Posted the question originally on main selinux mailing list, but as
suggested it seems it belongs here. Apologies for long email.
Anyway, I hope someone can provide some help and guidance.
The problem:
----------------------------------------------------------------------
One application, multiple components/daemons.
Some files are specific to a daemon, some are shared between them (eg.
log files are unique, some config files, keystores... are shared etc.)
All daemons start from a single init script and I am not allowed to
change it.
Options:
1. Create policy for each component and then domain transition between
them (what about shared files, eg. init script that starts both
daemons???)
2. Create a single policy for multiple daemons?
------------------------------------------------------------------------
Advice was to create a single policy with multiple domains for each
daemon + domain for shared resources.
Now, would this be the right approach:
--------------------------------------------------------------------------
- Create a single policy with multiple domains
-- Create separate domains for each daemon + domain for shared resources
-- Transition between them where needed
If the file structure is:
/opt/myapp/bin/daemon1 (daemon1_exec_t)
/opt/myapp/bin/daemon2 (daemon2_exec_t)
/opt/myapp/bin/start_all - (start script for both daemon1 and daemon2)
(myapp_initrc_exec_t)
/opt/myapp/all_shared_resources (myapp_t)
/etc/init.d/sym_link_to_start_all (sym link to /opt/myapp/bin/start_all)
Can I have:
type myapp_initrc_exec_t;
init_script_file(myapp_initrc_exec_t)
for daemon1: init_daemon_domain(daemon1_t, daemon1_exec_t)
for daemon2: init_daemon_domain(daemon2_t, daemon2_exec_t)
...
---------------------------------------------------------------------------
Any advice?
On Fri, 2014-05-16 at 14:16 +1000, Mladen Sekara wrote:
> Posted the question originally on main selinux mailing list, but as
> suggested it seems it belongs here. Apologies for long email.
>
> Anyway, I hope someone can provide some help and guidance.
>
> The problem:
> ----------------------------------------------------------------------
> One application, multiple components/daemons.
> Some files are specific to a daemon, some are shared between them (eg.
> log files are unique, some config files, keystores... are shared etc.)
>
> All daemons start from a single init script and I am not allowed to
> change it.
init_script_domain() will let init domain transition on the script to a
specified domain, rather then initrc_t
this allows you to to use that specified type to specify further domain
transitions to each individual application.
This allows you to confine various services all started from a single
init script in individual domain.
See the hadoop policy module for an example.
Its a common issue with java services.
Mind though that although this works in simple scenarios, it does have
quirks in situations where you for example have to use run_init.
But in simple common scenarios this solution should work
Thanks Dominick.
Could you please elaborate a bit further on use of init_script_domain.
I had a look at hadoop policy module, but it seems haddop has multiple
init scripts for different daemons (don't know much about hadoop and
it's internals though). It has a reference to init_script_domain() in
interface file, but with my SELinux experience, I couldn't make much
sense of it.
In my case I have a single init script starting multiple daemons:
/etc/init.d/start_all (myapp_initrc_exec_t) -> /opt/myapp/start_all
/opt/myapp/bin/daemon1 (domain1_exec_t)
/opt/myapp/bin/daemon2 (domain_exec_t)
So, just to clarify, in this case I would have:
init_script_domain(daemon1_t, daemon1_exec_t)... ???
init_script_domain(daemon2_t, daemon2_exec_t)... ???
or
init_daemon_domain(daemon1_t, daemon1_exec_t)
init_daemon_domain(daemon2_t, daemon2_exec_t)
Mladen Sekara <[email protected]>
On Fri, 2014-05-16 at 14:09 +0200, Dominick Grift wrote:
> to confine various services all started from a single
> init script in individual domain.
>
> See the hadoop policy module for an example
On 05/18/2014 07:37 AM, Mladen Sekara wrote:
> Thanks Dominick.
>
> Could you please elaborate a bit further on use of init_script_domain.
>
> I had a look at hadoop policy module, but it seems haddop has multiple
> init scripts for different daemons (don't know much about hadoop and
> it's internals though). It has a reference to init_script_domain() in
> interface file, but with my SELinux experience, I couldn't make much
> sense of it.
>
> In my case I have a single init script starting multiple daemons:
>
> /etc/init.d/start_all (myapp_initrc_exec_t) -> /opt/myapp/start_all
> /opt/myapp/bin/daemon1 (domain1_exec_t)
> /opt/myapp/bin/daemon2 (domain_exec_t)
>
> So, just to clarify, in this case I would have:
>
> init_script_domain(daemon1_t, daemon1_exec_t)... ???
> init_script_domain(daemon2_t, daemon2_exec_t)... ???
>
> or
> init_daemon_domain(daemon1_t, daemon1_exec_t)
> init_daemon_domain(daemon2_t, daemon2_exec_t)
If your init script simply starts/stops your daemons, you probably don't need a new type for your init script (no need for init_script_domain()). Since you want your two daemons to start up in separate domains, then you would use init_daemon_domain(), i.e. the second option above. Then the private resources would be daemon1_*_t and daemon2_*_t and the shared resources would have their own type(s).
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
Thanks for that.
I think this will give me enough to start.
Just for clarity, what is the difference between the
init_script_domain() and init_daemon_domain():
- init_script_domain() - transition to the init script domain via init
script as an entry point to that domain?
- init_daemon_domain() - transition to the actual daemon domain via an
daemon entry point?
--
Mladen Sekara <[email protected]>
On Tue, 2014-05-20 at 09:24 -0400, Christopher J. PeBenito wrote:
> On 05/18/2014 07:37 AM, Mladen Sekara wrote:
> > Thanks Dominick.
> >
> > Could you please elaborate a bit further on use of init_script_domain.
> >
> > I had a look at hadoop policy module, but it seems haddop has multiple
> > init scripts for different daemons (don't know much about hadoop and
> > it's internals though). It has a reference to init_script_domain() in
> > interface file, but with my SELinux experience, I couldn't make much
> > sense of it.
> >
> > In my case I have a single init script starting multiple daemons:
> >
> > /etc/init.d/start_all (myapp_initrc_exec_t) -> /opt/myapp/start_all
> > /opt/myapp/bin/daemon1 (domain1_exec_t)
> > /opt/myapp/bin/daemon2 (domain_exec_t)
> >
> > So, just to clarify, in this case I would have:
> >
> > init_script_domain(daemon1_t, daemon1_exec_t)... ???
> > init_script_domain(daemon2_t, daemon2_exec_t)... ???
> >
> > or
> > init_daemon_domain(daemon1_t, daemon1_exec_t)
> > init_daemon_domain(daemon2_t, daemon2_exec_t)
>
> If your init script simply starts/stops your daemons, you probably don't need a new type for your init script (no need for init_script_domain()). Since you want your two daemons to start up in separate domains, then you would use init_daemon_domain(), i.e. the second option above. Then the private resources would be daemon1_*_t and daemon2_*_t and the shared resources would have their own type(s).
>
On 5/21/2014 10:13 AM, Mladen Sekara wrote:
> Thanks for that.
>
> I think this will give me enough to start.
>
> Just for clarity, what is the difference between the
> init_script_domain() and init_daemon_domain():
>
> - init_script_domain() - transition to the init script domain via init
> script as an entry point to that domain?
> - init_daemon_domain() - transition to the actual daemon domain via an
> daemon entry point?
Yes. Correct on both.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
Thanks.
--
Mladen Sekara <[email protected]>
On Wed, 2014-05-21 at 12:16 -0400, Christopher J. PeBenito wrote:
> On 5/21/2014 10:13 AM, Mladen Sekara wrote:
> > Thanks for that.
> >
> > I think this will give me enough to start.
> >
> > Just for clarity, what is the difference between the
> > init_script_domain() and init_daemon_domain():
> >
> > - init_script_domain() - transition to the init script domain via init
> > script as an entry point to that domain?
> > - init_daemon_domain() - transition to the actual daemon domain via an
> > daemon entry point?
>
> Yes. Correct on both.
>