanner /usr/sbin/slimserver-scanner

    This tool generate three files for policy development, A Type Enforcement (te) file, a File Context (fc), and a Interface File(if). Most of the policy rules will be written in the te file. Use the File Context file to associate file paths with security context. Use the interface rules to allow other protected domains to interact with the newly defined domains.

    After generating these files use the /usr/share/selinux/devel/Makefile to compile your policy package. Then use the semodule tool to load it.

    # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
    # make -f /usr/share/selinux/devel/Makefile
    # semodule -l myapp.pp
    # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

    Now you can turn on permissive mode, start your application and avc messages will be generated. You can use audit2allow to help translate the avc messages into policy.

    # setenforce 0
    # service myapp start
    # audit2allow -R -i /var/log/audit/audit.log

    Return to continue:

    If the module uses pidfiles, what is the pidfile called?

    If the module uses logfiles, where are they stored? /var/log/slimserver
    If the module has var/lib files, where are they stored?

    Does the module have a init script? [yN] N
    Does the module use the network? [yN] y
    [root@joplin slimserver-scanner]# ls
    slimserver-scanner.fc slimserver-scanner.if slimserver-scanner.te
    [root@joplin slimserver-scanner]# make -f /usr/share/selinux/devel/Makefile
    Compiling targeted slimserver-scanner module
    /usr/bin/checkmodule: loading policy configuration from tmp/slimserver-scanner.tmp
    slimserver-scanner.te:1:ERROR 'syntax error' at token 'slimserver-scanner' on line 59006:
    module slimserver-scanner 1.0.0;
    #line 1
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [tmp/slimserver-scanner.mod] Error 1
I thought I would display the line containing the error and associated context with the following:

    [root@joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed -n '58990,59022p'
    50718 ## Execute a domain transition to run slimserver-scanner.
    50719 ## </summary>
    50720 ## <param name="domain">
    50721 ## <summary>
    50722 ## Domain allowed to transition.
    50723 ## </summary>
    50724 ## </param>
    50725 #
    50726
    50727 #line 124172

    50728 #line 1 "slimserver-scanner.te"

    50729 #line 1
    50730
    50731 #line 1
    50732 module slimserver-scanner 1.0.0;
    50733 #line 1

    50734 #line 1
    50735 require {
    50736 #line 1
    50737 role system_r;
    50738 #line 1
    50739
    50740 #line 1
    50741 class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot };
    50742 #line 1
    50743 class process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate };
    50744 #line 1
    50745 class system { ipc_info syslog_read syslog_mod syslog_console };
    50746 #line 1
    50747 class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control };
which does show the line 'module slimserver-scanner 1.0.0;', although the line numbering is inconsistent.
At first, I thought maybe policygentool inspected the context for the /usr/sbin/slimserver-scanner binary and that was the problem. Cursory examination of the source code did not suggest this. Now, I wonder if policygentool is only to be used for daemons. This wasn't stated in any comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5 package.)
Are there any thoughts regarding the nature of the error or suggestions for alternative tools for generating the policy? -al
On 2007-04-19, Al Pacifico adpacifico@users.sourceforge.net wrote:
scanner.tmp slimserver-scanner.te:1:ERROR 'syntax error' at token 'slimserver-scanner' on line 59006: module slimserver-scanner 1.0.0; #line 1 /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/slimserver-scanner.mod] Error 1
AFAIK it doesn't like the '-' in the module name. Try changing it to "slimserverscanner" or "slimserver_scanner".
-jf
Al Pacifico wrote:
On 4/19/07, Daniel J Walsh dwalsh@redhat.com wrote:

Al Pacifico wrote:
> I (a greenhorn with selinux) am writing a policy for a daemon that
> streams music files over my home network to a music player client (a
> Slimdevices Squeezebox). My OS is FC5.
>
> The main daemon (/usr/sbin/slimserver) is a perl script that serves
> the music files and is started with an init script. My questions have
> to do with a secondary program (/usr/sbin/slimserver-scanner, also a
> perl script) that scans the music on the server, reading mp3 tags and
> such, and generates a database of stored music that is stored in a
> MySQL database. /usr/sbin/slimserver-scanner is invoked by the
> /usr/sbin/slimserver daemon and might be invoked by the user (although
> I can't recall ever doing so in several years of owning a Squeezebox).
>
> I've been following the example posted by Dan Walsh in a blog at
> http://danwalsh.livejournal.com/8707.html?thread=39171 which has been
> extremely helpful.
>
> My (2) questions:
> 1. What is the appropriate file context for the scanner program?
> system_u:object_r:sbin_t?
> system_u:object_r:slimserver_t?
> system_u:object_r:slimserver_exec_t?
>

That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)
After reviewing the source code to:
1) confirm that slimserver-scanner is intended to be run from the command line as well as by the slimserver daemon
2) see if it logs to the slimserver log
3) determine if it might want to use the network
(to which all three answers were 'yes') ...I tried to use policygentool to create a policy for slimserver-scanner. However, I was stymied by an error.
Here is what happened:

    [root@joplin slimserver-scanner]# /usr/share/selinux/devel/policygentool slimserver-scanner /usr/sbin/slimserver-scanner

    This tool generate three files for policy development, A Type Enforcement (te) file, a File Context (fc), and a Interface File(if). Most of the policy rules will be written in the te file. Use the File Context file to associate file paths with security context. Use the interface rules to allow other protected domains to interact with the newly defined domains.

    After generating these files use the /usr/share/selinux/devel/Makefile to compile your policy package. Then use the semodule tool to load it.

    # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
    # make -f /usr/share/selinux/devel/Makefile
    # semodule -l myapp.pp
    # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

    Now you can turn on permissive mode, start your application and avc messages will be generated. You can use audit2allow to help translate the avc messages into policy.

    # setenforce 0
    # service myapp start
    # audit2allow -R -i /var/log/audit/audit.log

    Return to continue:

    If the module uses pidfiles, what is the pidfile called?

    If the module uses logfiles, where are they stored? /var/log/slimserver
    If the module has var/lib files, where are they stored?

    Does the module have a init script? [yN] N
    Does the module use the network? [yN] y
    [root@joplin slimserver-scanner]# ls
    slimserver-scanner.fc slimserver-scanner.if slimserver-scanner.te
    [root@joplin slimserver-scanner]# make -f /usr/share/selinux/devel/Makefile
    Compiling targeted slimserver-scanner module
    /usr/bin/checkmodule: loading policy configuration from tmp/slimserver-scanner.tmp
    slimserver-scanner.te:1:ERROR 'syntax error' at token 'slimserver-scanner' on line 59006:
    module slimserver-scanner 1.0.0;
    #line 1
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [tmp/slimserver-scanner.mod] Error 1
I thought I would display the line containing the error and associated context with the following:

    [root@joplin slimserver-scanner]# nl tmp/slimserver-scanner.tmp | sed -n '58990,59022p'
    50718 ## Execute a domain transition to run slimserver-scanner.
    50719 ## </summary>
    50720 ## <param name="domain">
    50721 ## <summary>
    50722 ## Domain allowed to transition.
    50723 ## </summary>
    50724 ## </param>
    50725 #
    50726
    50727 #line 124172

    50728 #line 1 "slimserver-scanner.te"

    50729 #line 1
    50730
    50731 #line 1
    50732 module slimserver-scanner 1.0.0;
    50733 #line 1

    50734 #line 1
    50735 require {
    50736 #line 1
    50737 role system_r;
    50738 #line 1
    50739
    50740 #line 1
    50741 class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot };
    50742 #line 1
    50743 class process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate };
    50744 #line 1
    50745 class system { ipc_info syslog_read syslog_mod syslog_console };
    50746 #line 1
    50747 class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control };
which does show the line 'module slimserver-scanner 1.0.0;', although the line numbering is inconsistent.
At first, I thought maybe policygentool inspected the context for the /usr/sbin/slimserver-scanner binary and that was the problem. Cursory examination of the source code did not suggest this. Now, I wonder if policygentool is only to be used for daemons. This wasn't stated in any comments. (BTW I'm using the selinux-policy-devel-2.3.7-2.fc5 package.)
Are there any thoughts regarding the nature of the error or suggestions for alternative tools for generating the policy? -al
Could it be that the compiler does not like the - in the policy name? Could you change it to sslimserver_scanner?
-- Al Pacifico Seattle, WA
On 4/19/07, Daniel J Walsh dwalsh@redhat.com wrote:
Al Pacifico wrote:
I (a greenhorn with selinux) am writing a policy for a daemon that streams music files over my home network to a music player client (a Slimdevices Squeezebox). My OS is FC5.
The main daemon (/usr/sbin/slimserver) is a perl script that serves the music files and is started with an init script. My questions have to do with a secondary program (/usr/sbin/slimserver-scanner, also a perl script) that scans the music on the server, reading mp3 tags and such, and generates a database of stored music that is stored in a MySQL database. /usr/sbin/slimserver-scanner is invoked by the /usr/sbin/slimserver daemon and might be invoked by the user (although I can't recall ever doing so in several years of owning a Squeezebox).
I've been following the example posted by Dan Walsh in a blog at http://danwalsh.livejournal.com/8707.html?thread=39171 which has been extremely helpful.
My (2) questions:
- What is the appropriate file context for the scanner program?
system_u:object_r:sbin_t? system_u:object_r:slimserver_t? system_u:object_r:slimserver_exec_t?
That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)
I'm a little confused about this. I want to limit privileges of slimserver and slimserver-scanner to accessing only certain files. If I label slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner, won't he/she have more privileges than slimserver then?
The generated slimserver.fc file contains:

    # slimserver executable will have:
    # label: system_u:object_r:slimserver_exec_t
    # MLS sensitivity: s0
    # MCS categories: <none>

    /usr/sbin/slimserver -- gen_context(system_u:object_r:slimserver_exec_t,s0)
    /var/run/slimserver.pid gen_context(system_u:object_r:slimserver_var_run_t,s0)
    /var/log/slimserver gen_context(system_u:object_r:slimserver_var_log_t,s0)

and the slimserver.if file contains:

    interface(`slimserver_domtrans',`
        gen_require(`
            type slimserver_t, slimserver_exec_t;
        ')

        domain_auto_trans($1,slimserver_exec_t,slimserver_t)

        allow $1 slimserver_t:fd use;
        allow slimserver_t $1:fd use;
        allow slimserver_t $1:fifo_file rw_file_perms;
        allow slimserver_t $1:process sigchld;
    ')
- There is no reason to add the scanner program to the slimserver.fc that was generated by policygentool, is there?
Only if you are creating a context for slimserver_scanner_exec_t, otherwise just let it be labeled sbin_t.
The file itself just needs to be labeled appropriately, right? Or does that file play some role in policy compilation in a step that I did not explicitly execute when I invoked 'make -f /usr/share/selinux/devel/Makefile'?
Thanks in advance.
-al
Al Pacifico Seattle, WA
On 2007-04-24, Al Pacifico adpacifico@users.sourceforge.net wrote:
That depends on your security goals. If you want the slimserver-scanner to have the same privs as slimserver you would label it sbin_t and allow slimserver to corecmd_exec_sbin(). If you want to go with least privs, you would create a new policy for slimserver-scanner (slimserver_scanner_t with file context of slimserver_scanner_exec_t) and then add a rule to slimserver_t to domtrans slimserver_scanner_domtrans(slimserver_t)
I'm a little confused about this. I want to limit privileges of slimserver and slimserver-scanner to accessing only certain files. If I label slimserver-scanner as 'sbin_t', when a user executes slimserver-scanner, won't he/she have more privileges than slimserver then?
Yes.
If you want slimserver-scanner to have fewer privileges when executed interactively by a user, you'll need to create a new domain for it (i.e. not sbin_t), and transition into this domain when the user execs it. But, why would you want that? All it's doing is reading the mp3-files, and updating a database. If you limit the scanner's privileges, your users can still step outside of this by "cp /usr/sbin/slimserver-scanner /tmp/slimserver-scanner".
I would aim at confining the main web-based slimserver, and make sure the slimserver-scanner executed within this process doesn't get more privileges than absolutely necessary.
-jf
selinux@lists.fedoraproject.org
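
The least-privilege option described in the thread (a separate slimserver_scanner_t domain entered from slimserver_t), written out as a module. This is an added example, not policy posted by anyone in the thread; the module is named slimserver_scanner with an underscore because the hyphenated name is what checkmodule rejected. Assumptions: the three files sit in the same directory as the slimserver module, the interfaces not quoted in the thread exist in the installed policy headers, and the access rules are only a starting set to refine from AVC denials.

```selinux
# ---- slimserver_scanner.te ----
# Module name uses "_" instead of "-" (assumed fix for the checkmodule error).
policy_module(slimserver_scanner, 1.0.0)

# Domain the scanner runs in, and the type of its executable file.
type slimserver_scanner_t;
type slimserver_scanner_exec_t;
domain_type(slimserver_scanner_t)
domain_entry_file(slimserver_scanner_t, slimserver_scanner_exec_t)
role system_r types slimserver_scanner_t;

# Log type owned by the slimserver module shown in the thread.
gen_require(`
    type slimserver_var_log_t;
')

# The scanner logs to the slimserver log; covers a log file or a log directory.
logging_search_logs(slimserver_scanner_t)
allow slimserver_scanner_t slimserver_var_log_t:dir search;
allow slimserver_scanner_t slimserver_var_log_t:file { getattr append };

# It is a perl script: it needs the interpreter and shared libraries.
# (Interface names assumed; check /usr/share/selinux/devel/include.)
corecmd_exec_bin(slimserver_scanner_t)
libs_use_ld_so(slimserver_scanner_t)
libs_use_shared_libs(slimserver_scanner_t)
files_read_etc_files(slimserver_scanner_t)
miscfiles_read_localization(slimserver_scanner_t)

# Database access over the local MySQL socket (assumed setup).
mysql_stream_connect(slimserver_scanner_t)

# Read access to the music files and any network rules are left to be
# derived from AVC denials, since the thread does not say how they are labeled.

# ---- slimserver_scanner.fc ----
# Keeps the label correct across a relabel or a package upgrade.
/usr/sbin/slimserver-scanner -- gen_context(system_u:object_r:slimserver_scanner_exec_t,s0)

# ---- slimserver_scanner.if ----
## <summary>Policy for the slimserver music scanner.</summary>

########################################
## <summary>
##  Execute a domain transition to run slimserver-scanner.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed to transition.
##  </summary>
## </param>
#
interface(`slimserver_scanner_domtrans',`
    gen_require(`
        type slimserver_scanner_t, slimserver_scanner_exec_t;
    ')

    domain_auto_trans($1,slimserver_scanner_exec_t,slimserver_scanner_t)

    allow $1 slimserver_scanner_t:fd use;
    allow slimserver_scanner_t $1:fd use;
    allow slimserver_scanner_t $1:fifo_file rw_file_perms;
    allow slimserver_scanner_t $1:process sigchld;
')

# ---- line to add to slimserver.te ----
# The daemon may start the scanner, which then runs in its own domain.
slimserver_scanner_domtrans(slimserver_t)
```

With this layout slimserver_t needs no execute permission on sbin_t files in order to start the scanner, and the scanner's file, log and database access is granted separately from the daemon's.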