Hello,
I am working on a policy where we want to modularize certain features (management of DHCP, DNS and TFTP services). Since users can turn these features on and off, we would like to introduce SELinux booleans to do the same.
Unfortunately when I try to put some macros in the tunable_policy blocks, I get errors:
tunable_policy(`foreman_proxy_manage_dhcp', `
    dhcpd_admin(foreman_proxy_t, system_r)
    netutils_exec_ping(foreman_proxy_t)
    netutils_domtrans_ping(foreman_proxy_t)
')

foreman-proxy.te":188:ERROR 'syntax error' at token 'typeattribute' on line 10649:
typeattribute foreman_proxy_t initrc_transition_domain;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
It works just fine without the tunable_policy block.
Where's the snag and how can we work around it? Thanks!
On 10/24/2014 10:15 AM, Lukas Zapletal wrote:
> Hello,
> I am working on a policy where we want to modularize certain features (management of DHCP, DNS and TFTP services). Since users can turn these features on and off, we would like to introduce SELinux booleans to do the same.
> Unfortunately when I try to put some macros in the tunable_policy blocks, I get errors:
>
> tunable_policy(`foreman_proxy_manage_dhcp', `
>     dhcpd_admin(foreman_proxy_t, system_r)
>     netutils_exec_ping(foreman_proxy_t)
>     netutils_domtrans_ping(foreman_proxy_t)

You would not have both of these within the same block. netutils_domtrans_ping implies netutils_exec_ping. You probably want this on all the time.

What types does foreman have to manage under dhcpd? We probably need to add interfaces for this.

> ')
>
> foreman-proxy.te":188:ERROR 'syntax error' at token 'typeattribute' on line 10649:
> typeattribute foreman_proxy_t initrc_transition_domain;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>
> It works just fine without the tunable_policy block.
> Where's the snag and how can we work around it? Thanks!

You are not allowed to put attributes within a boolean block.
On 10/24/2014 07:37 PM, Daniel J Walsh wrote:
> On 10/24/2014 10:15 AM, Lukas Zapletal wrote:
>> Hello,
>> I am working on a policy where we want to modularize certain features (management of DHCP, DNS and TFTP services). Since users can turn these features on and off, we would like to introduce SELinux booleans to do the same.
>> Unfortunately when I try to put some macros in the tunable_policy blocks, I get errors:
>>
>> tunable_policy(`foreman_proxy_manage_dhcp', `
>>     dhcpd_admin(foreman_proxy_t, system_r)
>>     netutils_exec_ping(foreman_proxy_t)
>>     netutils_domtrans_ping(foreman_proxy_t)
>
> You would not have both of these within the same block. netutils_domtrans_ping implies netutils_exec_ping. You probably want this on all the time.
>
> What types does foreman have to manage under dhcpd? We probably need to add interfaces for this.
>
>> ')
>>
>> foreman-proxy.te":188:ERROR 'syntax error' at token 'typeattribute' on line 10649:
>> typeattribute foreman_proxy_t initrc_transition_domain;
>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>>
>> It works just fine without the tunable_policy block.
>> Where's the snag and how can we work around it? Thanks!

You would need to re-write the dhcpd_admin() interface. It's caused by init_labeled_script_domtrans(), where we use

    typeattribute $1 initrc_transition_domain;

Is this on RHEL7? You don't need to have it in RHEL7 because of systemd. We should probably re-write/fix this init_t/initrc_t/unconfined_services_t concept in Fedora22.

If you use RHEL6, you need to write your own _admin() interface to make it work with the tunable statement.

> You are not allowed to put attributes within a boolean block.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Guys,
sorry for the late reply.

>> tunable_policy(`foreman_proxy_manage_dhcp', `
>>     dhcpd_admin(foreman_proxy_t, system_r)
>>     netutils_exec_ping(foreman_proxy_t)
>>     netutils_domtrans_ping(foreman_proxy_t)
>
> You would not have both of these within the same block. netutils_domtrans_ping implies netutils_exec_ping. You probably want this on all the time.

I see. Our domain spawns ping when verifying if a given IP address is not live. My goal is to execute the ping in its ping_t domain. So is my understanding correct that I only need to have:

    netutils_domtrans_ping(foreman_proxy_t)

> What types does foreman have to manage under dhcpd? We probably need to add interfaces for this.

We do read its configuration (/etc/dhcp) and read lease files. To do DHCP reservations, we call the omshell utility to do the changes. I see that omshell has bin_t on RHEL6.

> You would need to re-write the dhcpd_admin() interface. It's caused by init_labeled_script_domtrans(), where we use
>
>     typeattribute $1 initrc_transition_domain;

Ok I will do this and rewrite it without the typeattribute then.

> Is this on RHEL7? You don't need to have it in RHEL7 because of systemd. We should probably re-write/fix this init_t/initrc_t/unconfined_services_t concept in Fedora22.

We support both RHEL6 and RHEL7. I am using the conditionals approach instead of git branches because we have just small bits which are different in 6/7.

I'd appreciate it if you can file a BZ for that (I am not really sure how to word this :-) so I can link it in my policy as a comment. In future, we can start using the modified _admin interface.

> If you use RHEL6, you need to write your own _admin() interface to make it work with the tunable statement.

Will do.

DHCP is not the only issue I have. We manage several services: TFTP, DHCP, DNS and Puppet.

Here is my draft version of the policy (this is really a first cut):

https://gist.github.com/lzap/20cafaabee43f7906d66#file-foreman-proxy-te-L167

From line 167 I had to comment out TFTP, DNS and DHCP because I hit the same errors. Can you help me identify what needs to be done in Fedora or backported to RHEL7 so we can use those admin interfaces?

For the TFTP case, we only read/write the TFTP contents.

For the DNS case, we read configuration files, zone files and use the rndc utility to modify DNS entries (which already has an _exec_t type).

I've already described the DHCP case.

I'd appreciate any comments. I plan to send my result for review once it is finished. Thanks.
I'd like to correct some of my statements:

> For the TFTP case, we only read/write the TFTP contents.
>
> For the DNS case, we read configuration files, zone files and use the rndc utility to modify DNS entries (which already has an _exec_t type).

We use the nsupdate utility instead of rndc, which is apparently bin_t.

I've already described the DHCP case: We do read its configuration (/etc/dhcp) and read lease files. To do DHCP reservations, we call the omshell utility to do the changes. I see that omshell has bin_t on RHEL6.

So unfortunately I will need to write rules for nsupdate and omshell from scratch as I am unable to find interfaces.

What is the best approach? Should I make a transition using a shell wrapper into my very own domains (nsupdate_t, omshell_t) or should I keep the foreman_proxy_t domain?
For the DHCP case, I've found out the _admin interface is not necessary at all. I was able to write something like:

tunable_policy(`foreman_proxy_manage_dhcp_isc', `
    sysnet_read_dhcp_config(foreman_proxy_t)
    sysnet_search_dhcp_state(foreman_proxy_t)
    # omshell - XXX raise BZ to create omshell iface
    corenet_tcp_connect_dhcpd_port(foreman_proxy_t)
    corenet_udp_sendrecv_dhcpd_port(foreman_proxy_t)
    allow foreman_proxy_t self:unix_dgram_socket { create connect };
')

I think I will need to drop one more rule to allow dhcp_state_t reading (we do read lease files) but this should do it. I will take a similar approach for the DNS case.