2009-03-18 22:35:22

by Jan-Frode Myklebust

Subject: [refpolicy] add policy for haproxy

Here's a patch for adding policy for Willy Tarreau's haproxy
http://haproxy.1wt.eu/. Please apply to subversion HEAD of reference
policy, thanks!

When building this policy on RHEL5-latest, I also needed the following
allow rule:

allow haproxy_t unlabeled_t:packet { send recv };

This wasn't needed on fedora10, so I assume it was because of the older
policy on RHEL5.



-jf
-------------- next part --------------
From 1c436d3ba9c98fcf2ffdefa216f63e8c7a63286c Mon Sep 17 00:00:00 2001
From: Jan-Frode Myklebust <[email protected]>
Date: Wed, 18 Mar 2009 23:14:39 +0100
Subject: [PATCH] Add policy for haproxy:

http://haproxy.1wt.eu/
---
policy/modules/services/haproxy.fc | 6 ++++
policy/modules/services/haproxy.if | 2 +
policy/modules/services/haproxy.te | 56 ++++++++++++++++++++++++++++++++++++
3 files changed, 64 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/services/haproxy.fc
create mode 100644 policy/modules/services/haproxy.if
create mode 100644 policy/modules/services/haproxy.te

diff --git a/policy/modules/services/haproxy.fc b/policy/modules/services/haproxy.fc
new file mode 100644
index 0000000..63a0828
--- /dev/null
+++ b/policy/modules/services/haproxy.fc
@@ -0,0 +1,6 @@
+# haproxy labeling policy
+# file: haproxy.fc
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t, s0)
+/etc/haproxy/haproxy\.cfg -- gen_context(system_u:object_r:haproxy_conf_t, s0)
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t, s0)
+/var/run/haproxy\.sock(.*) -- gen_context(system_u:object_r:haproxy_var_run_t, s0)
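Review bot: the last entry uses the `--` regular-file class, so `/var/run/haproxy\.sock(.*)` will never match an actual Unix socket; a socket entry needs `-s`, i.e. `/var/run/haproxy\.sock(.*) -s gen_context(system_u:object_r:haproxy_var_run_t,s0)`. Also, the .te grants `haproxy_t` `list_dir_perms` on `haproxy_conf_t` directories, but nothing in this file labels a directory with that type; labelling `/etc/haproxy(/.*)?` as `haproxy_conf_t` would cover the directory and any further config files instead of only `haproxy\.cfg`.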
diff --git a/policy/modules/services/haproxy.if b/policy/modules/services/haproxy.if
new file mode 100644
index 0000000..236ad38
--- /dev/null
+++ b/policy/modules/services/haproxy.if
@@ -0,0 +1,2 @@
+## <summary>selinux policy module for haproxy</summary>
+
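Review bot: the `<summary>` only restates the module name; refpolicy summaries describe the service, e.g. `## <summary>HAProxy TCP/HTTP load balancer</summary>`. Beyond the summary the file declares no interfaces at all, so no other module can transition to `haproxy_t` or manage its files; a daemon module is expected to provide at least a `haproxy_domtrans` interface built on `domtrans_pattern($1, haproxy_exec_t, haproxy_t)`, and an `haproxy_admin` interface if administrators are to manage the PID and config files.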
diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te
new file mode 100644
index 0000000..126c08d
--- /dev/null
+++ b/policy/modules/services/haproxy.te
@@ -0,0 +1,56 @@
+policy_module(haproxy,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type haproxy_t;
+type haproxy_exec_t;
+type haproxy_port_t;
+init_daemon_domain(haproxy_t, haproxy_exec_t)
+
+type haproxy_var_run_t;
+files_pid_file(haproxy_var_run_t)
+
+type haproxy_conf_t;
+files_config_file(haproxy_conf_t)
+
+########################################
+#
+# Local policy
+#
+
+# Configuration files - read
+allow haproxy_t haproxy_conf_t : dir list_dir_perms;
+allow haproxy_t haproxy_conf_t : file read_file_perms;
+allow haproxy_t haproxy_conf_t : lnk_file read_lnk_file_perms;
+
+# PID and socket file - create, read, and write
+files_pid_filetrans(haproxy_t, haproxy_var_run_t, { file sock_file })
+allow haproxy_t haproxy_var_run_t:file manage_file_perms;
+allow haproxy_t haproxy_var_run_t:sock_file { create rename link setattr unlink };
+
+allow haproxy_t self : tcp_socket create_stream_socket_perms;
+allow haproxy_t self: udp_socket create_socket_perms;
+allow haproxy_t self: capability { setgid setuid sys_chroot sys_resource kill };
+allow haproxy_t self: process { setrlimit signal };
+
+
+logging_send_syslog_msg(haproxy_t)
+
+corenet_tcp_bind_all_ports(haproxy_t)
+corenet_tcp_connect_all_ports(haproxy_t)
+corenet_tcp_bind_all_nodes(haproxy_t)
+corenet_tcp_sendrecv_all_ports(haproxy_t)
+corenet_tcp_recvfrom_unlabeled(haproxy_t)
+
+# use shared libraries
+libs_use_ld_so(haproxy_t)
+libs_use_shared_libs(haproxy_t)
+
+# Read /etc/localtime:
+miscfiles_read_localization(haproxy_t)
+# Read /etc/passwd and more.
+files_read_etc_files(haproxy_t)
+
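Review bot: `type haproxy_port_t;` is declared but never used, and port types belong in corenetwork rather than in a service module, so drop it. The `corenet_tcp_bind_all_ports`/`corenet_tcp_connect_all_ports` pair hands the domain every TCP port; since one installation only proxies a known set, allow the common service ports unconditionally and put the all-ports rules behind a tunable. The rules for `/var/run/haproxy.sock` stop at the `sock_file` object, so the stats socket itself cannot be created or listened on without `allow haproxy_t self:unix_stream_socket create_stream_socket_perms;`. The extra `allow haproxy_t unlabeled_t:packet { send recv };` from the cover mail should not be written as a raw rule either: `corenet_all_recvfrom_unlabeled(haproxy_t)` is the interface for it, and the domain also needs `corenet_tcp_sendrecv_generic_if(haproxy_t)` and `corenet_tcp_sendrecv_generic_node(haproxy_t)` for the interface and node checks. Minor: `self : tcp_socket` and `self: udp_socket` should be written `self:tcp_socket` like the rest of the tree, and `files_read_etc_files` alone will not resolve the user and group the daemon drops to via `setuid`/`setgid`; `auth_use_nsswitch(haproxy_t)` is the usual interface for that.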
--
1.6.0.6



2009-04-21 19:49:55

by cpebenito

Subject: [refpolicy] add policy for haproxy

On Wed, 2009-03-18 at 23:35 +0100, Jan-Frode Myklebust wrote:
> Here's a patch for adding policy for Willy Tarreau's haproxy
> http://haproxy.1wt.eu/. Please apply to subversion HEAD of reference
> policy, thanks!
>
> When building this policy on RHEL5-latest, I also needed the following
> allow rule:
>
> allow haproxy_t unlabeled_t:packet { send recv };
>
> This wasn't needed on fedora10, so I assume it was because of the
> older policy on RHEL5.

Sorry for the delay. I have a couple of comments:

* please have a better <summary> in the .if. "Policy for haproxy" is
obvious. Something like "HAProxy TCP/HTTP Load Balancer" would be
better.

* haproxy_port_t isn't used. New ports need to go in corenetwork.

* Does it really need to bind and connect to all ports?

>
> plain text document attachment (0001-Add-policy-for-haproxy.patch)
>
> From 1c436d3ba9c98fcf2ffdefa216f63e8c7a63286c Mon Sep 17 00:00:00 2001
> From: Jan-Frode Myklebust <[email protected]>
> Date: Wed, 18 Mar 2009 23:14:39 +0100
> Subject: [PATCH] Add policy for haproxy:
>
> http://haproxy.1wt.eu/
> ---
> policy/modules/services/haproxy.fc | 6 ++++
> policy/modules/services/haproxy.if | 2 +
> policy/modules/services/haproxy.te | 56
> ++++++++++++++++++++++++++++++++++++
> 3 files changed, 64 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/haproxy.fc
> create mode 100644 policy/modules/services/haproxy.if
> create mode 100644 policy/modules/services/haproxy.te
>
> diff --git a/policy/modules/services/haproxy.fc
> b/policy/modules/services/haproxy.fc
> new file mode 100644
> index 0000000..63a0828
> --- /dev/null
> +++ b/policy/modules/services/haproxy.fc
> @@ -0,0 +1,6 @@
> +# haproxy labeling policy
> +# file: haproxy.fc
> +/usr/sbin/haproxy --
> gen_context(system_u:object_r:haproxy_exec_t, s0)
> +/etc/haproxy/haproxy\.cfg --
> gen_context(system_u:object_r:haproxy_conf_t, s0)
> +/var/run/haproxy\.pid --
> gen_context(system_u:object_r:haproxy_var_run_t, s0)
> +/var/run/haproxy\.sock(.*) --
> gen_context(system_u:object_r:haproxy_var_run_t, s0)
> diff --git a/policy/modules/services/haproxy.if
> b/policy/modules/services/haproxy.if
> new file mode 100644
> index 0000000..236ad38
> --- /dev/null
> +++ b/policy/modules/services/haproxy.if
> @@ -0,0 +1,2 @@
> +## <summary>selinux policy module for haproxy</summary>
> +
> diff --git a/policy/modules/services/haproxy.te
> b/policy/modules/services/haproxy.te
> new file mode 100644
> index 0000000..126c08d
> --- /dev/null
> +++ b/policy/modules/services/haproxy.te
> @@ -0,0 +1,56 @@
> +policy_module(haproxy,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type haproxy_t;
> +type haproxy_exec_t;
> +type haproxy_port_t;
> +init_daemon_domain(haproxy_t, haproxy_exec_t)
> +
> +type haproxy_var_run_t;
> +files_pid_file(haproxy_var_run_t)
> +
> +type haproxy_conf_t;
> +files_config_file(haproxy_conf_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +# Configuration files - read
> +allow haproxy_t haproxy_conf_t : dir list_dir_perms;
> +allow haproxy_t haproxy_conf_t : file read_file_perms;
> +allow haproxy_t haproxy_conf_t : lnk_file read_lnk_file_perms;
> +
> +# PID and socket file - create, read, and write
> +files_pid_filetrans(haproxy_t, haproxy_var_run_t, { file sock_file })
> +allow haproxy_t haproxy_var_run_t:file manage_file_perms;
> +allow haproxy_t haproxy_var_run_t:sock_file { create rename link
> setattr unlink };
> +
> +allow haproxy_t self : tcp_socket create_stream_socket_perms;
> +allow haproxy_t self: udp_socket create_socket_perms;
> +allow haproxy_t self: capability { setgid setuid sys_chroot
> sys_resource kill };
> +allow haproxy_t self: process { setrlimit signal };
> +
> +
> +logging_send_syslog_msg(haproxy_t)
> +
> +corenet_tcp_bind_all_ports(haproxy_t)
> +corenet_tcp_connect_all_ports(haproxy_t)
> +corenet_tcp_bind_all_nodes(haproxy_t)
> +corenet_tcp_sendrecv_all_ports(haproxy_t)
> +corenet_tcp_recvfrom_unlabeled(haproxy_t)
> +
> +# use shared libraries
> +libs_use_ld_so(haproxy_t)
> +libs_use_shared_libs(haproxy_t)
> +
> +# Read /etc/localtime:
> +miscfiles_read_localization(haproxy_t)
> +# Read /etc/passwd and more.
> +files_read_etc_files(haproxy_t)
> +
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2009-04-21 20:17:24

by Jan-Frode Myklebust

Subject: [refpolicy] add policy for haproxy

On Tue, Apr 21, 2009 at 03:49:55PM -0400, Christopher J. PeBenito wrote:
> * please have a better <summary> in the .if. "Policy for haproxy" is
> obvious. Something like "HAProxy TCP/HTTP Load Balancer" would be
> better.


OK, will fix.

> * haproxy_port_t isn't used. New ports need to go in corenetwork.

Yes, I probably don't need this one after all.

> * Does it really need to bind and connect to all ports?

It's a general tcp proxy service, so it might need to bind/connect on
any port. But one haproxy-installation will typically only need to
bind/connect to the ports it's proxying for. Do you think maybe we
should use booleans like:

haproxy_bindconnect_any
haproxy_bindconnect_http (to bind/connect to http_port_t)
haproxy_bindconnect_smtp (to bind/connect to smtp_port_t)
haproxy_bindconnect_pop (to bind/connect to pop_port_t)
haproxy_bindconnect_db (to bind/connect to same as httpd_can_network_connect_db)
...

Do you have any suggestions for how to achieve this without creating too
many booleans?


-jf

2009-04-21 20:40:27

by cpebenito

Subject: [refpolicy] add policy for haproxy

On Tue, 2009-04-21 at 22:17 +0200, Jan-Frode Myklebust wrote:
> On Tue, Apr 21, 2009 at 03:49:55PM -0400, Christopher J. PeBenito wrote:
> > * Does it really need to bind and connect to all ports?
>
> It's a general tcp proxy service, so it might need to bind/connect on
> any port. But one haproxy-installation will typically only need to
> bind/connect to the ports it's proxying for. Do you think maybe we
> should use booleans like:
>
> haproxy_bindconnect_any
> haproxy_bindconnect_http (to bind/connect to http_port_t)
> haproxy_bindconnect_smtp (to bind/connect to smtp_port_t)
> haproxy_bindconnect_pop (to bind/connect to pop_port_t)
> haproxy_bindconnect_db (to bind/connect to same as httpd_can_network_connect_db)
> ...
>
> Do you have any suggestions for how to achieve this without creating too
> many booleans ?

Is there a reasonable set of common ports that are used (perhaps what
you have above: http, smtp, pop, postgres, mysql)? If so, just allowing
those unconditionally would be sufficient, and then maybe have one
conditional for binding all ports.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
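One way to write Chris's suggestion into the module's .te, as an added example that is not part of the submitted patch or of anything in the thread: the common proxied services get their corenetwork port interfaces unconditionally, and only the all-ports rules sit behind a single tunable. The tunable name haproxy_connect_any is an assumption; the corenet_tcp_bind_*_port/corenet_tcp_connect_*_port calls are the refpolicy corenetwork interfaces generated for the http, smtp, pop, mysqld and postgresql port types.

```m4
########################################
#
# Declarations (tunable name haproxy_connect_any is assumed)
#

## <desc>
## <p>
## Allow haproxy to bind to and connect to any TCP port instead of
## only the common proxied service ports.
## </p>
## </desc>
gen_tunable(haproxy_connect_any, false)

########################################
#
# Local policy
#

# Common proxied services: allowed unconditionally, replacing the
# corenet_tcp_bind_all_ports / corenet_tcp_connect_all_ports pair.
corenet_tcp_bind_http_port(haproxy_t)
corenet_tcp_connect_http_port(haproxy_t)
corenet_tcp_bind_smtp_port(haproxy_t)
corenet_tcp_connect_smtp_port(haproxy_t)
corenet_tcp_bind_pop_port(haproxy_t)
corenet_tcp_connect_pop_port(haproxy_t)
# Database backends are connected to, never listened on.
corenet_tcp_connect_mysqld_port(haproxy_t)
corenet_tcp_connect_postgresql_port(haproxy_t)

# Everything else only when the administrator enables the boolean
# (setsebool -P haproxy_connect_any on).
tunable_policy(`haproxy_connect_any',`
	corenet_tcp_bind_all_ports(haproxy_t)
	corenet_tcp_connect_all_ports(haproxy_t)
')
```

With the boolean off, a bind or connect on a port outside the list shows up as an AVC denial for haproxy_t against that port type, which is the signal to either add that port's interface to the list or enable the boolean on that host.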