From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 21 Apr 2009 15:49:55 -0400
Subject: [refpolicy] add policy for haproxy
In-Reply-To: <20090318223522.GA14675@janfrode.ibm.com>
References: <20090318223522.GA14675@janfrode.ibm.com>
Message-ID: <1240343395.19211.773.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-03-18 at 23:35 +0100, Jan-Frode Myklebust wrote:
> Here's a patch for adding policy for Willy Tarreau's haproxy
> http://haproxy.1wt.eu/. Please apply to subversion HEAD of reference
> policy, thanks!
>
> When building this policy on RHEL5-latest, I also needed the following
> allow rule:
>
> allow haproxy_t unlabeled_t:packet { send recv };
>
> This wasn't needed on fedora10, so I assume it was because of the older
> policy on RHEL5.

Sorry for the delay. I have a couple comments:

* please have a better in the .if. "Policy for haproxy" is obvious. Something like "HAProxy TCP/HTTP Load Balancer" would be better.
* haproxy_port_t isn't used. New ports need to go in corenetwork.
* Does it really need to bind and connect to all ports?

> plain text document attachment (0001-Add-policy-for-haproxy.patch)
> From 1c436d3ba9c98fcf2ffdefa216f63e8c7a63286c Mon Sep 17 00:00:00 2001
> From: Jan-Frode Myklebust
> Date: Wed, 18 Mar 2009 23:14:39 +0100
> Subject: [PATCH] Add policy for haproxy:
>
> http://haproxy.1wt.eu/
> ---
> policy/modules/services/haproxy.fc | 6 ++++
> policy/modules/services/haproxy.if | 2 +
> policy/modules/services/haproxy.te | 56 ++++++++++++++++++++++++++++++++++++
> 3 files changed, 64 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/haproxy.fc
> create mode 100644 policy/modules/services/haproxy.if
> create mode 100644 policy/modules/services/haproxy.te
>
> diff --git a/policy/modules/services/haproxy.fc b/policy/modules/services/haproxy.fc
> new file mode 100644
> index 0000000..63a0828
> --- /dev/null
> +++ b/policy/modules/services/haproxy.fc > @@ -0,0 +1,6 @@ > +# haproxy labeling policy > +# file: haproxy.fc > +/usr/sbin/haproxy -- > gen_context(system_u:object_r:haproxy_exec_t, s0) > +/etc/haproxy/haproxy\.cfg -- > gen_context(system_u:object_r:haproxy_conf_t, s0) > +/var/run/haproxy\.pid -- > gen_context(system_u:object_r:haproxy_var_run_t, s0) > +/var/run/haproxy\.sock(.*) -- > gen_context(system_u:object_r:haproxy_var_run_t, s0) > diff --git a/policy/modules/services/haproxy.if > b/policy/modules/services/haproxy.if > new file mode 100644 > index 0000000..236ad38 > --- /dev/null > +++ b/policy/modules/services/haproxy.if > @@ -0,0 +1,2 @@ > +## selinux policy module for haproxy > + > diff --git a/policy/modules/services/haproxy.te > b/policy/modules/services/haproxy.te > new file mode 100644 > index 0000000..126c08d > --- /dev/null > +++ b/policy/modules/services/haproxy.te 
> @@ -0,0 +1,56 @@ > +policy_module(haproxy,1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type haproxy_t; > +type haproxy_exec_t; > +type haproxy_port_t; > +init_daemon_domain(haproxy_t, haproxy_exec_t) > + > +type haproxy_var_run_t; > +files_pid_file(haproxy_var_run_t) > + > +type haproxy_conf_t; > +files_config_file(haproxy_conf_t) > + > +######################################## > +# > +# Local policy > +# > + > +# Configuration files - read > +allow haproxy_t haproxy_conf_t : dir list_dir_perms; > +allow haproxy_t haproxy_conf_t : file read_file_perms; > +allow haproxy_t haproxy_conf_t : lnk_file read_lnk_file_perms; > + > +# PID and socket file - create, read, and write > +files_pid_filetrans(haproxy_t, haproxy_var_run_t, { file sock_file }) > +allow haproxy_t haproxy_var_run_t:file manage_file_perms; > +allow haproxy_t haproxy_var_run_t:sock_file { create rename link > setattr unlink }; > + > +allow haproxy_t self : tcp_socket create_stream_socket_perms; > +allow haproxy_t self: udp_socket create_socket_perms; > +allow haproxy_t self: capability { setgid setuid sys_chroot > sys_resource kill }; > +allow haproxy_t self: process { setrlimit signal }; > + > + > +logging_send_syslog_msg(haproxy_t) > + > +corenet_tcp_bind_all_ports(haproxy_t) > +corenet_tcp_connect_all_ports(haproxy_t) > +corenet_tcp_bind_all_nodes(haproxy_t) > +corenet_tcp_sendrecv_all_ports(haproxy_t) > +corenet_tcp_recvfrom_unlabeled(haproxy_t) > + > +# use shared libraries > +libs_use_ld_so(haproxy_t) > +libs_use_shared_libs(haproxy_t) > + > +# Read /etc/localtime: > +miscfiles_read_localization(haproxy_t) > +# Read /etc/passwd and more. > +files_read_etc_files(haproxy_t) > + -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
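Review bot: in the haproxy.fc hunk, the `/var/run/haproxy\.sock(.*)` entry uses the `--` file-type specifier, which restricts the match to regular files, so a restorecon/relabel pass will never apply haproxy_var_run_t to the actual socket file; a socket entry needs the `-s` specifier (and the trailing `(.*)` can simply be `.*`, which is how the other refpolicy .fc files spell it). The two leading comment lines (`# haproxy labeling policy`, `# file: haproxy.fc`) are not used in other modules' .fc files and can be dropped.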
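Review bot: in the haproxy.if hunk, the single line `## selinux policy module for haproxy` is a bare comment rather than the `## <summary>...</summary>` form that the refpolicy documentation tooling parses for the module summary, so the module will show up without a description; a summary along the lines Chris suggests above ("HAProxy TCP/HTTP Load Balancer") should go in that form. The file also declares no interfaces at all, so no other module can, for instance, transition into haproxy_t or read its config; at least a domtrans interface is the usual minimum for a daemon module.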
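Review bot: in the haproxy.te hunk, `type haproxy_port_t;` is declared but never referenced by any rule, and port types are not declared in individual modules anyway; they belong in corenetwork, after which the module can use the per-port bind/connect interfaces instead of `corenet_tcp_bind_all_ports(haproxy_t)` and `corenet_tcp_connect_all_ports(haproxy_t)`, which grant the daemon every TCP port on the system and make the port labelling pointless. Two smaller points: the sock_file rule `{ create rename link setattr unlink }` omits getattr and write, so the daemon may still be denied on its own stats socket once it is created (manage_sock_file_perms is the usual macro here); and the `unlabeled_t:packet { send recv }` rule Jan-Frode needed on RHEL5 is a packet-class counterpart of the `corenet_tcp_recvfrom_unlabeled(haproxy_t)` call already present, so it should be expressed through the corresponding corenetwork interface rather than as a raw allow rule.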